Comment 4 for bug 209416

Theodore Ts'o (tytso) wrote :

There are two problems with using -y. First of all, the idea of giving the user "these files may have been damaged" at the next login doesn't work if these are access control files for controlling which hosts are allowed to talk to a server, or other forms of security-critical files, if the machine is running in an unattended server configuration. As another example, suppose the filesystem contains a database or some other critical application data which is now corrupt. It may be better to not let the system come back up, since there are many business applications where serving wrong data is far, far worse than serving no data at all. (Think financial applications....)

Secondly, e2fsck -y won't always do the best job if the goal is to recover as many files as possible.

I'm willing to consider adding a parameter to the e2fsck.conf file to enable "reckless mode", which in preen mode blindly tries to fix everything according to heuristics, with no care as to whether a system administrator with human judgement could do a better job. I am concerned about this, because Ubuntu users seem to be more likely to have disk corruption issues more frequently than I've seen from other distros. Maybe it's because some segment of Ubuntu users are not as careful about the sort of hardware they choose and are using cheaper hardware (as the old joke goes, "whatever falls off the boat from Taiwan, as long as it's cheapest"); or maybe because people are encouraged to file Launchpad bugs over hardware issues; or maybe it's because of a difference in the maintenance strategy of the distro kernel. So the problem with reckless mode is that they might lose files without even noticing that something bad had happened (i.e., they click away or delete the message of filesystem problems because they don't understand it). Of course these "less-clueful users" are also much less likely to be doing regular backups as well.....

In any case, regardless of whether it is a good idea or not to provide a "reckless mode" for e2fsck, upstart **MUST** display output which is printed by the fsck drivers on standard output and upstart **MUST** respect the fsck driver's wishes if it exits saying that a system administrator should stop and look at the filesystem. At least for a server configuration (and I thought Hardy was going to be targeted at servers), this is a MUST.
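The "fsck driver's wishes" referred to above are carried in e2fsck's exit status, which is a bitmask documented in e2fsck(8): 1 = errors corrected, 2 = errors corrected and a reboot is needed, 4 = errors left uncorrected, 8 = operational error, 16 = usage error, 32 = cancelled by user, 128 = shared-library error. The following is an added example, not code from the Launchpad comment, e2fsprogs or upstart: it runs e2fsck in preen mode (-p, not -y), shows its output rather than discarding it, and maps the exit status onto a boot decision. The bit values are from the e2fsck man page; the three-way policy (continue / reboot / halt) and the function names `fsck_decide` and `run_preen` are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug thread, e2fsprogs or upstart): decode the
# e2fsck exit status bitmask documented in e2fsck(8) and decide whether boot
# may continue. The policy below is this example's own; the bit values are not.

FSCK_CORRECTED=1      # errors corrected
FSCK_REBOOT=2         # errors corrected, system should be rebooted
FSCK_UNCORRECTED=4    # errors left uncorrected
FSCK_OPERROR=8        # operational error (e.g. I/O error on the device)
FSCK_USAGE=16         # usage or syntax error
FSCK_CANCELLED=32     # cancelled by user request
FSCK_SHLIB=128        # shared-library error

# fsck_decide STATUS -> prints one of: continue, reboot, halt
# Any bit in 4|8|16|32|128 means the filesystem is not known-good, so the
# boot must stop and wait for a human, no matter what else is set. A status
# of exactly 0 or 1 (clean, or fixed in preen mode) lets boot continue.
fsck_decide() {
    status="$1"
    stop_mask=$((FSCK_UNCORRECTED | FSCK_OPERROR | FSCK_USAGE | FSCK_CANCELLED | FSCK_SHLIB))
    if [ $((status & stop_mask)) -ne 0 ]; then
        echo halt
    elif [ $((status & FSCK_REBOOT)) -ne 0 ]; then
        echo reboot
    else
        echo continue
    fi
}

# run_preen DEVICE -> runs "e2fsck -p" on DEVICE, prints whatever e2fsck
# wrote (so the administrator actually sees it on the console) and then
# prints the decision. Not invoked below: it needs a real block device and
# root. Output is captured into a variable rather than piped through tee so
# that the exit status of e2fsck itself is preserved in plain POSIX sh.
run_preen() {
    dev="$1"
    out=$(e2fsck -p "$dev" 2>&1)
    status=$?
    printf '%s\n' "$out"
    printf 'e2fsck exit status %d on %s\n' "$status" "$dev"
    fsck_decide "$status"
}
```

In a boot script the caller would act on the printed word: `continue` mounts and moves on, `reboot` reboots before mounting read-write, and `halt` drops to a maintenance shell with the e2fsck output still on the console. Note that 4 (uncorrected errors) combined with 1 still yields `halt`: the "stop" bits are checked before the "corrected" bits so that partial success never masks a remaining problem.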