Do not destroy volume if wizard import fails
Reports are still trickling in that some cases can lead to FreeNAS destroying GELI metadata (for encrypted pools) or the partition table (for unencrypted pools) and issuing zpool destroy when cleaning up after a traceback, much like in #26834.
I don't have many details yet, but the following cases have been brought to my attention:
During an update from 9.10.2-U6 to 11.0-U4, the update got stuck. After installing 11.0-U4 to new media, the pool was gone - it was not encrypted, so it could be recovered with zpool import -D and zpool destroy had been issued. Another forum user tried this out in his test environment and reported that updating to 11.0-U4 will murder pools if the boot pool runs out of space during the process.
Importing a non-encrypted Corral pool on a fresh 11.1-RC3 install resulted in the partition tables being wiped and the pool being destroyed. This one also seems to be recoverable, though still unacceptable. I don't know what the actual error is that triggers this behavior.
#2 Updated by Dru Lavigne about 3 years ago
- Assignee changed from Release Council to William Grzybowski
- Priority changed from No priority to Critical
William: here are 2 examples:
Both were recovered. From these examples do you think there are any more scenarios we need to account for?
#4 Updated by William Grzybowski about 3 years ago
- Subject changed from Pools are still being murdered when cleaning up certain tracebacks to Pool destroyed on Wizard error
- Status changed from Unscreened to Screened
- Priority changed from Critical to Blocks Until Resolved
- Target version set to 11.1
I can reproduce pool destroying if Wizard fails.
I cannot reproduce the full boot pool issue, perhaps that should be a different issue.
#5 Updated by Eric Loewenthal about 3 years ago
William: Could you guys go through every call of volume.delete() and make sure that they're not relying on defaults? That is, if you haven't already.
At that point, Allan Jude's fix from the other day should be free from side-effects, too, and mitigate the damage in this sort of scenario in new code.