Merge into main : fix-unsafe-mount-iso-loopback : lp:~crass/casper : Git : Code : Casper

Reviewer	Review Type	Date Requested	Status
Dimitri John Ledkov			Needs Information on 2024-01-18
Steve Langasek		2023-10-08	Needs Information on 2023-12-04
Canonical Hardware Enablement	hwe	2024-01-18	Pending
Review via email: mp+453083@code.launchpad.net

Revision history for this message

Steve Langasek (vorlon) wrote on 2023-12-04:

#

Thanks for this proposal. As this is a substantive change, I would like to see a bug opened against https://bugs.launchpad.net/ubuntu/+source/casper before accepting it, so that we ensure we have a way to track discussion/feedback from users in the future.

A few thoughts:
- Ubuntu does not support hibernation anymore, for various reasons; TL;DR: the usability of it is sufficiently poor, and the power savings advantage sufficiently limited versus suspend on modern systems, that it was not worth carrying on. I don't know what other Linux distributions do with respect to hibernation support these days, but if the situation is similar, then I think this is an uncommon use case.
- This patch changes the default behavior of casper when loading images from nearly all supported writable filesystems. I'm not sure we should change the default. It is *safer*, but it reduces usability for most of our users (again, a hibernated Ubuntu filesystem is uncommon; booting a livefs on a system that's hibernated is even more uncommon). This is partly why I think we should have a bug report attached to this discussion.
- The mount manpage mentions using '-o ro,noload' with ext3 and ext4 filesystems to let it be mounted without the journal being replayed. Wouldn't this be a robust solution that doesn't require refusing to load from ext3/ext4 filesystems by default?
- This is only an issue when the user boots a casper-based system *specifically pointing it* at an image which is located on a journalling filesystem that has a dirty journal because it was mounted by a Linux system that has been hibernated and will be confused by a journal replay happening behind its back. So uh seriously, who does that and why?

Reply

Revision history for this message

Steve Langasek (vorlon) wrote on 2023-12-04:

#

Oh, sorry, I just noticed that this is linked to LP: #1117665. Will take a look there.

Reply

Revision history for this message

Steve Langasek (vorlon) wrote on 2023-12-04:

#

Ok looking at that bug report, I see that it says:

> When a hibernated windows partition exists the ntfs3g mounter will refuse to mount the partition in
> read/write mode and returns an error. This will cause the search script to die and the boot process to
> stop, bringing the system to a debugging shell in the initrd.

But it's straightforward to just mount the filesystem read-only instead, and you're using a much bigger hammer here to disallow even ATTEMPTING to mount the filesystem by default. And the net result is not a better user experience for the user vs what is described in that bug report, because you say the ntfs3g filesystem fails to mount and thus blocks the boot - which is the same result as when casper refuses to try to mount it at all.

I see that you point out that casper actually scans filesystems to find the image, so it's not a matter of having wrongly told casper to look at a SPECIFIC device that has a dirty journal. Nevertheless, the bug report does not support the changes proposed here.

Reply

Revision history for this message

Steve Langasek (vorlon) on 2023-12-04:

#

review: Needs Information

Reply

Revision history for this message

Glenn Washburn (crass) wrote on 2024-01-18:

#

> Thanks for this proposal. As this is a substantive change, I would like to
> see a bug opened against https://bugs.launchpad.net/ubuntu/+source/casper
> before accepting it, so that we ensure we have a way to track
> discussion/feedback from users in the future.
>
> A few thoughts:
> - Ubuntu does not support hibernation anymore, for various reasons; TL;DR: the
> usability of it is sufficiently poor, and the power savings advantage
> sufficiently limited versus suspend on modern systems, that it was not worth
> carrying on. I don't know what other Linux distributions do with respect to
> hibernation support these days, but if the situation is similar, then I think
> this is an uncommon use case.

Yes, I imagine it is. And I shouldn't need to point out that users with uncommon setups are no less deserving of data loss protection.

> - This patch changes the default behavior of casper when loading images from
> nearly all supported writable filesystems. I'm not sure we should change the
> default. It is *safer*, but it reduces usability for most of our users
> (again, a hibernated Ubuntu filesystem is uncommon; booting a livefs on a
> system that's hibernated is even more uncommon). This is partly why I think
> we should have a bug report attached to this discussion.

This is reasonable. So you want a bug report that it explicit about the data loss scenario, correct?

> - The mount manpage mentions using '-o ro,noload' with ext3 and ext4
> filesystems to let it be mounted without the journal being replayed. Wouldn't
> this be a robust solution that doesn't require refusing to load from ext3/ext4
> filesystems by default?

For these filesystems, it might be a robust solution. Personally, I would feel uneasy about it. I'd rather a better guarantee that nothing gets written to the filesystem. For instance, that may still write to the superblock and I don't know if that will corrupt the resume process. I also don't like this because its not general. What about XFS and BTRFS?

> - This is only an issue when the user boots a casper-based system
> *specifically pointing it* at an image which is located on a journalling
> filesystem that has a dirty journal because it was mounted by a Linux system
> that has been hibernated and will be confused by a journal replay happening
> behind its back. So uh seriously, who does that and why?

I think you addressed this in a later comment.

> Thanks for this proposal.  As this is a substantive change, I would like to
> see a bug opened against https://bugs.launchpad.net/ubuntu/+source/casper
> before accepting it, so that we ensure we have a way to track
> discussion/feedback from users in the future.
> 
> A few thoughts:
> - Ubuntu does not support hibernation anymore, for various reasons; TL;DR: the
> usability of it is sufficiently poor, and the power savings advantage
> sufficiently limited versus suspend on modern systems, that it was not worth
> carrying on.  I don't know what other Linux distributions do with respect to
> hibernation support these days, but if the situation is similar, then I think
> this is an uncommon use case.

Yes, I imagine it is. And I shouldn't need to point out that users with uncommon setups are no less deserving of data loss protection.

> - This patch changes the default behavior of casper when loading images from
> nearly all supported writable filesystems.  I'm not sure we should change the
> default.  It is *safer*, but it reduces usability for most of our users
> (again, a hibernated Ubuntu filesystem is uncommon; booting a livefs on a
> system that's hibernated is even more uncommon).  This is partly why I think
> we should have a bug report attached to this discussion.

This is reasonable. So you want a bug report that it explicit about the data loss scenario, correct?

> - The mount manpage mentions using '-o ro,noload' with ext3 and ext4
> filesystems to let it be mounted without the journal being replayed.  Wouldn't
> this be a robust solution that doesn't require refusing to load from ext3/ext4
> filesystems by default?

For these filesystems, it might be a robust solution. Personally, I would feel uneasy about it. I'd rather a better guarantee that nothing gets written to the filesystem. For instance, that may still write to the superblock and I don't know if that will corrupt the resume process. I also don't like this because its not general. What about XFS and BTRFS?

> - This is only an issue when the user boots a casper-based system
> *specifically pointing it* at an image which is located on a journalling
> filesystem that has a dirty journal because it was mounted by a Linux system
> that has been hibernated and will be confused by a journal replay happening
> behind its back.  So uh seriously, who does that and why?

I think you addressed this in a later comment.

Reply

Revision history for this message

Glenn Washburn (crass) wrote on 2024-01-18:

#

Download full text (6.1 KiB)

> Ok looking at that bug report, I see that it says:
>
> > When a hibernated windows partition exists the ntfs3g mounter will refuse to
> mount the partition in
> > read/write mode and returns an error. This will cause the search script to
> die and the boot process to
> > stop, bringing the system to a debugging shell in the initrd.
>
> But it's straightforward to just mount the filesystem read-only instead, and

Yes, more straight forward for NTFS, but not general. Are you suggesting have special logic for NTFS?

You appear to understand that replaying a journal of on a hibernated filesystem will corrupt the resume. I'm not sure if ntfs3g replays the journal when mounting in readonly, but the kernel does for ext3/4. I believe I've seen BTRFS fail to mount on readonly block devices, so I think there's a similar problem there. And I'm unsure of XFS, but let's error on the safe side. This appears to be why the allowed filesystems for the persistent storage file are limited to FAT[1] (though it could and should be opened to more filesystems).

As you'll note, the merge description does not mention the scenario of the linked bug report, which is not a data loss scenario. That was intentional. The bug was linked only because it is also fixed by these changes. The primary intent of these changes is to fix the data loss issue.

> you're using a much bigger hammer here to disallow even ATTEMPTING to mount
> the filesystem by default.

Yes, that is intentional for safety reasons. Its more important to err on the side of not allowing ISOs on some filesystems by default, than to risk data-loss from a corrupted hibernation image.

Now, there are techniques that will allow the mounting of any filesystem read/write without writing any data to the physical block device. But that requires more complexity (and additional kernel modules) and because of that I figured it would be harder to be accepted. Another option that is simpler but I'm more wary of is setting the block device itself to readonly (blockdev --setro). Care would need to be taken that block devices can not be used before being set to readonly. And code would need to be added to remove the readonly status for the persistent storage block device (maybe others). This solution is simpler and I think strikes a good trade-off of by default more limited functionality for avoidance of data loss, with the option to go back to the old behavior if really needed.

> And the net result is not a better user experience
> for the user vs what is described in that bug report, because you say the
> ntfs3g filesystem fails to mount and thus blocks the boot - which is the same
> result as when casper refuses to try to mount it at all.

Your statement is only true _if_ the ISO is on the hibernated NTFS filesystem. Using ISOs on hibernated filesystems are not supported with this patch. As noted above, the more complex solution that allows file access on hibernated filesystems without writing to them would allow this to be supported. But this is not that important to me personally.

A more common case is that the ISO will be on a non-journalled filesystem (eg. FAT). Currently, this would still be a problem when t...

> Ok looking at that bug report, I see that it says:
> 
> > When a hibernated windows partition exists the ntfs3g mounter will refuse to
> mount the partition in
> > read/write mode and returns an error. This will cause the search script to
> die and the boot process to
> > stop, bringing the system to a debugging shell in the initrd.
> 
> But it's straightforward to just mount the filesystem read-only instead, and

Yes, more straight forward for NTFS, but not general. Are you suggesting have special logic for NTFS?

You appear to understand that replaying a journal of on a hibernated filesystem will corrupt the resume. I'm not sure if ntfs3g replays the journal when mounting in readonly, but the kernel does for ext3/4. I believe I've seen BTRFS fail to mount on readonly block devices, so I think there's a similar problem there. And I'm unsure of XFS, but let's error on the safe side. This appears to be why the allowed filesystems for the persistent storage file are limited to FAT[1] (though it could and should be opened to more filesystems).

As you'll note, the merge description does not mention the scenario of the linked bug report, which is not a data loss scenario. That was intentional. The bug was linked only because it is also fixed by these changes. The primary intent of these changes is to fix the data loss issue.

> you're using a much bigger hammer here to disallow even ATTEMPTING to mount
> the filesystem by default.

Yes, that is intentional for safety reasons. Its more important to err on the side of not allowing ISOs on some filesystems by default, than to risk data-loss from a corrupted hibernation image.

Now, there are techniques that will allow the mounting of any filesystem read/write without writing any data to the physical block device. But that requires more complexity (and additional kernel modules) and because of that I figured it would be harder to be accepted. Another option that is simpler but I'm more wary of is setting the block device itself to readonly (blockdev --setro). Care would need to be taken that block devices can not be used before being set to readonly. And code would need to be added to remove the readonly status for the persistent storage block device (maybe others). This solution is simpler and I think strikes a good trade-off of by default more limited functionality for avoidance of data loss, with the option to go back to the old behavior if really needed.

>  And the net result is not a better user experience
> for the user vs what is described in that bug report, because you say the
> ntfs3g filesystem fails to mount and thus blocks the boot - which is the same
> result as when casper refuses to try to mount it at all.

Your statement is only true _if_ the ISO is on the hibernated NTFS filesystem. Using ISOs on hibernated filesystems are not supported with this patch. As noted above, the more complex solution that allows file access on hibernated filesystems without writing to them would allow this to be supported. But this is not that important to me personally.

A more common case is that the ISO will be on a non-journalled filesystem (eg. FAT). Currently, this would still be a problem when there also exists a hibernated journalled filesystem (eg. EXT4 mounted while hibernated). The EXT4 filesystem could be mounted by the iso scan, which may corrupt the hibernation image. With the changes, by default in that situation, the EXT4 filesystem will be skipped instead of mounted, and the ISO will be found on the FAT filesystem. In that case, the improved user experience is no data loss from a corrupted hibernation image.

This also fixes the linked bug's scenario. The typical scenario is the user of windows wants to check out Ubuntu, but is non-commital. So they create a supergrub disk, download the Ubuntu ISO to that usb drive, hibernate windows, and boot into the ISO from supergrub disk. As the linked bug explains, currently the boot of the ISO can go haywire, but with these changes things work fine.

> I see that you point out that casper actually scans filesystems to find the
> image, so it's not a matter of having wrongly told casper to look at a
> SPECIFIC device that has a dirty journal.  Nevertheless, the bug report does
> not support the changes proposed here.

I take you to mean that the linked bug report is for a much narrower issue than what these changes address. This is true. I added the linked bug report to merely show an issue that these changes resolve, not to carry the full weight of supporting these changes. I had no way of knowing that you'd add the requirement of a bug report. So, as asked in response to your initial comment, are you wanting me to create a bug report for the data loss scenario? Since you have a better idea of what you're looking for in the bug report, perhaps it would be easier if you create and link it.

This merge is for a general issue with data-loss from hibernation image corruption. The linked bug report happens to not cause the hibernation image corruption because the ntfs3g mounter does not allow a hibernated NTFS filsystem to be mounted read-write (not sure about readonly), but the linux kernel has no such issues (for other filesystems, I'm unsure about the NTFS kernel driver). So the user lucks out there. If the hibernation image was on EXT4, the user is not so lucky. So, yes, these changes fix a broader class of issues than just that specific scenario in the linked bug report, though the linked bug is fixed as well.

I can see how the linked bug report fails to make clear the data loss potential. However, this merge proposal does, and I'm a little disappointed in and uneasy about the cavalier attitude to data loss, especially when I'm providing a free fix. I hope this is not representative of how Ubuntu treats data loss bugs in "uncommon" situations.

I wonder how many users trying out the Ubuntu livecd over the years have had data-loss and corruption, but they just didn't connect it with the livecd. Or if they did, couldn't be bothered to create a launchpad account and submit a bug, a non-trivial amount of time for someone who might be new to Ubuntu.

[1] https://git.launchpad.net/casper/tree/scripts/casper-helpers#n221

Reply

Revision history for this message

Glenn Washburn (crass) wrote on 2024-01-18:

#

The newly linked bug #41624 is a good read on the issue. In comment #19, Collin Watson mentions that the bug "definitely also affects iso-scan", which is what this merge fixes.

[1] https://bugs.launchpad.net/ubuntu/+source/partman-basicfilesystems/+bug/41624/comments/19

Reply

Revision history for this message

Glenn Washburn (crass) wrote on 2024-01-18:

#

In bug #230703 comment #7[1], Collin Watson says in response to a comment about this data loss bug in lupin "yes, it is a real problem elsewhere, and I'm pretty sure there are bugs about it. That doesn't justify introducing the same bug here, in a much more widely used case. Far more people use the Ubuntu live CD than the other cases you mentioned, and it is extremely important that it not trash the system by default."

He goes on to say "Hibernating and booting a live CD is a much more plausible real-world scenario than either hibernating and performing a USB stick installation or hibernating and performing a Wubi installation."

And then "This change should be reverted, and a comment should be added above the code in question to indicate that it must not be modified to include any filesystem type that might be able to mount a journalled filesystem, so that we don't forget this in future."

Seems like he considered this a serious issue over 15 years ago...

[1] https://bugs.launchpad.net/ubuntu/+source/casper/+bug/230703/comments/7

Reply

Revision history for this message

Dimitri John Ledkov (xnox) wrote on 2024-01-18:

#

I am not too sure, but I am suspecting this may affect or break factory provisioning and OEM recovery.

review: Needs Information

Reply

Revision history for this message

Steve Langasek (vorlon) wrote on 2024-01-18:

#

On Thu, Jan 18, 2024 at 04:15:02AM -0000, Glenn Washburn wrote:
> Seems like he considered this a serious issue over 15 years ago...

15 years ago, hibernation was much more common and suspending to RAM
consumed a lot more power.

15 years ago, the current behavior was not the status quo that people have
come to rely on and there was no significant risk of regression as a result
of a categorical revert.

I have asked that you open a bug report where this can be discussed. Merge
proposals are inadequate for the level of nuanced discussion required here.

Reply

Revision history for this message

Glenn Washburn (crass) wrote on 2024-02-01:

#

I've created and added bug #2051898. I had previously asked for clarification on what you wanted in the bug, so I hope its what you had in mind.

Reply

 diff --git a/scripts/casper b/scripts/casper
 index 36a724d..ee978fd 100644
 --- a/scripts/casper
 +++ b/scripts/casper
@@ -40,6 +40,8 @@ parse_cmdline() {
                  export PERSISTENT="" NOPERSISTENT="Yes" ;;
              persistent-path=*)
                  export PERSISTENT_PATH="${x#persistent-path=}" ;;
++            unsafe-mount)
++                export UNSAFE_MOUNT='Yes' ;;
              ip=*)
                  STATICIP=${x#ip=}
                  if [ "${STATICIP}" = "" ]; then
 diff --git a/scripts/casper-helpers b/scripts/casper-helpers
 index 584dac2..926bdac 100644
 --- a/scripts/casper-helpers
 +++ b/scripts/casper-helpers
@@ -350,9 +350,24 @@ find_files()
  is_supported_fs(){
      [ -z "${1}" ] && return 1
      case ${1} in
--        ext2|ext3|ext4|xfs|jfs|reiserfs|vfat|ntfs|iso9660|btrfs|udf)
++        # Do not add any filesystem types here that might be able to
++        # mount a journalled filesystem and replay the journal. Doing so
++        # will cause data loss when a live CD is booted on a system
++        # where filesystems are in use by hibernated operating systems.
++        ext2|vfat|iso9660|udf)
              return 0
              ;;
++        ext3|ext4|xfs|jfs|reiserfs|ntfs|btrfs)
++            # These filesystems are journalled filesystem and so are not safe
++            # to mount, which will replay the journal, when they have been
++            # mounted on a previously hibernated system. Doing this can cause
++            # hibernation resume to fail and thus data loss to occur. Allow
++            # this to be overridden by the user when they know for sure the
++            # journalled filesystem is not part of a hibernation image.
++            if [ -n ${UNSAFE_MOUNT} ]; then
++                return 0
++            fi
++            ;;
      esac
      return 1
+ }

Casper

Merge ~crass/casper:fix-unsafe-mount-iso-loopback into casper:main

Commit message

Description of the change

Unmerged commits

Preview Diff

Subscribers