linux-xfs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 0/2 v2] xfsprogs: metadump warns about dirty journal
@ 2017-04-13  8:13 Jan Tulak
  2017-04-13  8:13 ` [PATCH 1/2] metadump: warn about corruption if log is dirty Jan Tulak
  2017-04-13  8:13 ` [PATCH 2/2] xfsprogs: update man for metadump about dirty log/obfuscation issue Jan Tulak
  0 siblings, 2 replies; 13+ messages in thread
From: Jan Tulak @ 2017-04-13  8:13 UTC (permalink / raw)
  To: linux-xfs; +Cc: Jan Tulak

Hi guys

Per the discussion in the previous patches, I'm sending this updated version.
It does nothing with mdrestore, only adds a bit more elaborate warning on
the dump side and adds the same info also to the man page for metadump.

Hopefully, this is ok for everyone and we can continue the discussion
if/what to do with mdrestore in the old thread.


This set is based on xfsprogs: 07a3e79 for-next branch,
git tree is https://github.com/jtulak/xfsprogs-dev/tree/metadump

Cheers,
Jan


Jan Tulak (2):
  metadump: warn about corruption if log is dirty
  xfsprogs: update man for metadump about dirty log/obfuscation issue

 db/metadump.c           | 4 +++-
 man/man8/xfs_metadump.8 | 6 ++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

-- 
2.1.4


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [PATCH 1/2] metadump: warn about corruption if log is dirty
  2017-04-13  8:13 [PATCH 0/2 v2] xfsprogs: metadump warns about dirty journal Jan Tulak
@ 2017-04-13  8:13 ` Jan Tulak
  2017-04-13 11:54   ` Brian Foster
  2017-04-13  8:13 ` [PATCH 2/2] xfsprogs: update man for metadump about dirty log/obfuscation issue Jan Tulak
  1 sibling, 1 reply; 13+ messages in thread
From: Jan Tulak @ 2017-04-13  8:13 UTC (permalink / raw)
  To: linux-xfs; +Cc: Jan Tulak

Add a warning about possible corruption when exporting a dirty log, as
the log content does not agree with obfuscated metadata.

Signed-off-by: Jan Tulak <jtulak@redhat.com>
---
Change: More elaborate warning message.
---
 db/metadump.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/db/metadump.c b/db/metadump.c
index 66952f6..2dd8593 100644
--- a/db/metadump.c
+++ b/db/metadump.c
@@ -2726,7 +2726,9 @@ copy_log(void)
 		/* keep the dirty log */
 		if (obfuscate)
 			print_warning(
-_("Filesystem log is dirty; image will contain unobfuscated metadata in log."));
+_("Warning: log recovery of an obfuscated metadata image can leak "
+"unobfuscated metadata and/or cause image corruption. Please mount "
+"the source filesystem to clean the log or disable obfuscation, if possible."));
 		break;
 	case -1:
 		/* log detection error */
-- 
2.1.4


^ permalink raw reply related	[flat|nested] 13+ messages in thread

* [PATCH 2/2] xfsprogs: update man for metadump about dirty log/obfuscation issue
  2017-04-13  8:13 [PATCH 0/2 v2] xfsprogs: metadump warns about dirty journal Jan Tulak
  2017-04-13  8:13 ` [PATCH 1/2] metadump: warn about corruption if log is dirty Jan Tulak
@ 2017-04-13  8:13 ` Jan Tulak
  2017-04-13 12:01   ` Brian Foster
  1 sibling, 1 reply; 13+ messages in thread
From: Jan Tulak @ 2017-04-13  8:13 UTC (permalink / raw)
  To: linux-xfs; +Cc: Jan Tulak

This is something that should be documented, as it is not obvious to
everyone.

Signed-off-by: Jan Tulak <jtulak@redhat.com>
---
 man/man8/xfs_metadump.8 | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/man/man8/xfs_metadump.8 b/man/man8/xfs_metadump.8
index 3731d6a..1b40fb8 100644
--- a/man/man8/xfs_metadump.8
+++ b/man/man8/xfs_metadump.8
@@ -59,6 +59,12 @@ options where
 are not obfuscated. Names between 5 and 8 characters in length inclusively
 are partially obfuscated.
 .PP
+Log recovery of an obfuscated metadata image can leak
+unobfuscated metadata and/or cause image corruption. Please mount
+the source filesystem to clean the log or disable obfuscation, if possible.
+If you have to obfuscate an image with a dirty log, tell about it to whoever
+you are sending the image to.
+.PP
 .B xfs_metadump
 should not be used for any purposes other than for debugging and reporting
 filesystem problems. The most common usage scenario for this tool is when
-- 
2.1.4


^ permalink raw reply related	[flat|nested] 13+ messages in thread

* Re: [PATCH 1/2] metadump: warn about corruption if log is dirty
  2017-04-13  8:13 ` [PATCH 1/2] metadump: warn about corruption if log is dirty Jan Tulak
@ 2017-04-13 11:54   ` Brian Foster
  2017-06-15  0:06     ` Eric Sandeen
  0 siblings, 1 reply; 13+ messages in thread
From: Brian Foster @ 2017-04-13 11:54 UTC (permalink / raw)
  To: Jan Tulak; +Cc: linux-xfs

On Thu, Apr 13, 2017 at 10:13:53AM +0200, Jan Tulak wrote:
> Add a warning about possible corruption when exporting a dirty log, as
> the log content does not agree with obfuscated metadata.
> 
> Signed-off-by: Jan Tulak <jtulak@redhat.com>
> ---
> Change: More elaborate warning message.
> ---
>  db/metadump.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/db/metadump.c b/db/metadump.c
> index 66952f6..2dd8593 100644
> --- a/db/metadump.c
> +++ b/db/metadump.c
> @@ -2726,7 +2726,9 @@ copy_log(void)
>  		/* keep the dirty log */
>  		if (obfuscate)
>  			print_warning(
> -_("Filesystem log is dirty; image will contain unobfuscated metadata in log."));
> +_("Warning: log recovery of an obfuscated metadata image can leak "
> +"unobfuscated metadata and/or cause image corruption. Please mount "
> +"the source filesystem to clean the log or disable obfuscation, if possible."));
>  		break;

Thanks Jan, just one very minor nit having read this again... could we
put the "if possible" closer to the part about mounting the source
image? Otherwise it reads to me that it might not be technically
possible to disable obfuscation, which is not the case (though the user
may not want to do that as a matter of policy). For example:

"... Please mount the source filesystem to clean the log, if possible,
or disable obfuscation."

With that tweak:

Reviewed-by: Brian Foster <bfoster@redhat.com>

>  	case -1:
>  		/* log detection error */
> -- 
> 2.1.4
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [PATCH 2/2] xfsprogs: update man for metadump about dirty log/obfuscation issue
  2017-04-13  8:13 ` [PATCH 2/2] xfsprogs: update man for metadump about dirty log/obfuscation issue Jan Tulak
@ 2017-04-13 12:01   ` Brian Foster
  2017-04-13 12:29     ` Jan Tulak
  0 siblings, 1 reply; 13+ messages in thread
From: Brian Foster @ 2017-04-13 12:01 UTC (permalink / raw)
  To: Jan Tulak; +Cc: linux-xfs

On Thu, Apr 13, 2017 at 10:13:54AM +0200, Jan Tulak wrote:
> This is something that should be documented, as it is not obvious to
> everyone.
> 
> Signed-off-by: Jan Tulak <jtulak@redhat.com>
> ---
>  man/man8/xfs_metadump.8 | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/man/man8/xfs_metadump.8 b/man/man8/xfs_metadump.8
> index 3731d6a..1b40fb8 100644
> --- a/man/man8/xfs_metadump.8
> +++ b/man/man8/xfs_metadump.8
> @@ -59,6 +59,12 @@ options where
>  are not obfuscated. Names between 5 and 8 characters in length inclusively
>  are partially obfuscated.
>  .PP
> +Log recovery of an obfuscated metadata image can leak
> +unobfuscated metadata and/or cause image corruption. Please mount
> +the source filesystem to clean the log or disable obfuscation, if possible.
> +If you have to obfuscate an image with a dirty log, tell about it to whoever
> +you are sending the image to.
> +.PP

We might want the man page content to be a bit more descriptive than
what xfs_metadump actually emits for a warning. For example:

"xfs_metadump does not obfuscate data in the filesystem log. Log
recovery of an obfuscated metadump image may expose unobfuscated
metadata and/or cause filesystem corruption. It is recommended to
disable obfuscation for filesystems that must be captured with a dirty
log."

... but that's just my .02. Feel free to reword that and solicit more
feedback from others too. Another thought here could be to intimate that
if an obfuscated+dirty log metadump image is truly required, it is the
user responsibility to verify that the resulting image has not been
corrupted by the metadump process and does not contain sensitive
metadata (as opposed to telling the user to simply tell the recipient of
the image about it).

Brian

>  .B xfs_metadump
>  should not be used for any purposes other than for debugging and reporting
>  filesystem problems. The most common usage scenario for this tool is when
> -- 
> 2.1.4
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [PATCH 2/2] xfsprogs: update man for metadump about dirty log/obfuscation issue
  2017-04-13 12:01   ` Brian Foster
@ 2017-04-13 12:29     ` Jan Tulak
  2017-04-13 13:04       ` Brian Foster
  2017-04-13 13:49       ` Eric Sandeen
  0 siblings, 2 replies; 13+ messages in thread
From: Jan Tulak @ 2017-04-13 12:29 UTC (permalink / raw)
  To: Brian Foster; +Cc: linux-xfs

On Thu, Apr 13, 2017 at 2:01 PM, Brian Foster <bfoster@redhat.com> wrote:
> On Thu, Apr 13, 2017 at 10:13:54AM +0200, Jan Tulak wrote:
>> This is something that should be documented, as it is not obvious to
>> everyone.
>>
>> Signed-off-by: Jan Tulak <jtulak@redhat.com>
>> ---
>>  man/man8/xfs_metadump.8 | 6 ++++++
>>  1 file changed, 6 insertions(+)
>>
>> diff --git a/man/man8/xfs_metadump.8 b/man/man8/xfs_metadump.8
>> index 3731d6a..1b40fb8 100644
>> --- a/man/man8/xfs_metadump.8
>> +++ b/man/man8/xfs_metadump.8
>> @@ -59,6 +59,12 @@ options where
>>  are not obfuscated. Names between 5 and 8 characters in length inclusively
>>  are partially obfuscated.
>>  .PP
>> +Log recovery of an obfuscated metadata image can leak
>> +unobfuscated metadata and/or cause image corruption. Please mount
>> +the source filesystem to clean the log or disable obfuscation, if possible.
>> +If you have to obfuscate an image with a dirty log, tell about it to whoever
>> +you are sending the image to.
>> +.PP
>
> We might want the man page content to be a bit more descriptive than
> what xfs_metadump actually emits for a warning. For example:
>
> "xfs_metadump does not obfuscate data in the filesystem log. Log
> recovery of an obfuscated metadump image may expose unobfuscated
> metadata and/or cause filesystem corruption. It is recommended to
> disable obfuscation for filesystems that must be captured with a dirty
> log."
>
> ... but that's just my .02. Feel free to reword that and solicit more
> feedback from others too. Another thought here could be to intimate that
> if an obfuscated+dirty log metadump image is truly required, it is the
> user responsibility to verify that the resulting image has not been
> corrupted by the metadump process and does not contain sensitive
> metadata (as opposed to telling the user to simply tell the recipient of
> the image about it).
>

Sounds reasonable, so how about these two paragraphs?

> "xfs_metadump does not obfuscate data in the filesystem log. Log
> recovery of an obfuscated metadump image may expose unobfuscated
> metadata and/or cause filesystem corruption. It is recommended to
> disable obfuscation for filesystems that must be captured with a dirty
> log.

If it is necessary to use obfuscation for any reason and the source fileystem
can't be mounted to clean the log, the resulting image should be tested for
any corruption caused by metadump process and any sensitive information
in the log and the recipient of the image informed about the result."

Cheers,
Jan

-- 
Jan Tulak
jtulak@redhat.com / jan@tulak.me

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [PATCH 2/2] xfsprogs: update man for metadump about dirty log/obfuscation issue
  2017-04-13 12:29     ` Jan Tulak
@ 2017-04-13 13:04       ` Brian Foster
  2017-04-13 13:49       ` Eric Sandeen
  1 sibling, 0 replies; 13+ messages in thread
From: Brian Foster @ 2017-04-13 13:04 UTC (permalink / raw)
  To: Jan Tulak; +Cc: linux-xfs

On Thu, Apr 13, 2017 at 02:29:34PM +0200, Jan Tulak wrote:
> On Thu, Apr 13, 2017 at 2:01 PM, Brian Foster <bfoster@redhat.com> wrote:
> > On Thu, Apr 13, 2017 at 10:13:54AM +0200, Jan Tulak wrote:
> >> This is something that should be documented, as it is not obvious to
> >> everyone.
> >>
> >> Signed-off-by: Jan Tulak <jtulak@redhat.com>
> >> ---
> >>  man/man8/xfs_metadump.8 | 6 ++++++
> >>  1 file changed, 6 insertions(+)
> >>
> >> diff --git a/man/man8/xfs_metadump.8 b/man/man8/xfs_metadump.8
> >> index 3731d6a..1b40fb8 100644
> >> --- a/man/man8/xfs_metadump.8
> >> +++ b/man/man8/xfs_metadump.8
> >> @@ -59,6 +59,12 @@ options where
> >>  are not obfuscated. Names between 5 and 8 characters in length inclusively
> >>  are partially obfuscated.
> >>  .PP
> >> +Log recovery of an obfuscated metadata image can leak
> >> +unobfuscated metadata and/or cause image corruption. Please mount
> >> +the source filesystem to clean the log or disable obfuscation, if possible.
> >> +If you have to obfuscate an image with a dirty log, tell about it to whoever
> >> +you are sending the image to.
> >> +.PP
> >
> > We might want the man page content to be a bit more descriptive than
> > what xfs_metadump actually emits for a warning. For example:
> >
> > "xfs_metadump does not obfuscate data in the filesystem log. Log
> > recovery of an obfuscated metadump image may expose unobfuscated
> > metadata and/or cause filesystem corruption. It is recommended to
> > disable obfuscation for filesystems that must be captured with a dirty
> > log."
> >
> > ... but that's just my .02. Feel free to reword that and solicit more
> > feedback from others too. Another thought here could be to intimate that
> > if an obfuscated+dirty log metadump image is truly required, it is the
> > user responsibility to verify that the resulting image has not been
> > corrupted by the metadump process and does not contain sensitive
> > metadata (as opposed to telling the user to simply tell the recipient of
> > the image about it).
> >
> 
> Sounds reasonable, so how about these two paragraphs?
> 
> > "xfs_metadump does not obfuscate data in the filesystem log. Log
> > recovery of an obfuscated metadump image may expose unobfuscated
> > metadata and/or cause filesystem corruption. It is recommended to
> > disable obfuscation for filesystems that must be captured with a dirty
> > log.
> 
> If it is necessary to use obfuscation for any reason and the source fileystem
> can't be mounted to clean the log, the resulting image should be tested for
> any corruption caused by metadump process and any sensitive information
> in the log and the recipient of the image informed about the result."
> 

You might want to give Eric/Darrick some time to provide feedback before
sending out a new version, but otherwise that works for me. Thanks!

Brian

> Cheers,
> Jan
> 
> -- 
> Jan Tulak
> jtulak@redhat.com / jan@tulak.me
> --
> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [PATCH 2/2] xfsprogs: update man for metadump about dirty log/obfuscation issue
  2017-04-13 12:29     ` Jan Tulak
  2017-04-13 13:04       ` Brian Foster
@ 2017-04-13 13:49       ` Eric Sandeen
  2017-04-13 15:50         ` Darrick J. Wong
  1 sibling, 1 reply; 13+ messages in thread
From: Eric Sandeen @ 2017-04-13 13:49 UTC (permalink / raw)
  To: Jan Tulak, Brian Foster; +Cc: linux-xfs

On 4/13/17 7:29 AM, Jan Tulak wrote:
> On Thu, Apr 13, 2017 at 2:01 PM, Brian Foster <bfoster@redhat.com> wrote:
>> On Thu, Apr 13, 2017 at 10:13:54AM +0200, Jan Tulak wrote:
>>> This is something that should be documented, as it is not obvious to
>>> everyone.
>>>
>>> Signed-off-by: Jan Tulak <jtulak@redhat.com>
>>> ---
>>>  man/man8/xfs_metadump.8 | 6 ++++++
>>>  1 file changed, 6 insertions(+)
>>>
>>> diff --git a/man/man8/xfs_metadump.8 b/man/man8/xfs_metadump.8
>>> index 3731d6a..1b40fb8 100644
>>> --- a/man/man8/xfs_metadump.8
>>> +++ b/man/man8/xfs_metadump.8
>>> @@ -59,6 +59,12 @@ options where
>>>  are not obfuscated. Names between 5 and 8 characters in length inclusively
>>>  are partially obfuscated.
>>>  .PP
>>> +Log recovery of an obfuscated metadata image can leak
>>> +unobfuscated metadata and/or cause image corruption. Please mount
>>> +the source filesystem to clean the log or disable obfuscation, if possible.
>>> +If you have to obfuscate an image with a dirty log, tell about it to whoever
>>> +you are sending the image to.
>>> +.PP
>>
>> We might want the man page content to be a bit more descriptive than
>> what xfs_metadump actually emits for a warning. For example:
>>
>> "xfs_metadump does not obfuscate data in the filesystem log. Log
>> recovery of an obfuscated metadump image may expose unobfuscated
>> metadata and/or cause filesystem corruption. It is recommended to
>> disable obfuscation for filesystems that must be captured with a dirty
>> log."
>>
>> ... but that's just my .02. Feel free to reword that and solicit more
>> feedback from others too. Another thought here could be to intimate that
>> if an obfuscated+dirty log metadump image is truly required, it is the
>> user responsibility to verify that the resulting image has not been
>> corrupted by the metadump process and does not contain sensitive
>> metadata (as opposed to telling the user to simply tell the recipient of
>> the image about it).
>>
> 
> Sounds reasonable, so how about these two paragraphs?
> 
>> "xfs_metadump does not obfuscate data

metadata

>> in the filesystem log. Log
>> recovery of an obfuscated metadump image may expose unobfuscated
>> metadata and/or cause filesystem corruption.

I would add "in the restored image." so that it does not sound like
damage to the original filesystem could result.

> It is recommended to
>> disable obfuscation for filesystems that must be captured with a dirty
>> log.
> 
> If it is necessary to use obfuscation for any reason

drop "for any reason" - just makes this long text longer...

> and the source fileystem
> can't be mounted to clean the log, the resulting image should be tested for
> any corruption caused by metadump process and any sensitive information
> in the log and the recipient of the image informed about the result."

The end-user running metadump may not have the expertise to "test the resulting
image for any corruption ..."  - they're probably just following some support
person's instructions to "run this command..."  How about this:

---

xfs_metadump cannot obfuscate metadata in the filesystem log.  Log
recovery of an obfuscated metadump image may expose clear-text
metadata and/or cause filesystem corruption in the restored image.
It is recommended that the source filesystem be mounted and unmounted
first if possible, to produce a metadump with a clean log.

If a metadump must be produced from a filesystem with a dirty log,
it is recommended that obfuscation be turned off with -o option, if
metadata such as filenames is not considered sensitive.  If obfuscation
is required on a metadump with a dirty log, please inform the recipient
of the metadump image about this situation.
---

-Eric

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [PATCH 2/2] xfsprogs: update man for metadump about dirty log/obfuscation issue
  2017-04-13 13:49       ` Eric Sandeen
@ 2017-04-13 15:50         ` Darrick J. Wong
  2017-04-13 17:01           ` Eric Sandeen
  0 siblings, 1 reply; 13+ messages in thread
From: Darrick J. Wong @ 2017-04-13 15:50 UTC (permalink / raw)
  To: Eric Sandeen; +Cc: Jan Tulak, Brian Foster, linux-xfs

On Thu, Apr 13, 2017 at 08:49:52AM -0500, Eric Sandeen wrote:
> On 4/13/17 7:29 AM, Jan Tulak wrote:
> > On Thu, Apr 13, 2017 at 2:01 PM, Brian Foster <bfoster@redhat.com> wrote:
> >> On Thu, Apr 13, 2017 at 10:13:54AM +0200, Jan Tulak wrote:
> >>> This is something that should be documented, as it is not obvious to
> >>> everyone.
> >>>
> >>> Signed-off-by: Jan Tulak <jtulak@redhat.com>
> >>> ---
> >>>  man/man8/xfs_metadump.8 | 6 ++++++
> >>>  1 file changed, 6 insertions(+)
> >>>
> >>> diff --git a/man/man8/xfs_metadump.8 b/man/man8/xfs_metadump.8
> >>> index 3731d6a..1b40fb8 100644
> >>> --- a/man/man8/xfs_metadump.8
> >>> +++ b/man/man8/xfs_metadump.8
> >>> @@ -59,6 +59,12 @@ options where
> >>>  are not obfuscated. Names between 5 and 8 characters in length inclusively
> >>>  are partially obfuscated.
> >>>  .PP
> >>> +Log recovery of an obfuscated metadata image can leak
> >>> +unobfuscated metadata and/or cause image corruption. Please mount
> >>> +the source filesystem to clean the log or disable obfuscation, if possible.
> >>> +If you have to obfuscate an image with a dirty log, tell about it to whoever
> >>> +you are sending the image to.
> >>> +.PP
> >>
> >> We might want the man page content to be a bit more descriptive than
> >> what xfs_metadump actually emits for a warning. For example:
> >>
> >> "xfs_metadump does not obfuscate data in the filesystem log. Log
> >> recovery of an obfuscated metadump image may expose unobfuscated
> >> metadata and/or cause filesystem corruption. It is recommended to
> >> disable obfuscation for filesystems that must be captured with a dirty
> >> log."
> >>
> >> ... but that's just my .02. Feel free to reword that and solicit more
> >> feedback from others too. Another thought here could be to intimate that
> >> if an obfuscated+dirty log metadump image is truly required, it is the
> >> user responsibility to verify that the resulting image has not been
> >> corrupted by the metadump process and does not contain sensitive
> >> metadata (as opposed to telling the user to simply tell the recipient of
> >> the image about it).
> >>
> > 
> > Sounds reasonable, so how about these two paragraphs?
> > 
> >> "xfs_metadump does not obfuscate data
> 
> metadata
> 
> >> in the filesystem log. Log
> >> recovery of an obfuscated metadump image may expose unobfuscated
> >> metadata and/or cause filesystem corruption.
> 
> I would add "in the restored image." so that it does not sound like
> damage to the original filesystem could result.
> 
> > It is recommended to
> >> disable obfuscation for filesystems that must be captured with a dirty
> >> log.
> > 
> > If it is necessary to use obfuscation for any reason
> 
> drop "for any reason" - just makes this long text longer...
> 
> > and the source fileystem
> > can't be mounted to clean the log, the resulting image should be tested for
> > any corruption caused by metadump process and any sensitive information
> > in the log and the recipient of the image informed about the result."
> 
> The end-user running metadump may not have the expertise to "test the resulting
> image for any corruption ..."  - they're probably just following some support
> person's instructions to "run this command..."  How about this:

(Or they're just running some crazy hoover-up-all-the-state script that
support gave them. ;))

> ---
> 
> xfs_metadump cannot obfuscate metadata in the filesystem log.  Log
> recovery of an obfuscated metadump image may expose clear-text
> metadata and/or cause filesystem corruption in the restored image.
> It is recommended that the source filesystem be mounted and unmounted
> first if possible, to produce a metadump with a clean log.

"It is recommended that the source filesystem first be mounted and
unmounted, if possible, to ensure that the log is clean.  That way, all
metadata can be obfuscated correctly and the metadump will capture a
clean log."

...because mounting and unmounting itself does not produce metadumps. :)

> If a metadump must be produced from a filesystem with a dirty log,
> it is recommended that obfuscation be turned off with -o option, if
> metadata such as filenames is not considered sensitive.  If obfuscation
> is required on a metadump with a dirty log, please inform the recipient
> of the metadump image about this situation.

Otherwise seems fine to me.

--D

> ---
> 
> -Eric
> --
> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [PATCH 2/2] xfsprogs: update man for metadump about dirty log/obfuscation issue
  2017-04-13 15:50         ` Darrick J. Wong
@ 2017-04-13 17:01           ` Eric Sandeen
  2017-04-13 17:06             ` Darrick J. Wong
  0 siblings, 1 reply; 13+ messages in thread
From: Eric Sandeen @ 2017-04-13 17:01 UTC (permalink / raw)
  To: Darrick J. Wong; +Cc: Jan Tulak, Brian Foster, linux-xfs

On 4/13/17 10:50 AM, Darrick J. Wong wrote:
> On Thu, Apr 13, 2017 at 08:49:52AM -0500, Eric Sandeen wrote:

>> ---
>>
>> xfs_metadump cannot obfuscate metadata in the filesystem log.  Log
>> recovery of an obfuscated metadump image may expose clear-text
>> metadata and/or cause filesystem corruption in the restored image.
>> It is recommended that the source filesystem be mounted and unmounted
>> first if possible, to produce a metadump with a clean log.
> 
> "It is recommended that the source filesystem first be mounted and
> unmounted, if possible, to ensure that the log is clean.  That way, all
> metadata can be obfuscated correctly and the metadump will capture a
> clean log."
> 
> ...because mounting and unmounting itself does not produce metadumps. :)

That was the "first" bit, but "That way" is a bit colloquial IMHO.
<full_pedant_mode>

How about:

"It is recommended that the source filesystem first be mounted and
unmounted, if possible, to ensure that the log is clean.  After that
operation, all metadata will be obfuscated correctly and xfs_metadump
will capture a clean log."

-Eric

 
>> If a metadump must be produced from a filesystem with a dirty log,
>> it is recommended that obfuscation be turned off with -o option, if
>> metadata such as filenames is not considered sensitive.  If obfuscation
>> is required on a metadump with a dirty log, please inform the recipient
>> of the metadump image about this situation.
> 
> Otherwise seems fine to me.
> 
> --D
> 
>> ---
>>
>> -Eric
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [PATCH 2/2] xfsprogs: update man for metadump about dirty log/obfuscation issue
  2017-04-13 17:01           ` Eric Sandeen
@ 2017-04-13 17:06             ` Darrick J. Wong
  0 siblings, 0 replies; 13+ messages in thread
From: Darrick J. Wong @ 2017-04-13 17:06 UTC (permalink / raw)
  To: Eric Sandeen; +Cc: Jan Tulak, Brian Foster, linux-xfs

On Thu, Apr 13, 2017 at 12:01:32PM -0500, Eric Sandeen wrote:
> On 4/13/17 10:50 AM, Darrick J. Wong wrote:
> > On Thu, Apr 13, 2017 at 08:49:52AM -0500, Eric Sandeen wrote:
> 
> >> ---
> >>
> >> xfs_metadump cannot obfuscate metadata in the filesystem log.  Log
> >> recovery of an obfuscated metadump image may expose clear-text
> >> metadata and/or cause filesystem corruption in the restored image.
> >> It is recommended that the source filesystem be mounted and unmounted
> >> first if possible, to produce a metadump with a clean log.
> > 
> > "It is recommended that the source filesystem first be mounted and
> > unmounted, if possible, to ensure that the log is clean.  That way, all
> > metadata can be obfuscated correctly and the metadump will capture a
> > clean log."
> > 
> > ...because mounting and unmounting itself does not produce metadumps. :)
> 
> That was the "first" bit, but "That way" is a bit colloquial IMHO.
> <full_pedant_mode>
> 
> How about:
> 
> "It is recommended that the source filesystem first be mounted and
> unmounted, if possible, to ensure that the log is clean.  After that
> operation, all metadata will be obfuscated correctly and xfs_metadump
> will capture a clean log."

"A subsequent invocation of xfs_metadump will capture a clean log and
obfuscate all metadata correctly."

More bikeshedding! Yay! :)

--D

> 
> -Eric
> 
>  
> >> If a metadump must be produced from a filesystem with a dirty log,
> >> it is recommended that obfuscation be turned off with -o option, if
> >> metadata such as filenames is not considered sensitive.  If obfuscation
> >> is required on a metadump with a dirty log, please inform the recipient
> >> of the metadump image about this situation.
> > 
> > Otherwise seems fine to me.
> > 
> > --D
> > 
> >> ---
> >>
> >> -Eric
> >> --
> >> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> >> the body of a message to majordomo@vger.kernel.org
> >> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [PATCH 1/2] metadump: warn about corruption if log is dirty
  2017-04-13 11:54   ` Brian Foster
@ 2017-06-15  0:06     ` Eric Sandeen
  2017-06-15 11:23       ` Brian Foster
  0 siblings, 1 reply; 13+ messages in thread
From: Eric Sandeen @ 2017-06-15  0:06 UTC (permalink / raw)
  To: Brian Foster, Jan Tulak; +Cc: linux-xfs

On 4/13/17 6:54 AM, Brian Foster wrote:
> On Thu, Apr 13, 2017 at 10:13:53AM +0200, Jan Tulak wrote:
>> Add a warning about possible corruption when exporting a dirty log, as
>> the log content does not agree with obfuscated metadata.
>>
>> Signed-off-by: Jan Tulak <jtulak@redhat.com>
>> ---
>> Change: More elaborate warning message.
>> ---
>>  db/metadump.c | 4 +++-
>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/db/metadump.c b/db/metadump.c
>> index 66952f6..2dd8593 100644
>> --- a/db/metadump.c
>> +++ b/db/metadump.c
>> @@ -2726,7 +2726,9 @@ copy_log(void)
>>  		/* keep the dirty log */
>>  		if (obfuscate)
>>  			print_warning(
>> -_("Filesystem log is dirty; image will contain unobfuscated metadata in log."));
>> +_("Warning: log recovery of an obfuscated metadata image can leak "
>> +"unobfuscated metadata and/or cause image corruption. Please mount "
>> +"the source filesystem to clean the log or disable obfuscation, if possible."));
>>  		break;
> 
> Thanks Jan, just one very minor nit having read this again... could we
> put the "if possible" closer to the part about mounting the source
> image? Otherwise it reads to me that it might not be technically
> possible to disable obfuscation, which is not the case (though the user
> may not want to do that as a matter of policy). For example:
> 
> "... Please mount the source filesystem to clean the log, if possible,
> or disable obfuscation."

Hoovering up old patches ... 

To me, Jan's original is ok.  "If possible" applying to both replay and
disabling obfuscation seems reasonable, because "policy" may make it
impossible ;)  So I hate to direct the user to disable obfuscation.

"If possible, please mount the filesystem to clean the log, or disable
obfuscation."

Is that OK?  Gives the user options, and wiggle room..

-Eric

> With that tweak:
> 
> Reviewed-by: Brian Foster <bfoster@redhat.com>
> 
>>  	case -1:
>>  		/* log detection error */
>> -- 
>> 2.1.4
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> --
> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [PATCH 1/2] metadump: warn about corruption if log is dirty
  2017-06-15  0:06     ` Eric Sandeen
@ 2017-06-15 11:23       ` Brian Foster
  0 siblings, 0 replies; 13+ messages in thread
From: Brian Foster @ 2017-06-15 11:23 UTC (permalink / raw)
  To: Eric Sandeen; +Cc: Jan Tulak, linux-xfs

On Wed, Jun 14, 2017 at 07:06:52PM -0500, Eric Sandeen wrote:
> On 4/13/17 6:54 AM, Brian Foster wrote:
> > On Thu, Apr 13, 2017 at 10:13:53AM +0200, Jan Tulak wrote:
> >> Add a warning about possible corruption when exporting a dirty log, as
> >> the log content does not agree with obfuscated metadata.
> >>
> >> Signed-off-by: Jan Tulak <jtulak@redhat.com>
> >> ---
> >> Change: More elaborate warning message.
> >> ---
> >>  db/metadump.c | 4 +++-
> >>  1 file changed, 3 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/db/metadump.c b/db/metadump.c
> >> index 66952f6..2dd8593 100644
> >> --- a/db/metadump.c
> >> +++ b/db/metadump.c
> >> @@ -2726,7 +2726,9 @@ copy_log(void)
> >>  		/* keep the dirty log */
> >>  		if (obfuscate)
> >>  			print_warning(
> >> -_("Filesystem log is dirty; image will contain unobfuscated metadata in log."));
> >> +_("Warning: log recovery of an obfuscated metadata image can leak "
> >> +"unobfuscated metadata and/or cause image corruption. Please mount "
> >> +"the source filesystem to clean the log or disable obfuscation, if possible."));
> >>  		break;
> > 
> > Thanks Jan, just one very minor nit having read this again... could we
> > put the "if possible" closer to the part about mounting the source
> > image? Otherwise it reads to me that it might not be technically
> > possible to disable obfuscation, which is not the case (though the user
> > may not want to do that as a matter of policy). For example:
> > 
> > "... Please mount the source filesystem to clean the log, if possible,
> > or disable obfuscation."
> 
> Hoovering up old patches ... 
> 
> To me, Jan's original is ok.  "If possible" applying to both replay and
> disabling obfuscation seems reasonable, because "policy" may make it
> impossible ;)  So I hate to direct the user to disable obfuscation.
> 
> "If possible, please mount the filesystem to clean the log, or disable
> obfuscation."
> 
> Is that OK?  Gives the user options, and wiggle room..
> 

Sounds good to me, thanks!

Brian

> -Eric
> 
> > With that tweak:
> > 
> > Reviewed-by: Brian Foster <bfoster@redhat.com>
> > 
> >>  	case -1:
> >>  		/* log detection error */
> >> -- 
> >> 2.1.4
> >>
> >> --
> >> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> >> the body of a message to majordomo@vger.kernel.org
> >> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 13+ messages in thread

end of thread, other threads:[~2017-06-15 11:23 UTC | newest]

Thread overview: 13+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-04-13  8:13 [PATCH 0/2 v2] xfsprogs: metadump warns about dirty journal Jan Tulak
2017-04-13  8:13 ` [PATCH 1/2] metadump: warn about corruption if log is dirty Jan Tulak
2017-04-13 11:54   ` Brian Foster
2017-06-15  0:06     ` Eric Sandeen
2017-06-15 11:23       ` Brian Foster
2017-04-13  8:13 ` [PATCH 2/2] xfsprogs: update man for metadump about dirty log/obfuscation issue Jan Tulak
2017-04-13 12:01   ` Brian Foster
2017-04-13 12:29     ` Jan Tulak
2017-04-13 13:04       ` Brian Foster
2017-04-13 13:49       ` Eric Sandeen
2017-04-13 15:50         ` Darrick J. Wong
2017-04-13 17:01           ` Eric Sandeen
2017-04-13 17:06             ` Darrick J. Wong

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).