disko icon indicating copy to clipboard operation
disko copied to clipboard

Published 20 hours ago verified publisher icon nix-community

feat: prompt before formatting

Open crabdancing opened this issue 1 year ago • 6 comments

disko is dangerous. In particular, it will happily destroy any disk if you accidentally set the mode disko instead of mount. I've ended up making this mistake twice, and having to copy files again to correct it. For someone without a backup, the effects could be even worse.

Making disko ask for confirmation by default, with a -y flag to force it to continue without prompting, would be ideal for avoiding most mistakes.

crabdancing avatar Aug 03 '24 04:08 crabdancing

What is the behavior if I add a new disk, eg. new EBS volume. We need to run with mode=disko on the new EBS volume but want to keep the older disk to be intact and untouched. Is there a way to make that happen? or you would just comment out the previous disk block before running with mode=disko.

I've to test this out. I was just about to do this in a production system but think i'll re-think.

related: https://github.com/nix-community/disko/issues/533

geekodour avatar Aug 12 '24 02:08 geekodour

Disko can run incrementally, I used this to create new zfs datasets. However I would test if it works for your use case on a system where you don't care about the data, I found a bug in the process where it deleted lost a zpool. Meaning there might be many edge cases we have not discovered yet.

Mic92 avatar Aug 12 '24 04:08 Mic92

It would be interesting to contemplate implementing the disko primitives in a terraform provider. Then you gain the tf planning mechanism, state, and other niceties.

sedlund avatar Aug 12 '24 07:08 sedlund

Disko can run incrementally

Yes, with --mode format. But that mode isn't very dangerous anyway, it will never delete anything. The issue mentions --mode disko, which wipes everything without asking by default.

Making disko ask for confirmation by default, with a -y flag to force it to continue without prompting, would be ideal for avoiding most mistakes.

I am very much in favor of this.

One note for implementation: nixos-anywhere runs diskoScript directly. As nixos-anywhere does not lock the version of disko it uses (which comes from the nixosConfiguration), we need to be careful about potential compatibility issues. A simple solution would be to put this check into the CLI, not into the diskoScript.

iFreilicht avatar Sep 20 '24 20:09 iFreilicht

quick overview of #772 (closed)

5 implementation ideas:

add one or more of the following to the CLI.

  1. add a --confirm flag to the CLI requring a yes | no | abort for each disk. This is backwards compatible.
  2. add a --yes flag to the CLI to force auto-confirm. This would mean changing the default to prompt per disk. This is a breaking change.
  3. add a --disk <disk-name> where disk-name is one of the disko.devices.disk.<disk-name> to limit the scope to run only for that disk. Good for when adding a new disk to an existing disk-config.nix. This is also backwards compatible.
  4. same as 3 but --device /dev/sda which limits the command to only that device. This is also backwards compatible.
  5. same as 3 and 4... add a --partition <part-name> for adding a new partition. This could cover logical partitions and subvolumes as well. This is also backwards compatible.

adam248 avatar Sep 21 '24 06:09 adam248

@adam248 your ticket was not a duplicate of this one. Please re-open it. This ticket is about a clearly-defined, simple solution for --mode disko to simply ask for confirmation once before wiping everything. Your ticket is about granular confirmation/feedback to all formatting actions. Let's discuss the options for that there.

iFreilicht avatar Sep 21 '24 11:09 iFreilicht