mon: implement safety interlock for deleting pools

This is a very easy way for users to accidentally to a *lot* of damage.
Make it an annoying manual process to actually do this.

Signed-off-by: Sage Weil <sage@inktank.com>

diff --git a/src/mon/OSDMonitor.cc b/src/mon/OSDMonitor.cc
index 226229591d3e4e9c4dcfce8eba59c64411d071a3..96e2aa12ea741caf369c87ca2c0a69a8e198abad 100644 (file)
--- a/src/mon/OSDMonitor.cc
+++ b/src/mon/OSDMonitor.cc
@@ -61,6 +61,7 @@ static ostream& _prefix(std::ostream *_dout, Monitor *mon, OSDMap& osdmap) {
 /************ MAPS ****************/
 OSDMonitor::OSDMonitor(Monitor *mn, Paxos *p)
   : PaxosService(mn, p),
+    delete_pool_nonce(0),
     thrash_map(0), thrash_last_up_osd(-1)
 {
   // we need to trim this too
@@ -2779,19 +2780,50 @@ bool OSDMonitor::prepare_command(MMonCommand *m)
        paxos->wait_for_commit(new Monitor::C_Command(mon, m, 0, rs, paxos->get_version()));
        return true;
       } else if (m->cmd[2] == "delete" && m->cmd.size() >= 4) {
-       //hey, let's delete a pool!
+       // osd pool delete <poolname> <poolname again> <nonce>
+       // hey, let's delete a pool!
        int64_t pool = osdmap.lookup_pg_pool_name(m->cmd[3].c_str());
        if (pool < 0) {
          ss << "pool '" << m->cmd[3] << "' does not exist";
          err = 0;
-       } else {
-         int ret = _prepare_remove_pool(pool);
-         if (ret == 0)
-           ss << "pool '" << m->cmd[3] << "' deleted";
-         getline(ss, rs);
-         paxos->wait_for_commit(new Monitor::C_Command(mon, m, ret, rs, paxos->get_version()));
-         return true;
+         goto out;
+       }
+       if (m->cmd.size() < 6) {
+         delete_pool_nonce = rand();
+         delete_pool_nonce_timeout = ceph_clock_now(g_ceph_context);
+         delete_pool_nonce_timeout += 30;
+         ss << "WARNING: this will efficiently **DESTROY** an entire pool of data.  if you are ABSOLUTELY CERTAIN"
+            << " that this is what you want to do, retry listing the pool name twice, followed by " << delete_pool_nonce
+            << " within 30 seconds.";
+         err = -EPERM;
+         goto out;
        }
+       assert(m->cmd.size() >= 6);
+       if (m->cmd[4] != m->cmd[3]) {
+         ss << "ERROR: you must list the pool name you want to **DESTROY** twice";
+         err = -EPERM;
+         goto out;
+       }
+       unsigned safety = atol(m->cmd[5].c_str());
+       if (safety != delete_pool_nonce) {
+         ss << "ERROR: did not confirm pool deletion with correct confirmation; " << safety << " != " << delete_pool_nonce << "; try again";
+         err = -EPERM;
+         goto out;
+       }
+       if (ceph_clock_now(g_ceph_context) > delete_pool_nonce_timeout) {
+         ss << "ERROR: did not confirm pool deletion within 30 seconds; try again";
+         err = -EPERM;
+         goto out;
+       }
+       assert(safety == delete_pool_nonce);
+       delete_pool_nonce = 0;
+       delete_pool_nonce_timeout = utime_t();
+       int ret = _prepare_remove_pool(pool);
+       if (ret == 0)
+         ss << "pool '" << m->cmd[3] << "' deleted";
+       getline(ss, rs);
+       paxos->wait_for_commit(new Monitor::C_Command(mon, m, ret, rs, paxos->get_version()));
+       return true;
       } else if (m->cmd[2] == "rename" && m->cmd.size() == 5) {
        int64_t pool = osdmap.lookup_pg_pool_name(m->cmd[3].c_str());
        if (pool < 0) {

diff --git a/src/mon/OSDMonitor.h b/src/mon/OSDMonitor.h
index 9529f731c84e7f52374110d504a8f3bec2f9eaa8..e389c65e825f155af3dca648f98bbfdc5350cbfe 100644 (file)
--- a/src/mon/OSDMonitor.h
+++ b/src/mon/OSDMonitor.h
@@ -123,6 +123,9 @@ private:
 
   map<int,double> osd_weight;
 
+  unsigned delete_pool_nonce;        // safety interlock for removing pools
+  utime_t delete_pool_nonce_timeout;
+
   void check_failures(utime_t now);
   bool check_failure(utime_t now, int target_osd, failure_info_t& fi);