Whither btrfsck?

Terms? On GPL software?

I don't agree with any of you. I know people will complain regardless of how scary the warning is, but you simply tell them to go pound sand and that they were sufficiently warned before they ran the tool of the danger. That's how I've always viewed it and when my FS was fried and I got that scary warning I knew I was on my own. After all, that's what real offline backups are for.

I don't understand how fsck can keep up with the file-system when one is integrated into the kernel and advancing independently of the other. It just seems like no matter what you do if you don't involve the wider development community you will never catch up.

I'm not a dev so my opinion doesn't matter but I think this is one of those things that should be out there for everyone to comment and help with. That doesn't mean he has to take all the suggestions as Chris could act just like Linus and lay down ground rules and play the benevolent dictator. I just don't see how he can essentially work alone (or even small team) on a tool that services a FS that's in wide use and development.

Let the distributions decide when it's ready to be compiled and included. Anything else seems to be favoring a single company. What's happening now would be like Linus declaring that no one can use Kernel 3.X until he decides they can.

We know, and you're not billing us for the time, and that's fine.

The question, Chris, isn't "should btrfs be in production use by now", or even "should btrfs be in production use while it doesn't have a working fsck in the wild".

It's "should people too stupid to breathe be protected from themselves by delaying the release of a tool that might make a bad situation worse"?

While I don't think Libertarianism is a workable political theory on the national scale, growing up on Heinlein has made me lean towards it as a personal philosophy, and I'm inclined towards the arguments made above: in short, that with enough eyeballs, all bugs are shallow.

And that anyone dumb enough to trust a development-release filesystem to unbacked up real data of any sort deserves exactly what they get.

The real question is: what percentage of such users will *really* blame the developer -- especially if they had to, for example, go out and get the FS code, instead of just choosing it off an installer screen?

I suspect there are people who think it's higher than I do, but I don't have data.

In any event, we look forward to your patch. :-)

The problem is that people do have this attitude. I work with developers who don't like Red Hat because of what they did in 1999. I work with people who prefer Debian because of "RPM Hell". I've worked with people who hate Perl because of the quality of code written in Perl 3. I've worked with people who have sworn never to use a Seagate disk because of that great problem they had back in 2003 or whatever.

To repurpose http://xkcd.com/242/, maybe scientists can afford the time to see if the same problem happens again later. But sysadmins and programmers tend to be under pressure to produce results, and lots of them can't afford the time to retest their assumptions later. The better ones I've seen test new things out or test their assumptions out at home or on test systems in spare time. The cowboys test them on live systems in production and then wonder why everyone gets upset.

I agree we should all be able to test out btrfsck and have the code in the open so that people can contribute ideas about those corner cases and weird fuzzy problems that Chris might not have thought about. But if there are already people complaining that btrfs is eating their data, then releasing btrfsck early and buggy is only going to hurt its reputation. That's why I support Chris's decision to hold onto it for now. I'm sure he's trying to do the right thing but it's his decision to make.

Have fun,

Paul

As Paul points out, people have this attitude (and I'm one of them sometimes). I'm a scientist and I'm all for zapping myself with magic lightening machines (see xkcd reference cited below) on my own dime and at home, but if I were a sysadmin again I wouldn't be doing that with other people's valuable data. I'd be saying "gee, reiserfs bit me once so now it has to go out of its way to prove that I should use it over something I know is just going to work". This is also why in the real world people are still running OS releases from several years ago, and why they want them supported for the next million years. Because it works and that's all they want.

and how exactly did the FDA test what happens to people's eyes 40 years after the LASIK surgery? how do you really know that you aren't trading the inconvenience of wearing glasses for some years of blindness later?

being wary of LASIK for something irreplaceable like your eyes is not completely unreasonable.

and you can now do it yourself at home!

http://www.lasikathome.com/

Restoring from a backup may save you from the dole queue. Recovering to the data to a point immediately prior to the failure... priceless.

Next time, try to zero-write those bad blocks with "hdparam"; it worked for me.

"for that matter, without something to check the filsystem, how will they even know that it's corrupted?"

More than likely the same way as with any other filesystem: kernel messages when file accesses are attempted. I don't know the default settings in mke2fs these days, but even if they're relatively conservative (on the order of every 10-20 mounts/30 days) a full filesystem check is a rare event on most Linux boxes.

Not to say that btrfsck isn't needed, but most of the time you're relying on what the kernel filesystem code is doing to maintain integrity no matter whether fsck is available or not.

This last line seems to me the key to the whole problem.

You can't (further) corrupt a file system if you don't
write to it. There's a great deal of checking that you can
only afford to do when some program isn't waiting for read()
to come back. On btrfs, if it's designed right, you should
be able to run a consistency checker in background on live
file systems.

It's no fun to be informed that your file system is corrupt
and, further, that it can't be fixed, but that's much better
than *not* being informed that your file system is corrupt,
when it is. The sooner you find out, the fewer backups will
also be corrupt. A tool that can only constrain the locus of
the corruption would still be helpful; only the faulty part
needs to be reloaded from backups.

A widely used checker would result in better bug reports for the
file system proper, as corruption is found early. How many bugs
are still waiting to be found just because nothing is looking?

The way forward, then, is to release a pure checker, first,
and then begin to release repair capabilities one at a time as
they become ready. If the repair tool generated a journal of
changes without writing them to the file system proper, then
you could run a full check on the sum of fs+journal, and only
commit the changes if the result is clearly better than before.
Ideally the repair machinery would actually be the same well
tested code that, in production, integrates more usual changes
into the file system.

I think ideally btrfsck would have been developed alongside the filesystem and at the same level of stability, so that this dilemma wouldn't have come up. We don't live in an ideal world, though, so I understand where Chris is coming from. I guess releasing a read-only fsck might be potentially be a good intermediate step.

Then clone him a few hundred times. What's the problem?

Part of the problem is that there's a whole variety of tools commonly referred to as "fsck". btrfs does have several of them publicly available, and has for some time:

* A readonly btrfsck which serves as a diagnostic tool, and has been distributed along with mkfs.btrfs and company for at least 2 years now.
* Online scrub in the kernel module to check all data and metadata against the checksums, which is also able to correct the bad data from redundant copies if available, and attempt to do the same from repeated reads if not. This has been around for about a year (9 months?).
* A extraction tool to recover files from an unmountable or otherwise damaged filesystem to other media, although it has a somewhat limited scope in what it can recover. This has been available in various forms for 6 months or so.

What we're waiting for is the tool that dives into the guts of a broken filesystem to make it mountable, without requiring independent storage nor deep understanding from its user. This is the tool that easily destroy what almost certainly would have been recoverable data (i.e. the offline extraction tool), and yet is also the tool that distros stick in the boot process on failure which circumspectly warns of the dangers and requires the user to take manual action, at which point the distros will helpfully dump the user at a shell prompt with a convenient "To proceed, run: fsck.btrfs -A --NO_DONT_THIS_WILL_EAT_YOUR_DATA" banner.

Incidentally, this confusion is why zfs gets away with the "no fsck required!" marketing: they have the full set of tools, they just don't call any of them "zfsck".