Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 14 Dec 2016 09:14:30 -0700
From:      Alan Somers <asomers@freebsd.org>
To:        Dirk-Willem van Gulik <dirkx@webweaving.org>
Cc:        FreeBSD Hackers <hackers@freebsd.org>
Subject:   Re: ZFS - directory entry
Message-ID:  <CAOtMX2i5_tL=jXcq2T5F2CkiQUVK9DoYofUsktNGXOHkmLaYRg@mail.gmail.com>
In-Reply-To: <BEAC6EE9-C50F-4FB9-B215-D5A6691E2DD9@webweaving.org>
References:  <BEAC6EE9-C50F-4FB9-B215-D5A6691E2DD9@webweaving.org>
next in thread | previous in thread | raw e-mail | index | archive | help 

On Wed, Dec 14, 2016 at 8:27 AM, Dirk-Willem van Gulik
<dirkx@webweaving.org> wrote:
> A rather odd directory entry (in /root, the home dir of root/toor) appeared on a bog standard FreeBSD 10.2 (p18) lightly loaded machine under ZFS during/post a backup:
>
> $ ls -la /root | tail -q
> ----------   1 root  wheel  9223372036854775807 Jan  1  1970 ?%+?kD?H???x,?5?Dh;*s!?h???jw??????\h?:????????``?13?@?????OA????????Puux????<T]???R??Qv?g???]??%?R?
>
> OS and ZFS is installed with a bog standard sysinstall. ‘SMART’ nor smartd have reported anything. nothing in dmesg, syslog of boot log. Any suggestions as how to debug or get to the root of this ?
>
> And in particular - what is a risk of a reboot (to get a kernel with debug, etc) causing the issue to ‘go away’ - and hence stopping the forensic ?
>
> Dw.
>
> sudo zpool list -v
> NAME         SIZE  ALLOC   FREE  EXPANDSZ   FRAG    CAP  DEDUP  HEALTH  ALTROOT
> tank        25.2T  9.27T  16.0T         -    17%    36%  1.53x  ONLINE  -
>   raidz3    25.2T  9.27T  16.0T         -    17%    36%
>     ada0p3      -      -      -         -      -      -
>     ada1p3      -      -      -         -      -      -
>     ada2p3      -      -      -         -      -      -
>     ada3p3      -      -      -         -      -      -
>     ada4p3      -      -      -         -      -      -
>     ada5p3      -      -      -         -      -      -
>     ada6p3      -      -      -         -      -      -

Two things to try:
1) zpool scrub.  This will reveal any corrupt metadata objects
2) Maybe the filename is created in an encoding not supported by your
current terminal.  Try "LANG=en_US.UTF-8 ls -l"
3) Use zdb to examine the file.  First, do "ls -li /root" to get the
object id.  It's the same as the inode number.  Then, assuming /root
is in the tank/root filesystem, do "zdb -ddddd tank/root <object id>".
That might reveal some clues.

-Alan

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOtMX2i5_tL=jXcq2T5F2CkiQUVK9DoYofUsktNGXOHkmLaYRg>