tech-kern archive


Re: FFS: wrong superblock check ~> crash



On Mon, Oct 20, 2014 at 07:48:31PM +0100, Mindaugas Rasiukevicius wrote:
> > definitively not. I want a panic. If the filesystem is corrupted
> > something has gone really wrong and you can't trust the running system
> > any more. And there are cases where returning EROFS is worse than
> > panicking (e.g. an NFS server).
> 
> Disagree.  The kernel should remount the file system in read-only mode.
> 
> Perhaps we can debate what to do with corrupted / when the system is
> booting, but for other cases (especially hot-plug or external disks)
> I certainly do not expect a crash.

I do, it's the only sane thing to do if the system did write bogus
data to the disk and notice it later. Remounting in read-only mode
on a server with active services running doesn't do anything good
(I know because Linux servers do this. A panic and reboot is a much
better behavior).

If the corrupted filesystem is from a corrupted USB key then not panicking
is probably better; but 1) USB keys usually don't have ffs on them 2)
in such a case it would be better to run the filesystem code in userland anyway.

Now if the behavior can be chosen at compile or run-time I'm happy with
it, but there needs to be a way to keep the current behavior.

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 years of experience will always make the difference
--

