Eric Sandeen wrote:
> Christoph Hellwig wrote:
>> But why would the filesystem every unfreeze itself? That defeats the
>> whole point of freezing it.
> I agree. Was just trying to clarify the above point.
> But there have been what, 12 submissions now, with the unfreeze timeout
> in place so it's a persistent theme ;)
> Perhaps a demonstration of just how easy (or not easy) it is to deadlock
> a filesystem by freezing the root might be in order, at least.
> And even if it is relatively easy, I still maintain that it is the
> administrator's role to not inflict damage on the machine being
> administered. There are a lot of potentially dangerous tools at root's
> disposal; why this particular one needs a nanny I'm still not quite sure.
Since this patch hit fsdev, there have been an equal number
of supporters and opponents of the timeout.
I'm not opposed to the timeout on the API, but I don't think
it is needed if we have a system configurable timeout (default
is no timeout) that can be changed by an admin.
My experience is that a timeout is not needed protect against
a stupid admin or against software bugs.
The justification for a timeout as far as I am concerned
is so the admin can log in and reset hung hardware. If we
think there is no chance of forcing the external device that
went to sleep to respond so the system can continue to be used,
then I don't think a timeout has any valid use.
My timeout desire is based on some past SAN behavior and
I'm OK if people argue those devices should just be fixed.
But we argued the same thing and were ignored because bad
device behavior did not stop people from buying them.