Subject: Re: FFS reliability problems
To: NetBSD Kernel Technical Discussion List <tech-kern@NetBSD.ORG>
From: Greg A. Woods <woods@weird.com>
List: tech-kern
Date: 06/06/2002 12:46:03
[ On Wednesday, June 5, 2002 at 23:50:15 (-0400), Lord Isildur wrote: ]
> Subject: Re: FFS reliability problems
>
> i have to agree, the semantics of the filesystem certainly make it
> necessary for a file to rightly disappear if that process holding a
> descriptor exits and it has otherwise been removed. if the process exits
> nicely or not is not the issue; the file should be gone. now, one can
> certainly recover them by booting single-user and deliberately relinking
> them, but fsck shouldn't resurrect them, certainly not by default.
>
> isildur
>
> On Wed, 5 Jun 2002, Thor Lancelot Simon wrote:
> > ...if by "probably" you mean "if you're mysteriously prevented from using
> > single-user mode by some Strange Cosmic Force", that is.
> > 
> > If I delete a file, I do *not* want the system to magically reappear it
> > in /lost+found just because the system crashed while something had it
> > open.  I would be extremely strongly opposed to a change to fsck's
> > default behaviour that caused that, and I believe that many others would
> > as well.

You're talking about something entirely separate from what Thor is
talking about.

You've described the situation where a process exits after holding
open a file with no directory references.  Thor describes a situation
where the process does not exit.  If the process has never exited then
there's no telling what it might have done with the data if it had been
given the chance.

I agree with you, but I'm not so sure I agree with Thor.  While
obviously a file with no directory references is probably intended only
for temporary data, I'm not sure fsck should make such an assumption,
since the data is easily recoverable and can then be disposed of as the
administrator sees fit.

You cannot blame the process for the crash of the system (even if it was
somehow responsible).  A crash is an abnormal termination of the system,
not an abnormal termination of the processes that happened to be running
at the time.  The purpose of fsck is to bring the filesystem into a
consistent and usable state following a crash.  It should always, by
default, do so in such a way that no recoverable data is lost.

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods@acm.org>;  <g.a.woods@ieee.org>;  <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>