On Fri, Dec 04, 2020 at 02:07:49PM -0600, Eric Sandeen wrote: > On 12/1/20 10:18 AM, Brian Foster wrote: > > On Mon, Nov 30, 2020 at 07:37:31PM -0800, Darrick J. Wong wrote: > >> From: Darrick J. Wong <darrick.wong@xxxxxxxxxx> > >> > >> Define an incompat feature flag to indicate that the filesystem needs to > >> be repaired. While libxfs will recognize this feature, the kernel will > >> refuse to mount if the feature flag is set, and only xfs_repair will be > >> able to clear the flag. The goal here is to force the admin to run > >> xfs_repair to completion after upgrading the filesystem, or if we > >> otherwise detect anomalies. > >> > >> Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx> > >> --- > > IIUC, we're using an incompat bit to intentionally ensure the filesystem > > cannot mount, even on kernels that predate this particular "needs > > repair" feature. The only difference is that an older kernel would > > complain about an unknown feature and return a different error code. > > Right? > > > > That seems reasonable, but out of curiousity is there a need/reason for > > using an incompat bit over an ro_compat bit? > > I'm a fan of a straight-up incompat, because we don't really know what > format changes in the future might require this flag to be set; nothing > guarantees that future changes will be ro-compat-safe, right? Correct. In the case of the inobtcount upgrade, we know that the inobt/finobt blockcounts in the AGI are zero (and thus wrong) right after the upgrade. If we made it a rocompat bit then we'd allow ro mounts but we'd also have to be careful to prohibit a ro->rw remount, at which point the admin gets a Big Surprise. Why not just make the admin repair the system right then and there? I mean, xfs_admin is already going to run repair anyway, so in practice there shouldn't be that many people trying to push an "upgraded but needs repair" fs at the kernel anyway. --D > -Eric
