[sheepdog] [sheepdog/sheepdog] e98977: sheep: avoid diskfull caused by recovery process

AP sheepdog at inml.weebeastie.net
Sat May 28 07:41:36 CEST 2016


On Fri, May 27, 2016 at 05:17:13PM +0900, Hitoshi Mitake wrote:
> On Mon, May 16, 2016 at 10:50 PM, AP <sheepdog at inml.weebeastie.net> wrote:
> 
> > On Mon, May 02, 2016 at 06:04:53PM +0900, Hitoshi Mitake wrote:
> > > On Sun, May 1, 2016 at 12:14 PM, AP <sheepdog at inml.weebeastie.net> wrote:
> > >
> > > > On Tue, Apr 26, 2016 at 07:20:15PM -0700, Hitoshi Mitake wrote:
> > > > > sheep can corrupt its cluster by diskfull with recovery process. For
> > > > > avoiding this problem, this patch adds a new option -F to dog cluster
> > > > > format. If this command is passed during cluster formatting, every
> > > > > sheep process of the cluster skips recovery if there is a possibility
> > > > > of diskfull during recovery.
...
> > It sounds like the default is to permit overcommit which can result in
> > corruption when the space is not there at a critical time. If this is
> > the case then this should be a conscious decision made by the admin and
> > the default is to go "Your data is precious - have enough space for what
> > you want." It'd be the option of least surprise.
...
> Sorry for my late reply. As you point out, the default can result in a
> corrupted state if there is no space. Turning on the new feature by default
> would be reasonable. What do you think?

I agree. Defaults should result in safety. If someone wishes to juggle
flaming chainsaws ;) that should be an option that they can activate
explicitly.

The switch (-F above, I believe) should activate the unsafe option and
have the warning that it may lead to loss of hands if one is not careful.

> Anyway, careful capacity planning is required for scalable distributed
> storage...

Oh, god yes. :) Giving unsafe defaults, though, IMO, makes that harder.

Andrew
