BootLoginWithFullFilesystem

Revision 9 as of 2007-05-31 14:48:57


Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.

Summary

This specification is about making boot and login work when the disk runs out of free space.

Rationale

At the moment the desktop session doesn't start when there is no free space on the disk, which leaves the user without any easy way to fix the system.

Use Cases

  • Michael just installed some new applications, ran out of disk space and didn't notice. The next login will warn him about the problem and let him make some space. If Michael reboots first, the machine will still boot and let him log in.

Scope

The Ubuntu distribution. We will aim to make the system work well enough for a user to be able to log in and delete files using the normal graphical file manager.

Examples of problems we consider out of scope:

  • The user may not be able to run firefox to get help.
  • Other applications may not run properly.
  • The user might fill up swap, e.g. by filling a tmpfs with junk; this is fixable with a reboot.
  • It is possible that some parts of the system or of the user's session will come up in a suboptimal state if the disk was full; this is fixable by making space and then rebooting.
  • The user might not know how to find out which files are using lots of space (and therefore which to consider deleting).

Testing results

At UDS Seville, we did some tests. The current system is remarkably robust. We were able to boot and found only the following two problems:

  • If even the reserved blocks are used on all relevant partitions, gdm cannot write an authority file and login is not possible. gdm already has a fallback feature to write the authority file to a different location, but the currently set alternative location can also be full.
  • The session script attempts to create .gconfd, which can fail. This is only a problem if a user logs in for the first time with a full disk (and then the user's desktop session will not come up properly).

With an ad-hoc solution to the authority file problem, a test system was able to boot properly and the user was able to log in and delete files. A warning notification about low disk space was already displayed but had suboptimal wording and could do with some polish.

  • ScottJamesRemnant: we'd like to see more rigorous testing of the "most things work" hypothesis during the release cycle. For example, finding out what opens files for writing and working out why. Things are definitely expecting to write data, and they shouldn't be. strace and inotify will be helpful here. Please include a plan to test everything installed by default as part of this specification, and document the plan.

Implementation

To address the problems properly:

  • Create a /var/overflow 1 megabyte tmpfs partition. (We don't use /var/run because we don't want a 1777 subdirectory of /var/run which could cause /var/run to fill up.)
  • Make gdm set TMPDIR to this partition if there is less than 1 megabyte available on /tmp.
  • Set gdm's fallback authority location to a suitable place in /var/overflow.
  • Display a better dialog on login explaining that the user needs to free some space and then restart the system.
    • ScottJamesRemnant: some more detail about the implementation of this "dialog" is required. How will it be run? Will it be a dialog or a notification popup? Interaction issues between a dialog and ssh-askpass? Currently a notification appears from gdm complaining about the inability to write configuration changes and there is a warning printed by gnome-session if run from a terminal; these are not ideal. ssh-askpass is out of scope although if it tries to run and fails to do so it is appropriate for it to complain.
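The following is an added example, not code from this specification, from gdm or from Ubuntu: it shows the login-time TMPDIR selection the implementation list describes, with the /var/overflow tmpfs as the fallback. The 1 megabyte threshold, the 1777 root.root mount point and the paths are taken from the spec; the function names, the fstab line and the sample df output are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example (not from the spec or from gdm): choose TMPDIR for a new
# session when /tmp is nearly full, falling back to the /var/overflow
# tmpfs proposed above. Function names and the fstab line are assumptions.

OVERFLOW_DIR=/var/overflow
THRESHOLD_KB=1024          # 1 megabyte, the limit named in the spec

# avail_kb_from_df DF_OUTPUT
#   Extract the "Available" column (1 KB blocks) from the output of
#   `df -Pk DIR`. POSIX -P output is one header line plus one data line,
#   so the value is field 4 of line 2.
avail_kb_from_df() {
    printf '%s\n' "$1" | awk 'NR == 2 { print $4 }'
}

# pick_tmpdir AVAIL_KB
#   Print the directory a fresh session should use as TMPDIR: the
#   overflow tmpfs if /tmp has less than THRESHOLD_KB free, else /tmp.
pick_tmpdir() {
    if [ "$1" -lt "$THRESHOLD_KB" ]; then
        printf '%s\n' "$OVERFLOW_DIR"
    else
        printf '%s\n' /tmp
    fi
}

# session_tmpdir
#   What a display manager would run before starting the session:
#   measure /tmp with df, then export the chosen TMPDIR.
session_tmpdir() {
    avail=$(avail_kb_from_df "$(df -Pk /tmp)")
    TMPDIR=$(pick_tmpdir "${avail:-0}")
    export TMPDIR
    printf '%s\n' "$TMPDIR"
}

# setup_overflow (needs root; not run by default)
#   Create the 1777 root.root mount point and mount the small tmpfs.
#   Equivalent /etc/fstab line (an assumption, not from the spec):
#     tmpfs  /var/overflow  tmpfs  size=1m,mode=1777  0  0
setup_overflow() {
    mkdir -p "$OVERFLOW_DIR" &&
    chown root:root "$OVERFLOW_DIR" &&
    chmod 1777 "$OVERFLOW_DIR" &&
    mount -t tmpfs -o size=1m,mode=1777 tmpfs "$OVERFLOW_DIR"
}

# Constructed df output for a nearly full /tmp (not captured from a real
# machine), so the decision can be shown without filling a disk.
SAMPLE_DF='Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda1         10240000 10239500       500     100% /'

case "${1:-}" in
    demo)
        echo "sample:    $(pick_tmpdir "$(avail_kb_from_df "$SAMPLE_DF")")"
        echo "this host: $(session_tmpdir)"
        ;;
esac
```

Running the script with the `demo` argument prints /var/overflow for the constructed sample and whatever applies to the machine it runs on; `setup_overflow` is only there to show the mount that the spec's fallback relies on and must be run as root.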

/var/overflow

/var/overflow is a 1777 root.root directory with a small tmpfs mounted on it. Its purpose is to allow user sessions and critical applications (such as desktop environments and file managers) to function by using swap for their administrivia in the case the main filesystem is full.

Applications should generally not use this directory directly, as the login sequence will set TMPDIR to /var/overflow if appropriate. Applications without a user interface and which are not part of an interactive session should not use it. /var/overflow should not be used by daemons. It is not guaranteed to exist before booting is completed (in particular, it may not exist until all fixed filesystems have been mounted).

(Text resembling the description above will be forwarded to the Debian policy maintainers and/or to the FHS group.)

Release note

  • Arrangements are now made to ensure that even if the disk is full, the system is functional enough for the user to boot, log in, and be able to view and delete files.

Demo plan

  • install (with a single filesystem) and log in and check that all is well
  • copy some of the example documents into the new user's desktop or home directory
  • sudo dd if=/dev/zero of=/waste-space
  • log out or reboot
  • log in, observe the warning message appears properly, and view and delete some of the example documents
  • if the system is wanted for some other purpose, sudo rm /waste-space and reboot


CategorySpec