Ah, yes - all four hard drives are connected to the motherboard's onboard SATA II ports. There is one additional drive I have neglected to mention thus far (the boot drive) but that is connected via the motherboard's IDE channel, and has remained untouched since the install... I don't really consider it part of the problem, but I thought I should mention it just in case... you never know...

As for the drivers... well, I'm not sure of the command to determine that directly, but going under System > Administration > Device Driver Utility yields the following information under the "Storage" entry:

Components: "ATI Technologies Inc. SB600 IDE"
Driver: pci-ide
--Driver Information--
Driver: pci-ide
Instance: 1
Attach Status: Attached
--Hardware Information--
Vendor ID: 0x1002
Device ID: 0x438c
Class Code: 0001018a
DevPath: /***@0,0/pci-***@14,1

and

Components: "ATI Technologies Inc. SB600 Non-Raid-5 SATA"
Driver: pci-ide
--Driver Information--
Driver: pci-ide
Instance: 0
Attach Status: Attached
--Hardware Information--
Vendor ID: 0x1002
Device ID: 0x4380
Class Code: 0001018f
DevPath: /***@0,0/pci-***@12

Furthermore, there is one Driver Problem detected but the error is under the "USB" entry. There are seven items listed:

Components: ATI Technologies Inc. SB600 USB Controller (EHCI)
Driver: ehci

Components: ATI Technologies Inc. SB600 USB (OHCI4)
Driver: ohci

Components: ATI Technologies Inc. SB600 USB (OHCI3)
Driver: ohci

Components: ATI Technologies Inc. SB600 USB (OHCI2)
Driver: ohci

Components: ATI Technologies Inc. SB600 USB (OHCI1)
Driver: ohci (Driver Misconfigured)

Components: ATI Technologies Inc. SB600 USB (OHCI0)
Driver: ohci

Components: Microsoft Corp. Wheel Mouse Optical
Driver: hid

As you can tell, the OHCI1 device isn't properly configured, but I don't know how to configure it (there's only a "Help" "Submit...", and "Close" button to click, no "Install Driver"). And, to tell you the truth, I'm not even sure it's worth mentioning because I don't have anything but my mouse plugged into USB, and even so... it's a mouse... plugged into USB... hardly something that is going to bring my machine to a grinding halt every time a SATA II disk gets yanked from a RAID-Z array (at least, I should hope the two don't have anything in common!).

And... wait... you mean to tell me that I can't just untick the checkbox that says "Hey, freeze my system when a drive dies" to solve this problem? Ugh. And here I was hoping for a quick fix... ;)

Anyway, how does the above sound? What else can I give you?

-Todd

PS: Thanks, by the way, for the support - I'm not sure where else to turn to for this kind of stuff!


This message posted from opensolaris.org

jcm> Don't _ever_ try that sort of thing with IDE. As I mentioned
jcm> above, IDE is not designed to be able to cope with [unplugging
jcm> a cable]

It shouldn't have to be designed for it, if there's controller
redundancy. On Linux, one drive per IDE bus (not using any ``slave''
drives) seems like it should be enough for any electrical issue, but
is not quite good enough in my experience, when there are two PATA
busses per chip. but one hard drive per chip seems to be mostly okay.
In this SATA-based case, not even that much separation was necessary
for Linux to survive on the same hardware, but I agree with you and
haven't found that level with PATA either.

OTOH, if the IDE drivers are written such that a confusing interaction
with one controller chip brings down the whole machine, then I expect
the IDE drivers to do better. If they don't, why advise people to buy
twice as much hardware ``because, you know, controllers can also fail,
so you should have some controller redundancy''---the advice is worse
than a waste of money, it's snake oil---a false sense of security.

jcm> You could start by taking us seriously when we tell you that
jcm> what you've been doing is not a good idea, and find other ways
jcm> to simulate drive failures.

well, you could suggest a method.

except that the whole point of the story is, Linux, without any
blather about ``green-line'' and ``self-healing,'' without any
concerted platform-wide effort toward availability at all, simply
works more reliably.

thp> So aside from telling me to "[never] try this sort of thing
thp> with IDE" does anyone else have any other ideas on how to
thp> prevent OpenSolaris from locking up whenever an IDE drive is
thp> abruptly disconnected from a ZFS RAID-Z array?

yeah, get a Sil3124 card, which will run in native SATA mode and be
more likely to work. Then, redo your test and let us know what
happens.

The not-fully-voiced suggestion to run your ATI SB600 in native/AHCI
mode instead of pci-ide/compatibility mode is probably a bad one
because of bug 6665032: the chip is only reliable in compatibility
mode. You could trade your ATI board for an nVidia board for about
the same price as the Sil3124 add-on card. AIUI from Linux wiki:

http://ata.wiki.kernel.org/index.php/SATA_hardware_features

...says the old nVidia chips use nv_sata driver, and the new ones use
the ahci driver, so both of these are different from pci-ide and more
likely to work. Get an old one (MCP61 or older), and a new one (MCP65
or newer), repeat your test and let us know what happens.

If the Sil3124 doesn't work, and nv_sata doesn't work, and AHCI on
newer-nVidia doesn't work, then hook the drives up to Linux running
IET on basically any old chip, and mount them from Solaris using the
built-in iSCSI initiator.

If you use iSCSI, you will find:

you will get a pause like with NT. Also, if one of the iSCSI targets
is down, 'zpool status' might hang _every time_ you run it, not just
the first time when the failure is detected. The pool itself will
only hang the first time. Also, you cannot boot unless all iSCSI
targets are available, but you can continue running if some go away
after booting.

Overall IMHO it's not as good as LVM2, but it's more robust than
plugging the drives into Solaris. It also gives you the ability to
run smartctl on the drives (by running it natively on Linux) with full
support for all commands, while someone here who I told to run
smartctl reported that on Solaris 'smartctl -a' worked but 'smartctl
-t' did not. I still have performance problems with iSCSI. I'm not
sure yet if they're unresolvable: there are a lot of tweakables with
iSCSI, like disabling Nagle's algorithm, and enabling RED on the
initiator switchport, but first I need to buy faster CPU's for the
targets.

mh> Dying or dead disks will still normally be able to
mh> communicate with the driver to some extent, so they are still
mh> "there".

The dead disks I have which don't spin also don't respond to
IDENTIFY(0) so they don't really communicate with the driver at all.
now, possibly, *possibly* they are still responsive after they fail,
and become unresponsive after the first time they're
rebooted---because I think they load part of their firmware off the
platters. Also, ATAPI standard says that while ``still
communicating'' drives are allowed to take up to 30sec to answer each
command, which is probably too long to freeze a whole system. and
still, just because ``possibly,'' it doesn't make sense to replace a
tested-working system with a tested-broken system, not even after
someone tells a complicated story trying to convince you the broken
system is actually secretly working, just completely impossible to
test, so you have to accept it based on stardust and fantasy.

js> yanking the drives like that can seriously damage the
js> drives or your motherboard.

no, it can't.

And if I want a software developer's opinion on what will electrically
damage my machine, I'll be sure to let you know first.

jcm> If you absolutely must do something like this, then please use
jcm> what's known as "coordinated hotswap" using the cfgadm(1m)
jcm> command.

jcm> Viz:

jcm> (detect fault in disk c2t3d0, in some way)

jcm> # cfgadm -c unconfigure c2::dsk/c2t3d0 # cfgadm -c disconnect
jcm> c2::dsk/c2t3d0

so....dont dont DONT do it because its STUPID and it might FRY YOUR
DISK AND MOTHERBOARD. but, if you must do it, please warn our
software first?

I shouldn't have to say it, but aside from being absurd this
warning-command completely defeats the purpose of the test.

jcm> Yes, but you're running a new operating system, new
jcm> filesystem... that's a mountain of difference right in front
jcm> of you.

so we do agree that Linux's not freezing in the same scenario
indicates the difference is inside that mountain, which, however
large, is composed entirely of SOFTWARE.

re> The behavior of ZFS to an error reported by an underlying
re> device driver is tunable by the zpool failmode property. By
re> default, it is set to "wait."

I think you like speculation well enough, so long as it's optimistic.

which is the tunable setting that causes other pools, ones not even
including failed devices, to freeze?

Why is the failmode property involved at all in a pool that still has
enough replicas to keep functioning?

cg> We really need to fix (B). It seems the "easy" fixes are:

cg> - Configure faster timeouts and fewer retries on redundant
cg> devices, similar to drive manufacturers' RAID edition
cg> firmware. This could be via driver config file, or (better)
cg> automatically via ZFS, similar to write cache behaviour.

cg> - Propagate timeouts quickly between layers (immediate soft
cg> fail without retry) or perhaps just to the fault management
cg> system

It's also important that things unrelated to the failure aren't
frozen. This was how I heard the ``green line'' marketing campaign
when it was pitched to me, and I found it really compelling because I
felt Linux had too little of this virtue. However compelling, I just
don't find it even slightly acquainted with reality.

I can understand ``unrelated'' is a tricky concept when the boot pool
is involved, but for example when it isn't involved: I've had problems
where one exported data pool's becoming FAULTED stops NFS service from
all other pools. The pool that FAULTED contained no Solaris binaries.

and the zpool status hangs people keep discovering.

I think this is a good test in general: configure two
almost-completely independent stacks through the same kernel:


NFS export NFS export

filesystem filesystem
pool pool

ZFS/NFS

driver driver

controller controller

disks disks


Simulate whatever you regard as a ``catastrophic'' or ``unplanned'' or
``really stupid'' failure, and see how big the shared region in the
middle can be without affecting the other stack. Right now, my
experience is even the stack above does not work. Maybe mountd gets
blocked or something, I don't know. Optimistically, we would of
course like this stack below to remain failure-separate:


NFS export NFS export

filesystem filesystem
pool pool

ZFS/NFS

driver

controller

disks disks


The OP is implying, on Linux that stack DOES keep failures separate.
However, even if ``hot plug'' (or ``hot unplug'' for demanding Linux
users) is not supported, at least this stack below should still be
failure-independent:


NFS export NFS export

filesystem filesystem
pool pool

ZFS/NFS

driver

controller controller

disks disks


I suspect it isn't because the less-demanding stack I started with
isn't failure-independent. There is probably more than one problem
making these failures spread more widely than they should, but so far
we can't even agree on what we wish were working.

I do think the failures need to be isolated better first, independent
of time. It's not ``a failure of a drive on the left should propogate
up the stack faster so that the stack on the right unfreezes before
anyone gets too upset.'' The stack on the right shouldn't freeze at
all.

Howdy James,

While responding to halstead's post (see below), I had to restart several times to complete some testing. I'm not sure if that's important to these commands or not, but I just wanted to put it out there anyway.
This is the output from both commands:

***@mediaserver:~# fmadm faulty
--------------- ------------------------------------ -------------- ---------
TIME EVENT-ID MSG-ID SEVERITY
--------------- ------------------------------------ -------------- ---------
Aug 27 01:07:08 0d9c30f1-b2c7-66b6-f58d-9c6bcb95392a ZFS-8000-FD Major

Fault class : fault.fs.zfs.vdev.io
Description : The number of I/O errors associated with a ZFS device exceeded
acceptable levels. Refer to http://sun.com/msg/ZFS-8000-FD
for more information.
Response : The device has been offlined and marked as faulted. An attempt
will be made to activate a hot spare if available.
Impact : Fault tolerance of the pool may be compromised.
Action : Run 'zpool status -x' and replace the bad device.



***@mediaserver:~# fmdump -v
TIME UUID SUNW-MSG-ID
Aug 27 01:07:08.2040 0d9c30f1-b2c7-66b6-f58d-9c6bcb95392a ZFS-8000-FD
100% fault.fs.zfs.vdev.io

Problem in: zfs://pool=mediapool/vdev=bfaa3595c0bf719
Affects: zfs://pool=mediapool/vdev=bfaa3595c0bf719
FRU: -
Location: -
This is the output from cfgadm -lav

***@mediaserver:~# cfgadm -lav
Ap_Id Receptacle Occupant Condition Information
When Type Busy Phys_Id
usb2/1 empty unconfigured ok
unavailable unknown n /devices/***@0,0/pci1458,***@13:1
usb2/2 connected configured ok
Mfg: Microsoft Product: Microsoft 3-Button Mouse with IntelliEye(TM)
NConfigs: 1 Config: 0 <no cfg str descr>
unavailable usb-mouse n /devices/***@0,0/pci1458,***@13:2
usb3/1 empty unconfigured ok
unavailable unknown n /devices/***@0,0/pci1458,***@13,2:1
usb3/2 empty unconfigured ok
unavailable unknown n /devices/***@0,0/pci1458,***@13,2:2
usb4/1 empty unconfigured ok
unavailable unknown n /devices/***@0,0/pci1458,***@13,3:1
usb4/2 empty unconfigured ok
unavailable unknown n /devices/***@0,0/pci1458,***@13,3:2
usb5/1 empty unconfigured ok
unavailable unknown n /devices/***@0,0/pci1458,***@13,4:1
usb5/2 empty unconfigured ok
unavailable unknown n /devices/***@0,0/pci1458,***@13,4:2
usb6/1 empty unconfigured ok
unavailable unknown n /devices/***@0,0/pci1458,***@13,5:1
usb6/2 empty unconfigured ok
unavailable unknown n /devices/***@0,0/pci1458,***@13,5:2
usb6/3 empty unconfigured ok
unavailable unknown n /devices/***@0,0/pci1458,***@13,5:3
usb6/4 empty unconfigured ok
unavailable unknown n /devices/***@0,0/pci1458,***@13,5:4
usb6/5 empty unconfigured ok
unavailable unknown n /devices/***@0,0/pci1458,***@13,5:5
usb6/6 empty unconfigured ok
unavailable unknown n /devices/***@0,0/pci1458,***@13,5:6
usb6/7 empty unconfigured ok
unavailable unknown n /devices/***@0,0/pci1458,***@13,5:7
usb6/8 empty unconfigured ok
unavailable unknown n /devices/***@0,0/pci1458,***@13,5:8
usb6/9 empty unconfigured ok
unavailable unknown n /devices/***@0,0/pci1458,***@13,5:9
usb6/10 empty unconfigured ok
unavailable unknown n /devices/***@0,0/pci1458,***@13,5:10
usb7/1 empty unconfigured ok
unavailable unknown n /devices/***@0,0/pci1458,***@13,1:1
usb7/2 empty unconfigured ok
unavailable unknown n /devices/***@0,0/pci1458,***@13,1:2

You'll notice that the only thing listed is my USB mouse... is that expected?
If you really want, I can list the output from /var/adm/messages, but it doesn't seem to add anything new to what I've already copied and pasted.
I would if I had some sort of set-up that supposedly promised me redundant PCI/PCI-E cards... You might think it's stupid, but how else could one be sure that the back-up PCI/PCI-E card would take over when the primary one died?

Unplugging one of them seems like a fine test to me - It's definitely the worst case scenario, and if the rig survives that, then I _know_ I would be able to rely on it for redundancy should one of the cards fail (which would most likely occur in a less spectacular fashion than a quick yank anyways)
Thanks for the command listings - they'll certainly prove useful if I should ever find myself in a situation where I have to manually swap a disk like you described. Unfortunately though, I'm with Miles Nordin (see below) on this one - I don't want to warn OpenSolaris of what I'm about to do... That would defeat the purpose of the test. Even with technologies (like S.M.A.R.T.) that are designed to give you a bit of a heads-up, as Heikki Suonsivu and Google have noted, they're not very reliable at all (research.google.com/archive/disk_failures.pdf).

And I want this test to be as rough as it gets. I don't want to play nice with this system... I want to drag it through the most tortuous worst-case scenario tests I can imagine, and if it survives with all my test data intact, then (and only then) will I begin to trust it.
Oohh... Thank you. Good Links. I'm bookmarking these for future reading. They'll definitely be helpful if we end up choosing to deploy OpenSolaris + ZFS for our media servers.

-Todd


This message posted from opensolaris.org

Hi Todd,

Having finally gotten the time to read through this entire thread, I think Ralf said it best. ZFS can provide data integrity, but you're reliant on hardware and drivers for data availability.

In this case either your SATA controller, or the drivers for it don't cope at all well with a device going offline, so what you need is a SATA card that can handle that. Provided you have a controller that can cope with the disk errors, it should be able to return the appropriate status information to ZFS, which will in turn ensure your data is ok.

The technique obviously works or Sun's x4500 servers wouldn't be doing anywhere near as well as they are. The problem we all seem to be having is finding white box hardware that supports it.

I suspect your best bet would be to pick up a SAS controller based on the LSI chipsets used in the new x4540 server. There's been a fair bit of discussion here on these, and while there's a limitation in that you will have to manually keep track of drive names, I would expect it to handle disk failures (and pulling disks) much better, but you would probably be well advised asking the folks on the forums running those SAS controllers whether they've been able to pull disks sucessfully.

I think the solution you need is definately to get a better disk controller, and your choice is either a plain SAS controller, or a raid controller that can present individual disks in pass through mode since they *definately* are designed to handle failures.

Ross


This message posted from opensolaris.org