Hi William.

William Schumann wrote:
> Jack,
> I've modified the proposal to include some protection for vdevs. If a 
> vdev is a disk, it must have the attribute "use_entire_disk" if the 
> disk is labeled or formatted. Suggestions on a better name for this 
> attribute gladly accepted - I don't think that "use_entire_disk" makes 
> it adequately clear that all formatting will be destroyed by 
> zfs/zpool create.
wipe_disk or wipe_entire_disk?
erase_disk or erase_entire_disk?
>
> Modified example: install on boot disk, use some selected disk as 
> raid2 mirror, and use another selected disk over 30GB for zfs pool 
> newpool mounted at /export1
> <ai_target_device>
> <target_device_select_boot_disk/> <!-- use the existing boot device -->
> <mirror> <!-- put mirror selected disk named "mirrordev" -->
> <vdev use_entire_disk="true">mirrordev</vdev>
> </mirror>
> <mirror_type>raid2</mirror_type>
> </ai_target_device>
OK.  The above uses the boot disk and sets up a raid2 mirror using 
"mirrordev".  This makes a forward reference as discussed a few days ago.
> <ai_target_device> <!-- find disk for a new pool - disk bigger than 
> 30G -->
> <reference_name>newpooldisk</reference_name>
> <target_select_min_size>30</target_select_min_size>
> </ai_target_device>
If I understand this correctly, an arbitrary disk is being picked by the 
system here for a disk to be called "newpooldisk".  We need protection 
for newpooldisk too.
> <ai_target_device> <!-- just grab another disk for use as a mirror -->
> <reference_name>mirrordev</reference_name>
> <!-- just assume that disk is appropriate for raid2 mirror -->
> </ai_target_device>
Another arbitrary disk gets recycled here to become "mirrordev".  
Protection is needed.
> <ai_zfs_pool>
> <zpool_create name="newpool"> <!-- describe the new pool -->
> <zpool_options>-m /export1</zpool_options> <!-- specify mount point -->
> <vdev use_entire_disk="true">
> newpooldisk <!-- use selected disk named "newpooldisk", overwriting 
> any formatting -->
> </vdev>
Ah, here's newpooldisk's protection.  I suggest that the protection be a 
part of the declaration of newpooldisk, not part of the declaration of 
the zpool which will use it.  After all, it is the disk being protected, 
not the zpool.
> </zpool_create>
> </ai_zfs_pool>
>
> Slices and partitions could also be similarly protected. Should they 
> also be protected?
IMO, if the system can arbitrarily pick a slice or partition, protection 
is needed.  If a user has to explicitly ask for the slice or partition, 
then protection for it isn't as critical but I would still do it.  
(Don't newfs, format and other destructive commands print "last mounted 
as blah"?)
> A slice could be checked for existing files, but it would have to be 
> mounted to do this. Perhaps we can just assume that the user knows 
> what he/she is doing if slices and partitions are specified.
>
> Jack, FYI, there is a new disk selection element: 
> target_device_select_unformatted_disk which can be used to make the 
> selection process safer.
This is OK, but protection for previously-used disks is what we really need.

This was probably addressed earlier, but... another concern I have is 
that disk cwtxdysz names may move around (or at least they used to) upon 
reinstall.  This will cause nasty problems if different slices than 
those intended are overwritten.  How do we ensure that an intended slice 
is really the one which is being used when cwtxdysz names are used?
>
> Updated schema: 
> http://www.opensolaris.org/os/project/caiman/auto_install/ai_manifest_schema.xml
>  
>
Since I'm suggesting other changes, I'll review this once the rest of 
the dust settles.

    Thanks,  
    Jack
>
> Thank you,
> William
>
> William Schumann wrote:
>> Jack,
>> Good point. Read on.
>>
>> The use case here could be deployment of a computer that is slated 
>> for complete reinitialization and removal of any existing data.
>>
>> In principle, the security for the disk is not provided in selection 
>> criteria, but in the partition, slice, and zfs pool creation. The 
>> design attempts to preserve data in all cases, unless specified 
>> otherwise.
>>
>> However, you have identified a case where the mirror is created 
>> without regard to what might be on the disk. I would propose that the 
>> default behavior should be to prevent creating of zpools and mirrors 
>> on "disks that have data", unless we offer an element to override 
>> that protection. "Disks that have data" must be more clearly described.
>>
>> Thanks for pointing this out,
>> William
>>
>> Jack Schwartz wrote:
>>> Hi William.
>>>
>>> On 05/26/09 07:01, William Schumann wrote:
>>>> (snip)
>>>>
>>>> Example: install on boot disk, use some selected disk as raid2 
>>>> mirror, and use another selected disk over 30GB for zfs pool 
>>>> newpool mounted at /export1
>>> Sounds dangerous to have the system pick an arbitrary disk based on 
>>> size. If we do this, we should check the disk label that the disk 
>>> was not used, to prevent accidental erasure.
>>>
>>> Thanks,
>>> Jack
>> _______________________________________________
>> caiman-discuss mailing list
>> caiman-discuss at opensolaris.org
>> http://mail.opensolaris.org/mailman/listinfo/caiman-discuss
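A small lint over the manifest form discussed in this thread, added here as an example and not part of the proposal or of the Caiman project. Element names follow the thread's examples; the rule it enforces is the one Jack asks for: a disk the installer picks on its own must carry use_entire_disk="true" (accepted either on the vdev, as proposed, or on the disk's own declaration, as suggested) before a mirror or zpool_create consumes it, and every vdev must resolve to a declared device.

```python
import xml.etree.ElementTree as ET

# Constructed manifest: the thread's example wrapped in a root so it parses, with
# two deliberate problems (mirrordev lacks the flag; sparedisk is never declared).
MANIFEST = """<ai_manifest>
  <ai_target_device>
    <target_device_select_boot_disk/>
    <mirror><vdev>mirrordev</vdev></mirror>
    <mirror_type>raid2</mirror_type>
  </ai_target_device>
  <ai_target_device>
    <reference_name>newpooldisk</reference_name>
    <target_select_min_size>30</target_select_min_size>
  </ai_target_device>
  <ai_target_device><reference_name>mirrordev</reference_name></ai_target_device>
  <ai_zfs_pool>
    <zpool_create name="newpool">
      <zpool_options>-m /export1</zpool_options>
      <vdev use_entire_disk="true">newpooldisk</vdev>
      <vdev use_entire_disk="true">sparedisk</vdev>
    </zpool_create>
  </ai_zfs_pool>
</ai_manifest>"""

# Selectors that name a specific disk; anything else is picked by the installer.
EXPLICIT = {"target_device_select_boot_disk"}

def declared_devices(root):
    """Map reference_name -> (picked by the system?, flagged on its declaration?)."""
    devs = {}
    for dev in root.iter("ai_target_device"):
        name = dev.findtext("reference_name")
        if name:  # the boot-disk block has no name and is never referenced
            explicit = any(dev.find(t) is not None for t in EXPLICIT)
            devs[name] = (not explicit, dev.get("use_entire_disk") == "true")
    return devs

def check_manifest(xml_text):
    """Return findings in document order; an empty list means every vdev is safe to wipe."""
    root = ET.fromstring(xml_text)
    devs = declared_devices(root)  # forward references resolve: all declarations are collected first
    findings = []
    for vdev in root.iter("vdev"):
        name = (vdev.text or "").strip()
        if name not in devs:
            findings.append(f"unresolved vdev reference: {name}")
        elif devs[name][0] and not (devs[name][1] or vdev.get("use_entire_disk") == "true"):
            findings.append(f"system-selected disk used without use_entire_disk: {name}")
    return findings
```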
