UFS Crash and directories now missing

> Hi folks,
>
> We had a server crash and required a hard reboot. The system is on one
> disk and another disc mounts /usr/jails and everything runs in jails,
> pristine base system, and the base system is working perfectly.
>
> The second volume, the one with the jails mounted but every jail
> directory disappeared except one. df still shows the data being used
> so I'm guessing it's a logical error in the directory structure or
> something. I unmounted the drive and ran fsck and reported no
> problems. df shows the data being use so where is the data??
>

> On Fri, Apr 27, 2012 at 7:52 PM, Alejandro Imass <[hidden email]> wrote:
> >
> > We had a server crash and required a hard reboot. The system is on one
> > disk and another disc mounts /usr/jails and everything runs in jails,
> > pristine base system, and the base system is working perfectly.
> >
> > The second volume, the one with the jails mounted but every jail
> > directory disappeared except one. df still shows the data being used
> > so I'm guessing it's a logical error in the directory structure or
> > something. I unmounted the drive and ran fsck and reported no
> > problems. df shows the data being use so where is the data??
> >

> Hi,
>
> On Saturday 28 April 2012 09:33:47 Alejandro Imass wrote:
>> On Fri, Apr 27, 2012 at 7:52 PM, Alejandro Imass <[hidden email]> wrote:
>> >
>> > We had a server crash and required a hard reboot. The system is on one
>> > disk and another disc mounts /usr/jails and everything runs in jails,
>> > pristine base system, and the base system is working perfectly.
>> >
>> > The second volume, the one with the jails mounted but every jail
>> > directory disappeared except one. df still shows the data being used
>> > so I'm guessing it's a logical error in the directory structure or
>> > something. I unmounted the drive and ran fsck and reported no
>> > problems. df shows the data being use so where is the data??
>> >
>
> what is du saying?
>>
>> OK, so here is an update, maybe someone has some clue here....
>>
>> All the jails wound up in the /usr/local/etc/apache22 of the only
>> surviving jail which is the http proxy to all the other jails.
>
> You want to say that all the data you were looking for have been moved to this directory?
>>

>> Right before the server crashed I noticed MySQL at 100% o several CPUs
>> and the server was on it's knees, so I'm wondering.... was this an
>> attack? is it possible that Apache or MySQL moved the files??
>>
>> I mean the jails are there, I'm even backing them up right now.... but
>> how did these directories move here?????
>>
>> Anybody has ANY logical explanation???
>
> Journaling is new to me. Could this be the cause?
>

>
> All the jails wound up in the /usr/local/etc/apache22 of the only
> surviving jail which is the http proxy to all the other jails.
>
> Right before the server crashed I noticed MySQL at 100% o several CPUs
> and the server was on it's knees, so I'm wondering.... was this an
> attack? is it possible that Apache or MySQL moved the files??
>
> I mean the jails are there, I'm even backing them up right now.... but
> how did these directories move here?????
>
> Anybody has ANY logical explanation???
>

>>
>> All the jails wound up in the /usr/local/etc/apache22 of the only
>> surviving jail which is the http proxy to all the other jails.
>>
>> Right before the server crashed I noticed MySQL at 100% o several CPUs
>> and the server was on it's knees, so I'm wondering.... was this an
>> attack? is it possible that Apache or MySQL moved the files??
>>
>> I mean the jails are there, I'm even backing them up right now.... but
>> how did these directories move here?????
>>
>> Anybody has ANY logical explanation???
>>
> 99% - someone did moved them.
> 1% - hardware problem possibly memory. without this there is no way for
> directory to be "accidentally" moved

>> I somewhat agree, but it wasn't a person. I am the only administrator,
>> the only one with root access. The jails were effectively moved to the
>> /usr/local/etc/apache22 of the single that survived at the top level.
>> I'm thinking something between mount, EzJail, the journal and the way
>> MySQL created a great deal of head contention, so something must have
>> gotten corrupted at the directory level like you state, but the
>> strange part is no _data_ corruption as such, because I was able to
>> physically archive the jails, move them to the correct directory and
>
>
> no matter what you do FreeBSD DOES NOT ramdomly move directories. if you are
> sure you didn't move it yourself then it must be machine hardware problem
> but still unlikely.

> On Sat, Apr 28, 2012 at 3:22 AM, Wojciech Puchar
> <[hidden email]> wrote:
> >> I somewhat agree, but it wasn't a person. I am the only administrator,
> >> the only one with root access. The jails were effectively moved to the
> >> /usr/local/etc/apache22 of the single that survived at the top level.
> >> I'm thinking something between mount, EzJail, the journal and the way
> >> MySQL created a great deal of head contention, so something must have
> >> gotten corrupted at the directory level like you state, but the
> >> strange part is no _data_ corruption as such, because I was able to
> >> physically archive the jails, move them to the correct directory and
> >
> >
> > no matter what you do FreeBSD DOES NOT ramdomly move directories. if you are
> > sure you didn't move it yourself then it must be machine hardware problem
> > but still unlikely.
>
> After a little more research, ___it it NOT unlikely at all___ that
> under high distress and a hard boot, UFS could have somehow corrupted
> the directory structure, whilst maintaining the data intact.

>
>  Alejandro Imass <[hidden email]> wrote:
>> On Sat, Apr 28, 2012 at 3:22 AM, Wojciech Puchar
>> <[hidden email]> wrote:
>> >> I somewhat agree, but it wasn't a person. I am the only administrator,
>> >> the only one with root access. The jails were effectively moved to the
>> >> /usr/local/etc/apache22 of the single that survived at the top level.
>> >> I'm thinking something between mount, EzJail, the journal and the way
>> >> MySQL created a great deal of head contention, so something must have
>> >> gotten corrupted at the directory level like you state, but the
>> >> strange part is no _data_ corruption as such, because I was able to
>> >> physically archive the jails, move them to the correct directory and
>> >
>> >
>> > no matter what you do FreeBSD DOES NOT ramdomly move directories. if you are
>> > sure you didn't move it yourself then it must be machine hardware problem
>> > but still unlikely.
>>
>> After a little more research, ___it it NOT unlikely at all___ that
>> under high distress and a hard boot, UFS could have somehow corrupted
>> the directory structure, whilst maintaining the data intact.
>
> This is techically accurate, *BUT* the specifics of the quote "corruption"
> unquote in the case under discussion make it *EXTREMELY* unlikely that this
> is what happened.
>
> 99.99+++% of all UFS filesystem "corruption' issues are the result of a
> system crash _between_ the time cached 'meta-data' is updated in memory
> and that data is flushed to disk (a deferred write).
>
> The second most common (and vanishingly rare) failure mode is a powerfail
> _as_ a sector of disk is being written -- resulting in 'garbage data'
> being written to disk.
>
> The next possibility is 'cosmic rays'.  If running on 'cheap' hardware (i.e.,
> without 'ECC' memory), this can cause a *SINGLE-BIT* error in data being
> output.
>
> The fact that the 'corrupted' filesystem passed fsck -without- any reported
> errors shows that everything in the filesystem meta-data was consistent
>
> Given *that*, there are precisely *TWO* ways that the 'results' that have
> been reported could have happened.
>
>  1) "Something" did a mv(2) of the various jail directories 'from' their
>     original location to the 'apache' diretory.  This involves simply
>     *copying* the diretory entry from the jail's 'parent directory' to
>     the apache directory, and then marking the entry in the original
>     parent as 'unused'.  Nothing other than the  directory whre the jail
>     'used to live', and the directory 'where it was found' are touched.
>     This occured _through_ the system 'mv' function, so all the normal
>     'housekeeping' was done properly.
>
>  2) it was -not- done though mv(2) -- but that requires that a whole
>     *series* of "corruptions" of the filesystem, _ALL_ of which had to
>     occur in 'exactly' the right way.  They are:

> On Sat, Apr 28, 2012 at 11:39 AM, Robert Bonomi
> <[hidden email]> wrote:
>>
>>  Alejandro Imass <[hidden email]> wrote:
>>> On Sat, Apr 28, 2012 at 3:22 AM, Wojciech Puchar
>>> <[hidden email]> wrote:
>>> >> I somewhat agree, but it wasn't a person. I am the only administrator,
>>> >> the only one with root access. The jails were effectively moved to the
>>> >> /usr/local/etc/apache22 of the single that survived at the top level.
>>> >> I'm thinking something between mount, EzJail, the journal and the way
>>> >> MySQL created a great deal of head contention, so something must have
>>> >> gotten corrupted at the directory level like you state, but the
>>> >> strange part is no _data_ corruption as such, because I was able to
>>> >> physically archive the jails, move them to the correct directory and
>>> >
>>> >
>>> > no matter what you do FreeBSD DOES NOT ramdomly move directories. if you are
>>> > sure you didn't move it yourself then it must be machine hardware problem
>>> > but still unlikely.
>>>
>>> After a little more research, ___it it NOT unlikely at all___ that
>>> under high distress and a hard boot, UFS could have somehow corrupted
>>> the directory structure, whilst maintaining the data intact.
>>
>> This is techically accurate, *BUT* the specifics of the quote "corruption"
>> unquote in the case under discussion make it *EXTREMELY* unlikely that this
>> is what happened.
>>
>> 99.99+++% of all UFS filesystem "corruption' issues are the result of a
>> system crash _between_ the time cached 'meta-data' is updated in memory
>> and that data is flushed to disk (a deferred write).
>>
>> The second most common (and vanishingly rare) failure mode is a powerfail
>> _as_ a sector of disk is being written -- resulting in 'garbage data'
>> being written to disk.
>>
>> The next possibility is 'cosmic rays'.  If running on 'cheap' hardware (i.e.,
>> without 'ECC' memory), this can cause a *SINGLE-BIT* error in data being
>> output.
>>
>> The fact that the 'corrupted' filesystem passed fsck -without- any reported
>> errors shows that everything in the filesystem meta-data was consistent
>>
>> Given *that*, there are precisely *TWO* ways that the 'results' that have
>> been reported could have happened.
>>
>>  1) "Something" did a mv(2) of the various jail directories 'from' their
>>     original location to the 'apache' diretory.  This involves simply
>>     *copying* the diretory entry from the jail's 'parent directory' to
>>     the apache directory, and then marking the entry in the original
>>     parent as 'unused'.  Nothing other than the  directory whre the jail
>>     'used to live', and the directory 'where it was found' are touched.
>>     This occured _through_ the system 'mv' function, so all the normal
>>     'housekeeping' was done properly.
>>
>>  2) it was -not- done though mv(2) -- but that requires that a whole
>>     *series* of "corruptions" of the filesystem, _ALL_ of which had to
>>     occur in 'exactly' the right way.  They are:
>
> [...]
>
>> I think it is safe to conclude that the probabilities -greatly- favor
>> alternative #1.
>>
>
> OK. So after your comments and further research I concur with you on
> the mv but if it wasn't a human, then this might be exposing a serious
> security flaw in the jail system or the way EzJail implements it. The
> whole point of using jails is to protect things like this from
> happening. Given that the only jail that survived was the front-end
> Apache Web server/reverse proxy, then it is also safe to suspect the
> apache (or other) process running on it was able to perform a mv of
> the rest of the jails to it's own /usr/local/etc/apache22 directory.
>
> Is there no possibility is that after the system crash, the journal
> recocery process and/or fsck could have moved this directories ?
>

> On Sat, Apr 28, 2012 at 11:39 AM, Robert Bonomi
> <[hidden email]> wrote:
> >  Alejandro Imass <[hidden email]> wrote:
> >> After a little more research, ___it it NOT unlikely at all___ that
> >> under high distress and a hard boot, UFS could have somehow corrupted
> >> the directory structure, whilst maintaining the data intact.
> >
> > This is techically accurate, *BUT* the specifics of the quote "corruption"
> > unquote in the case under discussion make it *EXTREMELY* unlikely that this
> > is what happened.
> >
> > 99.99+++% of all UFS filesystem "corruption' issues are the result of a
> > system crash _between_ the time cached 'meta-data' is updated in memory
> > and that data is flushed to disk (a deferred write).
> >
> > The second most common (and vanishingly rare) failure mode is a powerfail
> > _as_ a sector of disk is being written -- resulting in 'garbage data'
> > being written to disk.
> >
> > The next possibility is 'cosmic rays'.  If running on 'cheap' hardware
> > (i.e., without 'ECC' memory), this can cause a *SINGLE-BIT* error in
> > data being output.
> >
> > The fact that the 'corrupted' filesystem passed fsck -without- any reported
> > errors shows that everything in the filesystem meta-data was consistent
> >
> [...]
>
> > I think it is safe to conclude that the probabilities -greatly- favor
> > alternative #1.
> >
>
> OK. So after your comments and further research I concur with you on
> the mv but if it wasn't a human, then this might be exposing a serious
> security flaw in the jail system or the way EzJail implements it.

>
> Alejandro Imass <[hidden email]> wrote:
>> On Sat, Apr 28, 2012 at 11:39 AM, Robert Bonomi
>> <[hidden email]> wrote:
>> >  Alejandro Imass <[hidden email]> wrote:
>> >> After a little more research, ___it it NOT unlikely at all___ that
>> >> under high distress and a hard boot, UFS could have somehow corrupted
>> >> the directory structure, whilst maintaining the data intact.
>> >
>> > This is techically accurate, *BUT* the specifics of the quote "corruption"
>> > unquote in the case under discussion make it *EXTREMELY* unlikely that this
>> > is what happened.
>> >
>> > 99.99+++% of all UFS filesystem "corruption' issues are the result of a
>> > system crash _between_ the time cached 'meta-data' is updated in memory
>> > and that data is flushed to disk (a deferred write).
>> >
>> > The second most common (and vanishingly rare) failure mode is a powerfail
>> > _as_ a sector of disk is being written -- resulting in 'garbage data'
>> > being written to disk.
>> >
>> > The next possibility is 'cosmic rays'.  If running on 'cheap' hardware
>> > (i.e., without 'ECC' memory), this can cause a *SINGLE-BIT* error in
>> > data being output.
>> >
>> > The fact that the 'corrupted' filesystem passed fsck -without- any reported
>> > errors shows that everything in the filesystem meta-data was consistent
>> >
>> [...]
>>
>> > I think it is safe to conclude that the probabilities -greatly- favor
>> > alternative #1.
>> >
>>
>> OK. So after your comments and further research I concur with you on
>> the mv but if it wasn't a human, then this might be exposing a serious
>> security flaw in the jail system or the way EzJail implements it.
>
> BOGON ALERT!!!
>

> On Sat, Apr 28, 2012 at 1:31 PM, Robert Bonomi <[hidden email]> wrote:
> >
> > Alejandro Imass <[hidden email]> wrote:
> >> On Sat, Apr 28, 2012 at 11:39 AM, Robert Bonomi
> >> <[hidden email]> wrote:
> >> >  Alejandro Imass <[hidden email]> wrote:
> >> >> After a little more research, ___it it NOT unlikely at all___ that
> >> >> under high distress and a hard boot, UFS could have somehow corrupted
> >> >> the directory structure, whilst maintaining the data intact.
> >> >
> >> > This is techically accurate, *BUT* the specifics of the quote "corruption"
> >> > unquote in the case under discussion make it *EXTREMELY* unlikely that this
> >> > is what happened.
> >> >
> >> > 99.99+++% of all UFS filesystem "corruption' issues are the result of a
> >> > system crash _between_ the time cached 'meta-data' is updated in memory
> >> > and that data is flushed to disk (a deferred write).
> >> >
> >> > The second most common (and vanishingly rare) failure mode is a powerfail
> >> > _as_ a sector of disk is being written -- resulting in 'garbage data'
> >> > being written to disk.
> >> >
> >> > The next possibility is 'cosmic rays'.  If running on 'cheap' hardware
> >> > (i.e., without 'ECC' memory), this can cause a *SINGLE-BIT* error in
> >> > data being output.
> >> >
> >> > The fact that the 'corrupted' filesystem passed fsck -without- any reported
> >> > errors shows that everything in the filesystem meta-data was consistent
> >> >
> >> [...]
> >>
> >> > I think it is safe to conclude that the probabilities -greatly- favor
> >> > alternative #1.
> >> >
> >>
> >> OK. So after your comments and further research I concur with you on
> >> the mv but if it wasn't a human, then this might be exposing a serious
> >> security flaw in the jail system or the way EzJail implements it.
> >
> > BOGON ALERT!!!
> >
>
> I admit my ignorance on how the filesystem works but I don't think
> your condescending remarks add a lot of value. The issue here is this
> actually happened and there is a flaw somewhere other than "the stupid
> administrator did it".

> On Sat, 28 Apr 2012 13:52:02 -0400, Alejandro Imass wrote:
>> On Sat, Apr 28, 2012 at 1:31 PM, Robert Bonomi <[hidden email]> wrote:
>> >
>> > Alejandro Imass <[hidden email]> wrote:
>> >> On Sat, Apr 28, 2012 at 11:39 AM, Robert Bonomi
>> >> <[hidden email]> wrote:
>> >> >  Alejandro Imass <[hidden email]> wrote:
>> >> >> After a little more research, ___it it NOT unlikely at all___ that
>> >> >> under high distress and a hard boot, UFS could have somehow corrupted
>> >> >> the directory structure, whilst maintaining the data intact.
>> >> >
>> >> > This is techically accurate, *BUT* the specifics of the quote "corruption"
>> >> > unquote in the case under discussion make it *EXTREMELY* unlikely that this
>> >> > is what happened.
>> >> >
>> >> > 99.99+++% of all UFS filesystem "corruption' issues are the result of a
>> >> > system crash _between_ the time cached 'meta-data' is updated in memory
>> >> > and that data is flushed to disk (a deferred write).
>> >> >
>> >> > The second most common (and vanishingly rare) failure mode is a powerfail
>> >> > _as_ a sector of disk is being written -- resulting in 'garbage data'
>> >> > being written to disk.
>> >> >
>> >> > The next possibility is 'cosmic rays'.  If running on 'cheap' hardware
>> >> > (i.e., without 'ECC' memory), this can cause a *SINGLE-BIT* error in
>> >> > data being output.
>> >> >
>> >> > The fact that the 'corrupted' filesystem passed fsck -without- any reported
>> >> > errors shows that everything in the filesystem meta-data was consistent
>> >> >
>> >> [...]
>> >>
>> >> > I think it is safe to conclude that the probabilities -greatly- favor
>> >> > alternative #1.
>> >> >
>> >>
>> >> OK. So after your comments and further research I concur with you on
>> >> the mv but if it wasn't a human, then this might be exposing a serious
>> >> security flaw in the jail system or the way EzJail implements it.
>> >
>> > BOGON ALERT!!!
>> >
>>
>> I admit my ignorance on how the filesystem works but I don't think
>> your condescending remarks add a lot of value. The issue here is this
>> actually happened and there is a flaw somewhere other than "the stupid
>> administrator did it".
>
> If you search the archives of this list, you'll find my _first_
> post to that list: I've had a similar problem, df shows data
> must be there after crash (panic -> reboot -> fsck trouble), but
> files aren't there (even _not_ in lost+found). It's quite possible
> that in _exceptional_ moments this can happen. The fsck program
> is intended to repair the most typical file system faults, but
> nothing "complicated" will be done without interaction: Altering
> data on disk will _always_ involve the responsible (!) admin to
> check if it is really intended "to do so".
>
> There can be many reasons. I've never found out what was the

> On Sat, Apr 28, 2012 at 1:31 PM, Robert Bonomi<[hidden email]>  wrote:
>> Alejandro Imass<[hidden email]>  wrote:
>>> On Sat, Apr 28, 2012 at 11:39 AM, Robert Bonomi
>>> <[hidden email]>  wrote:
>>>>   Alejandro Imass<[hidden email]>  wrote:
>>>>> After a little more research, ___it it NOT unlikely at all___ that
>>>>> under high distress and a hard boot, UFS could have somehow corrupted
>>>>> the directory structure, whilst maintaining the data intact.
>>>> This is techically accurate, *BUT* the specifics of the quote "corruption"
>>>> unquote in the case under discussion make it *EXTREMELY* unlikely that this
>>>> is what happened.
>>>>
>>>> 99.99+++% of all UFS filesystem "corruption' issues are the result of a
>>>> system crash _between_ the time cached 'meta-data' is updated in memory
>>>> and that data is flushed to disk (a deferred write).
>>>>
>>>> The second most common (and vanishingly rare) failure mode is a powerfail
>>>> _as_ a sector of disk is being written -- resulting in 'garbage data'
>>>> being written to disk.
>>>>
>>>> The next possibility is 'cosmic rays'.  If running on 'cheap' hardware
>>>> (i.e., without 'ECC' memory), this can cause a *SINGLE-BIT* error in
>>>> data being output.
>>>>
>>>> The fact that the 'corrupted' filesystem passed fsck -without- any reported
>>>> errors shows that everything in the filesystem meta-data was consistent
>>>>
>>> [...]
>>>
>>>> I think it is safe to conclude that the probabilities -greatly- favor
>>>> alternative #1.
>>>>
>>> OK. So after your comments and further research I concur with you on
>>> the mv but if it wasn't a human, then this might be exposing a serious
>>> security flaw in the jail system or the way EzJail implements it.
>> BOGON ALERT!!!
>>
> I admit my ignorance on how the filesystem works but I don't think
> your condescending remarks add a lot of value. The issue here is this
> actually happened and there is a flaw somewhere other than "the stupid
> administrator did it".

> On Sat, Apr 28, 2012 at 3:22 AM, Wojciech Puchar
> <[hidden email]> wrote:
> >> I somewhat agree, but it wasn't a person. I am the only administrator,
> >> the only one with root access. The jails were effectively moved to the
> >> /usr/local/etc/apache22 of the single that survived at the top level.
> >> I'm thinking something between mount, EzJail, the journal and the way
> >> MySQL created a great deal of head contention, so something must have
> >> gotten corrupted at the directory level like you state, but the
> >> strange part is no _data_ corruption as such, because I was able to
> >> physically archive the jails, move them to the correct directory and
> >
> >
> > no matter what you do FreeBSD DOES NOT ramdomly move directories. if you are
> > sure you didn't move it yourself then it must be machine hardware problem
> > but still unlikely.
>
> After a little more research, ___it it NOT unlikely at all___ that
> under high distress and a hard boot, UFS could have somehow corrupted
> the directory structure, whilst maintaining the data intact. From what
> I've learned so far, UFS is actually divided into 2 layers: one that
> controls the directory structure and metadata and a lower layer
> containing the data, so the directories being screwed up and the data
> intact it is actually quite possible.
>
> What I'm trying to do is figure out is how it happened, and try
> prevent it from happening again, so instead of dismissing it as
> impossibility, I think we all should spend a little time figuring out
> how these things can happen and determine how it can be prevented or
> reduced.