2019-07-26 09:51:27 -03:00
|
|
|
:orphan:
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
Making Filesystems Exportable
|
|
|
|
=============================
|
|
|
|
|
2007-10-21 16:42:19 -07:00
|
|
|
Overview
|
|
|
|
--------
|
|
|
|
|
|
|
|
All filesystem operations require a dentry (or two) as a starting
|
2005-04-16 15:20:36 -07:00
|
|
|
point. Local applications have a reference-counted hold on suitable
|
2007-10-21 16:42:19 -07:00
|
|
|
dentries via open file descriptors or cwd/root. However remote
|
2005-04-16 15:20:36 -07:00
|
|
|
applications that access a filesystem via a remote filesystem protocol
|
|
|
|
such as NFS may not be able to hold such a reference, and so need a
|
|
|
|
different way to refer to a particular dentry. As the alternative
|
|
|
|
form of reference needs to be stable across renames, truncates, and
|
|
|
|
server-reboot (among other things, though these tend to be the most
|
|
|
|
problematic), there is no simple answer like 'filename'.
|
|
|
|
|
|
|
|
The mechanism discussed here allows each filesystem implementation to
|
2007-10-21 16:42:19 -07:00
|
|
|
specify how to generate an opaque (outside of the filesystem) byte
|
2005-04-16 15:20:36 -07:00
|
|
|
string for any dentry, and how to find an appropriate dentry for any
|
|
|
|
given opaque byte string.
|
|
|
|
This byte string will be called a "filehandle fragment" as it
|
|
|
|
corresponds to part of an NFS filehandle.
|
|
|
|
|
|
|
|
A filesystem which supports the mapping between filehandle fragments
|
2007-10-21 16:42:19 -07:00
|
|
|
and dentries will be termed "exportable".
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Dcache Issues
|
|
|
|
-------------
|
|
|
|
|
|
|
|
The dcache normally contains a proper prefix of any given filesystem
|
|
|
|
tree. This means that if any filesystem object is in the dcache, then
|
|
|
|
all of the ancestors of that filesystem object are also in the dcache.
|
|
|
|
As normal access is by filename this prefix is created naturally and
|
|
|
|
maintained easily (by each object maintaining a reference count on
|
|
|
|
its parent).
|
|
|
|
|
|
|
|
However when objects are included into the dcache by interpreting a
|
|
|
|
filehandle fragment, there is no automatic creation of a path prefix
|
|
|
|
for the object. This leads to two related but distinct features of
|
|
|
|
the dcache that are not needed for normal filesystem access.
|
|
|
|
|
2019-07-26 09:51:27 -03:00
|
|
|
1. The dcache must sometimes contain objects that are not part of the
|
2005-04-16 15:20:36 -07:00
|
|
|
proper prefix. i.e that are not connected to the root.
|
2019-07-26 09:51:27 -03:00
|
|
|
2. The dcache must be prepared for a newly found (via ->lookup) directory
|
2005-04-16 15:20:36 -07:00
|
|
|
to already have a (non-connected) dentry, and must be able to move
|
|
|
|
that dentry into place (based on the parent and name in the
|
|
|
|
->lookup). This is particularly needed for directories as
|
|
|
|
it is a dcache invariant that directories only have one dentry.
|
|
|
|
|
|
|
|
To implement these features, the dcache has:
|
|
|
|
|
2019-07-26 09:51:27 -03:00
|
|
|
a. A dentry flag DCACHE_DISCONNECTED which is set on
|
2005-04-16 15:20:36 -07:00
|
|
|
any dentry that might not be part of the proper prefix.
|
|
|
|
This is set when anonymous dentries are created, and cleared when a
|
|
|
|
dentry is noticed to be a child of a dentry which is in the proper
|
VFS: don't keep disconnected dentries on d_anon
The original purpose of the per-superblock d_anon list was to
keep disconnected dentries in the cache between consecutive
requests to the NFS server. Dentries can be disconnected if
a client holds a file open and repeatedly performs IO on it,
and if the server drops the dentry, whether due to memory
pressure, server restart, or "echo 3 > /proc/sys/vm/drop_caches".
This purpose was thwarted by commit 75a6f82a0d10 ("freeing unlinked
file indefinitely delayed") which caused disconnected dentries
to be freed as soon as their refcount reached zero.
This means that, when a dentry being used by nfsd gets disconnected, a
new one needs to be allocated for every request (unless requests
overlap). As the dentry has no name, no parent, and no children,
there is little of value to cache. As small memory allocations are
typically fast (from per-cpu free lists) this likely has little cost.
This means that the original purpose of s_anon is no longer relevant:
there is no longer any need to keep disconnected dentries on a list so
they appear to be hashed.
However, s_anon now has a new use. When you mount an NFS filesystem,
the dentry stored in s_root is just a placebo. The "real" root dentry
is allocated using d_obtain_root() and so it kept on the s_anon list.
I don't know the reason for this, but suspect it related to NFSv4
where a mount of "server:/some/path" require NFS to look up the root
filehandle on the server, then walk down "/some" and "/path" to get
the filehandle to mount.
Whatever the reason, NFS depends on the s_anon list and on
shrink_dcache_for_umount() pruning all dentries on this list. So we
cannot simply remove s_anon.
We could just leave the code unchanged, but apart from that being
potentially confusing, the (unfair) bit-spin-lock which protects
s_anon can become a bottle neck when lots of disconnected dentries are
being created.
So this patch renames s_anon to s_roots, and stops storing
disconnected dentries on the list. Only dentries obtained with
d_obtain_root() are now stored on this list. There are many fewer of
these (only NFS and NILFS2 use the call, and only during filesystem
mount) so contention on the bit-lock will not be a problem.
Possibly an alternate solution should be found for NFS and NILFS2, but
that would require understanding their needs first.
Signed-off-by: NeilBrown <neilb@suse.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-12-21 09:45:40 +11:00
|
|
|
prefix. If the refcount on a dentry with this flag set
|
|
|
|
becomes zero, the dentry is immediately discarded, rather than being
|
|
|
|
kept in the dcache. If a dentry that is not already in the dcache
|
|
|
|
is repeatedly accessed by filehandle (as NFSD might do), an new dentry
|
|
|
|
will be a allocated for each access, and discarded at the end of
|
|
|
|
the access.
|
|
|
|
|
|
|
|
Note that such a dentry can acquire children, name, ancestors, etc.
|
|
|
|
without losing DCACHE_DISCONNECTED - that flag is only cleared when
|
|
|
|
subtree is successfully reconnected to root. Until then dentries
|
|
|
|
in such subtree are retained only as long as there are references;
|
|
|
|
refcount reaching zero means immediate eviction, same as for unhashed
|
|
|
|
dentries. That guarantees that we won't need to hunt them down upon
|
|
|
|
umount.
|
|
|
|
|
2019-07-26 09:51:27 -03:00
|
|
|
b. A primitive for creation of secondary roots - d_obtain_root(inode).
|
VFS: don't keep disconnected dentries on d_anon
The original purpose of the per-superblock d_anon list was to
keep disconnected dentries in the cache between consecutive
requests to the NFS server. Dentries can be disconnected if
a client holds a file open and repeatedly performs IO on it,
and if the server drops the dentry, whether due to memory
pressure, server restart, or "echo 3 > /proc/sys/vm/drop_caches".
This purpose was thwarted by commit 75a6f82a0d10 ("freeing unlinked
file indefinitely delayed") which caused disconnected dentries
to be freed as soon as their refcount reached zero.
This means that, when a dentry being used by nfsd gets disconnected, a
new one needs to be allocated for every request (unless requests
overlap). As the dentry has no name, no parent, and no children,
there is little of value to cache. As small memory allocations are
typically fast (from per-cpu free lists) this likely has little cost.
This means that the original purpose of s_anon is no longer relevant:
there is no longer any need to keep disconnected dentries on a list so
they appear to be hashed.
However, s_anon now has a new use. When you mount an NFS filesystem,
the dentry stored in s_root is just a placebo. The "real" root dentry
is allocated using d_obtain_root() and so it kept on the s_anon list.
I don't know the reason for this, but suspect it related to NFSv4
where a mount of "server:/some/path" require NFS to look up the root
filehandle on the server, then walk down "/some" and "/path" to get
the filehandle to mount.
Whatever the reason, NFS depends on the s_anon list and on
shrink_dcache_for_umount() pruning all dentries on this list. So we
cannot simply remove s_anon.
We could just leave the code unchanged, but apart from that being
potentially confusing, the (unfair) bit-spin-lock which protects
s_anon can become a bottle neck when lots of disconnected dentries are
being created.
So this patch renames s_anon to s_roots, and stops storing
disconnected dentries on the list. Only dentries obtained with
d_obtain_root() are now stored on this list. There are many fewer of
these (only NFS and NILFS2 use the call, and only during filesystem
mount) so contention on the bit-lock will not be a problem.
Possibly an alternate solution should be found for NFS and NILFS2, but
that would require understanding their needs first.
Signed-off-by: NeilBrown <neilb@suse.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-12-21 09:45:40 +11:00
|
|
|
Those do _not_ bear DCACHE_DISCONNECTED. They are placed on the
|
|
|
|
per-superblock list (->s_roots), so they can be located at umount
|
|
|
|
time for eviction purposes.
|
2005-04-16 15:20:36 -07:00
|
|
|
|
2019-07-26 09:51:27 -03:00
|
|
|
c. Helper routines to allocate anonymous dentries, and to help attach
|
2005-04-16 15:20:36 -07:00
|
|
|
loose directory dentries at lookup time. They are:
|
2019-07-26 09:51:27 -03:00
|
|
|
|
2014-02-18 12:31:31 -05:00
|
|
|
d_obtain_alias(inode) will return a dentry for the given inode.
|
2005-04-16 15:20:36 -07:00
|
|
|
If the inode already has a dentry, one of those is returned.
|
2019-07-26 09:51:27 -03:00
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
If it doesn't, a new anonymous (IS_ROOT and
|
2019-07-26 09:51:27 -03:00
|
|
|
DCACHE_DISCONNECTED) dentry is allocated and attached.
|
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
In the case of a directory, care is taken that only one dentry
|
|
|
|
can ever be attached.
|
2019-07-26 09:51:27 -03:00
|
|
|
|
2014-10-12 22:24:21 -04:00
|
|
|
d_splice_alias(inode, dentry) will introduce a new dentry into the tree;
|
|
|
|
either the passed-in dentry or a preexisting alias for the given inode
|
|
|
|
(such as an anonymous one created by d_obtain_alias), if appropriate.
|
|
|
|
It returns NULL when the passed-in dentry is used, following the calling
|
|
|
|
convention of ->lookup.
|
2019-07-26 09:51:27 -03:00
|
|
|
|
2005-04-16 15:20:36 -07:00
|
|
|
Filesystem Issues
|
|
|
|
-----------------
|
|
|
|
|
|
|
|
For a filesystem to be exportable it must:
|
2019-07-26 09:51:27 -03:00
|
|
|
|
|
|
|
1. provide the filehandle fragment routines described below.
|
|
|
|
2. make sure that d_splice_alias is used rather than d_add
|
2005-04-16 15:20:36 -07:00
|
|
|
when ->lookup finds an inode for a given parent and name.
|
2011-07-26 03:40:45 +01:00
|
|
|
|
2019-07-26 09:51:27 -03:00
|
|
|
If inode is NULL, d_splice_alias(inode, dentry) is equivalent to::
|
2011-07-26 03:40:45 +01:00
|
|
|
|
|
|
|
d_add(dentry, inode), NULL
|
|
|
|
|
|
|
|
Similarly, d_splice_alias(ERR_PTR(err), dentry) = ERR_PTR(err)
|
|
|
|
|
2019-07-26 09:51:27 -03:00
|
|
|
Typically the ->lookup routine will simply end with a::
|
2007-10-21 16:42:19 -07:00
|
|
|
|
|
|
|
return d_splice_alias(inode, dentry);
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
2019-07-26 09:51:27 -03:00
|
|
|
A file system implementation declares that instances of the filesystem
|
2005-04-16 15:20:36 -07:00
|
|
|
are exportable by setting the s_export_op field in the struct
|
|
|
|
super_block. This field must point to a "struct export_operations"
|
2007-10-21 16:42:19 -07:00
|
|
|
struct which has the following members:
|
|
|
|
|
2023-10-23 21:07:59 +03:00
|
|
|
encode_fh (mandatory)
|
2023-05-02 15:48:15 +03:00
|
|
|
Takes a dentry and creates a filehandle fragment which may later be used
|
2023-10-23 21:07:59 +03:00
|
|
|
to find or create a dentry for the same object.
|
2007-10-21 16:42:19 -07:00
|
|
|
|
|
|
|
fh_to_dentry (mandatory)
|
|
|
|
Given a filehandle fragment, this should find the implied object and
|
2014-02-18 12:31:31 -05:00
|
|
|
create a dentry for it (possibly with d_obtain_alias).
|
2007-10-21 16:42:19 -07:00
|
|
|
|
|
|
|
fh_to_parent (optional but strongly recommended)
|
|
|
|
Given a filehandle fragment, this should find the parent of the
|
2014-02-18 12:31:31 -05:00
|
|
|
implied object and create a dentry for it (possibly with
|
|
|
|
d_obtain_alias). May fail if the filehandle fragment is too small.
|
2007-10-21 16:42:19 -07:00
|
|
|
|
|
|
|
get_parent (optional but strongly recommended)
|
|
|
|
When given a dentry for a directory, this should return a dentry for
|
|
|
|
the parent. Quite possibly the parent dentry will have been allocated
|
|
|
|
by d_alloc_anon. The default get_parent function just returns an error
|
|
|
|
so any filehandle lookup that requires finding a parent will fail.
|
|
|
|
->lookup("..") is *not* used as a default as it can leave ".." entries
|
|
|
|
in the dcache which are too messy to work with.
|
|
|
|
|
|
|
|
get_name (optional)
|
|
|
|
When given a parent dentry and a child dentry, this should find a name
|
|
|
|
in the directory identified by the parent dentry, which leads to the
|
|
|
|
object identified by the child dentry. If no get_name function is
|
|
|
|
supplied, a default implementation is provided which uses vfs_readdir
|
|
|
|
to find potential names, and matches inode numbers to find the correct
|
|
|
|
match.
|
2005-04-16 15:20:36 -07:00
|
|
|
|
2020-11-30 17:03:14 -05:00
|
|
|
flags
|
|
|
|
Some filesystems may need to be handled differently than others. The
|
|
|
|
export_operations struct also includes a flags field that allows the
|
|
|
|
filesystem to communicate such information to nfsd. See the Export
|
|
|
|
Operations Flags section below for more explanation.
|
2005-04-16 15:20:36 -07:00
|
|
|
|
|
|
|
A filehandle fragment consists of an array of 1 or more 4byte words,
|
|
|
|
together with a one byte "type".
|
|
|
|
The decode_fh routine should not depend on the stated size that is
|
|
|
|
passed to it. This size may be larger than the original filehandle
|
|
|
|
generated by encode_fh, in which case it will have been padded with
|
|
|
|
nuls. Rather, the encode_fh routine should choose a "type" which
|
|
|
|
indicates the decode_fh how much of the filehandle is valid, and how
|
|
|
|
it should be interpreted.
|
2020-11-30 17:03:14 -05:00
|
|
|
|
|
|
|
Export Operations Flags
|
|
|
|
-----------------------
|
|
|
|
In addition to the operation vector pointers, struct export_operations also
|
|
|
|
contains a "flags" field that allows the filesystem to communicate to nfsd
|
|
|
|
that it may want to do things differently when dealing with it. The
|
|
|
|
following flags are defined:
|
|
|
|
|
|
|
|
EXPORT_OP_NOWCC - disable NFSv3 WCC attributes on this filesystem
|
|
|
|
RFC 1813 recommends that servers always send weak cache consistency
|
|
|
|
(WCC) data to the client after each operation. The server should
|
|
|
|
atomically collect attributes about the inode, do an operation on it,
|
|
|
|
and then collect the attributes afterward. This allows the client to
|
|
|
|
skip issuing GETATTRs in some situations but means that the server
|
|
|
|
is calling vfs_getattr for almost all RPCs. On some filesystems
|
|
|
|
(particularly those that are clustered or networked) this is expensive
|
|
|
|
and atomicity is difficult to guarantee. This flag indicates to nfsd
|
|
|
|
that it should skip providing WCC attributes to the client in NFSv3
|
|
|
|
replies when doing operations on this filesystem. Consider enabling
|
|
|
|
this on filesystems that have an expensive ->getattr inode operation,
|
|
|
|
or when atomicity between pre and post operation attribute collection
|
|
|
|
is impossible to guarantee.
|
2020-11-30 17:03:15 -05:00
|
|
|
|
|
|
|
EXPORT_OP_NOSUBTREECHK - disallow subtree checking on this fs
|
|
|
|
Many NFS operations deal with filehandles, which the server must then
|
|
|
|
vet to ensure that they live inside of an exported tree. When the
|
|
|
|
export consists of an entire filesystem, this is trivial. nfsd can just
|
|
|
|
ensure that the filehandle live on the filesystem. When only part of a
|
|
|
|
filesystem is exported however, then nfsd must walk the ancestors of the
|
|
|
|
inode to ensure that it's within an exported subtree. This is an
|
|
|
|
expensive operation and not all filesystems can support it properly.
|
|
|
|
This flag exempts the filesystem from subtree checking and causes
|
|
|
|
exportfs to get back an error if it tries to enable subtree checking
|
|
|
|
on it.
|
nfsd: close cached files prior to a REMOVE or RENAME that would replace target
It's not uncommon for some workloads to do a bunch of I/O to a file and
delete it just afterward. If knfsd has a cached open file however, then
the file may still be open when the dentry is unlinked. If the
underlying filesystem is nfs, then that could trigger it to do a
sillyrename.
On a REMOVE or RENAME scan the nfsd_file cache for open files that
correspond to the inode, and proactively unhash and put their
references. This should prevent any delete-on-last-close activity from
occurring, solely due to knfsd's open file cache.
This must be done synchronously though so we use the variants that call
flush_delayed_fput. There are deadlock possibilities if you call
flush_delayed_fput while holding locks, however. In the case of
nfsd_rename, we don't even do the lookups of the dentries to be renamed
until we've locked for rename.
Once we've figured out what the target dentry is for a rename, check to
see whether there are cached open files associated with it. If there
are, then unwind all of the locking, close them all, and then reattempt
the rename.
None of this is really necessary for "typical" filesystems though. It's
mostly of use for NFS, so declare a new export op flag and use that to
determine whether to close the files beforehand.
Signed-off-by: Jeff Layton <jeff.layton@primarydata.com>
Signed-off-by: Lance Shelton <lance.shelton@hammerspace.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2020-11-30 17:03:16 -05:00
|
|
|
|
|
|
|
EXPORT_OP_CLOSE_BEFORE_UNLINK - always close cached files before unlinking
|
|
|
|
On some exportable filesystems (such as NFS) unlinking a file that
|
|
|
|
is still open can cause a fair bit of extra work. For instance,
|
|
|
|
the NFS client will do a "sillyrename" to ensure that the file
|
|
|
|
sticks around while it's still open. When reexporting, that open
|
|
|
|
file is held by nfsd so we usually end up doing a sillyrename, and
|
|
|
|
then immediately deleting the sillyrenamed file just afterward when
|
|
|
|
the link count actually goes to zero. Sometimes this delete can race
|
|
|
|
with other operations (for instance an rmdir of the parent directory).
|
|
|
|
This flag causes nfsd to close any open files for this inode _before_
|
|
|
|
calling into the vfs to do an unlink or a rename that would replace
|
|
|
|
an existing file.
|
2023-08-25 15:04:23 -04:00
|
|
|
|
|
|
|
EXPORT_OP_REMOTE_FS - Backing storage for this filesystem is remote
|
|
|
|
PF_LOCAL_THROTTLE exists for loopback NFSD, where a thread needs to
|
|
|
|
write to one bdi (the final bdi) in order to free up writes queued
|
|
|
|
to another bdi (the client bdi). Such threads get a private balance
|
|
|
|
of dirty pages so that dirty pages for the client bdi do not imact
|
|
|
|
the daemon writing to the final bdi. For filesystems whose durable
|
|
|
|
storage is not local (such as exported NFS filesystems), this
|
|
|
|
constraint has negative consequences. EXPORT_OP_REMOTE_FS enables
|
|
|
|
an export to disable writeback throttling.
|
|
|
|
|
|
|
|
EXPORT_OP_NOATOMIC_ATTR - Filesystem does not update attributes atomically
|
|
|
|
EXPORT_OP_NOATOMIC_ATTR indicates that the exported filesystem
|
|
|
|
cannot provide the semantics required by the "atomic" boolean in
|
|
|
|
NFSv4's change_info4. This boolean indicates to a client whether the
|
|
|
|
returned before and after change attributes were obtained atomically
|
|
|
|
with the respect to the requested metadata operation (UNLINK,
|
|
|
|
OPEN/CREATE, MKDIR, etc).
|
|
|
|
|
|
|
|
EXPORT_OP_FLUSH_ON_CLOSE - Filesystem flushes file data on close(2)
|
|
|
|
On most filesystems, inodes can remain under writeback after the
|
|
|
|
file is closed. NFSD relies on client activity or local flusher
|
|
|
|
threads to handle writeback. Certain filesystems, such as NFS, flush
|
|
|
|
all of an inode's dirty data on last close. Exports that behave this
|
|
|
|
way should set EXPORT_OP_FLUSH_ON_CLOSE so that NFSD knows to skip
|
|
|
|
waiting for writeback when closing such files.
|
2023-09-12 17:53:18 -04:00
|
|
|
|
|
|
|
EXPORT_OP_ASYNC_LOCK - Indicates a capable filesystem to do async lock
|
|
|
|
requests from lockd. Only set EXPORT_OP_ASYNC_LOCK if the filesystem has
|
|
|
|
it's own ->lock() functionality as core posix_lock_file() implementation
|
|
|
|
has no async lock request handling yet. For more information about how to
|
|
|
|
indicate an async lock request from a ->lock() file_operations struct, see
|
|
|
|
fs/locks.c and comment for the function vfs_lock_file().
|