storage: Confirmation before erasing non-empty filesystems #20272
Conversation
mvollmer
force-pushed
the
storage-extra-warning-for-non-empty-filesystems
branch
7 times, most recently
from
5803fbe
to
1acb017
Compare
|
Here's some revised mockups that streamline things:
This is all assuming we detect data like we talked about yesterday. That is, show the warning only if:
Examples:
This would let Cockpit not get in the way when someone is adding and removing partitions, but it also would protect someone from accidentally losing data. We should use this general pattern for initializing the disk, formatting a partition, and anything else that would probably cause someone to lose data on a partition like this. Although we should rework the warning area a little with regard to the text (and probably table too). Open questions:
|
Thanks! I think we should split the parts out that are general improvements to the "Initialize disk" dialog. They might even happen as part of #19882. |
|
I think "a partition on this disk" is too specific, there are other cases like LVM2 logical volumes. What about "Important data might be deleted" as the header? |
mvollmer
force-pushed
the
storage-extra-warning-for-non-empty-filesystems
branch
from
1acb017
to
e75d76d
Compare
|
@garrett, looks like this now:
The text of the "important data" section pretty small. This is the result of using The gap between the table and the checkbox line is because the table is in the dialog body, while the checkbox line is in the footer. |
mvollmer
force-pushed
the
storage-extra-warning-for-non-empty-filesystems
branch
2 times, most recently
from
61d25c4
to
6aa6559
Compare
This has been implemented in #19882.
This has been implemented here.
This has been partly implemented here (for the "important data" table), and will be completed in #19882.
@garrett, I don't understand this, can you elaborate? |
I did this in #19882. |
I am reluctant to implement this. We would have to identify all places in Cockpit where things get created. That's of course possible, but I hope we can find a more straighforward rule to determine whether to show the warning or not, a rule that doesn't require us to gather information as the user is using Cockpit. That would be more robust. Right now the rule is:
My hope is that encrypted devices that are created by Cockpit will remain open during the installation process. The idea behind the list of recognized filesystem types is to avoid trying to mount unusual filesystems that might be supported by the kernel, but are maybe buggy. |
mvollmer
force-pushed
the
storage-extra-warning-for-non-empty-filesystems
branch
from
6aa6559
to
bcecc43
Compare
mvollmer
force-pushed
the
storage-extra-warning-for-non-empty-filesystems
branch
2 times, most recently
from
dd4eff0
to
219c595
Compare
pkg/storaged/dialog.jsx
Outdated
| [decode_filename(u.block.PreferredDevice)], | ||
| { superuser: true, err: "message" }); | ||
| if (empty.trim() != "yes") { | ||
| console.log("INFO", empty); |
There was a problem hiding this comment.
Let's just remove this!
| } | ||
| if (client.in_anaconda_mode() && !expect_single_unmount && u.block) { | ||
| if (u.block.IdUsage == "filesystem" && | ||
| ["xfs", "ext2", "ext3", "ext4", "btrfs", "vfat", "ntfs"].indexOf(u.block.IdType) >= 0) { |
There was a problem hiding this comment.
Are these all the filesystems udisks supports? If so Cockpit should already have a list of them somewhere right? Or can't we get this from udisks? Like http://storaged.org/doc/udisks2-api/latest/gdbus-org.freedesktop.UDisks2.Manager.html#gdbus-property-org-freedesktop-UDisks2-Manager.SupportedFilesystems
There was a problem hiding this comment.
Are these all the filesystems udisks supports?
No, the idea is to only mount a small number of well-known filesystems, instead of just throwing everything that we find at the kernel.
|
|
||
| if (have_data) { | ||
| usage.Teardown = true; | ||
| dlg.need_confirmation(_("I confirm I want to lose this data forever")); |
There was a problem hiding this comment.
It's a dramatic situation! :-)
| dev=$1 | ||
|
|
||
| need_unmount="" | ||
| mp=$(findmnt -no TARGET "$dev" | cat) |
There was a problem hiding this comment.
That cat seems unnecessary:
[jelle@t14s][~/projects/cockpit/main]%x=$(findmnt -no TARGET /dev/nvme0n1p1)
[jelle@t14s][~/projects/cockpit/main]%echo $x
/boot
There was a problem hiding this comment.
It protects against the exit code of findmnt. When $dev is not mounted, findmnt exits with code 1, which would stop the script because of set -e. In a pipeline, the last sub-command determines the exit code of the while pipeline, and cat always exits with 0.
| # A filesystem is empty if it only has directories in it. | ||
|
|
||
| first=$(find "$mp" -not -type d | head -1) | ||
| info=$(stat -f -c '{ "unit": %S, "free": %f, "total": %b }' "$mp") |
There was a problem hiding this comment.
Neither of these commands is allowed to fail as then we will exit and never unmount if needed. So maybe we should use a trap for that.
(I can only get find to fail when not running as root for example but maybe it can fail on broken symlinks or pipes as root?)
There was a problem hiding this comment.
So maybe we should use a trap for that.
Good point!
| m.execute(f"echo einszweidrei | cryptsetup luksFormat --pbkdf-memory 32768 {disk}") | ||
| m.execute(f"echo einszweidrei | cryptsetup luksOpen {disk} dm-test") | ||
| m.execute("mkfs.ext4 /dev/mapper/dm-test; mount /dev/mapper/dm-test /mnt; echo Hi >/mnt/hello; umount /mnt") | ||
| m.execute("cryptsetup close dm-test") |
There was a problem hiding this comment.
A test for a Filesystem with only directories would be nice as well.
|
Are the screenshots up to date? They still vary wildly from the mockups in several ways. |
Yes.
Many of the changes are in #19882. I have changed some of your UI text:
Also, I left the action out of the confirmation text since the confirmation is used with more than just initializing disks: "I confirm I want to lose this data forever". |
But only in Anaconda mode.
mvollmer
force-pushed
the
storage-extra-warning-for-non-empty-filesystems
branch
from
219c595
to
70f3eb3
Compare
| } catch { | ||
| u.data_warning = _("Device contains unrecognized data"); |
There was a problem hiding this comment.
These 2 added lines are not executed by any test.
| @@ -68,7 +68,7 @@ export function make_legacy_vdo_page(parent, vdo, backing_block, next_card) { | |||
| } | |||
| }, | |||
| Inits: [ | |||
| init_active_usage_processes(client, usage) | |||
| init_teardown_usage(client, usage) | |||
There was a problem hiding this comment.
This added line is not executed by any test.
| @@ -130,7 +130,7 @@ | |||
| } | |||
| }, | |||
| Inits: [ | |||
| init_active_usage_processes(client, usage) | |||
| init_teardown_usage(client, usage) | |||
There was a problem hiding this comment.
This added line is not executed by any test.
But only in Anaconda mode.
Demo: https://youtu.be/EYU2jzDI0gk
Storage: Cockpit asks for extra confirmation before deleting files in Anaconda mode
When using Cockpit to configure storage manually during installation with Anaconda, one normally only operates on empty filesystems. You might create a couple of partitions with filesystems and then change your mind and delete those partitions again, maybe to create them in a slightly different way. These are all pretty harmless operations since no actual data gets deleted.
However, there might also be filesystems present that have not been created during installation. They might contain other operating systems and old, valueable files. In order to protect against deleting these by accident, Cockpit now checks whether a filesystem contains actual files before deleting it, and asks for extra confirmation if it does.