IETF Logo Mail Archive

Re: [nfsv4] RFC: Is Open/Claim_Delegate_Prev done before/after Reclaim_complete?

Rick Macklem <rick.macklem@gmail.com> Sun, 07 April 2024 15:48 UTC

Return-Path: <rick.macklem@gmail.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99B61C14F610 for <nfsv4@ietfa.amsl.com>; Sun, 7 Apr 2024 08:48:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DyZVXshmuF0t for <nfsv4@ietfa.amsl.com>; Sun, 7 Apr 2024 08:48:25 -0700 (PDT)
Received: from mail-pg1-x52e.google.com (mail-pg1-x52e.google.com [IPv6:2607:f8b0:4864:20::52e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17DD9C14F5F1 for <nfsv4@ietf.org>; Sun, 7 Apr 2024 08:48:25 -0700 (PDT)
Received: by mail-pg1-x52e.google.com with SMTP id 41be03b00d2f7-5d3907ff128so3190522a12.3 for <nfsv4@ietf.org>; Sun, 07 Apr 2024 08:48:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712504904; x=1713109704; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=7IZmP9E+v1KSlWvIYTVmYkiCRhSTKOnqhFFofbZDQLc=; b=Y/Anv7CgDcyV7TddQqb50AeyVm6IuRNc3YYgbxIibnx/Vt5B0xsG7caJjT9CtNtHn+ PvBqAl9tP5yZDOFAE3ufMpBQ/flS8N+/oh35MR4LAw7WW0UAVP6p4Lbk0GZeMN2iHtbp qTk25NcImTT4a3mPa3RFzwgAiCrOGrOJggIlFkf8siSStM9ItqIPwX9xGJQVkjgcH0CM 17RjtiK2FN0rWLfKX5c0LNDweJgdP+1SZ9Vb/l+Cq9winU3+EdHROHQ5nEKZtkDWKuas TOYcE9gLTOcKPhzsz0qUIWUf8CqMhkvmpouV1NP/KlBkird9WvVqoz+D8f8fED/GYIMj QLhA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712504904; x=1713109704; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=7IZmP9E+v1KSlWvIYTVmYkiCRhSTKOnqhFFofbZDQLc=; b=mlSgTX0D6qNKDjBKbXVTkLeAjvBQizWTOCcVZa/5ai7qp85a75udD/mpEFRL4TE6jC mcwCDg73nAEFk+DSiKKS1dGpBUzwhUbJUCZXQT+pm58hC2XhtfKxIj9vTf3k24FHVNxc FV1vkrjcz+n4sTiF212UVvXZMOtxKeK0gIEuS63t6OXQeKnumhT8u+dT2koskhUUYTse /fWIYW8MEPOHxggI0iggq1Xjkk3DOvNzrdGHY/WjTaBsX+mUXR3L2EBfrSjzut30S7+H 6+ESqLWF2EKAiyLdZW4NJzny79r2yTnRxQx0sEy/1NBYqC9K+QjTgjvD8WNXb1Y1ycuG ri6w==
X-Forwarded-Encrypted: i=1; AJvYcCU7URKSDJWuTLXVxYMo0xZDjEEPBy7eiOAeV+GD2imbM4k01pdYyYmBYcsomP+ZftUztwIdV0FPI05Gp1d08g==
X-Gm-Message-State: AOJu0Yy4FzVB0hKNgdij4ZgZ6DpHzFNjOY9Q8wWUOjgxnInV5TiKGVUP 4NQweRciberkc+mFCpUH4Hayqsu+AqNnnGoVb3dPuyXd3OStEzuGonA6zvHmJ7RyP6XErsCOaDw yigvpOj+9lFBixO1W5BSdInjNj22MO5Q=
X-Google-Smtp-Source: AGHT+IF+oRAJFt1CmLEQX0X9slT65w9MZ3SZia+GwTR16orQw8vQnvQXUOFsA6NVIt+80fVlvNfyllciQn2yw0MSEqU=
X-Received: by 2002:a17:90a:eb0d:b0:2a2:d4e6:160d with SMTP id j13-20020a17090aeb0d00b002a2d4e6160dmr5543188pjz.1.1712504904164; Sun, 07 Apr 2024 08:48:24 -0700 (PDT)
MIME-Version: 1.0
References: <CAM5tNy4y36AEyD5SeOZ2F1t8AYhu8-ZKPyNvCd-dmydFg1kJtA@mail.gmail.com> <19e3502ca1859608975bd17dc18e6774bf0bfab3.camel@hammerspace.com> <CAM5tNy41j0BLi0ixu=VA_rT14GxL7ZKKwbSyb1UAgf-xAE8m+g@mail.gmail.com> <0d1c12d3e85a5feb165c13b44b0f25111224166f.camel@hammerspace.com> <CAM5tNy7i3SyY0mLbd+vsmO-jpkZ6Bdr8hz3w5T-PhR8GdbMpnA@mail.gmail.com> <CADaq8jdEUrf7Bp5njeKEbzLFW+vYdvNAaZtqeyfCcVVHmaYMxg@mail.gmail.com> <CAM5tNy61c+4DtkLQBfJnHagd+uc-OpR7HfEL0TCqd-hw-DZeCA@mail.gmail.com>
In-Reply-To: <CAM5tNy61c+4DtkLQBfJnHagd+uc-OpR7HfEL0TCqd-hw-DZeCA@mail.gmail.com>
From: Rick Macklem <rick.macklem@gmail.com>
Date: Sun, 07 Apr 2024 08:48:13 -0700
Message-ID: <CAM5tNy4xK6LK0B1_WQkPQLju0WhPOhf0JHUqy=CXMbDcWr25gw@mail.gmail.com>
To: David Noveck <davenoveck@gmail.com>
Cc: Trond Myklebust <trondmy@hammerspace.com>, "nfsv4@ietf.org" <nfsv4@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/F2YRbqrMVP7pa2xbOWtSQtNaI8M>
Subject: Re: [nfsv4] RFC: Is Open/Claim_Delegate_Prev done before/after Reclaim_complete?
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Apr 2024 15:48:29 -0000

On Sun, Apr 7, 2024 at 8:33 AM Rick Macklem <rick.macklem@gmail.com> wrote:
>
> On Sun, Apr 7, 2024 at 7:52 AM David Noveck <davenoveck@gmail.com> wrote:
> >>
> >>
> >>
> >> The more I think about it, the more I think you are correct, at least
> >> by default.
> I was referring to the case where the client cannot reacquire the delegation,
> such as when the Open/Claim_delegate_prev gets a reply of NFS4ERR_RECLAIM_BAD.
> (Btw, Sec. 15.1.9.4 states "before the server restart or file system
> migration event".
> If we are going to use NFS4ERR_RECLAIM_BAD instead of NFS4ERR_EXPIRED, these
> words will need to be tweaked.)
>
> I am fine with either error return, but the current wording in Sec.
> 15.1.9.4 defines it for
> specific cases that are not this one.
>
> >
> >
> > Not fully correct.  Some of what I told you is wrong and will be corrected in -04.    The current target for submission is 4/23 but it is likely I canpull that forward by a week.   In any case, I hope the following fragment will be helpful:
> >
> > /*
> >  * Includes multiple types of operations:
> >  *
> >  *    - Non-reclaim operations valid independent of grace period status.
> >  *    - Reclaim operations only used during a grace period.
> >  *    - Reclaim operations only used during a special delegation recovery
> >  *      period.
> >  */
> >
> > enum open_claim_type4 {
> >
> >         CLAIM_NULL              = 0,    /* Non-reclaim operation, */
> >         CLAIM_PREVIOUS          = 1,    /* Reclaim operation -- grace
> >                                                                period only. */
> >         CLAIM_DELEGATE_CUR      = 2,    /* Non-reclaim operation. */
> >         CLAIM_DELEGATE_PREV     = 3,    /* Reclaim operation -- special
> >                                                                       delegation recovery period
> >                                                                       only. */
> Sounds correct to me, assuming that "special delegation recovery period" is
> described somewhere. Otherwise I'd just say something like
> "delegation reclaim - not during
> grace period".
>
> >         /*
> >          * Beyond this point, all values are new to v4.1.
> >          */
> >
> >        /*
> >          * Like CLAIM_NULL, but object identified
> >          * by the current filehandle.
> >          */
> >         CLAIM_FH                = 4,    /* Non-reclaim operation. */
> >
> >         /*
> >          * Like CLAIM_DELEGATE_CUR, but object identified
> >          * by current filehandle.
> >          */
> >         CLAIM_DELEG_CUR_FH      = 5,    /* Non-reclaim operation. */
> >
> >         /*
> >          * Like CLAIM_DELEGATE_PREV, but object identified
> >          * by current filehandle.
> >          */
> >         CLAIM_DELEG_PREV_FH     = 6     /* Reclaim operation -- special
> >                                                                       delgation recovery period
> >                                                                        only. */
> > };
> >
> >> Why?
> >> Because when a client crashes/reboots and there is dirty data in the
> >> RAM cache it gets
> >> tossed, so tossing dirty data in the non-volatile cache when it cannot safely
> >> write it back to the server would be consistent with what happens now.
> >
> >
> > Yes, but the idea is to do better than that, when it can be written safely.
> >>
> >>
> >> For the case where the server is in grace, the client can use
> >> Open/Claim_previous
> >> and then, if the reply indicates an immediate recall of the
> >> delegation, it can write the dirty data
> >> back to the server before doing a Delegreturn.
> >
> >
> > True but that is an unusual case.
> >>
> >>
> >> For the case where the server is not in grace and the Open/Claim_delegate_prev
> >> fails, I think there is another way that the client can safely write
> >> the dirty data back.
> >> - If the client keeps track of the server's value of the change
> >> attribute for the file
> >>   in non-volatile storage.
> >>   - The client can try an
> >> Open/Claim_null/Open_share_access_write/Open_share_deny_write
> >>      followed by a Getattr of change in the same compound.
> >>      - if this succeeds and the change attribute is the same as the
> >> stored one, then I think the client can
> >
> >
> > If the  Open/Claim_delegate_prev fails, it would be because the delegation was revoked, in which
> > case, change attribute will be different.
> Why would the change attribute be different? It changes when there is
> a data/metadata change
> done to the file. Typically, a delegation would be revoked (instead of
> recalled) if there is a conflicting Open
> request and the lease has expired. This does not imply a change in the
> change attribute, does it?
> Of course, if any data/metadata changes are applied to the file by
> other clients (such as the one
> that acquired the conflicting open), then change would change.
> Or, I do not understand what you mean by revoke?
>
> >  Also, in that case, checking change attribute and proceding
> > to write is not safe, since the attribute can change after the check.  You need continuous posession
> > of the delegation which is why clain-delege-prev was created.
> Wouldn't a OPEN4_SHARE_DENY_WRITE be sufficient to guarantee that
> other clients are
> not writing to the file during the write-back? Once change is checked
> and found the same after the Open,
> there shouldn't have been any writes done by other clients already
> done and the deny_write should guarantee
> that no other clients write to the file until the open_stateid is
> closed (or there is something ugly
> like a network partitioning/lease expiration). For this case, all the
> client is trying to do is write the dirty data
> back to the server safely, since it was not able to re-acquire the
> delegation. It will no longer be able to use
> the cached data once the open_stateid is closed.
> I have not tried this yet, so there might be issues that I have not
> recognized w.r.t. doing this.
>
> I agree that reclaiming the delegation is preferable, since caching of
> the file can continue and
> the write-back does not need to be done right away.
>
> >
> >>        safely write the dirty data back to the server using the open_stateid
> >>        - then close the open_stateid
> >>
> >> An option other than tossing the data would be to flag it and let a
> >> sysadmin/user decide if
> >> merging it back to the server's file makes sense. Ugly but doable when
> >> the dirty data is in
> >> client non-volatile storage.
> >
> >
> > He could decide but I'm not sure on what basis he could decide, especially since telling
> > him all the relevant information could be a security hole a megaparsec wide. :-(
> Well, I wore a sysadmin hat for 30+ years and one of my more enjoyable
> work items
> went something like...
> A prof. would email saying they had made a bunch of changes to a file
> and then lost them.
> Can you get the changes back?
> - The attempt usually involved finding the most recent backup of the
> file, along with stuff
>    like an editor tmp file left around to try and get back what I could.
> So, yes, for the user it could easily be a security issue (it happens
> that this caching mechanism
> uses a separate file for each file being cached, so access to the
> cache for the file could be
> the same as the file), but for a sysadmin it is just a bothersome manual action.
Btw, back when everything was UFS, I could sometimes even find some of what
the had accidentally deleted in free blocks. They'd usually do this
when they were
trying to get a paper submitted by a deadline and I'd find out what
the paper was
talking about, so I'd know what to look for in recently free'd data blocks.

It could be fun or it could be a bother, but for a sysadmin that knew how this
caching mechanism worked (each cache file is for a file on the server and is
named by the server's file handle, although the name it was looked up with is
also recorded).  So, finding the cached copy and providing that to someone who
has write permissions on the server's file wouldn't be that difficult.
Basically a bit
of a search on the NFS server to figure out the FH for the file.
Again, definitely something joe user couldn't do, but if I was the
sysadmin for such
clients, I might configure them so the cached data file gets flagged
when a delegation
cannot be re-acquired and has dirty data in it.

rick

>
> rick
>
> >>
> >>
> >> rick
> >>
> >> >
> >> > --
> >> > Trond Myklebust
> >> > Linux NFS client maintainer, Hammerspace
> >> > trond.myklebust@hammerspace.com
> >> >
> >> >
> >>
> >> _______________________________________________
> >> nfsv4 mailing list
> >> nfsv4@ietf.org
> >> https://www.ietf.org/mailman/listinfo/nfsv4

v2.31.3 | Report a Bug | By Email | System Status