Re: Linux Plumbers MD BOF discussion notes

On Mon, Sep 18 2017, Mikael Abrahamsson wrote:

> On Sat, 16 Sep 2017, NeilBrown wrote:
>
>> "Hiding" is a very vague term.  Should we get Harry Potter's
>> invisibility cloak and wrap it around the hardware?
>> Do we need to:
>>  - remove from /proc/partitions - possible and possibly sane
>>  - remove from /dev - easy, given clear justification
>>  - remove from /sys/block - I don't think this is justifiable
>>  - make open() impossible - it already is if you use O_EXCL
>> ??
>>
>> Possibly something sensible could be done, but we do need a clear
>> statement of, and justification for, the customer requirement.
>
> This is interesting.
>
> On the IRC channel #linux-raid on freenode, we have frequent visitors who 
> "oh, I happened to overwrite an active component drive with dd" or "I 
> zeroed the superblock on the active component by mistake" etc. So there 
> is something to it to remove the "/dev/sd*" when they're part of an active 
> md device.
>
> However, this would cause problems when people are using for instance 
> "smartctl" and equivalent ways to pull data from the devices. Same with 
> mdadm -E.
>
> Just thinking out loud, perhaps it would make sense to create some kind of 
> hierarchy along the lines of "/proc/mapper/md0/" and put the components 
> there for monitoring. However, I think it would be quite confusing for 
> users if /dev/sd[b-f] disappeared as soon as it was put into an array. 
> There is also the question about how to refer to these devices when 
> manipulating with mdadm.
>
> I don't have good answers, but I can say that there is user pain out there 
> when they shoot themselves in the foot. If we can come up with a clever 
> way to help them (without too many downsides), it'd be good.
>
> If we could disable writing to the drives/partitions from regular 
> userspace when they're handled by md, that could be some kind of middle 
> ground. I guess most tools don't use O_EXCL.

This is awkward.  There are times when userspace needs to write to a
device which is in use by me.  One example is when using DDF or Intel
metadata and userspace manages the metadata.  Another is using
raid6check to correct inconsistencies.

I don't object at all to making it hard for regular commands to write to
the devices, but it is hard to come up with a good way to do it.

Maybe just removing the /dev/XXX entry would be best.  That doesn't stop
a determined program, but it does make it harder for an inexperienced
user. As you say, that might cause confusion though.

It would be nice if we could simply remove write permission, but
that is ignored when root opens things.

We could add an ioctl that needs to be called on an fd before writes are
allowed.  This would effect a per-fd write access that applies even to
root.  It feels a bit ugly, but might be possible.

Anyway, thanks for the example of a real problem related to this.  It
does make it easier to think about.

NeilBrown
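A userspace-side guard for the "overwrote an active component with dd" case raised above, as an added example (not code from this thread, the kernel, or mdadm): it parses a constructed /proc/mdstat sample to tell whether a device node currently belongs to an md array, and separately offers an O_EXCL probe of the kind NeilBrown mentions, which needs a real block device and is an assumption about the tool's wrapper, not anything shown in the thread.

```python
import errno
import os
import re

# Constructed sample of /proc/mdstat (not captured from a real system).
SAMPLE_MDSTAT = """\
Personalities : [raid1] [raid6] [raid5] [raid4]
md0 : active raid1 sdb1[0] sdc1[1]
      1953382400 blocks super 1.2 [2/2] [UU]
      bitmap: 0/15 pages [0KB], 65536KB chunk

md1 : active raid5 sdd[0] sde[1] sdf[2](S)
      3906765824 blocks super 1.2 level 5, 512k chunk, algorithm 2 [3/3] [UUU]

unused devices: <none>
"""

# A member appears on the array line as NAME[slot], optionally followed by a
# state suffix such as (S) for spare or (F) for faulty.
_MEMBER_RE = re.compile(r"(\S+)\[\d+\](?:\([A-Z]\))?$")


def parse_mdstat(text):
    """Return {component_name: array_name} for every array in mdstat text."""
    members = {}
    for line in text.splitlines():
        fields = line.split()
        # Array lines look like "md0 : active raid1 sdb1[0] sdc1[1]";
        # the "Personalities :" line has no NAME[slot] tokens and is skipped.
        if len(fields) < 4 or fields[1] != ":":
            continue
        for token in fields[3:]:
            m = _MEMBER_RE.match(token)
            if m:
                members[m.group(1)] = fields[0]
    return members


def md_array_for(device, mdstat_text):
    """Map a node like /dev/sdb1 to the md array using it, or None."""
    return parse_mdstat(mdstat_text).get(os.path.basename(device))


def exclusive_open_is_possible(device):
    """Linux rejects O_EXCL on a block device that already has an exclusive
    holder (md, for instance) with EBUSY.  Requires a real device node."""
    try:
        fd = os.open(device, os.O_RDONLY | os.O_EXCL)
    except OSError as e:
        if e.errno == errno.EBUSY:
            return False
        raise
    os.close(fd)
    return True
```

A tool wrapping dd would refuse (or demand an override) when `md_array_for(target, open("/proc/mdstat").read())` is not None; the mdstat check catches the common mistake even for callers that never use O_EXCL.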
