On Sun, Jul 25, 2010 at 11:29 AM, Robert <[email protected]> wrote:
> I haven't tried this mount, but IMHO if you mount some garbage as a
> specific file system type, then the OS should give you an error and
> deny the mount. It should not crash.
> Maybe you are mounting through a script, for automated backups, or
> through the automounter. Now if you insert by accident a wrong medium
> then this shouldn't lead to a crash.
You want the kernel to detect a bad filesystem at mount time. Let's think through the consequences of that.

You can crash a system right now by mounting an otherwise valid ffs partition that has been corrupted in particular ways. This has been documented for *decades* on the mount_ffs man page. (I recall seeing it on the manpage in SunOS 4.1.0 in 1991 or so.) To prevent that, fsck would have to be built into the kernel (you might replace the binary, after all) and run on each mount. Note that 'preen' mode can be trivially tricked too, so each call to mount() will do a full fsck.

What, you want to be able to mount a clean 1TB partition in less than an hour? But there might be some corruption in the structures around the 800GB mark!

Oh, so you think we should defer this until the data is actually accessed? Really? Have you tried to work out the correctness invariants for this? Remember, since this is an NFS server, stuff can be accessed right after mount without path walking, so your invariants can't depend on path checking being done for them...

If you're writing a script that needs to mount possibly corrupt data, then you need to screw your head on and do things like run fsck -y -t <whatever> on the device first. And use a sane fs type.

Philip Guenther
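The "fsck first, then mount with an explicit type" advice above, as an added example script that is not part of the thread: a `safe_mount` function for a backup job that runs a full (non-preen) `fsck -y -t` on the device and only mounts if it exits cleanly. The device path, mount point, and the `FSCK`/`MOUNT` override variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Mount a possibly-corrupt backup medium only after a full fsck has passed,
# and always with an explicit filesystem type so nothing is left to guessing.
# FSCK and MOUNT default to the real tools; they can be overridden for dry runs.
: "${FSCK:=fsck}"
: "${MOUNT:=mount}"

# safe_mount DEVICE FSTYPE MOUNTPOINT
# Exit status: 0 mounted; 2 fsck refused or could not clean the device
# (or the type is not one we handle); 3 the mount itself failed.
# The device is never mounted unless fsck exited 0.
safe_mount() {
    dev=$1; fstype=$2; mnt=$3
    case "$fstype" in
        ffs|ext2fs|msdos) ;;   # only the types this job is meant to handle
        *) echo "safe_mount: refusing unexpected fs type '$fstype'" >&2; return 2 ;;
    esac
    # Full check with -y, not preen mode: preen can be fooled by a
    # clean-looking superblock, which is exactly the case the thread is about.
    if ! "$FSCK" -y -t "$fstype" "$dev"; then
        echo "safe_mount: fsck of $dev ($fstype) failed; not mounting" >&2
        return 2
    fi
    if ! "$MOUNT" -t "$fstype" "$dev" "$mnt"; then
        echo "safe_mount: mount of $dev on $mnt failed" >&2
        return 3
    fi
    return 0
}

# When run directly with three arguments, act as the backup job's mount step.
if [ "$#" -eq 3 ]; then
    safe_mount "$1" "$2" "$3"
fi
```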

