-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ability to specify type to 'zfs destroy` #9522
Comments
This was my pretty much first thing I noticed about ZFS. I'm currently checking it out since I fear the day I accidentally delete my files and snapshots provide excellent guard against that. However the destroy command looks a bit like ACME product ... Edit: After some thinking, one possible solution that does not require backward incompatible CLI changes and does not rely user remembering to specify |
changing behaviour of defaults and/or existing options IS a backwards compatibility breaking, adding a new option is not. adding new options is how evolution works while keeping backwards compatibility you don't need a feature flag for pool, because the change i'm requesting is a behaviour enhancement that has nothing to do with how the on-disk format is layed out. in other words, this can be implemented in zfs command without needing to alter the pool attributes. altering the pool is unneeded for this particular case and will only complicate the administration of zfs. a script that wants to use this feature would have to simply invoke zfs --version and determine if the -t option is available or not by knowing in what release this option was made available. a human would have to do the same, or look up the option in the manual page of the target installed system. |
After creating recursive snapshots with `zfs snapshot -r`, it is tempting to use `zfs destroy -r` to clean up. However, as the man page correctly points out, it is extremely dangerous: Extreme care should be taken when applying either the -r or the -R options, as they can destroy large portions of a pool and cause unexpected behavior for mounted file systems in use. As an author of script-based automation, this gives me great heart-burn. This becomes a pretty tricky validation problem with fairly dire failure modes. Instead, this patch makes it possible for automation authors and fumbling typists to tell ZFS what they *intend* to destroy *before* they pass `-r`, and *before* they start typing in any sort of dataset names: # zfs destroy -t snapshot -r tank@initial-installation At this time it also supports `-t bookmark`. I considered trying to support additional types like volume and filesystem, however my little bit of C experience made that a fairly spooky proposition. In particular, any combination of `-rR` and `-t volume|filesystem` seemed like a potentially complicated set of expected behavior. ("What should happen if I `zfs destroy -t volume -r rpool`?") Closes openzfs#9522. Signed-off-by: Graham Christensen <graham@grahamc.com>
After creating recursive snapshots with `zfs snapshot -r`, it is tempting to use `zfs destroy -r` to clean up. However, as the man page correctly points out, it is extremely dangerous: Extreme care should be taken when applying either the -r or the -R options, as they can destroy large portions of a pool and cause unexpected behavior for mounted file systems in use. As an author of script-based automation, this gives me great heart-burn. This becomes a pretty tricky validation problem with fairly dire failure modes. Instead, this patch makes it possible for automation authors and fumbling typists to tell ZFS what they *intend* to destroy *before* they pass `-r`, and *before* they start typing in any sort of dataset names: # zfs destroy -t snapshot -r tank@initial-installation At this time it also supports `-t bookmark`. I considered trying to support additional types like volume and filesystem, however my little bit of C experience made that a fairly spooky proposition. In particular, any combination of `-rR` and `-t volume|filesystem` seemed like a potentially complicated set of expected behavior. ("What should happen if I `zfs destroy -t volume -r rpool`?") Closes openzfs#9522. Signed-off-by: Graham Christensen <graham@grahamc.com>
After creating recursive snapshots with `zfs snapshot -r`, it is tempting to use `zfs destroy -r` to clean up. However, as the man page correctly points out, it is extremely dangerous: Extreme care should be taken when applying either the -r or the -R options, as they can destroy large portions of a pool and cause unexpected behavior for mounted file systems in use. As an author of script-based automation, this gives me great heart-burn. This becomes a pretty tricky validation problem with fairly dire failure modes. Instead, this patch makes it possible for automation authors and fumbling typists to tell ZFS what they *intend* to destroy *before* they pass `-r`, and *before* they start typing in any sort of dataset names: # zfs destroy -t snapshot -r tank@initial-installation 'zfs destroy -t` also supports "filesystem", "volume", "snap", "snapshot", "bookmark", "all" or a comma-separated list of these Closes openzfs#9522. Co-authored-by: InsanePrawn <insane.prawny@gmail.com> Signed-off-by: Graham Christensen <graham@grahamc.com>
After creating recursive snapshots with `zfs snapshot -r`, it is tempting to use `zfs destroy -r` to clean up. However, as the man page correctly points out, it is extremely dangerous: Extreme care should be taken when applying either the -r or the -R options, as they can destroy large portions of a pool and cause unexpected behavior for mounted file systems in use. As an author of script-based automation, this gives me great heart-burn. This becomes a pretty tricky validation problem with fairly dire failure modes. Instead, this patch makes it possible for automation authors and fumbling typists to tell ZFS what they *intend* to destroy *before* they pass `-r`, and *before* they start typing in any sort of dataset names: # zfs destroy -t snapshot -r tank@initial-installation 'zfs destroy -t` also supports "filesystem", "volume", "snap", "snapshot", "bookmark", "all" or a comma-separated list of these Closes openzfs#9522. Co-authored-by: InsanePrawn <insane.prawny@gmail.com> Signed-off-by: Graham Christensen <graham@grahamc.com>
After creating recursive snapshots with `zfs snapshot -r`, it is tempting to use `zfs destroy -r` to clean up. However, as the man page correctly points out, it is extremely dangerous: Extreme care should be taken when applying either the -r or the -R options, as they can destroy large portions of a pool and cause unexpected behavior for mounted file systems in use. As an author of script-based automation, this gives me great heart-burn. This becomes a pretty tricky validation problem with fairly dire failure modes. Instead, this patch makes it possible for automation authors and fumbling typists to tell ZFS what they *intend* to destroy *before* they pass `-r`, and *before* they start typing in any sort of dataset names: # zfs destroy -t snapshot -r tank@initial-installation 'zfs destroy -t` also supports "filesystem", "volume", "snap", "snapshot", "bookmark", "all" or a comma-separated list of these Closes openzfs#9522. Co-authored-by: InsanePrawn <insane.prawny@gmail.com> Signed-off-by: Graham Christensen <graham@grahamc.com>
After creating recursive snapshots with `zfs snapshot -r`, it is tempting to use `zfs destroy -r` to clean up. However, as the man page correctly points out, it is extremely dangerous: Extreme care should be taken when applying either the -r or the -R options, as they can destroy large portions of a pool and cause unexpected behavior for mounted file systems in use. As an author of script-based automation, this gives me great heart-burn. This becomes a pretty tricky validation problem with fairly dire failure modes. Instead, this patch makes it possible for automation authors and fumbling typists to tell ZFS what they *intend* to destroy *before* they pass `-r`, and *before* they start typing in any sort of dataset names: # zfs destroy -t snapshot -r tank@initial-installation 'zfs destroy -t` also supports "filesystem", "volume", "snap", "snapshot", "bookmark", "all" or a comma-separated list of these Closes openzfs#9522. Co-authored-by: InsanePrawn <insane.prawny@gmail.com> Signed-off-by: Graham Christensen <graham@grahamc.com>
After creating recursive snapshots with `zfs snapshot -r`, it is tempting to use `zfs destroy -r` to clean up. However, as the man page correctly points out, it is extremely dangerous: Extreme care should be taken when applying either the -r or the -R options, as they can destroy large portions of a pool and cause unexpected behavior for mounted file systems in use. As an author of script-based automation, this gives me great heart-burn. This becomes a pretty tricky validation problem with fairly dire failure modes. Instead, this patch makes it possible for automation authors and fumbling typists to tell ZFS what they *intend* to destroy *before* they pass `-r`, and *before* they start typing in any sort of dataset names: # zfs destroy -t snapshot -r tank@initial-installation 'zfs destroy -t` also supports "filesystem", "volume", "snap", "snapshot", "bookmark", "all" or a comma-separated list of these Closes openzfs#9522. Co-authored-by: InsanePrawn <insane.prawny@gmail.com> Signed-off-by: Graham Christensen <graham@grahamc.com>
After creating recursive snapshots with `zfs snapshot -r`, it is tempting to use `zfs destroy -r` to clean up. However, as the man page correctly points out, it is extremely dangerous: Extreme care should be taken when applying either the -r or the -R options, as they can destroy large portions of a pool and cause unexpected behavior for mounted file systems in use. As an author of script-based automation, this gives me great heart-burn. This becomes a pretty tricky validation problem with fairly dire failure modes. Instead, this patch makes it possible for automation authors and fumbling typists to tell ZFS what they *intend* to destroy *before* they pass `-r`, and *before* they start typing in any sort of dataset names: # zfs destroy -t snapshot -r tank@initial-installation 'zfs destroy -t` also supports "filesystem", "volume", "snap", "snapshot", "bookmark", "all" or a comma-separated list of these Closes openzfs#9522. Co-authored-by: InsanePrawn <insane.prawny@gmail.com> Signed-off-by: Graham Christensen <graham@grahamc.com>
After creating recursive snapshots with `zfs snapshot -r`, it is tempting to use `zfs destroy -r` to clean up. However, as the man page correctly points out, it is extremely dangerous: Extreme care should be taken when applying either the -r or the -R options, as they can destroy large portions of a pool and cause unexpected behavior for mounted file systems in use. As an author of script-based automation, this gives me great heart-burn. This becomes a pretty tricky validation problem with fairly dire failure modes. Instead, this patch makes it possible for automation authors and fumbling typists to tell ZFS what they *intend* to destroy *before* they pass `-r`, and *before* they start typing in any sort of dataset names: # zfs destroy -t snapshot -r tank@initial-installation 'zfs destroy -t` also supports "filesystem", "volume", "snap", "snapshot", "bookmark", "all" or a comma-separated list of these Closes openzfs#9522. Co-authored-by: InsanePrawn <insane.prawny@gmail.com> Signed-off-by: Graham Christensen <graham@grahamc.com>
After creating recursive snapshots with `zfs snapshot -r`, it is tempting to use `zfs destroy -r` to clean up. However, as the man page correctly points out, it is extremely dangerous: Extreme care should be taken when applying either the -r or the -R options, as they can destroy large portions of a pool and cause unexpected behavior for mounted file systems in use. As an author of script-based automation, this gives me great heart-burn. This becomes a pretty tricky validation problem with fairly dire failure modes. Instead, this patch makes it possible for automation authors and fumbling typists to tell ZFS what they *intend* to destroy *before* they pass `-r`, and *before* they start typing in any sort of dataset names: # zfs destroy -t snapshot -r tank@initial-installation 'zfs destroy -t` also supports "filesystem", "volume", "snap", "snapshot", "bookmark", "all" or a comma-separated list of these Closes openzfs#9522. Co-authored-by: InsanePrawn <insane.prawny@gmail.com> Signed-off-by: Graham Christensen <graham@grahamc.com>
After creating recursive snapshots with `zfs snapshot -r`, it is tempting to use `zfs destroy -r` to clean up. However, as the man page correctly points out, it is extremely dangerous: Extreme care should be taken when applying either the -r or the -R options, as they can destroy large portions of a pool and cause unexpected behavior for mounted file systems in use. As an author of script-based automation, this gives me great heart-burn. This becomes a pretty tricky validation problem with fairly dire failure modes. Instead, this patch makes it possible for automation authors and fumbling typists to tell ZFS what they *intend* to destroy *before* they pass `-r`, and *before* they start typing in any sort of dataset names: # zfs destroy -t snapshot -r tank@initial-installation 'zfs destroy -t` also supports "filesystem", "volume", "snap", "snapshot", "bookmark", "all" or a comma-separated list of these Closes openzfs#9522. Co-authored-by: InsanePrawn <insane.prawny@gmail.com> Signed-off-by: Graham Christensen <graham@grahamc.com>
After creating recursive snapshots with `zfs snapshot -r`, it is tempting to use `zfs destroy -r` to clean up. However, as the man page correctly points out, it is extremely dangerous: Extreme care should be taken when applying either the -r or the -R options, as they can destroy large portions of a pool and cause unexpected behavior for mounted file systems in use. As an author of script-based automation, this gives me great heart-burn. This becomes a pretty tricky validation problem with fairly dire failure modes. Instead, this patch makes it possible for automation authors and fumbling typists to tell ZFS what they *intend* to destroy *before* they pass `-r`, and *before* they start typing in any sort of dataset names: # zfs destroy -t snapshot -r tank@initial-installation 'zfs destroy -t` also supports "filesystem", "volume", "snap", "snapshot", "bookmark", "all" or a comma-separated list of these Closes openzfs#9522. Co-authored-by: InsanePrawn <insane.prawny@gmail.com> Signed-off-by: Graham Christensen <graham@grahamc.com>
hey @grahamc, is your patch still working on main branch? |
I sent a patch in #9882 and I don't know if it is working anymore or not. After I took it to the mailing list for discussion I got feedback that was useful and I think good. However, implementing the patch in the first place was stretching my knowledge of C. I didn't make much effort to update the patch for the feedback I got. It seemed quite a bit more complicated to implement. With my limited experience with C and the ZFS codebase I decided to leave it as-is in case someone else wanted to take it on. Sorry for not saying so sooner! |
Resolves openzfs#9522 by adding an optional [-t type] option gate to the `zfs destroy` command. Checks the type of the supplied argument, then checks if the supplied type is the same or one of the aliases that are also used in `zfs list`. If the type doesn't match, it prints an error to stderr and exits. Signed-off-by: Chris Simons <chris@simons.network>
Resolves openzfs#9522 by adding an optional [-t type] option gate to the `zfs destroy` command. Checks the type of the supplied argument, then checks if the supplied type is the same or one of the aliases that are also used in `zfs list`. If the type doesn't match, it prints an error to stderr and exits. Signed-off-by: Chris Simons <chris@simons.network>
Resolves openzfs#9522 by adding an optional [-t type] option gate to the `zfs destroy` command. Checks the type of the supplied argument, then checks if the supplied type is the same or one of the aliases that are also used in `zfs list`. If the type doesn't match, it prints an error to stderr and exits. Signed-off-by: Chris Simons <chris@simons.network>
System information
Describe the problem you're observing
There are no safeguards when destroying. Whatever is the argument of
zfs destroy
, it will get destroyed. Issuers of the destroy command are humans and humans can make mistakes: for example in shell scripts that generate destroy commands, typos etc.A minimal protection mechanism could reject a destroy action if the type of the dataset to be destroyed does not match the dataset type specified in command line, similar to how
zfs list -t
works, so for examplezfs destroy -t filesystem pool/volumename
orzfs destroy -t snapshot pool/filesystem
would fail.Describe how to reproduce the problem
Include any warning/errors/backtraces from the system logs
The text was updated successfully, but these errors were encountered: