Tuesday, June 9, 2020 7:59 AM, Vertigo Altair <vertigo.alt...@gmail.com> wrote:

> Hi Misc,
> I have a firewall device and I'm using OpenBSD on it.

Last year I had to configure an OpenBSD 6.5 firewall for use in a
remote location, and was concerned about power loss corrupting the
filesystem and making the system unbootable without manual
intervention. As I did not want to modify OpenBSD in unsupported ways,
I decided to test what kind of damage power loss could do, by
randomly removing and applying power to the firewall, many many times.

What I found was that 99% of the time, the system would just repair the
filesystem and boot without problems, but if by chance the power was
removed at a short time window during kernel relinking, the kernel
would become corrupt and leave the system completely unbootable and
not easy to repair. It was suggested to me that I tried to mount root
partition with the sync option, so I arranged the partition layout in a
way that would make it feasible and added the option to fstab.

Only other problem I found, was that a few times after removing power
when writing a large file, the system would require me to run fsck -y
manually, this is by design, but I decided it was more important to me
that the system could boot unattended, with a minuscule risk of
completely ruining the filesystem, so I wrote a small unsupported patch
for the rc script (sorry if the formatting gets messed up by posting):

The patch has only been tested on OpenBSD 6.5.

---
Index: src/etc/rc
===================================================================
RCS file: /cvs/src/etc/rc,v
retrieving revision 1.536
diff -u -p -u -p -r1.536 rc
--- src/etc/rc  1 Apr 2019 11:39:46 -0000       1.536
+++ src/etc/rc  20 Aug 2019 22:47:49 -0000
@@ -1,5 +1,8 @@
 #      $OpenBSD: rc,v 1.536 2019/04/01 11:39:46 tedu Exp $

+# NOTE: The do_fsck() function has been patched to run 'fsck -y' if an
+#      automatic file system check fails with exit code 8.
+
 # System startup script run by init on autoboot or after single-user.
 # Output and error are redirected to console by init, and the console is the
 # controlling terminal.
@@ -271,8 +274,14 @@ do_fsck() {
                echo "Reboot failed; help!"
                exit 1
                ;;
-       8)      echo "Automatic file system check failed; help!"
-               exit 1
+       8)      echo "Automatic file system check failed; trying fsck -y"
+               fsck -y
+               case $? in
+               0)      ;;
+               *)      echo "Could not repair file system unattended; help!"
+                       exit 1
+                       ;;
+               esac
                ;;
        12)     echo "Boot interrupted."
                exit 1
---

After mounting root filesystem with sync option and applying the patch,
I was no longer able to make the system unbootable by power loss in my
test setup. It may be possible, but the risk is now so small that it is
not a concern for me and the risk of something else breaking is
probably bigger. During operation in remote location, the system has
always been able to completely boot after a power loss so far.

So while it was not possible for me to not make any unsupported
modifications at all, I think it is a very small change compared to
have read only filesystems. Anyone who knows OpenBSD, will be able to
manage the firewall without special instructions.


Regards,
Mogens Jensen

Reply via email to