Date: Mon, 9 Mar 2020 11:18:38 -0400
From: "Theodore Y. Ts'o"
To: Jean-Louis Dupond
Cc: linux-ext4@vger.kernel.org
Subject: Re: Filesystem corruption after unreachable storage
Message-ID: <20200309151838.GA4852@mit.edu>
X-Mailing-List: linux-ext4@vger.kernel.org

On Mon, Mar 09, 2020 at 02:52:38PM +0100, Jean-Louis Dupond wrote:
> Did some more tests today.
>
> Setting the SCSI timeout higher seems to be the most reliable solution.
> When the storage recovers, the VM just recovers and we can continue :)
>
> Also did test setting the filesystem option 'error=panic'.
> When the storage recovers, the VM freezes. So a hard reset is needed. But on
> boot a manual fsck is also needed like in the default situation.
> So it seems like it still writes data to the FS before doing the panic?
> You would expect it to not touch the fs anymore.
>
> Would be nice if this situation could be a bit more error-proof :)

Did the panic happen immediately, or did things hang until the storage
recovered, and *then* it rebooted? Or did the hard reset and reboot
happen before the storage network connection was restored?

Fundamentally I think what's going on is that even though there is an
I/O error reported back to the OS, in some cases, the outstanding I/O
actually happens. So in the error=panic case, we do update the
superblock saying that the file system contains inconsistencies. And
then we reboot. But it appears that even though the host rebooted, the
storage area network *did* manage to send the I/O to the device.

I'm not sure what we can really do here, other than simply making the
SCSI timeout infinite. The problem is that storage area networks are
flaky. Sometimes I/O's make it through, and even though we get an
error, it's an error from the local SCSI layer --- and it's possible
that I/O will make it through. In other cases, even though the storage
area network was disconnected at the time we sent the I/O saying the
file system has problems, and then rebooted, the I/O actually makes it
through. Given that, if we're not sure, forcing a full file system
check is the better part of valor.

And if it hangs forever, and we do a hard reset reboot, I don't know
*what* to trust from the storage area network. Ideally, there would be
some way to do a hard reset of the storage area network so that all
outstanding I/O's from the host that we are about to reset will get
forgotten before we actually do the hard reset.

- Ted
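
Added example, not part of the original message or of any ext4 tooling: a Python sketch that decodes the superblock fields this thread turns on, namely the state word where the "file system contains errors" flag is recorded (the flag e2fsck reacts to by forcing a check) and the configured on-error behaviour. Field offsets follow the published ext4 on-disk layout; the function names and the sample buffers are constructed for illustration.

```python
import struct

SUPERBLOCK_OFFSET = 1024   # primary superblock starts 1024 bytes into the volume
MAGIC_OFFSET = 0x38        # s_magic, followed by s_state (0x3A) and s_errors (0x3C)
EXT_MAGIC = 0xEF53
STATE_FLAGS = {0x0001: "clean", 0x0002: "errors_detected",
               0x0004: "orphans_being_recovered"}
ERROR_POLICY = {1: "continue", 2: "remount-ro", 3: "panic"}


def parse_superblock_state(raw):
    """Decode s_state and s_errors from the first 2 KiB of an ext2/3/4 volume."""
    if len(raw) < SUPERBLOCK_OFFSET + MAGIC_OFFSET + 6:
        raise ValueError("buffer too short to hold the primary superblock")
    magic, state, errors = struct.unpack_from(
        "<HHH", raw, SUPERBLOCK_OFFSET + MAGIC_OFFSET)
    if magic != EXT_MAGIC:
        raise ValueError("not an ext2/3/4 superblock (magic 0x%04x)" % magic)
    return {
        "state_flags": [name for bit, name in STATE_FLAGS.items() if state & bit],
        "on_error": ERROR_POLICY.get(errors, "unknown(%d)" % errors),
        # Set when the error-flag write actually reached the device.
        "error_flag_set": bool(state & 0x0002),
    }


def read_volume(path):
    """Read the bytes parse_superblock_state() needs from a device or image file."""
    with open(path, "rb") as fh:
        return fh.read(2048)


def make_sample(state, errors):
    """Constructed sample: zeroed 2 KiB buffer with only the three fields set."""
    buf = bytearray(2048)
    struct.pack_into("<HHH", buf, SUPERBLOCK_OFFSET + MAGIC_OFFSET,
                     EXT_MAGIC, state, errors)
    return bytes(buf)


if __name__ == "__main__":
    # Volume set to panic on error, with the error flag already on disk.
    print(parse_superblock_state(make_sample(state=0x0002, errors=3)))
    # Cleanly unmounted volume using remount-ro on error.
    print(parse_superblock_state(make_sample(state=0x0001, errors=2)))
```

Running `parse_superblock_state(read_volume(path))` against an image taken after the hard reset shows whether the error-flag update made it to the device despite the I/O error reported to the host.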