On 2013/01/10 01:37, Jan Kara wrote:
> On Mon 07-01-13 20:38:24, Fernando Luis Vázquez Cao wrote:
>> As things stand now a filesystem frozen through the in-kernel bdev
level API
>> can be thawed using the userspace sb level API, which can lead to
accidental
>> corruption of filesystem snapshots and backups.
>>
>> To address this problem we modify the in-kernel API so that we can tell
>> fsfreeze that a kernel initiated freeze is in progress and that the
filesystem
>> should not be thawed no matter how many times the FITHAW ioctl is
invoked.
>
> I'm not sure if this isn't going too far in the direction of trying to
> prevent sysadmin to shoot himself in the foot. For well written
applications
> where FITHAW and FIFREEZE are paired, things should work OK after your
> initial fixes. And if someone calls unpaired FITHAW, things can break
> spectacularly anyway for other users of FIFREEZE. So I just wouldn't
bother
> with any more protections. What do you think?
I think that FITHAW/FIFREEZE should not interfere with
(freeze/thaw)_bdev, which is an internal kernel API. It could be the
case that users of freeze_bdev (external modules) cannot handle a
scenario where a frozen filesystem is unexpectedly thawed through the
userspace API.
This kind of protection is also beneficial in virtualization
environments where there can be hypervisor initiated uses of the
fsfreeze API (this is a reality in KVM with the advent of QEMU's guest
agent), which means that we effectively have two administrative
domains (the guest's and hypervisor's). It would be nice if we can
avoid situations where a guest initiated dm-snapshot is not affected
by a spurious FITHAW request from the hypervisor.
If the added complexity is acceptable I think this king of protections
is desirable.
- Fernando
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
