Detect IO errors during device removal

[behlendorf]

Motivation and Context

The zpool remove command should never be able to damage a pool
during device removal for situations where it's detectable and avoidable.
This particular issue was uncovered by long runs of ztest which would
occasionally produce pools with a handful of non-reconstructable blocks.
@tcaputi identified the root cause as scenario 1 described below.

Description

While device removal cannot verify the checksums of individual
blocks during device removal, it can reasonably detect hard IO
errors from the leaf vdevs. Failure to perform this error
checking can result in device removal completing successfully,
but moving no data which will permanently corrupt the pool.

• Situation 1: faulted/degraded vdevs

In the configuration shown below, the removal of mirror-0 will
permanently corrupt the pool. Device removal will preferentially
copy data from 'vdev1 -> vdev3' and from 'vdev2 -> vdev4'. Which
in this case will result in nothing being copied since one vdev
in each of those groups in unavailable. However, device removal
will complete successfully since all IO errors are ignored.

  tank                DEGRADED     0     0     0
    mirror-0          DEGRADED     0     0     0
      /var/tmp/vdev1  FAULTED      0     0     0  external fault
      /var/tmp/vdev2  ONLINE       0     0     0
    mirror-1          DEGRADED     0     0     0
      /var/tmp/vdev3  ONLINE       0     0     0
      /var/tmp/vdev4  FAULTED      0     0     0  external fault

This issue is resolved by updating the source child selection
logic to exclude unreadable leaf vdevs. Additionally, unwritable
destination child vdevs which can never succeed are skipped to
prevent generating a large number of write IO errors.

• Situation 2: individual hard IO errors

During removal if an unexpected hard IO error is encountered when
either reading or writing the child vdev the entire removal
operation is cancelled. While it may be possible to reconstruct
the data after removal that cannot be guaranteed. The only
strictly safe thing to do is to cancel the removal.

As a future improvement we may want to instead suspend the removal
process and allow the damaged region to be retried. But that work
is left for another time, hard IO errors during the removal process
are expected to be exceptionally rare.

How Has This Been Tested?

A test case for each scenario described above was added. Prior to
this change the pool would be corrupted, afterwards it is not.

A 14 hour run of ztest resulted in no failures due to a pool which
could not be reconstructed. Normally, I'd see one of these failures
after about ~10 hours. I'll do a longer run of ztest for additonal
verification.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Performance enhancement (non-breaking change which improves efficiency)
• Code cleanup (non-breaking change which makes code smaller or more readable)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation (a change to man pages or other documentation)

Checklist:

• My code follows the ZFS on Linux code style requirements.
• I have updated the documentation accordingly.
• I have read the contributing document.
• I have added tests to cover my changes.
• All new and existing tests passed.
• All commit messages are properly formatted and contain Signed-off-by.

[tonyhutter]

The $WORDS_FILE* cases look to be optional. Can they be removed?

[behlendorf]

This was an Illumos thing, I can drop it and do something generic.

[codecov]

Codecov Report

Merging #8161 into master will increase coverage by 0.17%.
The diff coverage is 87.5%.

@@            Coverage Diff             @@
##           master    #8161      +/-   ##
==========================================
+ Coverage   78.45%   78.62%   +0.17%     
==========================================
  Files         378      378              
  Lines      114765   114793      +28     
==========================================
+ Hits        90035    90260     +225     
+ Misses      24730    24533     -197

Flag	Coverage Δ
#kernel	78.95% <87.09%> (+0.31%)	⬆️
#user	67.67% <50%> (+0.27%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c40a112...ba25605. Read the comment docs.

[sdimitro]

I just have a question and a few nits for now. But this looks good to me as a first pass.
Thanks for writing those regression tests btw. This is great!

[sdimitro]

Similar to my comment on that other test file you can explain this in a high-level comment close to the top of the file.

[tcaputi]

This is generally a good incremental improvement, and it certainly fixes some pretty glaring issues. Before 0.8.0 is released we might want to look at the UI piece of this again and make sure it makes sense.

[behlendorf]

Update: after several days of running ztest I can confirm this has resolved the observed issue.