Re: [nfsv4] RFC 7530: Filehandle of opened file after the REMOVE

Marcel Telka <marcel@telka.sk> Tue, 13 December 2016 11:35 UTC

Return-Path: <marcel@telka.sk>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D74A1295AF for <nfsv4@ietfa.amsl.com>; Tue, 13 Dec 2016 03:35:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.796
X-Spam-Level:
X-Spam-Status: No, score=-4.796 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-2.896] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7qMjqNXgjPQb for <nfsv4@ietfa.amsl.com>; Tue, 13 Dec 2016 03:35:51 -0800 (PST)
Received: from tortuga.telka.sk (tortuga.telka.sk [185.14.234.118]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E419A129A65 for <nfsv4@ietf.org>; Tue, 13 Dec 2016 03:35:50 -0800 (PST)
Received: (qmail 26991 invoked from network); 13 Dec 2016 11:35:47 -0000
Received: from localhost (HELO tortuga.telka.sk) (127.0.0.1) by localhost with SMTP; 13 Dec 2016 11:35:47 -0000
Received: from tyhog-gua01a-216.cronon.net (tyhog-gua01a-216.cronon.net [192.166.200.216]) by mail.telka.sk (Horde Framework) with HTTPS; Tue, 13 Dec 2016 11:35:47 +0000
Date: Tue, 13 Dec 2016 11:35:47 +0000
Message-ID: <20161213113547.Horde.wCZotJjSqGlvU03mq8Ptel3@mail.telka.sk>
From: Marcel Telka <marcel@telka.sk>
To: David Noveck <davenoveck@gmail.com>
References: <20161209222500.GB1514@telcontar> <CADaq8jck1P2vcDZjaFSnQRFYUnAyjJCqDgxqdWPDhEjPP7hDmA@mail.gmail.com>
In-Reply-To: <CADaq8jck1P2vcDZjaFSnQRFYUnAyjJCqDgxqdWPDhEjPP7hDmA@mail.gmail.com>
User-Agent: Horde Application Framework 5
Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes
MIME-Version: 1.0
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/RfU4UvKcxl8xHLFxfIamUJwh9J8>
Cc: nfsv4@ietf.org
Subject: Re: [nfsv4] RFC 7530: Filehandle of opened file after the REMOVE
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Dec 2016 11:35:54 -0000

Citát David Noveck <davenoveck@gmail.com>om>:
>> The above clearly says that for clientB the filehandle for the file
>> after the REMOVE operation MAY be valid.
>
> As I read it, it MAY be either valid or invalid and this applies to
> validity as perceived by any client.
>
>> The clientB just removed the file, so it should not be surprised
>> the filename (obtained in step 2) is no longer valid.
>
> He shouldn't, but if he was a stickler for unix semantics, he would have a
> problem.

I think all unix NFS clients usually expect the unix semantics.
They definitely do so (at least) for their local files...

>
>> What is unclear to me is clientA.  Is it okay for the server to
>> 'forget' the filehandle even for clientA?
>
> It is allowed by the spec.
>
>> If the filehandle won't be valid for clientA (after the REMOVE
>> by clientB), then clientA might lost the access to the file anytime, >
> and it have no easy chance to prevent that (and no way to recover > from
> that).
>
>> This sounds unfortunate and it breaks the traditional unix
>> semantics: the file is there while I hold it opened.
>
> True but people have been OK with this for two reasons:
>
>    1. Most clients will implement NFSv3 sillyrename which is alluded to in
>    the paragraph above the bulltets you quote.  Interestingly, it is a
>    "should" rather than a "SHOULD", since interoperability is not affected.

The paragraph you are referring to is copied (almost verbatim)
from RFC 1813, section 3.3.12.  Unfortunately.  I would prefer to do not
have it here and instead require the server to allow access to the removed
file until the last close.  I'm late, I know.

>    2. In the case of other clients, NFS users may have have been bringing
>    expectations formed on the basis of experiences with NFSv3, and from an
>    NFSv3 perspective, this server behavior is unexceptionable.

Yes, but from the NFSv3 perspective the NFSv4 is not needed at all :-).

Maybe we should add a note that "if the server wants to support the unix
semantics (a removed file is accessible until the last close) then the
continued access to the file via its file handle until the last
CLOSE is essential".

>
>
> A possible extension to NFSv4.2 could provide an attribute to allow the
> client to determine how the server dealt with this issue.

Either that, or just the note I suggested above.  Or even better: both.

Please note that without the continued access to the file via its file
handle until the last CLOSE there seems to be no way how to reliably
implement the unix semantics for NFS clients.  And no, the sillyrename
is not the answer, because if it is, then all clients would need to
create a silly name for every opened file to make sure no other client
(or even a local process at the server) will remove their file while
it is still open by them.  The other problem with this approach
would be: how to prevent other clients to remove my silly name?

>
>> The only way to make sure the file is available until the final
>> CLOSE seems to be to open the file with
>> OPEN4_SHARE_DENY_WRITE or
>> OPEN4_SHARE_DENY_BOTH,
>
> I'm don't think you can be sure of this, since
>
>    1. In speaking of the directory entry it only says "SHOULD NOT"

True.  I misinterpreted SHOULD NOT as SHALL NOT.

>    2. The text doesn't say explicitly that processing should stop at this
>    point, with an error returned.
>    3. there seems to be no text at all regarding continued access to the
>    file by existing opens in the DENY case.  This may need some sort of
>    correction but I'm not sure at this point exactly what sort of correction
>    we could put in, given the need to be compatible with all existing
>    implementations.
>
>
>> which sounds like overkill.
>
> Not exactly:
>
>    1. It prevents stuff you don't want to prevent
>    2. It is not guaranteed to prevent what you really want to prevent.
>
>
>> Am I overlooking something?
>
> I think you are overlooking sillyrename.

Unfortunately, the sillyrename works only for the client that currently
have the file opened.  If the client is removing a file it does not have
opened, it does not do the sillyrename (at least the clients I'm
working with does not do so).

>
> In your example either or both of A and B might by implementing
> silllyrename and it isn't clear how things would work if both A and B did.
> :-(

In my example the clientA have no reason to implement the silllyrename
because it didn't removed the file.

>
> I think it would help if we considered this issue in historical context.
> Making NFSv4 stateful was a wrenching change and it is not surprising if we
> have adapted to that change incompletely.  Some of the IESG commentary
> about RFC3530 expressed reserve or uncertainty (although no actual
> objection) about making this change, saying essentially "Well if you guys
> *really* want to do this, OK".


Thank you.

-- 
+-------------------------------------------+
| Marcel Telka   e-mail:   marcel@telka.sk  |
|                homepage: http://telka.sk/ |
|                jabber:   marcel@jabber.sk |
+-------------------------------------------+