2008-11-20 23:01:55 +03:00
|
|
|
/*
|
|
|
|
|
* CDDL HEADER START
|
|
|
|
|
*
|
|
|
|
|
* The contents of this file are subject to the terms of the
|
|
|
|
|
* Common Development and Distribution License (the "License").
|
|
|
|
|
* You may not use this file except in compliance with the License.
|
|
|
|
|
*
|
|
|
|
|
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
|
2022-07-12 00:16:13 +03:00
|
|
|
* or https://opensource.org/licenses/CDDL-1.0.
|
2008-11-20 23:01:55 +03:00
|
|
|
* See the License for the specific language governing permissions
|
|
|
|
|
* and limitations under the License.
|
|
|
|
|
*
|
|
|
|
|
* When distributing Covered Code, include this CDDL HEADER in each
|
|
|
|
|
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
|
|
|
|
|
* If applicable, add the following below this CDDL HEADER, with the
|
|
|
|
|
* fields enclosed by brackets "[]" replaced with your own identifying
|
|
|
|
|
* information: Portions Copyright [yyyy] [name of copyright owner]
|
|
|
|
|
*
|
|
|
|
|
* CDDL HEADER END
|
|
|
|
|
*/
|
|
|
|
|
/*
|
2010-05-29 00:45:14 +04:00
|
|
|
* Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
|
2016-12-17 01:11:29 +03:00
|
|
|
* Copyright (c) 2012, 2018 by Delphix. All rights reserved.
|
2008-11-20 23:01:55 +03:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <sys/zfs_context.h>
|
|
|
|
|
#include <sys/dmu_objset.h>
|
|
|
|
|
#include <sys/dmu_traverse.h>
|
|
|
|
|
#include <sys/dsl_dataset.h>
|
|
|
|
|
#include <sys/dsl_dir.h>
|
|
|
|
|
#include <sys/dsl_pool.h>
|
|
|
|
|
#include <sys/dnode.h>
|
|
|
|
|
#include <sys/spa.h>
|
2018-03-30 22:10:01 +03:00
|
|
|
#include <sys/spa_impl.h>
|
2008-11-20 23:01:55 +03:00
|
|
|
#include <sys/zio.h>
|
|
|
|
|
#include <sys/dmu_impl.h>
|
2010-05-29 00:45:14 +04:00
|
|
|
#include <sys/sa.h>
|
|
|
|
|
#include <sys/sa_impl.h>
|
2008-12-03 23:09:06 +03:00
|
|
|
#include <sys/callb.h>
|
2013-12-09 22:37:51 +04:00
|
|
|
#include <sys/zfeature.h>
|
2008-12-03 23:09:06 +03:00
|
|
|
|
2022-01-15 02:37:55 +03:00
|
|
|
static int32_t zfs_pd_bytes_max = 50 * 1024 * 1024; /* 50MB */
|
|
|
|
|
static int32_t send_holes_without_birth_time = 1;
|
Cleanup: Specify unsignedness on things that should not be signed
In #13871, zfs_vdev_aggregation_limit_non_rotating and
zfs_vdev_aggregation_limit being signed was pointed out as a possible
reason not to eliminate an unnecessary MAX(unsigned, 0) since the
unsigned value was assigned from them.
There is no reason for these module parameters to be signed and upon
inspection, it was found that there are a number of other module
parameters that are signed, but should not be, so we make them unsigned.
Making them unsigned made it clear that some other variables in the code
should also be unsigned, so we also make those unsigned. This prevents
users from setting negative values that could potentially cause bad
behaviors. It also makes the code slightly easier to understand.
Mostly module parameters that deal with timeouts, limits, bitshifts and
percentages are made unsigned by this. Any that are boolean are left
signed, since whether booleans should be considered signed or unsigned
does not matter.
Making zfs_arc_lotsfree_percent unsigned caused a
`zfs_arc_lotsfree_percent >= 0` check to become redundant, so it was
removed. Removing the check was also necessary to prevent a compiler
error from -Werror=type-limits.
Several end of line comments had to be moved to their own lines because
replacing int with uint_t caused us to exceed the 80 character limit
enforced by cstyle.pl.
The following were kept signed because they are passed to
taskq_create(), which expects signed values and modifying the
OpenSolaris/Illumos DDI is out of scope of this patch:
* metaslab_load_pct
* zfs_sync_taskq_batch_pct
* zfs_zil_clean_taskq_nthr_pct
* zfs_zil_clean_taskq_minalloc
* zfs_zil_clean_taskq_maxalloc
* zfs_arc_prune_task_threads
Also, negative values in those parameters was found to be harmless.
The following were left signed because either negative values make
sense, or more analysis was needed to determine whether negative values
should be disallowed:
* zfs_metaslab_switch_threshold
* zfs_pd_bytes_max
* zfs_livelist_min_percent_shared
zfs_multihost_history was made static to be consistent with other
parameters.
A number of module parameters were marked as signed, but in reality
referenced unsigned variables. upgrade_errlog_limit is one of the
numerous examples. In the case of zfs_vdev_async_read_max_active, it was
already uint32_t, but zdb had an extern int declaration for it.
Interestingly, the documentation in zfs.4 was right for
upgrade_errlog_limit despite the module parameter being wrongly marked,
while the documentation for zfs_vdev_async_read_max_active (and friends)
was wrong. It was also wrong for zstd_abort_size, which was unsigned,
but was documented as signed.
Also, the documentation in zfs.4 incorrectly described the following
parameters as ulong when they were int:
* zfs_arc_meta_adjust_restarts
* zfs_override_estimate_recordsize
They are now uint_t as of this patch and thus the man page has been
updated to describe them as uint.
dbuf_state_index was left alone since it does nothing and perhaps should
be removed in another patch.
If any module parameters were missed, they were not found by `grep -r
'ZFS_MODULE_PARAM' | grep ', INT'`. I did find a few that grep missed,
but only because they were in files that had hits.
This patch intentionally did not attempt to address whether some of
these module parameters should be elevated to 64-bit parameters, because
the length of a long on 32-bit is 32-bit.
Lastly, it was pointed out during review that uint_t is a better match
for these variables than uint32_t because FreeBSD kernel parameter
definitions are designed for uint_t, whose bit width can change in
future memory models. As a result, we change the existing parameters
that are uint32_t to use uint_t.
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Neal Gompa <ngompa@datto.com>
Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Closes #13875
2022-09-28 02:42:41 +03:00
|
|
|
static uint_t zfs_traverse_indirect_prefetch_limit = 32;
|
2010-08-27 01:24:34 +04:00
|
|
|
|
|
|
|
|
typedef struct prefetch_data {
|
2008-12-03 23:09:06 +03:00
|
|
|
kmutex_t pd_mtx;
|
|
|
|
|
kcondvar_t pd_cv;
|
2015-03-27 07:31:52 +03:00
|
|
|
int32_t pd_bytes_fetched;
|
2008-12-03 23:09:06 +03:00
|
|
|
int pd_flags;
|
|
|
|
|
boolean_t pd_cancel;
|
|
|
|
|
boolean_t pd_exited;
|
2016-01-07 00:22:48 +03:00
|
|
|
zbookmark_phys_t pd_resume;
|
2010-08-27 01:24:34 +04:00
|
|
|
} prefetch_data_t;
|
2008-12-03 23:09:06 +03:00
|
|
|
|
2010-08-27 01:24:34 +04:00
|
|
|
typedef struct traverse_data {
|
2008-12-03 23:09:06 +03:00
|
|
|
spa_t *td_spa;
|
|
|
|
|
uint64_t td_objset;
|
|
|
|
|
blkptr_t *td_rootbp;
|
|
|
|
|
uint64_t td_min_txg;
|
2014-06-25 22:37:59 +04:00
|
|
|
zbookmark_phys_t *td_resume;
|
2008-12-03 23:09:06 +03:00
|
|
|
int td_flags;
|
2010-08-27 01:24:34 +04:00
|
|
|
prefetch_data_t *td_pfd;
|
2014-06-06 01:20:08 +04:00
|
|
|
boolean_t td_paused;
|
2015-05-15 02:41:29 +03:00
|
|
|
uint64_t td_hole_birth_enabled_txg;
|
2008-12-03 23:09:06 +03:00
|
|
|
blkptr_cb_t *td_func;
|
|
|
|
|
void *td_arg;
|
Illumos 6370 - ZFS send fails to transmit some holes
6370 ZFS send fails to transmit some holes
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed by: Chris Williamson <chris.williamson@delphix.com>
Reviewed by: Stefan Ring <stefanrin@gmail.com>
Reviewed by: Steven Burgess <sburgess@datto.com>
Reviewed by: Arne Jansen <sensille@gmx.net>
Approved by: Robert Mustacchi <rm@joyent.com>
References:
https://www.illumos.org/issues/6370
https://github.com/illumos/illumos-gate/commit/286ef71
In certain circumstances, "zfs send -i" (incremental send) can produce
a stream which will result in incorrect sparse file contents on the
target.
The problem manifests as regions of the received file that should be
sparse (and read a zero-filled) actually contain data from a file that
was deleted (and which happened to share this file's object ID).
Note: this can happen only with filesystems (not zvols, because they do
not free (and thus can not reuse) object IDs).
Note: This can happen only if, since the incremental source (FromSnap),
a file was deleted and then another file was created, and the new file
is sparse (i.e. has areas that were never written to and should be
implicitly zero-filled).
We suspect that this was introduced by 4370 (applies only if hole_birth
feature is enabled), and made worse by 5243 (applies if hole_birth
feature is disabled, and we never send any holes).
The bug is caused by the hole birth feature. When an object is deleted
and replaced, all the holes in the object have birth time zero. However,
zfs send cannot tell that the holes are new since the file was replaced,
so it doesn't send them in an incremental. As a result, you can end up
with invalid data when you receive incremental send streams. As a
short-term fix, we can always send holes with birth time 0 (unless it's
a zvol or a dataset where we can guarantee that no objects have been
reused).
Ported-by: Steven Burgess <sburgess@datto.com>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #4369
Closes #4050
2016-02-26 04:45:19 +03:00
|
|
|
boolean_t td_realloc_possible;
|
2010-08-27 01:24:34 +04:00
|
|
|
} traverse_data_t;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
Implement Redacted Send/Receive
Redacted send/receive allows users to send subsets of their data to
a target system. One possible use case for this feature is to not
transmit sensitive information to a data warehousing, test/dev, or
analytics environment. Another is to save space by not replicating
unimportant data within a given dataset, for example in backup tools
like zrepl.
Redacted send/receive is a three-stage process. First, a clone (or
clones) is made of the snapshot to be sent to the target. In this
clone (or clones), all unnecessary or unwanted data is removed or
modified. This clone is then snapshotted to create the "redaction
snapshot" (or snapshots). Second, the new zfs redact command is used
to create a redaction bookmark. The redaction bookmark stores the
list of blocks in a snapshot that were modified by the redaction
snapshot(s). Finally, the redaction bookmark is passed as a parameter
to zfs send. When sending to the snapshot that was redacted, the
redaction bookmark is used to filter out blocks that contain sensitive
or unwanted information, and those blocks are not included in the send
stream. When sending from the redaction bookmark, the blocks it
contains are considered as candidate blocks in addition to those
blocks in the destination snapshot that were modified since the
creation_txg of the redaction bookmark. This step is necessary to
allow the target to rehydrate data in the case where some blocks are
accidentally or unnecessarily modified in the redaction snapshot.
The changes to bookmarks to enable fast space estimation involve
adding deadlists to bookmarks. There is also logic to manage the
life cycles of these deadlists.
The new size estimation process operates in cases where previously
an accurate estimate could not be provided. In those cases, a send
is performed where no data blocks are read, reducing the runtime
significantly and providing a byte-accurate size estimate.
Reviewed-by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed-by: Matt Ahrens <mahrens@delphix.com>
Reviewed-by: Prashanth Sreenivasa <pks@delphix.com>
Reviewed-by: John Kennedy <john.kennedy@delphix.com>
Reviewed-by: George Wilson <george.wilson@delphix.com>
Reviewed-by: Chris Williamson <chris.williamson@delphix.com>
Reviewed-by: Pavel Zhakarov <pavel.zakharov@delphix.com>
Reviewed-by: Sebastien Roy <sebastien.roy@delphix.com>
Reviewed-by: Prakash Surya <prakash.surya@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Paul Dagnelie <pcd@delphix.com>
Closes #7958
2019-06-19 19:48:13 +03:00
|
|
|
static int traverse_dnode(traverse_data_t *td, const blkptr_t *bp,
|
|
|
|
|
const dnode_phys_t *dnp, uint64_t objset, uint64_t object);
|
2013-07-03 00:20:02 +04:00
|
|
|
static void prefetch_dnode_metadata(traverse_data_t *td, const dnode_phys_t *,
|
2013-07-03 00:26:24 +04:00
|
|
|
uint64_t objset, uint64_t object);
|
2009-07-03 02:44:48 +04:00
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
static int
|
2020-10-09 19:34:54 +03:00
|
|
|
traverse_zil_block(zilog_t *zilog, const blkptr_t *bp, void *arg,
|
|
|
|
|
uint64_t claim_txg)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
2010-08-27 01:24:34 +04:00
|
|
|
traverse_data_t *td = arg;
|
2014-06-25 22:37:59 +04:00
|
|
|
zbookmark_phys_t zb;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2013-12-09 22:37:51 +04:00
|
|
|
if (BP_IS_HOLE(bp))
|
2010-05-29 00:45:14 +04:00
|
|
|
return (0);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2016-12-17 01:11:29 +03:00
|
|
|
if (claim_txg == 0 && bp->blk_birth >= spa_min_claim_txg(td->td_spa))
|
|
|
|
|
return (-1);
|
2010-05-29 00:45:14 +04:00
|
|
|
|
|
|
|
|
SET_BOOKMARK(&zb, td->td_objset, ZB_ZIL_OBJECT, ZB_ZIL_LEVEL,
|
|
|
|
|
bp->blk_cksum.zc_word[ZIL_ZC_SEQ]);
|
|
|
|
|
|
2013-07-03 00:26:24 +04:00
|
|
|
(void) td->td_func(td->td_spa, zilog, bp, &zb, NULL, td->td_arg);
|
2008-12-03 23:09:06 +03:00
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
return (0);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
static int
|
2020-10-09 19:34:54 +03:00
|
|
|
traverse_zil_record(zilog_t *zilog, const lr_t *lrc, void *arg,
|
|
|
|
|
uint64_t claim_txg)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
2010-08-27 01:24:34 +04:00
|
|
|
traverse_data_t *td = arg;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
|
if (lrc->lrc_txtype == TX_WRITE) {
|
|
|
|
|
lr_write_t *lr = (lr_write_t *)lrc;
|
|
|
|
|
blkptr_t *bp = &lr->lr_blkptr;
|
2014-06-25 22:37:59 +04:00
|
|
|
zbookmark_phys_t zb;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2013-12-09 22:37:51 +04:00
|
|
|
if (BP_IS_HOLE(bp))
|
2010-05-29 00:45:14 +04:00
|
|
|
return (0);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2008-12-03 23:09:06 +03:00
|
|
|
if (claim_txg == 0 || bp->blk_birth < claim_txg)
|
2010-05-29 00:45:14 +04:00
|
|
|
return (0);
|
2008-12-03 23:09:06 +03:00
|
|
|
|
2022-10-12 21:25:18 +03:00
|
|
|
ASSERT3U(BP_GET_LSIZE(bp), !=, 0);
|
2010-08-27 01:24:34 +04:00
|
|
|
SET_BOOKMARK(&zb, td->td_objset, lr->lr_foid,
|
|
|
|
|
ZB_ZIL_LEVEL, lr->lr_offset / BP_GET_LSIZE(bp));
|
2010-05-29 00:45:14 +04:00
|
|
|
|
2013-07-03 00:26:24 +04:00
|
|
|
(void) td->td_func(td->td_spa, zilog, bp, &zb, NULL,
|
2010-05-29 00:45:14 +04:00
|
|
|
td->td_arg);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
2010-05-29 00:45:14 +04:00
|
|
|
return (0);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void
|
2010-08-27 01:24:34 +04:00
|
|
|
traverse_zil(traverse_data_t *td, zil_header_t *zh)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
|
|
|
|
uint64_t claim_txg = zh->zh_claim_txg;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We only want to visit blocks that have been claimed but not yet
|
2016-12-17 01:11:29 +03:00
|
|
|
* replayed; plus blocks that are already stable in read-only mode.
|
2008-11-20 23:01:55 +03:00
|
|
|
*/
|
2009-01-16 00:59:39 +03:00
|
|
|
if (claim_txg == 0 && spa_writeable(td->td_spa))
|
2008-11-20 23:01:55 +03:00
|
|
|
return;
|
|
|
|
|
|
2016-12-17 01:11:29 +03:00
|
|
|
zilog_t *zilog = zil_alloc(spa_get_dsl(td->td_spa)->dp_meta_objset, zh);
|
2008-12-03 23:09:06 +03:00
|
|
|
(void) zil_parse(zilog, traverse_zil_block, traverse_zil_record, td,
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
claim_txg, !(td->td_flags & TRAVERSE_NO_DECRYPT));
|
2008-11-20 23:01:55 +03:00
|
|
|
zil_free(zilog);
|
|
|
|
|
}
|
|
|
|
|
|
2012-12-14 03:24:15 +04:00
|
|
|
typedef enum resume_skip {
|
|
|
|
|
RESUME_SKIP_ALL,
|
|
|
|
|
RESUME_SKIP_NONE,
|
|
|
|
|
RESUME_SKIP_CHILDREN
|
|
|
|
|
} resume_skip_t;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Returns RESUME_SKIP_ALL if td indicates that we are resuming a traversal and
|
|
|
|
|
* the block indicated by zb does not need to be visited at all. Returns
|
|
|
|
|
* RESUME_SKIP_CHILDREN if we are resuming a post traversal and we reach the
|
|
|
|
|
* resume point. This indicates that this block should be visited but not its
|
|
|
|
|
* children (since they must have been visited in a previous traversal).
|
|
|
|
|
* Otherwise returns RESUME_SKIP_NONE.
|
|
|
|
|
*/
|
|
|
|
|
static resume_skip_t
|
Fix prefetching of indirect blocks while destroying
When traversing a tree of block pointers (e.g. for `zfs destroy <fs>` or
`zfs send`), we prefetch the indirect blocks that will be needed, in
`traverse_prefetch_metadata()`. In the case of `zfs destroy <fs>`, we
do a little traversing each txg, and resume the traversal the next txg.
So the indirect blocks that will be needed, and thus are candidates for
prefetching, does not include blocks that are before the resume point.
The problem is that the logic for determining if the indirect blocks are
before the resume point is incorrect, causing the (up to 1024) L1
indirect blocks that are inside the first L2 to not be prefetched. In
practice, if we are able to read many more than 1024 blocks per txg,
then this will be inconsequential. But if i/o latency is more than a
few milliseconds, almost no L1's will be prefetched, so they will be
read serially, and thus the destroying will be very slow. This can be
observed as `zpool get freeing` decreasing very slowly.
Specifically: When we first examine the L2 that contains the block we'll
be resuming from, we have not yet resumed, so `td_resume` is nonzero.
At this point, all calls to `traverse_prefetch_metadata()` will fail,
even if the L1 in question is after the resume point. It isn't until
the callback is issued for the resume point that we zero out
`td_resume`, but by this point we've already attempted and failed to
prefetch everything under this L2 indirect block.
This commit addresses the issue by reusing the existing
`resume_skip_check()` to determine if the L1's bookmark is before or
after the resume point. To do so, this function is made non-mutating
(the caller now zeros `td_resume`).
Note, this bug likely predates (was not introduced by) #11803.
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Matthew Ahrens <mahrens@delphix.com>
Closes #14603
2023-03-24 20:20:07 +03:00
|
|
|
resume_skip_check(const traverse_data_t *td, const dnode_phys_t *dnp,
|
2014-06-25 22:37:59 +04:00
|
|
|
const zbookmark_phys_t *zb)
|
2012-12-14 03:24:15 +04:00
|
|
|
{
|
Fix prefetching of indirect blocks while destroying
When traversing a tree of block pointers (e.g. for `zfs destroy <fs>` or
`zfs send`), we prefetch the indirect blocks that will be needed, in
`traverse_prefetch_metadata()`. In the case of `zfs destroy <fs>`, we
do a little traversing each txg, and resume the traversal the next txg.
So the indirect blocks that will be needed, and thus are candidates for
prefetching, does not include blocks that are before the resume point.
The problem is that the logic for determining if the indirect blocks are
before the resume point is incorrect, causing the (up to 1024) L1
indirect blocks that are inside the first L2 to not be prefetched. In
practice, if we are able to read many more than 1024 blocks per txg,
then this will be inconsequential. But if i/o latency is more than a
few milliseconds, almost no L1's will be prefetched, so they will be
read serially, and thus the destroying will be very slow. This can be
observed as `zpool get freeing` decreasing very slowly.
Specifically: When we first examine the L2 that contains the block we'll
be resuming from, we have not yet resumed, so `td_resume` is nonzero.
At this point, all calls to `traverse_prefetch_metadata()` will fail,
even if the L1 in question is after the resume point. It isn't until
the callback is issued for the resume point that we zero out
`td_resume`, but by this point we've already attempted and failed to
prefetch everything under this L2 indirect block.
This commit addresses the issue by reusing the existing
`resume_skip_check()` to determine if the L1's bookmark is before or
after the resume point. To do so, this function is made non-mutating
(the caller now zeros `td_resume`).
Note, this bug likely predates (was not introduced by) #11803.
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Matthew Ahrens <mahrens@delphix.com>
Closes #14603
2023-03-24 20:20:07 +03:00
|
|
|
if (td->td_resume != NULL) {
|
2012-12-14 03:24:15 +04:00
|
|
|
/*
|
|
|
|
|
* If we already visited this bp & everything below,
|
|
|
|
|
* don't bother doing it again.
|
|
|
|
|
*/
|
2015-12-22 04:31:57 +03:00
|
|
|
if (zbookmark_subtree_completed(dnp, zb, td->td_resume))
|
2012-12-14 03:24:15 +04:00
|
|
|
return (RESUME_SKIP_ALL);
|
|
|
|
|
|
2022-02-25 16:26:54 +03:00
|
|
|
if (memcmp(zb, td->td_resume, sizeof (*zb)) == 0) {
|
2012-12-14 03:24:15 +04:00
|
|
|
if (td->td_flags & TRAVERSE_POST)
|
|
|
|
|
return (RESUME_SKIP_CHILDREN);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return (RESUME_SKIP_NONE);
|
|
|
|
|
}
|
|
|
|
|
|
2021-04-15 23:49:27 +03:00
|
|
|
/*
|
|
|
|
|
* Returns B_TRUE, if prefetch read is issued, otherwise B_FALSE.
|
|
|
|
|
*/
|
|
|
|
|
static boolean_t
|
Fix prefetching of indirect blocks while destroying
When traversing a tree of block pointers (e.g. for `zfs destroy <fs>` or
`zfs send`), we prefetch the indirect blocks that will be needed, in
`traverse_prefetch_metadata()`. In the case of `zfs destroy <fs>`, we
do a little traversing each txg, and resume the traversal the next txg.
So the indirect blocks that will be needed, and thus are candidates for
prefetching, does not include blocks that are before the resume point.
The problem is that the logic for determining if the indirect blocks are
before the resume point is incorrect, causing the (up to 1024) L1
indirect blocks that are inside the first L2 to not be prefetched. In
practice, if we are able to read many more than 1024 blocks per txg,
then this will be inconsequential. But if i/o latency is more than a
few milliseconds, almost no L1's will be prefetched, so they will be
read serially, and thus the destroying will be very slow. This can be
observed as `zpool get freeing` decreasing very slowly.
Specifically: When we first examine the L2 that contains the block we'll
be resuming from, we have not yet resumed, so `td_resume` is nonzero.
At this point, all calls to `traverse_prefetch_metadata()` will fail,
even if the L1 in question is after the resume point. It isn't until
the callback is issued for the resume point that we zero out
`td_resume`, but by this point we've already attempted and failed to
prefetch everything under this L2 indirect block.
This commit addresses the issue by reusing the existing
`resume_skip_check()` to determine if the L1's bookmark is before or
after the resume point. To do so, this function is made non-mutating
(the caller now zeros `td_resume`).
Note, this bug likely predates (was not introduced by) #11803.
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Matthew Ahrens <mahrens@delphix.com>
Closes #14603
2023-03-24 20:20:07 +03:00
|
|
|
traverse_prefetch_metadata(traverse_data_t *td, const dnode_phys_t *dnp,
|
2014-06-25 22:37:59 +04:00
|
|
|
const blkptr_t *bp, const zbookmark_phys_t *zb)
|
2013-07-03 00:20:02 +04:00
|
|
|
{
|
2022-12-22 23:10:24 +03:00
|
|
|
arc_flags_t flags = ARC_FLAG_NOWAIT | ARC_FLAG_PREFETCH |
|
|
|
|
|
ARC_FLAG_PRESCIENT_PREFETCH;
|
2017-09-28 18:49:13 +03:00
|
|
|
int zio_flags = ZIO_FLAG_CANFAIL | ZIO_FLAG_SPECULATIVE;
|
2013-07-03 00:20:02 +04:00
|
|
|
|
|
|
|
|
if (!(td->td_flags & TRAVERSE_PREFETCH_METADATA))
|
2021-04-15 23:49:27 +03:00
|
|
|
return (B_FALSE);
|
2013-07-03 00:20:02 +04:00
|
|
|
/*
|
Fix prefetching of indirect blocks while destroying
When traversing a tree of block pointers (e.g. for `zfs destroy <fs>` or
`zfs send`), we prefetch the indirect blocks that will be needed, in
`traverse_prefetch_metadata()`. In the case of `zfs destroy <fs>`, we
do a little traversing each txg, and resume the traversal the next txg.
So the indirect blocks that will be needed, and thus are candidates for
prefetching, does not include blocks that are before the resume point.
The problem is that the logic for determining if the indirect blocks are
before the resume point is incorrect, causing the (up to 1024) L1
indirect blocks that are inside the first L2 to not be prefetched. In
practice, if we are able to read many more than 1024 blocks per txg,
then this will be inconsequential. But if i/o latency is more than a
few milliseconds, almost no L1's will be prefetched, so they will be
read serially, and thus the destroying will be very slow. This can be
observed as `zpool get freeing` decreasing very slowly.
Specifically: When we first examine the L2 that contains the block we'll
be resuming from, we have not yet resumed, so `td_resume` is nonzero.
At this point, all calls to `traverse_prefetch_metadata()` will fail,
even if the L1 in question is after the resume point. It isn't until
the callback is issued for the resume point that we zero out
`td_resume`, but by this point we've already attempted and failed to
prefetch everything under this L2 indirect block.
This commit addresses the issue by reusing the existing
`resume_skip_check()` to determine if the L1's bookmark is before or
after the resume point. To do so, this function is made non-mutating
(the caller now zeros `td_resume`).
Note, this bug likely predates (was not introduced by) #11803.
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Matthew Ahrens <mahrens@delphix.com>
Closes #14603
2023-03-24 20:20:07 +03:00
|
|
|
* If this bp is before the resume point, it may have already been
|
|
|
|
|
* freed.
|
2013-07-03 00:20:02 +04:00
|
|
|
*/
|
Fix prefetching of indirect blocks while destroying
When traversing a tree of block pointers (e.g. for `zfs destroy <fs>` or
`zfs send`), we prefetch the indirect blocks that will be needed, in
`traverse_prefetch_metadata()`. In the case of `zfs destroy <fs>`, we
do a little traversing each txg, and resume the traversal the next txg.
So the indirect blocks that will be needed, and thus are candidates for
prefetching, does not include blocks that are before the resume point.
The problem is that the logic for determining if the indirect blocks are
before the resume point is incorrect, causing the (up to 1024) L1
indirect blocks that are inside the first L2 to not be prefetched. In
practice, if we are able to read many more than 1024 blocks per txg,
then this will be inconsequential. But if i/o latency is more than a
few milliseconds, almost no L1's will be prefetched, so they will be
read serially, and thus the destroying will be very slow. This can be
observed as `zpool get freeing` decreasing very slowly.
Specifically: When we first examine the L2 that contains the block we'll
be resuming from, we have not yet resumed, so `td_resume` is nonzero.
At this point, all calls to `traverse_prefetch_metadata()` will fail,
even if the L1 in question is after the resume point. It isn't until
the callback is issued for the resume point that we zero out
`td_resume`, but by this point we've already attempted and failed to
prefetch everything under this L2 indirect block.
This commit addresses the issue by reusing the existing
`resume_skip_check()` to determine if the L1's bookmark is before or
after the resume point. To do so, this function is made non-mutating
(the caller now zeros `td_resume`).
Note, this bug likely predates (was not introduced by) #11803.
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Matthew Ahrens <mahrens@delphix.com>
Closes #14603
2023-03-24 20:20:07 +03:00
|
|
|
if (resume_skip_check(td, dnp, zb) != RESUME_SKIP_NONE)
|
2021-04-15 23:49:27 +03:00
|
|
|
return (B_FALSE);
|
2013-07-03 00:20:02 +04:00
|
|
|
if (BP_IS_HOLE(bp) || bp->blk_birth <= td->td_min_txg)
|
2021-04-15 23:49:27 +03:00
|
|
|
return (B_FALSE);
|
2013-07-03 00:20:02 +04:00
|
|
|
if (BP_GET_LEVEL(bp) == 0 && BP_GET_TYPE(bp) != DMU_OT_DNODE)
|
2021-04-15 23:49:27 +03:00
|
|
|
return (B_FALSE);
|
Implement Redacted Send/Receive
Redacted send/receive allows users to send subsets of their data to
a target system. One possible use case for this feature is to not
transmit sensitive information to a data warehousing, test/dev, or
analytics environment. Another is to save space by not replicating
unimportant data within a given dataset, for example in backup tools
like zrepl.
Redacted send/receive is a three-stage process. First, a clone (or
clones) is made of the snapshot to be sent to the target. In this
clone (or clones), all unnecessary or unwanted data is removed or
modified. This clone is then snapshotted to create the "redaction
snapshot" (or snapshots). Second, the new zfs redact command is used
to create a redaction bookmark. The redaction bookmark stores the
list of blocks in a snapshot that were modified by the redaction
snapshot(s). Finally, the redaction bookmark is passed as a parameter
to zfs send. When sending to the snapshot that was redacted, the
redaction bookmark is used to filter out blocks that contain sensitive
or unwanted information, and those blocks are not included in the send
stream. When sending from the redaction bookmark, the blocks it
contains are considered as candidate blocks in addition to those
blocks in the destination snapshot that were modified since the
creation_txg of the redaction bookmark. This step is necessary to
allow the target to rehydrate data in the case where some blocks are
accidentally or unnecessarily modified in the redaction snapshot.
The changes to bookmarks to enable fast space estimation involve
adding deadlists to bookmarks. There is also logic to manage the
life cycles of these deadlists.
The new size estimation process operates in cases where previously
an accurate estimate could not be provided. In those cases, a send
is performed where no data blocks are read, reducing the runtime
significantly and providing a byte-accurate size estimate.
Reviewed-by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed-by: Matt Ahrens <mahrens@delphix.com>
Reviewed-by: Prashanth Sreenivasa <pks@delphix.com>
Reviewed-by: John Kennedy <john.kennedy@delphix.com>
Reviewed-by: George Wilson <george.wilson@delphix.com>
Reviewed-by: Chris Williamson <chris.williamson@delphix.com>
Reviewed-by: Pavel Zhakarov <pavel.zakharov@delphix.com>
Reviewed-by: Sebastien Roy <sebastien.roy@delphix.com>
Reviewed-by: Prakash Surya <prakash.surya@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Paul Dagnelie <pcd@delphix.com>
Closes #7958
2019-06-19 19:48:13 +03:00
|
|
|
ASSERT(!BP_IS_REDACTED(bp));
|
2013-07-03 00:20:02 +04:00
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
if ((td->td_flags & TRAVERSE_NO_DECRYPT) && BP_IS_PROTECTED(bp))
|
|
|
|
|
zio_flags |= ZIO_FLAG_RAW;
|
|
|
|
|
|
2013-07-03 00:26:24 +04:00
|
|
|
(void) arc_read(NULL, td->td_spa, bp, NULL, NULL,
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
ZIO_PRIORITY_ASYNC_READ, zio_flags, &flags, zb);
|
2021-04-15 23:49:27 +03:00
|
|
|
return (B_TRUE);
|
2013-07-03 00:20:02 +04:00
|
|
|
}
|
|
|
|
|
|
2014-06-06 01:34:21 +04:00
|
|
|
static boolean_t
|
|
|
|
|
prefetch_needed(prefetch_data_t *pfd, const blkptr_t *bp)
|
|
|
|
|
{
|
|
|
|
|
ASSERT(pfd->pd_flags & TRAVERSE_PREFETCH_DATA);
|
|
|
|
|
if (BP_IS_HOLE(bp) || BP_IS_EMBEDDED(bp) ||
|
Implement Redacted Send/Receive
Redacted send/receive allows users to send subsets of their data to
a target system. One possible use case for this feature is to not
transmit sensitive information to a data warehousing, test/dev, or
analytics environment. Another is to save space by not replicating
unimportant data within a given dataset, for example in backup tools
like zrepl.
Redacted send/receive is a three-stage process. First, a clone (or
clones) is made of the snapshot to be sent to the target. In this
clone (or clones), all unnecessary or unwanted data is removed or
modified. This clone is then snapshotted to create the "redaction
snapshot" (or snapshots). Second, the new zfs redact command is used
to create a redaction bookmark. The redaction bookmark stores the
list of blocks in a snapshot that were modified by the redaction
snapshot(s). Finally, the redaction bookmark is passed as a parameter
to zfs send. When sending to the snapshot that was redacted, the
redaction bookmark is used to filter out blocks that contain sensitive
or unwanted information, and those blocks are not included in the send
stream. When sending from the redaction bookmark, the blocks it
contains are considered as candidate blocks in addition to those
blocks in the destination snapshot that were modified since the
creation_txg of the redaction bookmark. This step is necessary to
allow the target to rehydrate data in the case where some blocks are
accidentally or unnecessarily modified in the redaction snapshot.
The changes to bookmarks to enable fast space estimation involve
adding deadlists to bookmarks. There is also logic to manage the
life cycles of these deadlists.
The new size estimation process operates in cases where previously
an accurate estimate could not be provided. In those cases, a send
is performed where no data blocks are read, reducing the runtime
significantly and providing a byte-accurate size estimate.
Reviewed-by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed-by: Matt Ahrens <mahrens@delphix.com>
Reviewed-by: Prashanth Sreenivasa <pks@delphix.com>
Reviewed-by: John Kennedy <john.kennedy@delphix.com>
Reviewed-by: George Wilson <george.wilson@delphix.com>
Reviewed-by: Chris Williamson <chris.williamson@delphix.com>
Reviewed-by: Pavel Zhakarov <pavel.zakharov@delphix.com>
Reviewed-by: Sebastien Roy <sebastien.roy@delphix.com>
Reviewed-by: Prakash Surya <prakash.surya@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Paul Dagnelie <pcd@delphix.com>
Closes #7958
2019-06-19 19:48:13 +03:00
|
|
|
BP_GET_TYPE(bp) == DMU_OT_INTENT_LOG || BP_IS_REDACTED(bp))
|
2014-06-06 01:34:21 +04:00
|
|
|
return (B_FALSE);
|
|
|
|
|
return (B_TRUE);
|
|
|
|
|
}
|
|
|
|
|
|
2011-05-26 03:09:57 +04:00
|
|
|
static int
|
|
|
|
|
traverse_visitbp(traverse_data_t *td, const dnode_phys_t *dnp,
|
2014-06-25 22:37:59 +04:00
|
|
|
const blkptr_t *bp, const zbookmark_phys_t *zb)
|
2010-08-28 03:48:18 +04:00
|
|
|
{
|
2014-06-06 01:20:08 +04:00
|
|
|
int err = 0;
|
2011-05-26 03:09:57 +04:00
|
|
|
arc_buf_t *buf = NULL;
|
2015-03-27 07:04:12 +03:00
|
|
|
prefetch_data_t *pd = td->td_pfd;
|
2012-12-14 03:24:15 +04:00
|
|
|
|
|
|
|
|
switch (resume_skip_check(td, dnp, zb)) {
|
|
|
|
|
case RESUME_SKIP_ALL:
|
|
|
|
|
return (0);
|
|
|
|
|
case RESUME_SKIP_CHILDREN:
|
|
|
|
|
goto post;
|
|
|
|
|
case RESUME_SKIP_NONE:
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
ASSERT(0);
|
|
|
|
|
}
|
2010-08-28 03:48:18 +04:00
|
|
|
|
2013-12-09 22:37:51 +04:00
|
|
|
if (bp->blk_birth == 0) {
|
2015-05-15 02:41:29 +03:00
|
|
|
/*
|
Illumos 6370 - ZFS send fails to transmit some holes
6370 ZFS send fails to transmit some holes
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed by: Chris Williamson <chris.williamson@delphix.com>
Reviewed by: Stefan Ring <stefanrin@gmail.com>
Reviewed by: Steven Burgess <sburgess@datto.com>
Reviewed by: Arne Jansen <sensille@gmx.net>
Approved by: Robert Mustacchi <rm@joyent.com>
References:
https://www.illumos.org/issues/6370
https://github.com/illumos/illumos-gate/commit/286ef71
In certain circumstances, "zfs send -i" (incremental send) can produce
a stream which will result in incorrect sparse file contents on the
target.
The problem manifests as regions of the received file that should be
sparse (and read a zero-filled) actually contain data from a file that
was deleted (and which happened to share this file's object ID).
Note: this can happen only with filesystems (not zvols, because they do
not free (and thus can not reuse) object IDs).
Note: This can happen only if, since the incremental source (FromSnap),
a file was deleted and then another file was created, and the new file
is sparse (i.e. has areas that were never written to and should be
implicitly zero-filled).
We suspect that this was introduced by 4370 (applies only if hole_birth
feature is enabled), and made worse by 5243 (applies if hole_birth
feature is disabled, and we never send any holes).
The bug is caused by the hole birth feature. When an object is deleted
and replaced, all the holes in the object have birth time zero. However,
zfs send cannot tell that the holes are new since the file was replaced,
so it doesn't send them in an incremental. As a result, you can end up
with invalid data when you receive incremental send streams. As a
short-term fix, we can always send holes with birth time 0 (unless it's
a zvol or a dataset where we can guarantee that no objects have been
reused).
Ported-by: Steven Burgess <sburgess@datto.com>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #4369
Closes #4050
2016-02-26 04:45:19 +03:00
|
|
|
* Since this block has a birth time of 0 it must be one of
|
|
|
|
|
* two things: a hole created before the
|
|
|
|
|
* SPA_FEATURE_HOLE_BIRTH feature was enabled, or a hole
|
|
|
|
|
* which has always been a hole in an object.
|
|
|
|
|
*
|
|
|
|
|
* If a file is written sparsely, then the unwritten parts of
|
|
|
|
|
* the file were "always holes" -- that is, they have been
|
|
|
|
|
* holes since this object was allocated. However, we (and
|
|
|
|
|
* our callers) can not necessarily tell when an object was
|
|
|
|
|
* allocated. Therefore, if it's possible that this object
|
|
|
|
|
* was freed and then its object number reused, we need to
|
|
|
|
|
* visit all the holes with birth==0.
|
|
|
|
|
*
|
|
|
|
|
* If it isn't possible that the object number was reused,
|
|
|
|
|
* then if SPA_FEATURE_HOLE_BIRTH was enabled before we wrote
|
|
|
|
|
* all the blocks we will visit as part of this traversal,
|
|
|
|
|
* then this hole must have always existed, so we can skip
|
|
|
|
|
* it. We visit blocks born after (exclusive) td_min_txg.
|
|
|
|
|
*
|
|
|
|
|
* Note that the meta-dnode cannot be reallocated.
|
2015-05-15 02:41:29 +03:00
|
|
|
*/
|
2016-10-08 07:02:24 +03:00
|
|
|
if (!send_holes_without_birth_time &&
|
|
|
|
|
(!td->td_realloc_possible ||
|
|
|
|
|
zb->zb_object == DMU_META_DNODE_OBJECT) &&
|
|
|
|
|
td->td_hole_birth_enabled_txg <= td->td_min_txg)
|
2015-05-15 02:41:29 +03:00
|
|
|
return (0);
|
2013-12-09 22:37:51 +04:00
|
|
|
} else if (bp->blk_birth <= td->td_min_txg) {
|
|
|
|
|
return (0);
|
|
|
|
|
}
|
|
|
|
|
|
2015-03-27 07:04:12 +03:00
|
|
|
if (pd != NULL && !pd->pd_exited && prefetch_needed(pd, bp)) {
|
2015-03-27 07:31:52 +03:00
|
|
|
uint64_t size = BP_GET_LSIZE(bp);
|
2015-03-27 07:04:12 +03:00
|
|
|
mutex_enter(&pd->pd_mtx);
|
2015-03-27 07:31:52 +03:00
|
|
|
ASSERT(pd->pd_bytes_fetched >= 0);
|
|
|
|
|
while (pd->pd_bytes_fetched < size && !pd->pd_exited)
|
2015-06-10 02:39:25 +03:00
|
|
|
cv_wait_sig(&pd->pd_cv, &pd->pd_mtx);
|
2015-03-27 07:31:52 +03:00
|
|
|
pd->pd_bytes_fetched -= size;
|
2015-03-27 07:04:12 +03:00
|
|
|
cv_broadcast(&pd->pd_cv);
|
|
|
|
|
mutex_exit(&pd->pd_mtx);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
Implement Redacted Send/Receive
Redacted send/receive allows users to send subsets of their data to
a target system. One possible use case for this feature is to not
transmit sensitive information to a data warehousing, test/dev, or
analytics environment. Another is to save space by not replicating
unimportant data within a given dataset, for example in backup tools
like zrepl.
Redacted send/receive is a three-stage process. First, a clone (or
clones) is made of the snapshot to be sent to the target. In this
clone (or clones), all unnecessary or unwanted data is removed or
modified. This clone is then snapshotted to create the "redaction
snapshot" (or snapshots). Second, the new zfs redact command is used
to create a redaction bookmark. The redaction bookmark stores the
list of blocks in a snapshot that were modified by the redaction
snapshot(s). Finally, the redaction bookmark is passed as a parameter
to zfs send. When sending to the snapshot that was redacted, the
redaction bookmark is used to filter out blocks that contain sensitive
or unwanted information, and those blocks are not included in the send
stream. When sending from the redaction bookmark, the blocks it
contains are considered as candidate blocks in addition to those
blocks in the destination snapshot that were modified since the
creation_txg of the redaction bookmark. This step is necessary to
allow the target to rehydrate data in the case where some blocks are
accidentally or unnecessarily modified in the redaction snapshot.
The changes to bookmarks to enable fast space estimation involve
adding deadlists to bookmarks. There is also logic to manage the
life cycles of these deadlists.
The new size estimation process operates in cases where previously
an accurate estimate could not be provided. In those cases, a send
is performed where no data blocks are read, reducing the runtime
significantly and providing a byte-accurate size estimate.
Reviewed-by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed-by: Matt Ahrens <mahrens@delphix.com>
Reviewed-by: Prashanth Sreenivasa <pks@delphix.com>
Reviewed-by: John Kennedy <john.kennedy@delphix.com>
Reviewed-by: George Wilson <george.wilson@delphix.com>
Reviewed-by: Chris Williamson <chris.williamson@delphix.com>
Reviewed-by: Pavel Zhakarov <pavel.zakharov@delphix.com>
Reviewed-by: Sebastien Roy <sebastien.roy@delphix.com>
Reviewed-by: Prakash Surya <prakash.surya@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Paul Dagnelie <pcd@delphix.com>
Closes #7958
2019-06-19 19:48:13 +03:00
|
|
|
if (BP_IS_HOLE(bp) || BP_IS_REDACTED(bp)) {
|
2014-06-06 01:34:21 +04:00
|
|
|
err = td->td_func(td->td_spa, NULL, bp, zb, dnp, td->td_arg);
|
|
|
|
|
if (err != 0)
|
|
|
|
|
goto post;
|
|
|
|
|
return (0);
|
|
|
|
|
}
|
|
|
|
|
|
2011-05-26 03:09:57 +04:00
|
|
|
if (td->td_flags & TRAVERSE_PRE) {
|
2013-07-03 00:26:24 +04:00
|
|
|
err = td->td_func(td->td_spa, NULL, bp, zb, dnp,
|
2011-05-26 03:09:57 +04:00
|
|
|
td->td_arg);
|
|
|
|
|
if (err == TRAVERSE_VISIT_NO_CHILDREN)
|
2010-08-27 01:24:34 +04:00
|
|
|
return (0);
|
2012-12-14 03:24:15 +04:00
|
|
|
if (err != 0)
|
|
|
|
|
goto post;
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
2011-05-26 03:09:57 +04:00
|
|
|
if (BP_GET_LEVEL(bp) > 0) {
|
2014-12-06 20:24:32 +03:00
|
|
|
uint32_t flags = ARC_FLAG_WAIT;
|
2021-04-15 23:49:27 +03:00
|
|
|
int32_t i, ptidx, pidx;
|
|
|
|
|
uint32_t prefetchlimit;
|
2013-11-13 23:05:17 +04:00
|
|
|
int32_t epb = BP_GET_LSIZE(bp) >> SPA_BLKPTRSHIFT;
|
2014-06-25 22:37:59 +04:00
|
|
|
zbookmark_phys_t *czb;
|
2008-12-03 23:09:06 +03:00
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
ASSERT(!BP_IS_PROTECTED(bp));
|
|
|
|
|
|
2013-07-03 00:26:24 +04:00
|
|
|
err = arc_read(NULL, td->td_spa, bp, arc_getbuf_func, &buf,
|
2011-05-26 03:09:57 +04:00
|
|
|
ZIO_PRIORITY_ASYNC_READ, ZIO_FLAG_CANFAIL, &flags, zb);
|
2013-09-04 16:00:57 +04:00
|
|
|
if (err != 0)
|
2014-06-06 01:20:08 +04:00
|
|
|
goto post;
|
2013-11-13 23:05:17 +04:00
|
|
|
|
2014-11-21 03:09:39 +03:00
|
|
|
czb = kmem_alloc(sizeof (zbookmark_phys_t), KM_SLEEP);
|
2013-07-03 00:20:02 +04:00
|
|
|
|
2021-04-15 23:49:27 +03:00
|
|
|
/*
|
|
|
|
|
* When performing a traversal it is beneficial to
|
|
|
|
|
* asynchronously read-ahead the upcoming indirect
|
|
|
|
|
* blocks since they will be needed shortly. However,
|
|
|
|
|
* since a 128k indirect (non-L0) block may contain up
|
|
|
|
|
* to 1024 128-byte block pointers, its preferable to not
|
|
|
|
|
* prefetch them all at once. Issuing a large number of
|
|
|
|
|
* async reads may effect performance, and the earlier
|
|
|
|
|
* the indirect blocks are prefetched the less likely
|
|
|
|
|
* they are to still be resident in the ARC when needed.
|
|
|
|
|
* Therefore, prefetching indirect blocks is limited to
|
|
|
|
|
* zfs_traverse_indirect_prefetch_limit=32 blocks by
|
|
|
|
|
* default.
|
|
|
|
|
*
|
|
|
|
|
* pidx: Index for which next prefetch to be issued.
|
|
|
|
|
* ptidx: Index at which next prefetch to be triggered.
|
|
|
|
|
*/
|
|
|
|
|
ptidx = 0;
|
|
|
|
|
pidx = 1;
|
|
|
|
|
prefetchlimit = zfs_traverse_indirect_prefetch_limit;
|
2013-07-03 00:20:02 +04:00
|
|
|
for (i = 0; i < epb; i++) {
|
2021-04-15 23:49:27 +03:00
|
|
|
if (prefetchlimit && i == ptidx) {
|
|
|
|
|
ASSERT3S(ptidx, <=, pidx);
|
|
|
|
|
for (uint32_t prefetched = 0; pidx < epb &&
|
|
|
|
|
prefetched < prefetchlimit; pidx++) {
|
|
|
|
|
SET_BOOKMARK(czb, zb->zb_objset,
|
|
|
|
|
zb->zb_object, zb->zb_level - 1,
|
|
|
|
|
zb->zb_blkid * epb + pidx);
|
Fix prefetching of indirect blocks while destroying
When traversing a tree of block pointers (e.g. for `zfs destroy <fs>` or
`zfs send`), we prefetch the indirect blocks that will be needed, in
`traverse_prefetch_metadata()`. In the case of `zfs destroy <fs>`, we
do a little traversing each txg, and resume the traversal the next txg.
So the indirect blocks that will be needed, and thus are candidates for
prefetching, does not include blocks that are before the resume point.
The problem is that the logic for determining if the indirect blocks are
before the resume point is incorrect, causing the (up to 1024) L1
indirect blocks that are inside the first L2 to not be prefetched. In
practice, if we are able to read many more than 1024 blocks per txg,
then this will be inconsequential. But if i/o latency is more than a
few milliseconds, almost no L1's will be prefetched, so they will be
read serially, and thus the destroying will be very slow. This can be
observed as `zpool get freeing` decreasing very slowly.
Specifically: When we first examine the L2 that contains the block we'll
be resuming from, we have not yet resumed, so `td_resume` is nonzero.
At this point, all calls to `traverse_prefetch_metadata()` will fail,
even if the L1 in question is after the resume point. It isn't until
the callback is issued for the resume point that we zero out
`td_resume`, but by this point we've already attempted and failed to
prefetch everything under this L2 indirect block.
This commit addresses the issue by reusing the existing
`resume_skip_check()` to determine if the L1's bookmark is before or
after the resume point. To do so, this function is made non-mutating
(the caller now zeros `td_resume`).
Note, this bug likely predates (was not introduced by) #11803.
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Matthew Ahrens <mahrens@delphix.com>
Closes #14603
2023-03-24 20:20:07 +03:00
|
|
|
if (traverse_prefetch_metadata(td, dnp,
|
2021-04-15 23:49:27 +03:00
|
|
|
&((blkptr_t *)buf->b_data)[pidx],
|
|
|
|
|
czb) == B_TRUE) {
|
|
|
|
|
prefetched++;
|
|
|
|
|
if (prefetched ==
|
|
|
|
|
MAX(prefetchlimit / 2, 1))
|
|
|
|
|
ptidx = pidx;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2008-12-03 23:09:06 +03:00
|
|
|
|
2021-04-15 23:49:27 +03:00
|
|
|
/* recursively visitbp() blocks below this */
|
2013-11-13 23:05:17 +04:00
|
|
|
SET_BOOKMARK(czb, zb->zb_objset, zb->zb_object,
|
2011-05-26 03:09:57 +04:00
|
|
|
zb->zb_level - 1,
|
|
|
|
|
zb->zb_blkid * epb + i);
|
2013-11-13 23:05:17 +04:00
|
|
|
err = traverse_visitbp(td, dnp,
|
|
|
|
|
&((blkptr_t *)buf->b_data)[i], czb);
|
2014-06-06 01:20:08 +04:00
|
|
|
if (err != 0)
|
|
|
|
|
break;
|
2008-12-03 23:09:06 +03:00
|
|
|
}
|
2013-11-13 23:05:17 +04:00
|
|
|
|
2014-06-25 22:37:59 +04:00
|
|
|
kmem_free(czb, sizeof (zbookmark_phys_t));
|
2013-11-13 23:05:17 +04:00
|
|
|
|
2011-05-26 03:09:57 +04:00
|
|
|
} else if (BP_GET_TYPE(bp) == DMU_OT_DNODE) {
|
2014-12-06 20:24:32 +03:00
|
|
|
uint32_t flags = ARC_FLAG_WAIT;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
uint32_t zio_flags = ZIO_FLAG_CANFAIL;
|
2013-11-13 23:05:17 +04:00
|
|
|
int32_t i;
|
|
|
|
|
int32_t epb = BP_GET_LSIZE(bp) >> DNODE_SHIFT;
|
2016-01-07 00:22:48 +03:00
|
|
|
dnode_phys_t *child_dnp;
|
2008-12-03 23:09:06 +03:00
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
/*
|
|
|
|
|
* dnode blocks might have their bonus buffers encrypted, so
|
|
|
|
|
* we must be careful to honor TRAVERSE_NO_DECRYPT
|
|
|
|
|
*/
|
|
|
|
|
if ((td->td_flags & TRAVERSE_NO_DECRYPT) && BP_IS_PROTECTED(bp))
|
|
|
|
|
zio_flags |= ZIO_FLAG_RAW;
|
|
|
|
|
|
2013-07-03 00:26:24 +04:00
|
|
|
err = arc_read(NULL, td->td_spa, bp, arc_getbuf_func, &buf,
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
ZIO_PRIORITY_ASYNC_READ, zio_flags, &flags, zb);
|
2013-09-04 16:00:57 +04:00
|
|
|
if (err != 0)
|
2014-06-06 01:20:08 +04:00
|
|
|
goto post;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
|
2016-01-07 00:22:48 +03:00
|
|
|
child_dnp = buf->b_data;
|
2013-07-03 00:20:02 +04:00
|
|
|
|
2016-01-07 00:22:48 +03:00
|
|
|
for (i = 0; i < epb; i += child_dnp[i].dn_extra_slots + 1) {
|
|
|
|
|
prefetch_dnode_metadata(td, &child_dnp[i],
|
|
|
|
|
zb->zb_objset, zb->zb_blkid * epb + i);
|
2013-07-03 00:20:02 +04:00
|
|
|
}
|
2008-12-03 23:09:06 +03:00
|
|
|
|
|
|
|
|
/* recursively visitbp() blocks below this */
|
2016-01-07 00:22:48 +03:00
|
|
|
for (i = 0; i < epb; i += child_dnp[i].dn_extra_slots + 1) {
|
Implement Redacted Send/Receive
Redacted send/receive allows users to send subsets of their data to
a target system. One possible use case for this feature is to not
transmit sensitive information to a data warehousing, test/dev, or
analytics environment. Another is to save space by not replicating
unimportant data within a given dataset, for example in backup tools
like zrepl.
Redacted send/receive is a three-stage process. First, a clone (or
clones) is made of the snapshot to be sent to the target. In this
clone (or clones), all unnecessary or unwanted data is removed or
modified. This clone is then snapshotted to create the "redaction
snapshot" (or snapshots). Second, the new zfs redact command is used
to create a redaction bookmark. The redaction bookmark stores the
list of blocks in a snapshot that were modified by the redaction
snapshot(s). Finally, the redaction bookmark is passed as a parameter
to zfs send. When sending to the snapshot that was redacted, the
redaction bookmark is used to filter out blocks that contain sensitive
or unwanted information, and those blocks are not included in the send
stream. When sending from the redaction bookmark, the blocks it
contains are considered as candidate blocks in addition to those
blocks in the destination snapshot that were modified since the
creation_txg of the redaction bookmark. This step is necessary to
allow the target to rehydrate data in the case where some blocks are
accidentally or unnecessarily modified in the redaction snapshot.
The changes to bookmarks to enable fast space estimation involve
adding deadlists to bookmarks. There is also logic to manage the
life cycles of these deadlists.
The new size estimation process operates in cases where previously
an accurate estimate could not be provided. In those cases, a send
is performed where no data blocks are read, reducing the runtime
significantly and providing a byte-accurate size estimate.
Reviewed-by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed-by: Matt Ahrens <mahrens@delphix.com>
Reviewed-by: Prashanth Sreenivasa <pks@delphix.com>
Reviewed-by: John Kennedy <john.kennedy@delphix.com>
Reviewed-by: George Wilson <george.wilson@delphix.com>
Reviewed-by: Chris Williamson <chris.williamson@delphix.com>
Reviewed-by: Pavel Zhakarov <pavel.zakharov@delphix.com>
Reviewed-by: Sebastien Roy <sebastien.roy@delphix.com>
Reviewed-by: Prakash Surya <prakash.surya@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Paul Dagnelie <pcd@delphix.com>
Closes #7958
2019-06-19 19:48:13 +03:00
|
|
|
err = traverse_dnode(td, bp, &child_dnp[i],
|
2016-01-07 00:22:48 +03:00
|
|
|
zb->zb_objset, zb->zb_blkid * epb + i);
|
2014-06-06 01:20:08 +04:00
|
|
|
if (err != 0)
|
|
|
|
|
break;
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
2011-05-26 03:09:57 +04:00
|
|
|
} else if (BP_GET_TYPE(bp) == DMU_OT_OBJSET) {
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
uint32_t zio_flags = ZIO_FLAG_CANFAIL;
|
2014-12-06 20:24:32 +03:00
|
|
|
arc_flags_t flags = ARC_FLAG_WAIT;
|
2011-05-26 03:09:57 +04:00
|
|
|
objset_phys_t *osp;
|
|
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
if ((td->td_flags & TRAVERSE_NO_DECRYPT) && BP_IS_PROTECTED(bp))
|
|
|
|
|
zio_flags |= ZIO_FLAG_RAW;
|
|
|
|
|
|
2013-07-03 00:26:24 +04:00
|
|
|
err = arc_read(NULL, td->td_spa, bp, arc_getbuf_func, &buf,
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
ZIO_PRIORITY_ASYNC_READ, zio_flags, &flags, zb);
|
2013-09-04 16:00:57 +04:00
|
|
|
if (err != 0)
|
2014-06-06 01:20:08 +04:00
|
|
|
goto post;
|
2011-05-26 03:09:57 +04:00
|
|
|
|
|
|
|
|
osp = buf->b_data;
|
2016-01-07 00:22:48 +03:00
|
|
|
prefetch_dnode_metadata(td, &osp->os_meta_dnode, zb->zb_objset,
|
2013-07-03 00:20:02 +04:00
|
|
|
DMU_META_DNODE_OBJECT);
|
Illumos 6370 - ZFS send fails to transmit some holes
6370 ZFS send fails to transmit some holes
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed by: Chris Williamson <chris.williamson@delphix.com>
Reviewed by: Stefan Ring <stefanrin@gmail.com>
Reviewed by: Steven Burgess <sburgess@datto.com>
Reviewed by: Arne Jansen <sensille@gmx.net>
Approved by: Robert Mustacchi <rm@joyent.com>
References:
https://www.illumos.org/issues/6370
https://github.com/illumos/illumos-gate/commit/286ef71
In certain circumstances, "zfs send -i" (incremental send) can produce
a stream which will result in incorrect sparse file contents on the
target.
The problem manifests as regions of the received file that should be
sparse (and read a zero-filled) actually contain data from a file that
was deleted (and which happened to share this file's object ID).
Note: this can happen only with filesystems (not zvols, because they do
not free (and thus can not reuse) object IDs).
Note: This can happen only if, since the incremental source (FromSnap),
a file was deleted and then another file was created, and the new file
is sparse (i.e. has areas that were never written to and should be
implicitly zero-filled).
We suspect that this was introduced by 4370 (applies only if hole_birth
feature is enabled), and made worse by 5243 (applies if hole_birth
feature is disabled, and we never send any holes).
The bug is caused by the hole birth feature. When an object is deleted
and replaced, all the holes in the object have birth time zero. However,
zfs send cannot tell that the holes are new since the file was replaced,
so it doesn't send them in an incremental. As a result, you can end up
with invalid data when you receive incremental send streams. As a
short-term fix, we can always send holes with birth time 0 (unless it's
a zvol or a dataset where we can guarantee that no objects have been
reused).
Ported-by: Steven Burgess <sburgess@datto.com>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #4369
Closes #4050
2016-02-26 04:45:19 +03:00
|
|
|
/*
|
|
|
|
|
* See the block comment above for the goal of this variable.
|
|
|
|
|
* If the maxblkid of the meta-dnode is 0, then we know that
|
|
|
|
|
* we've never had more than DNODES_PER_BLOCK objects in the
|
|
|
|
|
* dataset, which means we can't have reused any object ids.
|
|
|
|
|
*/
|
|
|
|
|
if (osp->os_meta_dnode.dn_maxblkid == 0)
|
|
|
|
|
td->td_realloc_possible = B_FALSE;
|
|
|
|
|
|
2018-02-14 01:54:54 +03:00
|
|
|
if (OBJSET_BUF_HAS_USERUSED(buf)) {
|
|
|
|
|
if (OBJSET_BUF_HAS_PROJECTUSED(buf))
|
|
|
|
|
prefetch_dnode_metadata(td,
|
|
|
|
|
&osp->os_projectused_dnode,
|
|
|
|
|
zb->zb_objset, DMU_PROJECTUSED_OBJECT);
|
2016-01-07 00:22:48 +03:00
|
|
|
prefetch_dnode_metadata(td, &osp->os_groupused_dnode,
|
|
|
|
|
zb->zb_objset, DMU_GROUPUSED_OBJECT);
|
|
|
|
|
prefetch_dnode_metadata(td, &osp->os_userused_dnode,
|
|
|
|
|
zb->zb_objset, DMU_USERUSED_OBJECT);
|
2013-07-03 00:20:02 +04:00
|
|
|
}
|
|
|
|
|
|
Implement Redacted Send/Receive
Redacted send/receive allows users to send subsets of their data to
a target system. One possible use case for this feature is to not
transmit sensitive information to a data warehousing, test/dev, or
analytics environment. Another is to save space by not replicating
unimportant data within a given dataset, for example in backup tools
like zrepl.
Redacted send/receive is a three-stage process. First, a clone (or
clones) is made of the snapshot to be sent to the target. In this
clone (or clones), all unnecessary or unwanted data is removed or
modified. This clone is then snapshotted to create the "redaction
snapshot" (or snapshots). Second, the new zfs redact command is used
to create a redaction bookmark. The redaction bookmark stores the
list of blocks in a snapshot that were modified by the redaction
snapshot(s). Finally, the redaction bookmark is passed as a parameter
to zfs send. When sending to the snapshot that was redacted, the
redaction bookmark is used to filter out blocks that contain sensitive
or unwanted information, and those blocks are not included in the send
stream. When sending from the redaction bookmark, the blocks it
contains are considered as candidate blocks in addition to those
blocks in the destination snapshot that were modified since the
creation_txg of the redaction bookmark. This step is necessary to
allow the target to rehydrate data in the case where some blocks are
accidentally or unnecessarily modified in the redaction snapshot.
The changes to bookmarks to enable fast space estimation involve
adding deadlists to bookmarks. There is also logic to manage the
life cycles of these deadlists.
The new size estimation process operates in cases where previously
an accurate estimate could not be provided. In those cases, a send
is performed where no data blocks are read, reducing the runtime
significantly and providing a byte-accurate size estimate.
Reviewed-by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed-by: Matt Ahrens <mahrens@delphix.com>
Reviewed-by: Prashanth Sreenivasa <pks@delphix.com>
Reviewed-by: John Kennedy <john.kennedy@delphix.com>
Reviewed-by: George Wilson <george.wilson@delphix.com>
Reviewed-by: Chris Williamson <chris.williamson@delphix.com>
Reviewed-by: Pavel Zhakarov <pavel.zakharov@delphix.com>
Reviewed-by: Sebastien Roy <sebastien.roy@delphix.com>
Reviewed-by: Prakash Surya <prakash.surya@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Paul Dagnelie <pcd@delphix.com>
Closes #7958
2019-06-19 19:48:13 +03:00
|
|
|
err = traverse_dnode(td, bp, &osp->os_meta_dnode, zb->zb_objset,
|
2011-05-26 03:09:57 +04:00
|
|
|
DMU_META_DNODE_OBJECT);
|
2018-02-14 01:54:54 +03:00
|
|
|
if (err == 0 && OBJSET_BUF_HAS_USERUSED(buf)) {
|
|
|
|
|
if (OBJSET_BUF_HAS_PROJECTUSED(buf))
|
Implement Redacted Send/Receive
Redacted send/receive allows users to send subsets of their data to
a target system. One possible use case for this feature is to not
transmit sensitive information to a data warehousing, test/dev, or
analytics environment. Another is to save space by not replicating
unimportant data within a given dataset, for example in backup tools
like zrepl.
Redacted send/receive is a three-stage process. First, a clone (or
clones) is made of the snapshot to be sent to the target. In this
clone (or clones), all unnecessary or unwanted data is removed or
modified. This clone is then snapshotted to create the "redaction
snapshot" (or snapshots). Second, the new zfs redact command is used
to create a redaction bookmark. The redaction bookmark stores the
list of blocks in a snapshot that were modified by the redaction
snapshot(s). Finally, the redaction bookmark is passed as a parameter
to zfs send. When sending to the snapshot that was redacted, the
redaction bookmark is used to filter out blocks that contain sensitive
or unwanted information, and those blocks are not included in the send
stream. When sending from the redaction bookmark, the blocks it
contains are considered as candidate blocks in addition to those
blocks in the destination snapshot that were modified since the
creation_txg of the redaction bookmark. This step is necessary to
allow the target to rehydrate data in the case where some blocks are
accidentally or unnecessarily modified in the redaction snapshot.
The changes to bookmarks to enable fast space estimation involve
adding deadlists to bookmarks. There is also logic to manage the
life cycles of these deadlists.
The new size estimation process operates in cases where previously
an accurate estimate could not be provided. In those cases, a send
is performed where no data blocks are read, reducing the runtime
significantly and providing a byte-accurate size estimate.
Reviewed-by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed-by: Matt Ahrens <mahrens@delphix.com>
Reviewed-by: Prashanth Sreenivasa <pks@delphix.com>
Reviewed-by: John Kennedy <john.kennedy@delphix.com>
Reviewed-by: George Wilson <george.wilson@delphix.com>
Reviewed-by: Chris Williamson <chris.williamson@delphix.com>
Reviewed-by: Pavel Zhakarov <pavel.zakharov@delphix.com>
Reviewed-by: Sebastien Roy <sebastien.roy@delphix.com>
Reviewed-by: Prakash Surya <prakash.surya@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Paul Dagnelie <pcd@delphix.com>
Closes #7958
2019-06-19 19:48:13 +03:00
|
|
|
err = traverse_dnode(td, bp,
|
2018-02-14 01:54:54 +03:00
|
|
|
&osp->os_projectused_dnode, zb->zb_objset,
|
|
|
|
|
DMU_PROJECTUSED_OBJECT);
|
|
|
|
|
if (err == 0)
|
Implement Redacted Send/Receive
Redacted send/receive allows users to send subsets of their data to
a target system. One possible use case for this feature is to not
transmit sensitive information to a data warehousing, test/dev, or
analytics environment. Another is to save space by not replicating
unimportant data within a given dataset, for example in backup tools
like zrepl.
Redacted send/receive is a three-stage process. First, a clone (or
clones) is made of the snapshot to be sent to the target. In this
clone (or clones), all unnecessary or unwanted data is removed or
modified. This clone is then snapshotted to create the "redaction
snapshot" (or snapshots). Second, the new zfs redact command is used
to create a redaction bookmark. The redaction bookmark stores the
list of blocks in a snapshot that were modified by the redaction
snapshot(s). Finally, the redaction bookmark is passed as a parameter
to zfs send. When sending to the snapshot that was redacted, the
redaction bookmark is used to filter out blocks that contain sensitive
or unwanted information, and those blocks are not included in the send
stream. When sending from the redaction bookmark, the blocks it
contains are considered as candidate blocks in addition to those
blocks in the destination snapshot that were modified since the
creation_txg of the redaction bookmark. This step is necessary to
allow the target to rehydrate data in the case where some blocks are
accidentally or unnecessarily modified in the redaction snapshot.
The changes to bookmarks to enable fast space estimation involve
adding deadlists to bookmarks. There is also logic to manage the
life cycles of these deadlists.
The new size estimation process operates in cases where previously
an accurate estimate could not be provided. In those cases, a send
is performed where no data blocks are read, reducing the runtime
significantly and providing a byte-accurate size estimate.
Reviewed-by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed-by: Matt Ahrens <mahrens@delphix.com>
Reviewed-by: Prashanth Sreenivasa <pks@delphix.com>
Reviewed-by: John Kennedy <john.kennedy@delphix.com>
Reviewed-by: George Wilson <george.wilson@delphix.com>
Reviewed-by: Chris Williamson <chris.williamson@delphix.com>
Reviewed-by: Pavel Zhakarov <pavel.zakharov@delphix.com>
Reviewed-by: Sebastien Roy <sebastien.roy@delphix.com>
Reviewed-by: Prakash Surya <prakash.surya@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Paul Dagnelie <pcd@delphix.com>
Closes #7958
2019-06-19 19:48:13 +03:00
|
|
|
err = traverse_dnode(td, bp,
|
2018-02-14 01:54:54 +03:00
|
|
|
&osp->os_groupused_dnode, zb->zb_objset,
|
|
|
|
|
DMU_GROUPUSED_OBJECT);
|
|
|
|
|
if (err == 0)
|
Implement Redacted Send/Receive
Redacted send/receive allows users to send subsets of their data to
a target system. One possible use case for this feature is to not
transmit sensitive information to a data warehousing, test/dev, or
analytics environment. Another is to save space by not replicating
unimportant data within a given dataset, for example in backup tools
like zrepl.
Redacted send/receive is a three-stage process. First, a clone (or
clones) is made of the snapshot to be sent to the target. In this
clone (or clones), all unnecessary or unwanted data is removed or
modified. This clone is then snapshotted to create the "redaction
snapshot" (or snapshots). Second, the new zfs redact command is used
to create a redaction bookmark. The redaction bookmark stores the
list of blocks in a snapshot that were modified by the redaction
snapshot(s). Finally, the redaction bookmark is passed as a parameter
to zfs send. When sending to the snapshot that was redacted, the
redaction bookmark is used to filter out blocks that contain sensitive
or unwanted information, and those blocks are not included in the send
stream. When sending from the redaction bookmark, the blocks it
contains are considered as candidate blocks in addition to those
blocks in the destination snapshot that were modified since the
creation_txg of the redaction bookmark. This step is necessary to
allow the target to rehydrate data in the case where some blocks are
accidentally or unnecessarily modified in the redaction snapshot.
The changes to bookmarks to enable fast space estimation involve
adding deadlists to bookmarks. There is also logic to manage the
life cycles of these deadlists.
The new size estimation process operates in cases where previously
an accurate estimate could not be provided. In those cases, a send
is performed where no data blocks are read, reducing the runtime
significantly and providing a byte-accurate size estimate.
Reviewed-by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed-by: Matt Ahrens <mahrens@delphix.com>
Reviewed-by: Prashanth Sreenivasa <pks@delphix.com>
Reviewed-by: John Kennedy <john.kennedy@delphix.com>
Reviewed-by: George Wilson <george.wilson@delphix.com>
Reviewed-by: Chris Williamson <chris.williamson@delphix.com>
Reviewed-by: Pavel Zhakarov <pavel.zakharov@delphix.com>
Reviewed-by: Sebastien Roy <sebastien.roy@delphix.com>
Reviewed-by: Prakash Surya <prakash.surya@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Paul Dagnelie <pcd@delphix.com>
Closes #7958
2019-06-19 19:48:13 +03:00
|
|
|
err = traverse_dnode(td, bp,
|
2018-02-14 01:54:54 +03:00
|
|
|
&osp->os_userused_dnode, zb->zb_objset,
|
|
|
|
|
DMU_USERUSED_OBJECT);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2011-05-26 03:09:57 +04:00
|
|
|
if (buf)
|
2016-06-02 07:04:53 +03:00
|
|
|
arc_buf_destroy(buf, &buf);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2012-12-14 03:24:15 +04:00
|
|
|
post:
|
2014-06-06 01:20:08 +04:00
|
|
|
if (err == 0 && (td->td_flags & TRAVERSE_POST))
|
2013-07-03 00:26:24 +04:00
|
|
|
err = td->td_func(td->td_spa, NULL, bp, zb, dnp, td->td_arg);
|
2014-06-06 01:20:08 +04:00
|
|
|
|
|
|
|
|
if ((td->td_flags & TRAVERSE_HARD) && (err == EIO || err == ECKSUM)) {
|
|
|
|
|
/*
|
|
|
|
|
* Ignore this disk error as requested by the HARD flag,
|
|
|
|
|
* and continue traversal.
|
|
|
|
|
*/
|
|
|
|
|
err = 0;
|
2012-12-14 03:24:15 +04:00
|
|
|
}
|
|
|
|
|
|
2014-06-06 01:20:08 +04:00
|
|
|
/*
|
|
|
|
|
* If we are stopping here, set td_resume.
|
|
|
|
|
*/
|
|
|
|
|
if (td->td_resume != NULL && err != 0 && !td->td_paused) {
|
|
|
|
|
td->td_resume->zb_objset = zb->zb_objset;
|
|
|
|
|
td->td_resume->zb_object = zb->zb_object;
|
|
|
|
|
td->td_resume->zb_level = 0;
|
|
|
|
|
/*
|
|
|
|
|
* If we have stopped on an indirect block (e.g. due to
|
|
|
|
|
* i/o error), we have not visited anything below it.
|
|
|
|
|
* Set the bookmark to the first level-0 block that we need
|
|
|
|
|
* to visit. This way, the resuming code does not need to
|
|
|
|
|
* deal with resuming from indirect blocks.
|
2016-01-07 00:22:48 +03:00
|
|
|
*
|
|
|
|
|
* Note, if zb_level <= 0, dnp may be NULL, so we don't want
|
|
|
|
|
* to dereference it.
|
2014-06-06 01:20:08 +04:00
|
|
|
*/
|
2016-01-07 00:22:48 +03:00
|
|
|
td->td_resume->zb_blkid = zb->zb_blkid;
|
|
|
|
|
if (zb->zb_level > 0) {
|
|
|
|
|
td->td_resume->zb_blkid <<= zb->zb_level *
|
|
|
|
|
(dnp->dn_indblkshift - SPA_BLKPTRSHIFT);
|
|
|
|
|
}
|
2014-06-06 01:20:08 +04:00
|
|
|
td->td_paused = B_TRUE;
|
2010-05-29 00:45:14 +04:00
|
|
|
}
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2014-06-06 01:20:08 +04:00
|
|
|
return (err);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
2013-07-03 00:20:02 +04:00
|
|
|
static void
|
|
|
|
|
prefetch_dnode_metadata(traverse_data_t *td, const dnode_phys_t *dnp,
|
2013-07-03 00:26:24 +04:00
|
|
|
uint64_t objset, uint64_t object)
|
2013-07-03 00:20:02 +04:00
|
|
|
{
|
|
|
|
|
int j;
|
2014-06-25 22:37:59 +04:00
|
|
|
zbookmark_phys_t czb;
|
2013-07-03 00:20:02 +04:00
|
|
|
|
|
|
|
|
for (j = 0; j < dnp->dn_nblkptr; j++) {
|
|
|
|
|
SET_BOOKMARK(&czb, objset, object, dnp->dn_nlevels - 1, j);
|
Fix prefetching of indirect blocks while destroying
When traversing a tree of block pointers (e.g. for `zfs destroy <fs>` or
`zfs send`), we prefetch the indirect blocks that will be needed, in
`traverse_prefetch_metadata()`. In the case of `zfs destroy <fs>`, we
do a little traversing each txg, and resume the traversal the next txg.
So the indirect blocks that will be needed, and thus are candidates for
prefetching, does not include blocks that are before the resume point.
The problem is that the logic for determining if the indirect blocks are
before the resume point is incorrect, causing the (up to 1024) L1
indirect blocks that are inside the first L2 to not be prefetched. In
practice, if we are able to read many more than 1024 blocks per txg,
then this will be inconsequential. But if i/o latency is more than a
few milliseconds, almost no L1's will be prefetched, so they will be
read serially, and thus the destroying will be very slow. This can be
observed as `zpool get freeing` decreasing very slowly.
Specifically: When we first examine the L2 that contains the block we'll
be resuming from, we have not yet resumed, so `td_resume` is nonzero.
At this point, all calls to `traverse_prefetch_metadata()` will fail,
even if the L1 in question is after the resume point. It isn't until
the callback is issued for the resume point that we zero out
`td_resume`, but by this point we've already attempted and failed to
prefetch everything under this L2 indirect block.
This commit addresses the issue by reusing the existing
`resume_skip_check()` to determine if the L1's bookmark is before or
after the resume point. To do so, this function is made non-mutating
(the caller now zeros `td_resume`).
Note, this bug likely predates (was not introduced by) #11803.
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Matthew Ahrens <mahrens@delphix.com>
Closes #14603
2023-03-24 20:20:07 +03:00
|
|
|
traverse_prefetch_metadata(td, dnp, &dnp->dn_blkptr[j], &czb);
|
2013-07-03 00:20:02 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (dnp->dn_flags & DNODE_FLAG_SPILL_BLKPTR) {
|
|
|
|
|
SET_BOOKMARK(&czb, objset, object, 0, DMU_SPILL_BLKID);
|
Fix prefetching of indirect blocks while destroying
When traversing a tree of block pointers (e.g. for `zfs destroy <fs>` or
`zfs send`), we prefetch the indirect blocks that will be needed, in
`traverse_prefetch_metadata()`. In the case of `zfs destroy <fs>`, we
do a little traversing each txg, and resume the traversal the next txg.
So the indirect blocks that will be needed, and thus are candidates for
prefetching, does not include blocks that are before the resume point.
The problem is that the logic for determining if the indirect blocks are
before the resume point is incorrect, causing the (up to 1024) L1
indirect blocks that are inside the first L2 to not be prefetched. In
practice, if we are able to read many more than 1024 blocks per txg,
then this will be inconsequential. But if i/o latency is more than a
few milliseconds, almost no L1's will be prefetched, so they will be
read serially, and thus the destroying will be very slow. This can be
observed as `zpool get freeing` decreasing very slowly.
Specifically: When we first examine the L2 that contains the block we'll
be resuming from, we have not yet resumed, so `td_resume` is nonzero.
At this point, all calls to `traverse_prefetch_metadata()` will fail,
even if the L1 in question is after the resume point. It isn't until
the callback is issued for the resume point that we zero out
`td_resume`, but by this point we've already attempted and failed to
prefetch everything under this L2 indirect block.
This commit addresses the issue by reusing the existing
`resume_skip_check()` to determine if the L1's bookmark is before or
after the resume point. To do so, this function is made non-mutating
(the caller now zeros `td_resume`).
Note, this bug likely predates (was not introduced by) #11803.
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Matthew Ahrens <mahrens@delphix.com>
Closes #14603
2023-03-24 20:20:07 +03:00
|
|
|
traverse_prefetch_metadata(td, dnp, DN_SPILL_BLKPTR(dnp), &czb);
|
2013-07-03 00:20:02 +04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2009-07-03 02:44:48 +04:00
|
|
|
static int
|
Implement Redacted Send/Receive
Redacted send/receive allows users to send subsets of their data to
a target system. One possible use case for this feature is to not
transmit sensitive information to a data warehousing, test/dev, or
analytics environment. Another is to save space by not replicating
unimportant data within a given dataset, for example in backup tools
like zrepl.
Redacted send/receive is a three-stage process. First, a clone (or
clones) is made of the snapshot to be sent to the target. In this
clone (or clones), all unnecessary or unwanted data is removed or
modified. This clone is then snapshotted to create the "redaction
snapshot" (or snapshots). Second, the new zfs redact command is used
to create a redaction bookmark. The redaction bookmark stores the
list of blocks in a snapshot that were modified by the redaction
snapshot(s). Finally, the redaction bookmark is passed as a parameter
to zfs send. When sending to the snapshot that was redacted, the
redaction bookmark is used to filter out blocks that contain sensitive
or unwanted information, and those blocks are not included in the send
stream. When sending from the redaction bookmark, the blocks it
contains are considered as candidate blocks in addition to those
blocks in the destination snapshot that were modified since the
creation_txg of the redaction bookmark. This step is necessary to
allow the target to rehydrate data in the case where some blocks are
accidentally or unnecessarily modified in the redaction snapshot.
The changes to bookmarks to enable fast space estimation involve
adding deadlists to bookmarks. There is also logic to manage the
life cycles of these deadlists.
The new size estimation process operates in cases where previously
an accurate estimate could not be provided. In those cases, a send
is performed where no data blocks are read, reducing the runtime
significantly and providing a byte-accurate size estimate.
Reviewed-by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed-by: Matt Ahrens <mahrens@delphix.com>
Reviewed-by: Prashanth Sreenivasa <pks@delphix.com>
Reviewed-by: John Kennedy <john.kennedy@delphix.com>
Reviewed-by: George Wilson <george.wilson@delphix.com>
Reviewed-by: Chris Williamson <chris.williamson@delphix.com>
Reviewed-by: Pavel Zhakarov <pavel.zakharov@delphix.com>
Reviewed-by: Sebastien Roy <sebastien.roy@delphix.com>
Reviewed-by: Prakash Surya <prakash.surya@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Paul Dagnelie <pcd@delphix.com>
Closes #7958
2019-06-19 19:48:13 +03:00
|
|
|
traverse_dnode(traverse_data_t *td, const blkptr_t *bp, const dnode_phys_t *dnp,
|
2013-07-03 00:26:24 +04:00
|
|
|
uint64_t objset, uint64_t object)
|
2009-07-03 02:44:48 +04:00
|
|
|
{
|
2014-06-06 01:20:08 +04:00
|
|
|
int j, err = 0;
|
2014-06-25 22:37:59 +04:00
|
|
|
zbookmark_phys_t czb;
|
2009-07-03 02:44:48 +04:00
|
|
|
|
2016-01-07 00:22:48 +03:00
|
|
|
if (object != DMU_META_DNODE_OBJECT && td->td_resume != NULL &&
|
|
|
|
|
object < td->td_resume->zb_object)
|
|
|
|
|
return (0);
|
|
|
|
|
|
2015-12-22 04:31:57 +03:00
|
|
|
if (td->td_flags & TRAVERSE_PRE) {
|
|
|
|
|
SET_BOOKMARK(&czb, objset, object, ZB_DNODE_LEVEL,
|
|
|
|
|
ZB_DNODE_BLKID);
|
Implement Redacted Send/Receive
Redacted send/receive allows users to send subsets of their data to
a target system. One possible use case for this feature is to not
transmit sensitive information to a data warehousing, test/dev, or
analytics environment. Another is to save space by not replicating
unimportant data within a given dataset, for example in backup tools
like zrepl.
Redacted send/receive is a three-stage process. First, a clone (or
clones) is made of the snapshot to be sent to the target. In this
clone (or clones), all unnecessary or unwanted data is removed or
modified. This clone is then snapshotted to create the "redaction
snapshot" (or snapshots). Second, the new zfs redact command is used
to create a redaction bookmark. The redaction bookmark stores the
list of blocks in a snapshot that were modified by the redaction
snapshot(s). Finally, the redaction bookmark is passed as a parameter
to zfs send. When sending to the snapshot that was redacted, the
redaction bookmark is used to filter out blocks that contain sensitive
or unwanted information, and those blocks are not included in the send
stream. When sending from the redaction bookmark, the blocks it
contains are considered as candidate blocks in addition to those
blocks in the destination snapshot that were modified since the
creation_txg of the redaction bookmark. This step is necessary to
allow the target to rehydrate data in the case where some blocks are
accidentally or unnecessarily modified in the redaction snapshot.
The changes to bookmarks to enable fast space estimation involve
adding deadlists to bookmarks. There is also logic to manage the
life cycles of these deadlists.
The new size estimation process operates in cases where previously
an accurate estimate could not be provided. In those cases, a send
is performed where no data blocks are read, reducing the runtime
significantly and providing a byte-accurate size estimate.
Reviewed-by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed-by: Matt Ahrens <mahrens@delphix.com>
Reviewed-by: Prashanth Sreenivasa <pks@delphix.com>
Reviewed-by: John Kennedy <john.kennedy@delphix.com>
Reviewed-by: George Wilson <george.wilson@delphix.com>
Reviewed-by: Chris Williamson <chris.williamson@delphix.com>
Reviewed-by: Pavel Zhakarov <pavel.zakharov@delphix.com>
Reviewed-by: Sebastien Roy <sebastien.roy@delphix.com>
Reviewed-by: Prakash Surya <prakash.surya@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Paul Dagnelie <pcd@delphix.com>
Closes #7958
2019-06-19 19:48:13 +03:00
|
|
|
err = td->td_func(td->td_spa, NULL, bp, &czb, dnp,
|
2015-12-22 04:31:57 +03:00
|
|
|
td->td_arg);
|
|
|
|
|
if (err == TRAVERSE_VISIT_NO_CHILDREN)
|
|
|
|
|
return (0);
|
|
|
|
|
if (err != 0)
|
|
|
|
|
return (err);
|
|
|
|
|
}
|
|
|
|
|
|
2009-07-03 02:44:48 +04:00
|
|
|
for (j = 0; j < dnp->dn_nblkptr; j++) {
|
|
|
|
|
SET_BOOKMARK(&czb, objset, object, dnp->dn_nlevels - 1, j);
|
2013-07-03 00:26:24 +04:00
|
|
|
err = traverse_visitbp(td, dnp, &dnp->dn_blkptr[j], &czb);
|
2014-06-06 01:20:08 +04:00
|
|
|
if (err != 0)
|
|
|
|
|
break;
|
2009-07-03 02:44:48 +04:00
|
|
|
}
|
2010-05-29 00:45:14 +04:00
|
|
|
|
2015-12-22 04:31:57 +03:00
|
|
|
if (err == 0 && (dnp->dn_flags & DNODE_FLAG_SPILL_BLKPTR)) {
|
2013-07-03 00:20:02 +04:00
|
|
|
SET_BOOKMARK(&czb, objset, object, 0, DMU_SPILL_BLKID);
|
Implement large_dnode pool feature
Justification
-------------
This feature adds support for variable length dnodes. Our motivation is
to eliminate the overhead associated with using spill blocks. Spill
blocks are used to store system attribute data (i.e. file metadata) that
does not fit in the dnode's bonus buffer. By allowing a larger bonus
buffer area the use of a spill block can be avoided. Spill blocks
potentially incur an additional read I/O for every dnode in a dnode
block. As a worst case example, reading 32 dnodes from a 16k dnode block
and all of the spill blocks could issue 33 separate reads. Now suppose
those dnodes have size 1024 and therefore don't need spill blocks. Then
the worst case number of blocks read is reduced to from 33 to two--one
per dnode block. In practice spill blocks may tend to be co-located on
disk with the dnode blocks so the reduction in I/O would not be this
drastic. In a badly fragmented pool, however, the improvement could be
significant.
ZFS-on-Linux systems that make heavy use of extended attributes would
benefit from this feature. In particular, ZFS-on-Linux supports the
xattr=sa dataset property which allows file extended attribute data
to be stored in the dnode bonus buffer as an alternative to the
traditional directory-based format. Workloads such as SELinux and the
Lustre distributed filesystem often store enough xattr data to force
spill bocks when xattr=sa is in effect. Large dnodes may therefore
provide a performance benefit to such systems.
Other use cases that may benefit from this feature include files with
large ACLs and symbolic links with long target names. Furthermore,
this feature may be desirable on other platforms in case future
applications or features are developed that could make use of a
larger bonus buffer area.
Implementation
--------------
The size of a dnode may be a multiple of 512 bytes up to the size of
a dnode block (currently 16384 bytes). A dn_extra_slots field was
added to the current on-disk dnode_phys_t structure to describe the
size of the physical dnode on disk. The 8 bits for this field were
taken from the zero filled dn_pad2 field. The field represents how
many "extra" dnode_phys_t slots a dnode consumes in its dnode block.
This convention results in a value of 0 for 512 byte dnodes which
preserves on-disk format compatibility with older software.
Similarly, the in-memory dnode_t structure has a new dn_num_slots field
to represent the total number of dnode_phys_t slots consumed on disk.
Thus dn->dn_num_slots is 1 greater than the corresponding
dnp->dn_extra_slots. This difference in convention was adopted
because, unlike on-disk structures, backward compatibility is not a
concern for in-memory objects, so we used a more natural way to
represent size for a dnode_t.
The default size for newly created dnodes is determined by the value of
a new "dnodesize" dataset property. By default the property is set to
"legacy" which is compatible with older software. Setting the property
to "auto" will allow the filesystem to choose the most suitable dnode
size. Currently this just sets the default dnode size to 1k, but future
code improvements could dynamically choose a size based on observed
workload patterns. Dnodes of varying sizes can coexist within the same
dataset and even within the same dnode block. For example, to enable
automatically-sized dnodes, run
# zfs set dnodesize=auto tank/fish
The user can also specify literal values for the dnodesize property.
These are currently limited to powers of two from 1k to 16k. The
power-of-2 limitation is only for simplicity of the user interface.
Internally the implementation can handle any multiple of 512 up to 16k,
and consumers of the DMU API can specify any legal dnode value.
The size of a new dnode is determined at object allocation time and
stored as a new field in the znode in-memory structure. New DMU
interfaces are added to allow the consumer to specify the dnode size
that a newly allocated object should use. Existing interfaces are
unchanged to avoid having to update every call site and to preserve
compatibility with external consumers such as Lustre. The new
interfaces names are given below. The versions of these functions that
don't take a dnodesize parameter now just call the _dnsize() versions
with a dnodesize of 0, which means use the legacy dnode size.
New DMU interfaces:
dmu_object_alloc_dnsize()
dmu_object_claim_dnsize()
dmu_object_reclaim_dnsize()
New ZAP interfaces:
zap_create_dnsize()
zap_create_norm_dnsize()
zap_create_flags_dnsize()
zap_create_claim_norm_dnsize()
zap_create_link_dnsize()
The constant DN_MAX_BONUSLEN is renamed to DN_OLD_MAX_BONUSLEN. The
spa_maxdnodesize() function should be used to determine the maximum
bonus length for a pool.
These are a few noteworthy changes to key functions:
* The prototype for dnode_hold_impl() now takes a "slots" parameter.
When the DNODE_MUST_BE_FREE flag is set, this parameter is used to
ensure the hole at the specified object offset is large enough to
hold the dnode being created. The slots parameter is also used
to ensure a dnode does not span multiple dnode blocks. In both of
these cases, if a failure occurs, ENOSPC is returned. Keep in mind,
these failure cases are only possible when using DNODE_MUST_BE_FREE.
If the DNODE_MUST_BE_ALLOCATED flag is set, "slots" must be 0.
dnode_hold_impl() will check if the requested dnode is already
consumed as an extra dnode slot by an large dnode, in which case
it returns ENOENT.
* The function dmu_object_alloc() advances to the next dnode block
if dnode_hold_impl() returns an error for a requested object.
This is because the beginning of the next dnode block is the only
location it can safely assume to either be a hole or a valid
starting point for a dnode.
* dnode_next_offset_level() and other functions that iterate
through dnode blocks may no longer use a simple array indexing
scheme. These now use the current dnode's dn_num_slots field to
advance to the next dnode in the block. This is to ensure we
properly skip the current dnode's bonus area and don't interpret it
as a valid dnode.
zdb
---
The zdb command was updated to display a dnode's size under the
"dnsize" column when the object is dumped.
For ZIL create log records, zdb will now display the slot count for
the object.
ztest
-----
Ztest chooses a random dnodesize for every newly created object. The
random distribution is more heavily weighted toward small dnodes to
better simulate real-world datasets.
Unused bonus buffer space is filled with non-zero values computed from
the object number, dataset id, offset, and generation number. This
helps ensure that the dnode traversal code properly skips the interior
regions of large dnodes, and that these interior regions are not
overwritten by data belonging to other dnodes. A new test visits each
object in a dataset. It verifies that the actual dnode size matches what
was stored in the ztest block tag when it was created. It also verifies
that the unused bonus buffer space is filled with the expected data
patterns.
ZFS Test Suite
--------------
Added six new large dnode-specific tests, and integrated the dnodesize
property into existing tests for zfs allow and send/recv.
Send/Receive
------------
ZFS send streams for datasets containing large dnodes cannot be received
on pools that don't support the large_dnode feature. A send stream with
large dnodes sets a DMU_BACKUP_FEATURE_LARGE_DNODE flag which will be
unrecognized by an incompatible receiving pool so that the zfs receive
will fail gracefully.
While not implemented here, it may be possible to generate a
backward-compatible send stream from a dataset containing large
dnodes. The implementation may be tricky, however, because the send
object record for a large dnode would need to be resized to a 512
byte dnode, possibly kicking in a spill block in the process. This
means we would need to construct a new SA layout and possibly
register it in the SA layout object. The SA layout is normally just
sent as an ordinary object record. But if we are constructing new
layouts while generating the send stream we'd have to build the SA
layout object dynamically and send it at the end of the stream.
For sending and receiving between pools that do support large dnodes,
the drr_object send record type is extended with a new field to store
the dnode slot count. This field was repurposed from unused padding
in the structure.
ZIL Replay
----------
The dnode slot count is stored in the uppermost 8 bits of the lr_foid
field. The bits were unused as the object id is currently capped at
48 bits.
Resizing Dnodes
---------------
It should be possible to resize a dnode when it is dirtied if the
current dnodesize dataset property differs from the dnode's size, but
this functionality is not currently implemented. Clearly a dnode can
only grow if there are sufficient contiguous unused slots in the
dnode block, but it should always be possible to shrink a dnode.
Growing dnodes may be useful to reduce fragmentation in a pool with
many spill blocks in use. Shrinking dnodes may be useful to allow
sending a dataset to a pool that doesn't support the large_dnode
feature.
Feature Reference Counting
--------------------------
The reference count for the large_dnode pool feature tracks the
number of datasets that have ever contained a dnode of size larger
than 512 bytes. The first time a large dnode is created in a dataset
the dataset is converted to an extensible dataset. This is a one-way
operation and the only way to decrement the feature count is to
destroy the dataset, even if the dataset no longer contains any large
dnodes. The complexity of reference counting on a per-dnode basis was
too high, so we chose to track it on a per-dataset basis similarly to
the large_block feature.
Signed-off-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #3542
2016-03-17 04:25:34 +03:00
|
|
|
err = traverse_visitbp(td, dnp, DN_SPILL_BLKPTR(dnp), &czb);
|
2010-05-29 00:45:14 +04:00
|
|
|
}
|
2015-12-22 04:31:57 +03:00
|
|
|
|
|
|
|
|
if (err == 0 && (td->td_flags & TRAVERSE_POST)) {
|
|
|
|
|
SET_BOOKMARK(&czb, objset, object, ZB_DNODE_LEVEL,
|
|
|
|
|
ZB_DNODE_BLKID);
|
Implement Redacted Send/Receive
Redacted send/receive allows users to send subsets of their data to
a target system. One possible use case for this feature is to not
transmit sensitive information to a data warehousing, test/dev, or
analytics environment. Another is to save space by not replicating
unimportant data within a given dataset, for example in backup tools
like zrepl.
Redacted send/receive is a three-stage process. First, a clone (or
clones) is made of the snapshot to be sent to the target. In this
clone (or clones), all unnecessary or unwanted data is removed or
modified. This clone is then snapshotted to create the "redaction
snapshot" (or snapshots). Second, the new zfs redact command is used
to create a redaction bookmark. The redaction bookmark stores the
list of blocks in a snapshot that were modified by the redaction
snapshot(s). Finally, the redaction bookmark is passed as a parameter
to zfs send. When sending to the snapshot that was redacted, the
redaction bookmark is used to filter out blocks that contain sensitive
or unwanted information, and those blocks are not included in the send
stream. When sending from the redaction bookmark, the blocks it
contains are considered as candidate blocks in addition to those
blocks in the destination snapshot that were modified since the
creation_txg of the redaction bookmark. This step is necessary to
allow the target to rehydrate data in the case where some blocks are
accidentally or unnecessarily modified in the redaction snapshot.
The changes to bookmarks to enable fast space estimation involve
adding deadlists to bookmarks. There is also logic to manage the
life cycles of these deadlists.
The new size estimation process operates in cases where previously
an accurate estimate could not be provided. In those cases, a send
is performed where no data blocks are read, reducing the runtime
significantly and providing a byte-accurate size estimate.
Reviewed-by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed-by: Matt Ahrens <mahrens@delphix.com>
Reviewed-by: Prashanth Sreenivasa <pks@delphix.com>
Reviewed-by: John Kennedy <john.kennedy@delphix.com>
Reviewed-by: George Wilson <george.wilson@delphix.com>
Reviewed-by: Chris Williamson <chris.williamson@delphix.com>
Reviewed-by: Pavel Zhakarov <pavel.zakharov@delphix.com>
Reviewed-by: Sebastien Roy <sebastien.roy@delphix.com>
Reviewed-by: Prakash Surya <prakash.surya@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Paul Dagnelie <pcd@delphix.com>
Closes #7958
2019-06-19 19:48:13 +03:00
|
|
|
err = td->td_func(td->td_spa, NULL, bp, &czb, dnp,
|
2015-12-22 04:31:57 +03:00
|
|
|
td->td_arg);
|
|
|
|
|
if (err == TRAVERSE_VISIT_NO_CHILDREN)
|
|
|
|
|
return (0);
|
|
|
|
|
if (err != 0)
|
|
|
|
|
return (err);
|
|
|
|
|
}
|
2014-06-06 01:20:08 +04:00
|
|
|
return (err);
|
2009-07-03 02:44:48 +04:00
|
|
|
}
|
|
|
|
|
|
2008-12-03 23:09:06 +03:00
|
|
|
static int
|
2010-05-29 00:45:14 +04:00
|
|
|
traverse_prefetcher(spa_t *spa, zilog_t *zilog, const blkptr_t *bp,
|
2014-06-25 22:37:59 +04:00
|
|
|
const zbookmark_phys_t *zb, const dnode_phys_t *dnp, void *arg)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
2021-12-12 18:06:44 +03:00
|
|
|
(void) zilog, (void) dnp;
|
2010-08-27 01:24:34 +04:00
|
|
|
prefetch_data_t *pfd = arg;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
int zio_flags = ZIO_FLAG_CANFAIL | ZIO_FLAG_SPECULATIVE;
|
2017-11-16 04:27:01 +03:00
|
|
|
arc_flags_t aflags = ARC_FLAG_NOWAIT | ARC_FLAG_PREFETCH |
|
|
|
|
|
ARC_FLAG_PRESCIENT_PREFETCH;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2015-03-27 07:31:52 +03:00
|
|
|
ASSERT(pfd->pd_bytes_fetched >= 0);
|
Implement Redacted Send/Receive
Redacted send/receive allows users to send subsets of their data to
a target system. One possible use case for this feature is to not
transmit sensitive information to a data warehousing, test/dev, or
analytics environment. Another is to save space by not replicating
unimportant data within a given dataset, for example in backup tools
like zrepl.
Redacted send/receive is a three-stage process. First, a clone (or
clones) is made of the snapshot to be sent to the target. In this
clone (or clones), all unnecessary or unwanted data is removed or
modified. This clone is then snapshotted to create the "redaction
snapshot" (or snapshots). Second, the new zfs redact command is used
to create a redaction bookmark. The redaction bookmark stores the
list of blocks in a snapshot that were modified by the redaction
snapshot(s). Finally, the redaction bookmark is passed as a parameter
to zfs send. When sending to the snapshot that was redacted, the
redaction bookmark is used to filter out blocks that contain sensitive
or unwanted information, and those blocks are not included in the send
stream. When sending from the redaction bookmark, the blocks it
contains are considered as candidate blocks in addition to those
blocks in the destination snapshot that were modified since the
creation_txg of the redaction bookmark. This step is necessary to
allow the target to rehydrate data in the case where some blocks are
accidentally or unnecessarily modified in the redaction snapshot.
The changes to bookmarks to enable fast space estimation involve
adding deadlists to bookmarks. There is also logic to manage the
life cycles of these deadlists.
The new size estimation process operates in cases where previously
an accurate estimate could not be provided. In those cases, a send
is performed where no data blocks are read, reducing the runtime
significantly and providing a byte-accurate size estimate.
Reviewed-by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed-by: Matt Ahrens <mahrens@delphix.com>
Reviewed-by: Prashanth Sreenivasa <pks@delphix.com>
Reviewed-by: John Kennedy <john.kennedy@delphix.com>
Reviewed-by: George Wilson <george.wilson@delphix.com>
Reviewed-by: Chris Williamson <chris.williamson@delphix.com>
Reviewed-by: Pavel Zhakarov <pavel.zakharov@delphix.com>
Reviewed-by: Sebastien Roy <sebastien.roy@delphix.com>
Reviewed-by: Prakash Surya <prakash.surya@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Paul Dagnelie <pcd@delphix.com>
Closes #7958
2019-06-19 19:48:13 +03:00
|
|
|
if (zb->zb_level == ZB_DNODE_LEVEL)
|
2015-12-22 04:31:57 +03:00
|
|
|
return (0);
|
2008-12-03 23:09:06 +03:00
|
|
|
if (pfd->pd_cancel)
|
2013-03-08 22:41:28 +04:00
|
|
|
return (SET_ERROR(EINTR));
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2014-06-06 01:34:21 +04:00
|
|
|
if (!prefetch_needed(pfd, bp))
|
2008-11-20 23:01:55 +03:00
|
|
|
return (0);
|
|
|
|
|
|
2008-12-03 23:09:06 +03:00
|
|
|
mutex_enter(&pfd->pd_mtx);
|
2015-03-27 07:31:52 +03:00
|
|
|
while (!pfd->pd_cancel && pfd->pd_bytes_fetched >= zfs_pd_bytes_max)
|
2015-06-10 02:39:25 +03:00
|
|
|
cv_wait_sig(&pfd->pd_cv, &pfd->pd_mtx);
|
2015-03-27 07:31:52 +03:00
|
|
|
pfd->pd_bytes_fetched += BP_GET_LSIZE(bp);
|
2008-12-03 23:09:06 +03:00
|
|
|
cv_broadcast(&pfd->pd_cv);
|
|
|
|
|
mutex_exit(&pfd->pd_mtx);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
if ((pfd->pd_flags & TRAVERSE_NO_DECRYPT) && BP_IS_PROTECTED(bp))
|
|
|
|
|
zio_flags |= ZIO_FLAG_RAW;
|
|
|
|
|
|
2013-07-03 00:26:24 +04:00
|
|
|
(void) arc_read(NULL, spa, bp, NULL, NULL, ZIO_PRIORITY_ASYNC_READ,
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
zio_flags, &aflags, zb);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2008-12-03 23:09:06 +03:00
|
|
|
return (0);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void
|
2008-12-03 23:09:06 +03:00
|
|
|
traverse_prefetch_thread(void *arg)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
2010-08-27 01:24:34 +04:00
|
|
|
traverse_data_t *td_main = arg;
|
|
|
|
|
traverse_data_t td = *td_main;
|
2014-06-25 22:37:59 +04:00
|
|
|
zbookmark_phys_t czb;
|
2015-09-03 15:13:15 +03:00
|
|
|
fstrans_cookie_t cookie = spl_fstrans_mark();
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2008-12-03 23:09:06 +03:00
|
|
|
td.td_func = traverse_prefetcher;
|
|
|
|
|
td.td_arg = td_main->td_pfd;
|
|
|
|
|
td.td_pfd = NULL;
|
2016-01-07 00:22:48 +03:00
|
|
|
td.td_resume = &td_main->td_pfd->pd_resume;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
SET_BOOKMARK(&czb, td.td_objset,
|
|
|
|
|
ZB_ROOT_OBJECT, ZB_ROOT_LEVEL, ZB_ROOT_BLKID);
|
2013-07-03 00:26:24 +04:00
|
|
|
(void) traverse_visitbp(&td, NULL, td.td_rootbp, &czb);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2008-12-03 23:09:06 +03:00
|
|
|
mutex_enter(&td_main->td_pfd->pd_mtx);
|
|
|
|
|
td_main->td_pfd->pd_exited = B_TRUE;
|
|
|
|
|
cv_broadcast(&td_main->td_pfd->pd_cv);
|
|
|
|
|
mutex_exit(&td_main->td_pfd->pd_mtx);
|
2015-09-03 15:13:15 +03:00
|
|
|
spl_fstrans_unmark(cookie);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
2008-12-03 23:09:06 +03:00
|
|
|
/*
|
|
|
|
|
* NB: dataset must not be changing on-disk (eg, is a snapshot or we are
|
|
|
|
|
* in syncing context).
|
|
|
|
|
*/
|
|
|
|
|
static int
|
2012-12-14 03:24:15 +04:00
|
|
|
traverse_impl(spa_t *spa, dsl_dataset_t *ds, uint64_t objset, blkptr_t *rootbp,
|
2014-06-25 22:37:59 +04:00
|
|
|
uint64_t txg_start, zbookmark_phys_t *resume, int flags,
|
2012-12-14 03:24:15 +04:00
|
|
|
blkptr_cb_t func, void *arg)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
2010-08-26 21:58:47 +04:00
|
|
|
traverse_data_t *td;
|
|
|
|
|
prefetch_data_t *pd;
|
2014-06-25 22:37:59 +04:00
|
|
|
zbookmark_phys_t *czb;
|
2008-12-03 23:09:06 +03:00
|
|
|
int err;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2012-12-14 03:24:15 +04:00
|
|
|
ASSERT(ds == NULL || objset == ds->ds_object);
|
|
|
|
|
ASSERT(!(flags & TRAVERSE_PRE) || !(flags & TRAVERSE_POST));
|
|
|
|
|
|
2014-11-21 03:09:39 +03:00
|
|
|
td = kmem_alloc(sizeof (traverse_data_t), KM_SLEEP);
|
|
|
|
|
pd = kmem_zalloc(sizeof (prefetch_data_t), KM_SLEEP);
|
|
|
|
|
czb = kmem_alloc(sizeof (zbookmark_phys_t), KM_SLEEP);
|
2010-08-26 21:58:47 +04:00
|
|
|
|
|
|
|
|
td->td_spa = spa;
|
2012-12-14 03:24:15 +04:00
|
|
|
td->td_objset = objset;
|
2010-08-26 21:58:47 +04:00
|
|
|
td->td_rootbp = rootbp;
|
|
|
|
|
td->td_min_txg = txg_start;
|
2012-12-14 03:24:15 +04:00
|
|
|
td->td_resume = resume;
|
2010-08-26 21:58:47 +04:00
|
|
|
td->td_func = func;
|
|
|
|
|
td->td_arg = arg;
|
|
|
|
|
td->td_pfd = pd;
|
|
|
|
|
td->td_flags = flags;
|
2014-06-06 01:20:08 +04:00
|
|
|
td->td_paused = B_FALSE;
|
Illumos 6370 - ZFS send fails to transmit some holes
6370 ZFS send fails to transmit some holes
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed by: Chris Williamson <chris.williamson@delphix.com>
Reviewed by: Stefan Ring <stefanrin@gmail.com>
Reviewed by: Steven Burgess <sburgess@datto.com>
Reviewed by: Arne Jansen <sensille@gmx.net>
Approved by: Robert Mustacchi <rm@joyent.com>
References:
https://www.illumos.org/issues/6370
https://github.com/illumos/illumos-gate/commit/286ef71
In certain circumstances, "zfs send -i" (incremental send) can produce
a stream which will result in incorrect sparse file contents on the
target.
The problem manifests as regions of the received file that should be
sparse (and read a zero-filled) actually contain data from a file that
was deleted (and which happened to share this file's object ID).
Note: this can happen only with filesystems (not zvols, because they do
not free (and thus can not reuse) object IDs).
Note: This can happen only if, since the incremental source (FromSnap),
a file was deleted and then another file was created, and the new file
is sparse (i.e. has areas that were never written to and should be
implicitly zero-filled).
We suspect that this was introduced by 4370 (applies only if hole_birth
feature is enabled), and made worse by 5243 (applies if hole_birth
feature is disabled, and we never send any holes).
The bug is caused by the hole birth feature. When an object is deleted
and replaced, all the holes in the object have birth time zero. However,
zfs send cannot tell that the holes are new since the file was replaced,
so it doesn't send them in an incremental. As a result, you can end up
with invalid data when you receive incremental send streams. As a
short-term fix, we can always send holes with birth time 0 (unless it's
a zvol or a dataset where we can guarantee that no objects have been
reused).
Ported-by: Steven Burgess <sburgess@datto.com>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #4369
Closes #4050
2016-02-26 04:45:19 +03:00
|
|
|
td->td_realloc_possible = (txg_start == 0 ? B_FALSE : B_TRUE);
|
2008-12-03 23:09:06 +03:00
|
|
|
|
2015-05-15 02:41:29 +03:00
|
|
|
if (spa_feature_is_active(spa, SPA_FEATURE_HOLE_BIRTH)) {
|
|
|
|
|
VERIFY(spa_feature_enabled_txg(spa,
|
|
|
|
|
SPA_FEATURE_HOLE_BIRTH, &td->td_hole_birth_enabled_txg));
|
|
|
|
|
} else {
|
Illumos 6370 - ZFS send fails to transmit some holes
6370 ZFS send fails to transmit some holes
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed by: Chris Williamson <chris.williamson@delphix.com>
Reviewed by: Stefan Ring <stefanrin@gmail.com>
Reviewed by: Steven Burgess <sburgess@datto.com>
Reviewed by: Arne Jansen <sensille@gmx.net>
Approved by: Robert Mustacchi <rm@joyent.com>
References:
https://www.illumos.org/issues/6370
https://github.com/illumos/illumos-gate/commit/286ef71
In certain circumstances, "zfs send -i" (incremental send) can produce
a stream which will result in incorrect sparse file contents on the
target.
The problem manifests as regions of the received file that should be
sparse (and read a zero-filled) actually contain data from a file that
was deleted (and which happened to share this file's object ID).
Note: this can happen only with filesystems (not zvols, because they do
not free (and thus can not reuse) object IDs).
Note: This can happen only if, since the incremental source (FromSnap),
a file was deleted and then another file was created, and the new file
is sparse (i.e. has areas that were never written to and should be
implicitly zero-filled).
We suspect that this was introduced by 4370 (applies only if hole_birth
feature is enabled), and made worse by 5243 (applies if hole_birth
feature is disabled, and we never send any holes).
The bug is caused by the hole birth feature. When an object is deleted
and replaced, all the holes in the object have birth time zero. However,
zfs send cannot tell that the holes are new since the file was replaced,
so it doesn't send them in an incremental. As a result, you can end up
with invalid data when you receive incremental send streams. As a
short-term fix, we can always send holes with birth time 0 (unless it's
a zvol or a dataset where we can guarantee that no objects have been
reused).
Ported-by: Steven Burgess <sburgess@datto.com>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #4369
Closes #4050
2016-02-26 04:45:19 +03:00
|
|
|
td->td_hole_birth_enabled_txg = UINT64_MAX;
|
2015-05-15 02:41:29 +03:00
|
|
|
}
|
|
|
|
|
|
2010-08-26 21:58:47 +04:00
|
|
|
pd->pd_flags = flags;
|
2016-01-07 00:22:48 +03:00
|
|
|
if (resume != NULL)
|
|
|
|
|
pd->pd_resume = *resume;
|
2010-08-26 21:58:47 +04:00
|
|
|
mutex_init(&pd->pd_mtx, NULL, MUTEX_DEFAULT, NULL);
|
|
|
|
|
cv_init(&pd->pd_cv, NULL, CV_DEFAULT, NULL);
|
2008-12-03 23:09:06 +03:00
|
|
|
|
Add visibility in to arc_read
This change is an attempt to add visibility into the arc_read calls
occurring on a system, in real time. To do this, a list was added to the
in memory SPA data structure for a pool, with each element on the list
corresponding to a call to arc_read. These entries are then exported
through the kstat interface, which can then be interpreted in userspace.
For each arc_read call, the following information is exported:
* A unique identifier (uint64_t)
* The time the entry was added to the list (hrtime_t)
(*not* wall clock time; relative to the other entries on the list)
* The objset ID (uint64_t)
* The object number (uint64_t)
* The indirection level (uint64_t)
* The block ID (uint64_t)
* The name of the function originating the arc_read call (char[24])
* The arc_flags from the arc_read call (uint32_t)
* The PID of the reading thread (pid_t)
* The command or name of thread originating read (char[16])
From this exported information one can see, in real time, exactly what
is being read, what function is generating the read, and whether or not
the read was found to be already cached.
There is still some work to be done, but this should serve as a good
starting point.
Specifically, dbuf_read's are not accounted for in the currently
exported information. Thus, a follow up patch should probably be added
to export these calls that never call into arc_read (they only hit the
dbuf hash table). In addition, it might be nice to create a utility
similar to "arcstat.py" to digest the exported information and display
it in a more readable format. Or perhaps, log the information and allow
for it to be "replayed" at a later time.
Signed-off-by: Prakash Surya <surya1@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
2013-09-07 03:09:05 +04:00
|
|
|
SET_BOOKMARK(czb, td->td_objset,
|
|
|
|
|
ZB_ROOT_OBJECT, ZB_ROOT_LEVEL, ZB_ROOT_BLKID);
|
|
|
|
|
|
2010-08-27 01:24:34 +04:00
|
|
|
/* See comment on ZIL traversal in dsl_scan_visitds. */
|
2015-04-02 06:44:32 +03:00
|
|
|
if (ds != NULL && !ds->ds_is_snapshot && !BP_IS_HOLE(rootbp)) {
|
2022-10-27 19:54:54 +03:00
|
|
|
zio_flag_t zio_flags = ZIO_FLAG_CANFAIL;
|
2014-12-06 20:24:32 +03:00
|
|
|
uint32_t flags = ARC_FLAG_WAIT;
|
2013-09-04 16:00:57 +04:00
|
|
|
objset_phys_t *osp;
|
|
|
|
|
arc_buf_t *buf;
|
Implement Redacted Send/Receive
Redacted send/receive allows users to send subsets of their data to
a target system. One possible use case for this feature is to not
transmit sensitive information to a data warehousing, test/dev, or
analytics environment. Another is to save space by not replicating
unimportant data within a given dataset, for example in backup tools
like zrepl.
Redacted send/receive is a three-stage process. First, a clone (or
clones) is made of the snapshot to be sent to the target. In this
clone (or clones), all unnecessary or unwanted data is removed or
modified. This clone is then snapshotted to create the "redaction
snapshot" (or snapshots). Second, the new zfs redact command is used
to create a redaction bookmark. The redaction bookmark stores the
list of blocks in a snapshot that were modified by the redaction
snapshot(s). Finally, the redaction bookmark is passed as a parameter
to zfs send. When sending to the snapshot that was redacted, the
redaction bookmark is used to filter out blocks that contain sensitive
or unwanted information, and those blocks are not included in the send
stream. When sending from the redaction bookmark, the blocks it
contains are considered as candidate blocks in addition to those
blocks in the destination snapshot that were modified since the
creation_txg of the redaction bookmark. This step is necessary to
allow the target to rehydrate data in the case where some blocks are
accidentally or unnecessarily modified in the redaction snapshot.
The changes to bookmarks to enable fast space estimation involve
adding deadlists to bookmarks. There is also logic to manage the
life cycles of these deadlists.
The new size estimation process operates in cases where previously
an accurate estimate could not be provided. In those cases, a send
is performed where no data blocks are read, reducing the runtime
significantly and providing a byte-accurate size estimate.
Reviewed-by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed-by: Matt Ahrens <mahrens@delphix.com>
Reviewed-by: Prashanth Sreenivasa <pks@delphix.com>
Reviewed-by: John Kennedy <john.kennedy@delphix.com>
Reviewed-by: George Wilson <george.wilson@delphix.com>
Reviewed-by: Chris Williamson <chris.williamson@delphix.com>
Reviewed-by: Pavel Zhakarov <pavel.zakharov@delphix.com>
Reviewed-by: Sebastien Roy <sebastien.roy@delphix.com>
Reviewed-by: Prakash Surya <prakash.surya@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Paul Dagnelie <pcd@delphix.com>
Closes #7958
2019-06-19 19:48:13 +03:00
|
|
|
ASSERT(!BP_IS_REDACTED(rootbp));
|
2010-08-27 01:24:34 +04:00
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
if ((td->td_flags & TRAVERSE_NO_DECRYPT) &&
|
|
|
|
|
BP_IS_PROTECTED(rootbp))
|
|
|
|
|
zio_flags |= ZIO_FLAG_RAW;
|
|
|
|
|
|
|
|
|
|
err = arc_read(NULL, td->td_spa, rootbp, arc_getbuf_func,
|
|
|
|
|
&buf, ZIO_PRIORITY_ASYNC_READ, zio_flags, &flags, czb);
|
2018-01-31 00:39:11 +03:00
|
|
|
if (err != 0) {
|
|
|
|
|
/*
|
|
|
|
|
* If both TRAVERSE_HARD and TRAVERSE_PRE are set,
|
|
|
|
|
* continue to visitbp so that td_func can be called
|
|
|
|
|
* in pre stage, and err will reset to zero.
|
|
|
|
|
*/
|
|
|
|
|
if (!(td->td_flags & TRAVERSE_HARD) ||
|
|
|
|
|
!(td->td_flags & TRAVERSE_PRE))
|
2018-08-15 19:53:44 +03:00
|
|
|
goto out;
|
2018-01-31 00:39:11 +03:00
|
|
|
} else {
|
|
|
|
|
osp = buf->b_data;
|
|
|
|
|
traverse_zil(td, &osp->os_zil_header);
|
|
|
|
|
arc_buf_destroy(buf, &buf);
|
|
|
|
|
}
|
2010-08-27 01:24:34 +04:00
|
|
|
}
|
|
|
|
|
|
2013-07-03 00:20:02 +04:00
|
|
|
if (!(flags & TRAVERSE_PREFETCH_DATA) ||
|
2018-03-30 22:10:01 +03:00
|
|
|
taskq_dispatch(spa->spa_prefetch_taskq, traverse_prefetch_thread,
|
2016-10-29 01:40:14 +03:00
|
|
|
td, TQ_NOQUEUE) == TASKQID_INVALID)
|
2010-08-26 21:58:47 +04:00
|
|
|
pd->pd_exited = B_TRUE;
|
2008-12-03 23:09:06 +03:00
|
|
|
|
2013-07-03 00:26:24 +04:00
|
|
|
err = traverse_visitbp(td, NULL, rootbp, czb);
|
2010-08-26 21:58:47 +04:00
|
|
|
|
|
|
|
|
mutex_enter(&pd->pd_mtx);
|
|
|
|
|
pd->pd_cancel = B_TRUE;
|
|
|
|
|
cv_broadcast(&pd->pd_cv);
|
|
|
|
|
while (!pd->pd_exited)
|
2015-06-10 02:39:25 +03:00
|
|
|
cv_wait_sig(&pd->pd_cv, &pd->pd_mtx);
|
2010-08-26 21:58:47 +04:00
|
|
|
mutex_exit(&pd->pd_mtx);
|
2018-08-15 19:53:44 +03:00
|
|
|
out:
|
2010-08-26 21:58:47 +04:00
|
|
|
mutex_destroy(&pd->pd_mtx);
|
|
|
|
|
cv_destroy(&pd->pd_cv);
|
2008-12-03 23:09:06 +03:00
|
|
|
|
2014-06-25 22:37:59 +04:00
|
|
|
kmem_free(czb, sizeof (zbookmark_phys_t));
|
2013-11-13 23:05:17 +04:00
|
|
|
kmem_free(pd, sizeof (struct prefetch_data));
|
|
|
|
|
kmem_free(td, sizeof (struct traverse_data));
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2008-12-03 23:09:06 +03:00
|
|
|
return (err);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
2008-12-03 23:09:06 +03:00
|
|
|
/*
|
|
|
|
|
* NB: dataset must not be changing on-disk (eg, is a snapshot or we are
|
|
|
|
|
* in syncing context).
|
|
|
|
|
*/
|
|
|
|
|
int
|
2016-01-07 00:22:48 +03:00
|
|
|
traverse_dataset_resume(dsl_dataset_t *ds, uint64_t txg_start,
|
|
|
|
|
zbookmark_phys_t *resume,
|
|
|
|
|
int flags, blkptr_cb_t func, void *arg)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
2012-12-14 03:24:15 +04:00
|
|
|
return (traverse_impl(ds->ds_dir->dd_pool->dp_spa, ds, ds->ds_object,
|
2016-01-07 00:22:48 +03:00
|
|
|
&dsl_dataset_phys(ds)->ds_bp, txg_start, resume, flags, func, arg));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
|
traverse_dataset(dsl_dataset_t *ds, uint64_t txg_start,
|
|
|
|
|
int flags, blkptr_cb_t func, void *arg)
|
|
|
|
|
{
|
|
|
|
|
return (traverse_dataset_resume(ds, txg_start, NULL, flags, func, arg));
|
2012-12-14 03:24:15 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int
|
|
|
|
|
traverse_dataset_destroyed(spa_t *spa, blkptr_t *blkptr,
|
2014-06-25 22:37:59 +04:00
|
|
|
uint64_t txg_start, zbookmark_phys_t *resume, int flags,
|
2012-12-14 03:24:15 +04:00
|
|
|
blkptr_cb_t func, void *arg)
|
|
|
|
|
{
|
|
|
|
|
return (traverse_impl(spa, NULL, ZB_DESTROYED_OBJSET,
|
|
|
|
|
blkptr, txg_start, resume, flags, func, arg));
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
2008-12-03 23:09:06 +03:00
|
|
|
/*
|
|
|
|
|
* NB: pool must not be changing on-disk (eg, from zdb or sync context).
|
|
|
|
|
*/
|
|
|
|
|
int
|
2010-05-29 00:45:14 +04:00
|
|
|
traverse_pool(spa_t *spa, uint64_t txg_start, int flags,
|
|
|
|
|
blkptr_cb_t func, void *arg)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
2014-06-06 01:20:08 +04:00
|
|
|
int err;
|
2008-12-03 23:09:06 +03:00
|
|
|
dsl_pool_t *dp = spa_get_dsl(spa);
|
|
|
|
|
objset_t *mos = dp->dp_meta_objset;
|
2010-05-29 00:45:14 +04:00
|
|
|
boolean_t hard = (flags & TRAVERSE_HARD);
|
2008-12-03 23:09:06 +03:00
|
|
|
|
|
|
|
|
/* visit the MOS */
|
2012-12-14 03:24:15 +04:00
|
|
|
err = traverse_impl(spa, NULL, 0, spa_get_rootblkptr(spa),
|
|
|
|
|
txg_start, NULL, flags, func, arg);
|
2013-09-04 16:00:57 +04:00
|
|
|
if (err != 0)
|
2008-12-03 23:09:06 +03:00
|
|
|
return (err);
|
|
|
|
|
|
|
|
|
|
/* visit each dataset */
|
2017-11-04 23:25:13 +03:00
|
|
|
for (uint64_t obj = 1; err == 0;
|
2016-01-07 00:22:48 +03:00
|
|
|
err = dmu_object_next(mos, &obj, B_FALSE, txg_start)) {
|
2008-12-03 23:09:06 +03:00
|
|
|
dmu_object_info_t doi;
|
|
|
|
|
|
|
|
|
|
err = dmu_object_info(mos, obj, &doi);
|
2013-09-04 16:00:57 +04:00
|
|
|
if (err != 0) {
|
2014-06-06 01:20:08 +04:00
|
|
|
if (hard)
|
|
|
|
|
continue;
|
|
|
|
|
break;
|
2010-05-29 00:45:14 +04:00
|
|
|
}
|
2008-12-03 23:09:06 +03:00
|
|
|
|
2013-10-08 21:13:05 +04:00
|
|
|
if (doi.doi_bonus_type == DMU_OT_DSL_DATASET) {
|
2008-12-03 23:09:06 +03:00
|
|
|
dsl_dataset_t *ds;
|
2010-05-29 00:45:14 +04:00
|
|
|
uint64_t txg = txg_start;
|
|
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_pool_config_enter(dp, FTAG);
|
2008-12-03 23:09:06 +03:00
|
|
|
err = dsl_dataset_hold_obj(dp, obj, FTAG, &ds);
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_pool_config_exit(dp, FTAG);
|
|
|
|
|
if (err != 0) {
|
2014-06-06 01:20:08 +04:00
|
|
|
if (hard)
|
|
|
|
|
continue;
|
|
|
|
|
break;
|
2010-05-29 00:45:14 +04:00
|
|
|
}
|
2015-04-01 18:14:34 +03:00
|
|
|
if (dsl_dataset_phys(ds)->ds_prev_snap_txg > txg)
|
|
|
|
|
txg = dsl_dataset_phys(ds)->ds_prev_snap_txg;
|
2010-05-29 00:45:14 +04:00
|
|
|
err = traverse_dataset(ds, txg, flags, func, arg);
|
2008-12-03 23:09:06 +03:00
|
|
|
dsl_dataset_rele(ds, FTAG);
|
2014-06-06 01:20:08 +04:00
|
|
|
if (err != 0)
|
|
|
|
|
break;
|
2008-12-03 23:09:06 +03:00
|
|
|
}
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
2008-12-03 23:09:06 +03:00
|
|
|
if (err == ESRCH)
|
|
|
|
|
err = 0;
|
2014-06-06 01:20:08 +04:00
|
|
|
return (err);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
2010-08-26 22:49:16 +04:00
|
|
|
|
|
|
|
|
EXPORT_SYMBOL(traverse_dataset);
|
|
|
|
|
EXPORT_SYMBOL(traverse_pool);
|
2011-05-04 02:09:28 +04:00
|
|
|
|
2019-09-06 00:49:49 +03:00
|
|
|
ZFS_MODULE_PARAM(zfs, zfs_, pd_bytes_max, INT, ZMOD_RW,
|
|
|
|
|
"Max number of bytes to prefetch");
|
2016-07-08 23:51:50 +03:00
|
|
|
|
Cleanup: Specify unsignedness on things that should not be signed
In #13871, zfs_vdev_aggregation_limit_non_rotating and
zfs_vdev_aggregation_limit being signed was pointed out as a possible
reason not to eliminate an unnecessary MAX(unsigned, 0) since the
unsigned value was assigned from them.
There is no reason for these module parameters to be signed and upon
inspection, it was found that there are a number of other module
parameters that are signed, but should not be, so we make them unsigned.
Making them unsigned made it clear that some other variables in the code
should also be unsigned, so we also make those unsigned. This prevents
users from setting negative values that could potentially cause bad
behaviors. It also makes the code slightly easier to understand.
Mostly module parameters that deal with timeouts, limits, bitshifts and
percentages are made unsigned by this. Any that are boolean are left
signed, since whether booleans should be considered signed or unsigned
does not matter.
Making zfs_arc_lotsfree_percent unsigned caused a
`zfs_arc_lotsfree_percent >= 0` check to become redundant, so it was
removed. Removing the check was also necessary to prevent a compiler
error from -Werror=type-limits.
Several end of line comments had to be moved to their own lines because
replacing int with uint_t caused us to exceed the 80 character limit
enforced by cstyle.pl.
The following were kept signed because they are passed to
taskq_create(), which expects signed values and modifying the
OpenSolaris/Illumos DDI is out of scope of this patch:
* metaslab_load_pct
* zfs_sync_taskq_batch_pct
* zfs_zil_clean_taskq_nthr_pct
* zfs_zil_clean_taskq_minalloc
* zfs_zil_clean_taskq_maxalloc
* zfs_arc_prune_task_threads
Also, negative values in those parameters was found to be harmless.
The following were left signed because either negative values make
sense, or more analysis was needed to determine whether negative values
should be disallowed:
* zfs_metaslab_switch_threshold
* zfs_pd_bytes_max
* zfs_livelist_min_percent_shared
zfs_multihost_history was made static to be consistent with other
parameters.
A number of module parameters were marked as signed, but in reality
referenced unsigned variables. upgrade_errlog_limit is one of the
numerous examples. In the case of zfs_vdev_async_read_max_active, it was
already uint32_t, but zdb had an extern int declaration for it.
Interestingly, the documentation in zfs.4 was right for
upgrade_errlog_limit despite the module parameter being wrongly marked,
while the documentation for zfs_vdev_async_read_max_active (and friends)
was wrong. It was also wrong for zstd_abort_size, which was unsigned,
but was documented as signed.
Also, the documentation in zfs.4 incorrectly described the following
parameters as ulong when they were int:
* zfs_arc_meta_adjust_restarts
* zfs_override_estimate_recordsize
They are now uint_t as of this patch and thus the man page has been
updated to describe them as uint.
dbuf_state_index was left alone since it does nothing and perhaps should
be removed in another patch.
If any module parameters were missed, they were not found by `grep -r
'ZFS_MODULE_PARAM' | grep ', INT'`. I did find a few that grep missed,
but only because they were in files that had hits.
This patch intentionally did not attempt to address whether some of
these module parameters should be elevated to 64-bit parameters, because
the length of a long on 32-bit is 32-bit.
Lastly, it was pointed out during review that uint_t is a better match
for these variables than uint32_t because FreeBSD kernel parameter
definitions are designed for uint_t, whose bit width can change in
future memory models. As a result, we change the existing parameters
that are uint32_t to use uint_t.
Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Neal Gompa <ngompa@datto.com>
Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Closes #13875
2022-09-28 02:42:41 +03:00
|
|
|
ZFS_MODULE_PARAM(zfs, zfs_, traverse_indirect_prefetch_limit, UINT, ZMOD_RW,
|
2021-04-15 23:49:27 +03:00
|
|
|
"Traverse prefetch number of blocks pointed by indirect block");
|
|
|
|
|
|
2019-09-06 00:49:49 +03:00
|
|
|
#if defined(_KERNEL)
|
2016-10-08 07:02:24 +03:00
|
|
|
module_param_named(ignore_hole_birth, send_holes_without_birth_time, int, 0644);
|
2019-09-06 00:49:49 +03:00
|
|
|
MODULE_PARM_DESC(ignore_hole_birth,
|
|
|
|
|
"Alias for send_holes_without_birth_time");
|
|
|
|
|
#endif
|
2016-10-08 07:02:24 +03:00
|
|
|
|
2022-01-21 19:07:15 +03:00
|
|
|
/* CSTYLED */
|
2019-09-06 00:49:49 +03:00
|
|
|
ZFS_MODULE_PARAM(zfs, , send_holes_without_birth_time, INT, ZMOD_RW,
|
2016-10-08 07:02:24 +03:00
|
|
|
"Ignore hole_birth txg for zfs send");
|