<div class="gmail_quote">On Sun, Nov 27, 2011 at 8:08 PM, Douglas McClendon <span dir="ltr"><<a href="mailto:dmc.lists@filteredperception.org">dmc.lists@filteredperception.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"> <div class="im">On 11/27/2011 04:31 PM, Frederick Grose wrote:<br> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"> On Sat, Oct 29, 2011 at 4:49 PM, Alasdair G Kergon <<a href="mailto:agk@redhat.com" target="_blank">agk@redhat.com</a><br></div><div class="im"> <mailto:<a href="mailto:agk@redhat.com" target="_blank">agk@redhat.com</a>>> wrote:<br> <br> markmc did some code that shows how to read the format a few years<br> ago here:<br> <a href="http://people.gnome.org/~markmc/code/merge-dm-snapshot.c" target="_blank">http://people.gnome.org/~<u></u>markmc/code/merge-dm-snapshot.<u></u>c</a><br></div> <<a href="http://people.gnome.org/%7Emarkmc/code/merge-dm-snapshot.c" target="_blank">http://people.gnome.org/%<u></u>7Emarkmc/code/merge-dm-<u></u>snapshot.c</a>><div class="im"><br> <br> Otherwise look at dm-snap-persistent.c in the kernel tree.<br> <br> Alasdair<br> <br> <br> Users can easily exhaust a LiveUSB snapshot overlay by writing<br> too many changes to the OS filesystem, such as by performing<br> a yum update.<br> <br> Would such an 'exhausted' overlay be amenable to some sort of<br> data recovery or forensics?<br> <br> If so, how so; if not, why not?<br> </div></blockquote> <br> Can you not mount the exhausted dm snapshot? If you mean data recovery or forensics beyond that, please elaborate.<br> <br> I know I've had issues 'read-only' mounting ext3(2?3?4?) filesystems before (on actually read-only block devices). Maybe some flags that I've forgotten get past that, but worst case you can always fake a writable device with a 2nd overlay/snapshot going to a writable device, i.e. if you wanted to let fsck repair things.<br> <br> -dmc</blockquote><div><br></div><div><font face="'courier new', monospace">A typical scenario goes like this:</font></div><div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace">A LiveCD is loaded onto a USB device with a relatively small</font></div> <div><font face="'courier new', monospace">persistent overlay and no separate home.img filesystem. The user</font></div><div><font face="'courier new', monospace">proceeds to use the system and save some information. They may</font></div> <div><font face="'courier new', monospace">execute a df command and see that there is lots of space</font></div><div><font face="'courier new', monospace">available on the rootfs. Then they decide to execute a yum</font></div> <div><font face="'courier new', monospace">update or yum install when there is insufficient space available.</font></div><div><font face="'courier new', monospace">(They do not know about dmsetup status.) Their session will now</font></div> <div><font face="'courier new', monospace">not shutdown normally. dmsetup status now shows</font></div><div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace">live-rw: 0 8388608 snapshot Invalid.</font></div> <div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace">The device fails to complete a subsequent boot attempt. The</font></div><div><font face="'courier new', monospace">startup log shows</font></div> <div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace">mount: /dev/mapper/live-rw: can't read superblock</font></div><div><font face="'courier new', monospace"><br> </font></div><div><font face="'courier new', monospace">e2fsck /dev/dm-0 shows</font></div><div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace">Buffer I/O error on device dm-0, logical block 0 (and 1, 2, 3, 0)</font></div> <div><font face="'courier new', monospace">e2fsck: Attempt to read block from the filesystem resulted in</font></div><div><font face="'courier new', monospace">short read while trying to open /dev/dm-0</font></div> <div><font face="'courier new', monospace">Could this be a zero-length partition?</font></div><div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace">I recreated the above scenario on Fedora-16-Live-Desktop</font></div> <div><font face="'courier new', monospace">installed with an overlay-size-mb of 100. After updating to ~70%</font></div><div><font face="'courier new', monospace">of the overlay, I wrote with</font></div> <div><font face="'courier new', monospace">dd if=/dev/zero of=/boot/load bs=1M count=10</font></div><div><font face="'courier new', monospace">3 times to exhaust the overlay.</font></div><div><font face="'courier new', monospace"><br> </font></div><div><font face="'courier new', monospace">With the defective device mounted on a good system, and loop</font></div><div><font face="'courier new', monospace">devices set up for ext3fs.img and the overlay file,</font></div> <div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace">dmsetup create item --table "0 8388608 snapshot 7:1 7:2 P 8"</font></div><div><font face="'courier new', monospace">reports</font></div> <div><font face="'courier new', monospace">item: 0 8388608 snapshot Invalid</font></div><div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace">e2fsck /dev/dm-0 reports</font></div> <div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace"><div>e2fsck 1.41.14 (22-Dec-2010)</div><div>e2fsck: Attempt to read block from filesystem resulted in short</div> <div>read while trying to open /dev/dm-0</div><div>Could this be a zero-length partition?</div><div><br></div></font></div><div><font face="'courier new', monospace">A hex editor view of the overlay file shows lots of content with</font></div> <div><font face="'courier new', monospace">lots of zeros at the end of the file.</font></div><div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace">My questions are these:</font></div> <div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace">Might there be a way to edit the overlay </font><span style="font-family: 'courier new', monospace; ">file to restore its</span></div> <div><span style="font-family: 'courier new', monospace; ">utility for the information written before </span><span style="font-family: 'courier new', monospace; ">the damaging write?</span></div><div><font face="'courier new', monospace"><br> </font></div><div><font face="'courier new', monospace">If so, how so; if not, why not?</font></div><div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace">Suitable references would do as well.</font></div> <div><font face="'courier new', monospace"><br></font></div><div><font face="'courier new', monospace">Thanks! --Fred</font></div><div><span style="font-family: 'courier new', monospace; "><br> </span></div><div><font face="'courier new', monospace"><br></font></div></div>