2008-11-20 23:01:55 +03:00
|
|
|
/*
|
|
|
|
* CDDL HEADER START
|
|
|
|
*
|
|
|
|
* The contents of this file are subject to the terms of the
|
|
|
|
* Common Development and Distribution License (the "License").
|
|
|
|
* You may not use this file except in compliance with the License.
|
|
|
|
*
|
|
|
|
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
|
|
|
|
* or http://www.opensolaris.org/os/licensing.
|
|
|
|
* See the License for the specific language governing permissions
|
|
|
|
* and limitations under the License.
|
|
|
|
*
|
|
|
|
* When distributing Covered Code, include this CDDL HEADER in each
|
|
|
|
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
|
|
|
|
* If applicable, add the following below this CDDL HEADER, with the
|
|
|
|
* fields enclosed by brackets "[]" replaced with your own identifying
|
|
|
|
* information: Portions Copyright [yyyy] [name of copyright owner]
|
|
|
|
*
|
|
|
|
* CDDL HEADER END
|
|
|
|
*/
|
2017-02-03 01:13:41 +03:00
|
|
|
|
2008-11-20 23:01:55 +03:00
|
|
|
/*
|
2010-05-29 00:45:14 +04:00
|
|
|
* Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
|
2017-03-21 04:36:00 +03:00
|
|
|
* Copyright (c) 2012, 2017 by Delphix. All rights reserved.
|
2013-08-02 00:02:10 +04:00
|
|
|
* Copyright (c) 2013 by Saso Kiselkov. All rights reserved.
|
2015-04-01 16:07:48 +03:00
|
|
|
* Copyright (c) 2013, Joyent, Inc. All rights reserved.
|
2015-04-02 06:44:32 +03:00
|
|
|
* Copyright (c) 2014 Spectra Logic Corporation, All rights reserved.
|
2015-05-06 19:07:55 +03:00
|
|
|
* Copyright (c) 2015, STRATO AG, Inc. All rights reserved.
|
2014-03-22 13:07:14 +04:00
|
|
|
* Copyright (c) 2016 Actifio, Inc. All rights reserved.
|
2017-02-03 01:13:41 +03:00
|
|
|
* Copyright 2017 Nexenta Systems, Inc.
|
2017-11-11 00:37:10 +03:00
|
|
|
* Copyright (c) 2017 Open-E, Inc. All Rights Reserved.
|
2008-11-20 23:01:55 +03:00
|
|
|
*/
|
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
/* Portions Copyright 2010 Robert Milkowski */
|
|
|
|
|
2016-10-04 21:46:10 +03:00
|
|
|
#include <sys/zfeature.h>
|
2008-11-20 23:01:55 +03:00
|
|
|
#include <sys/cred.h>
|
|
|
|
#include <sys/zfs_context.h>
|
|
|
|
#include <sys/dmu_objset.h>
|
|
|
|
#include <sys/dsl_dir.h>
|
|
|
|
#include <sys/dsl_dataset.h>
|
|
|
|
#include <sys/dsl_prop.h>
|
|
|
|
#include <sys/dsl_pool.h>
|
|
|
|
#include <sys/dsl_synctask.h>
|
|
|
|
#include <sys/dsl_deleg.h>
|
|
|
|
#include <sys/dnode.h>
|
|
|
|
#include <sys/dbuf.h>
|
|
|
|
#include <sys/zvol.h>
|
|
|
|
#include <sys/dmu_tx.h>
|
|
|
|
#include <sys/zap.h>
|
|
|
|
#include <sys/zil.h>
|
|
|
|
#include <sys/dmu_impl.h>
|
|
|
|
#include <sys/zfs_ioctl.h>
|
2010-05-29 00:45:14 +04:00
|
|
|
#include <sys/sa.h>
|
2010-08-27 01:24:34 +04:00
|
|
|
#include <sys/zfs_onexit.h>
|
2013-09-04 16:00:57 +04:00
|
|
|
#include <sys/dsl_destroy.h>
|
2015-05-06 19:07:55 +03:00
|
|
|
#include <sys/vdev.h>
|
2016-06-07 19:16:52 +03:00
|
|
|
#include <sys/policy.h>
|
2016-10-04 21:46:10 +03:00
|
|
|
#include <sys/spa_impl.h>
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
#include <sys/dmu_send.h>
|
2010-08-27 01:24:34 +04:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Needed to close a window in dnode_move() that allows the objset to be freed
|
|
|
|
* before it can be safely accessed.
|
|
|
|
*/
|
|
|
|
krwlock_t os_lock;
|
|
|
|
|
2015-05-06 19:07:55 +03:00
|
|
|
/*
|
2017-01-03 20:31:18 +03:00
|
|
|
* Tunable to overwrite the maximum number of threads for the parallelization
|
2015-05-06 19:07:55 +03:00
|
|
|
* of dmu_objset_find_dp, needed to speed up the import of pools with many
|
|
|
|
* datasets.
|
|
|
|
* Default is 4 times the number of leaf vdevs.
|
|
|
|
*/
|
|
|
|
int dmu_find_threads = 0;
|
|
|
|
|
2016-05-17 04:02:29 +03:00
|
|
|
/*
|
|
|
|
* Backfill lower metadnode objects after this many have been freed.
|
|
|
|
* Backfilling negatively impacts object creation rates, so only do it
|
|
|
|
* if there are enough holes to fill.
|
|
|
|
*/
|
|
|
|
int dmu_rescan_dnode_threshold = 1 << DN_MAX_INDBLKSHIFT;
|
|
|
|
|
2017-11-11 00:37:10 +03:00
|
|
|
static char *upgrade_tag = "upgrade_tag";
|
|
|
|
|
2015-05-06 19:07:55 +03:00
|
|
|
static void dmu_objset_find_dp_cb(void *arg);
|
|
|
|
|
2016-10-04 21:46:10 +03:00
|
|
|
static void dmu_objset_upgrade(objset_t *os, dmu_objset_upgrade_cb_t cb);
|
|
|
|
static void dmu_objset_upgrade_stop(objset_t *os);
|
|
|
|
|
2010-08-27 01:24:34 +04:00
|
|
|
void
|
|
|
|
dmu_objset_init(void)
|
|
|
|
{
|
|
|
|
rw_init(&os_lock, NULL, RW_DEFAULT, NULL);
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
dmu_objset_fini(void)
|
|
|
|
{
|
|
|
|
rw_destroy(&os_lock);
|
|
|
|
}
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
spa_t *
|
|
|
|
dmu_objset_spa(objset_t *os)
|
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
return (os->os_spa);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
zilog_t *
|
|
|
|
dmu_objset_zil(objset_t *os)
|
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
return (os->os_zil);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
dsl_pool_t *
|
|
|
|
dmu_objset_pool(objset_t *os)
|
|
|
|
{
|
|
|
|
dsl_dataset_t *ds;
|
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
if ((ds = os->os_dsl_dataset) != NULL && ds->ds_dir)
|
2008-11-20 23:01:55 +03:00
|
|
|
return (ds->ds_dir->dd_pool);
|
|
|
|
else
|
2010-05-29 00:45:14 +04:00
|
|
|
return (spa_get_dsl(os->os_spa));
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
dsl_dataset_t *
|
|
|
|
dmu_objset_ds(objset_t *os)
|
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
return (os->os_dsl_dataset);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
dmu_objset_type_t
|
|
|
|
dmu_objset_type(objset_t *os)
|
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
return (os->os_phys->os_type);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
dmu_objset_name(objset_t *os, char *buf)
|
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
dsl_dataset_name(os->os_dsl_dataset, buf);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
uint64_t
|
|
|
|
dmu_objset_id(objset_t *os)
|
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
dsl_dataset_t *ds = os->os_dsl_dataset;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
return (ds ? ds->ds_object : 0);
|
|
|
|
}
|
|
|
|
|
Implement large_dnode pool feature
Justification
-------------
This feature adds support for variable length dnodes. Our motivation is
to eliminate the overhead associated with using spill blocks. Spill
blocks are used to store system attribute data (i.e. file metadata) that
does not fit in the dnode's bonus buffer. By allowing a larger bonus
buffer area the use of a spill block can be avoided. Spill blocks
potentially incur an additional read I/O for every dnode in a dnode
block. As a worst case example, reading 32 dnodes from a 16k dnode block
and all of the spill blocks could issue 33 separate reads. Now suppose
those dnodes have size 1024 and therefore don't need spill blocks. Then
the worst case number of blocks read is reduced to from 33 to two--one
per dnode block. In practice spill blocks may tend to be co-located on
disk with the dnode blocks so the reduction in I/O would not be this
drastic. In a badly fragmented pool, however, the improvement could be
significant.
ZFS-on-Linux systems that make heavy use of extended attributes would
benefit from this feature. In particular, ZFS-on-Linux supports the
xattr=sa dataset property which allows file extended attribute data
to be stored in the dnode bonus buffer as an alternative to the
traditional directory-based format. Workloads such as SELinux and the
Lustre distributed filesystem often store enough xattr data to force
spill bocks when xattr=sa is in effect. Large dnodes may therefore
provide a performance benefit to such systems.
Other use cases that may benefit from this feature include files with
large ACLs and symbolic links with long target names. Furthermore,
this feature may be desirable on other platforms in case future
applications or features are developed that could make use of a
larger bonus buffer area.
Implementation
--------------
The size of a dnode may be a multiple of 512 bytes up to the size of
a dnode block (currently 16384 bytes). A dn_extra_slots field was
added to the current on-disk dnode_phys_t structure to describe the
size of the physical dnode on disk. The 8 bits for this field were
taken from the zero filled dn_pad2 field. The field represents how
many "extra" dnode_phys_t slots a dnode consumes in its dnode block.
This convention results in a value of 0 for 512 byte dnodes which
preserves on-disk format compatibility with older software.
Similarly, the in-memory dnode_t structure has a new dn_num_slots field
to represent the total number of dnode_phys_t slots consumed on disk.
Thus dn->dn_num_slots is 1 greater than the corresponding
dnp->dn_extra_slots. This difference in convention was adopted
because, unlike on-disk structures, backward compatibility is not a
concern for in-memory objects, so we used a more natural way to
represent size for a dnode_t.
The default size for newly created dnodes is determined by the value of
a new "dnodesize" dataset property. By default the property is set to
"legacy" which is compatible with older software. Setting the property
to "auto" will allow the filesystem to choose the most suitable dnode
size. Currently this just sets the default dnode size to 1k, but future
code improvements could dynamically choose a size based on observed
workload patterns. Dnodes of varying sizes can coexist within the same
dataset and even within the same dnode block. For example, to enable
automatically-sized dnodes, run
# zfs set dnodesize=auto tank/fish
The user can also specify literal values for the dnodesize property.
These are currently limited to powers of two from 1k to 16k. The
power-of-2 limitation is only for simplicity of the user interface.
Internally the implementation can handle any multiple of 512 up to 16k,
and consumers of the DMU API can specify any legal dnode value.
The size of a new dnode is determined at object allocation time and
stored as a new field in the znode in-memory structure. New DMU
interfaces are added to allow the consumer to specify the dnode size
that a newly allocated object should use. Existing interfaces are
unchanged to avoid having to update every call site and to preserve
compatibility with external consumers such as Lustre. The new
interfaces names are given below. The versions of these functions that
don't take a dnodesize parameter now just call the _dnsize() versions
with a dnodesize of 0, which means use the legacy dnode size.
New DMU interfaces:
dmu_object_alloc_dnsize()
dmu_object_claim_dnsize()
dmu_object_reclaim_dnsize()
New ZAP interfaces:
zap_create_dnsize()
zap_create_norm_dnsize()
zap_create_flags_dnsize()
zap_create_claim_norm_dnsize()
zap_create_link_dnsize()
The constant DN_MAX_BONUSLEN is renamed to DN_OLD_MAX_BONUSLEN. The
spa_maxdnodesize() function should be used to determine the maximum
bonus length for a pool.
These are a few noteworthy changes to key functions:
* The prototype for dnode_hold_impl() now takes a "slots" parameter.
When the DNODE_MUST_BE_FREE flag is set, this parameter is used to
ensure the hole at the specified object offset is large enough to
hold the dnode being created. The slots parameter is also used
to ensure a dnode does not span multiple dnode blocks. In both of
these cases, if a failure occurs, ENOSPC is returned. Keep in mind,
these failure cases are only possible when using DNODE_MUST_BE_FREE.
If the DNODE_MUST_BE_ALLOCATED flag is set, "slots" must be 0.
dnode_hold_impl() will check if the requested dnode is already
consumed as an extra dnode slot by an large dnode, in which case
it returns ENOENT.
* The function dmu_object_alloc() advances to the next dnode block
if dnode_hold_impl() returns an error for a requested object.
This is because the beginning of the next dnode block is the only
location it can safely assume to either be a hole or a valid
starting point for a dnode.
* dnode_next_offset_level() and other functions that iterate
through dnode blocks may no longer use a simple array indexing
scheme. These now use the current dnode's dn_num_slots field to
advance to the next dnode in the block. This is to ensure we
properly skip the current dnode's bonus area and don't interpret it
as a valid dnode.
zdb
---
The zdb command was updated to display a dnode's size under the
"dnsize" column when the object is dumped.
For ZIL create log records, zdb will now display the slot count for
the object.
ztest
-----
Ztest chooses a random dnodesize for every newly created object. The
random distribution is more heavily weighted toward small dnodes to
better simulate real-world datasets.
Unused bonus buffer space is filled with non-zero values computed from
the object number, dataset id, offset, and generation number. This
helps ensure that the dnode traversal code properly skips the interior
regions of large dnodes, and that these interior regions are not
overwritten by data belonging to other dnodes. A new test visits each
object in a dataset. It verifies that the actual dnode size matches what
was stored in the ztest block tag when it was created. It also verifies
that the unused bonus buffer space is filled with the expected data
patterns.
ZFS Test Suite
--------------
Added six new large dnode-specific tests, and integrated the dnodesize
property into existing tests for zfs allow and send/recv.
Send/Receive
------------
ZFS send streams for datasets containing large dnodes cannot be received
on pools that don't support the large_dnode feature. A send stream with
large dnodes sets a DMU_BACKUP_FEATURE_LARGE_DNODE flag which will be
unrecognized by an incompatible receiving pool so that the zfs receive
will fail gracefully.
While not implemented here, it may be possible to generate a
backward-compatible send stream from a dataset containing large
dnodes. The implementation may be tricky, however, because the send
object record for a large dnode would need to be resized to a 512
byte dnode, possibly kicking in a spill block in the process. This
means we would need to construct a new SA layout and possibly
register it in the SA layout object. The SA layout is normally just
sent as an ordinary object record. But if we are constructing new
layouts while generating the send stream we'd have to build the SA
layout object dynamically and send it at the end of the stream.
For sending and receiving between pools that do support large dnodes,
the drr_object send record type is extended with a new field to store
the dnode slot count. This field was repurposed from unused padding
in the structure.
ZIL Replay
----------
The dnode slot count is stored in the uppermost 8 bits of the lr_foid
field. The bits were unused as the object id is currently capped at
48 bits.
Resizing Dnodes
---------------
It should be possible to resize a dnode when it is dirtied if the
current dnodesize dataset property differs from the dnode's size, but
this functionality is not currently implemented. Clearly a dnode can
only grow if there are sufficient contiguous unused slots in the
dnode block, but it should always be possible to shrink a dnode.
Growing dnodes may be useful to reduce fragmentation in a pool with
many spill blocks in use. Shrinking dnodes may be useful to allow
sending a dataset to a pool that doesn't support the large_dnode
feature.
Feature Reference Counting
--------------------------
The reference count for the large_dnode pool feature tracks the
number of datasets that have ever contained a dnode of size larger
than 512 bytes. The first time a large dnode is created in a dataset
the dataset is converted to an extensible dataset. This is a one-way
operation and the only way to decrement the feature count is to
destroy the dataset, even if the dataset no longer contains any large
dnodes. The complexity of reference counting on a per-dnode basis was
too high, so we chose to track it on a per-dataset basis similarly to
the large_block feature.
Signed-off-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #3542
2016-03-17 04:25:34 +03:00
|
|
|
uint64_t
|
|
|
|
dmu_objset_dnodesize(objset_t *os)
|
|
|
|
{
|
|
|
|
return (os->os_dnodesize);
|
|
|
|
}
|
|
|
|
|
2014-05-23 20:21:07 +04:00
|
|
|
zfs_sync_type_t
|
2010-05-29 00:45:14 +04:00
|
|
|
dmu_objset_syncprop(objset_t *os)
|
|
|
|
{
|
|
|
|
return (os->os_sync);
|
|
|
|
}
|
|
|
|
|
2014-05-23 20:21:07 +04:00
|
|
|
zfs_logbias_op_t
|
2010-05-29 00:45:14 +04:00
|
|
|
dmu_objset_logbias(objset_t *os)
|
|
|
|
{
|
|
|
|
return (os->os_logbias);
|
|
|
|
}
|
|
|
|
|
2008-11-20 23:01:55 +03:00
|
|
|
static void
|
|
|
|
checksum_changed_cb(void *arg, uint64_t newval)
|
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
objset_t *os = arg;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Inheritance should have been done by now.
|
|
|
|
*/
|
|
|
|
ASSERT(newval != ZIO_CHECKSUM_INHERIT);
|
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
os->os_checksum = zio_checksum_select(newval, ZIO_CHECKSUM_ON_VALUE);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
compression_changed_cb(void *arg, uint64_t newval)
|
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
objset_t *os = arg;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Inheritance and range checking should have been done by now.
|
|
|
|
*/
|
|
|
|
ASSERT(newval != ZIO_COMPRESS_INHERIT);
|
|
|
|
|
2015-07-06 04:55:32 +03:00
|
|
|
os->os_compress = zio_compress_select(os->os_spa, newval,
|
|
|
|
ZIO_COMPRESS_ON);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
copies_changed_cb(void *arg, uint64_t newval)
|
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
objset_t *os = arg;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Inheritance and range checking should have been done by now.
|
|
|
|
*/
|
|
|
|
ASSERT(newval > 0);
|
2010-05-29 00:45:14 +04:00
|
|
|
ASSERT(newval <= spa_max_replication(os->os_spa));
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
os->os_copies = newval;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
dedup_changed_cb(void *arg, uint64_t newval)
|
|
|
|
{
|
|
|
|
objset_t *os = arg;
|
|
|
|
spa_t *spa = os->os_spa;
|
|
|
|
enum zio_checksum checksum;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Inheritance should have been done by now.
|
|
|
|
*/
|
|
|
|
ASSERT(newval != ZIO_CHECKSUM_INHERIT);
|
|
|
|
|
|
|
|
checksum = zio_checksum_dedup_select(spa, newval, ZIO_CHECKSUM_OFF);
|
|
|
|
|
|
|
|
os->os_dedup_checksum = checksum & ZIO_CHECKSUM_MASK;
|
|
|
|
os->os_dedup_verify = !!(checksum & ZIO_CHECKSUM_VERIFY);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
2008-12-03 23:09:06 +03:00
|
|
|
static void
|
|
|
|
primary_cache_changed_cb(void *arg, uint64_t newval)
|
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
objset_t *os = arg;
|
2008-12-03 23:09:06 +03:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Inheritance and range checking should have been done by now.
|
|
|
|
*/
|
|
|
|
ASSERT(newval == ZFS_CACHE_ALL || newval == ZFS_CACHE_NONE ||
|
|
|
|
newval == ZFS_CACHE_METADATA);
|
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
os->os_primary_cache = newval;
|
2008-12-03 23:09:06 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
secondary_cache_changed_cb(void *arg, uint64_t newval)
|
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
objset_t *os = arg;
|
2008-12-03 23:09:06 +03:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Inheritance and range checking should have been done by now.
|
|
|
|
*/
|
|
|
|
ASSERT(newval == ZFS_CACHE_ALL || newval == ZFS_CACHE_NONE ||
|
|
|
|
newval == ZFS_CACHE_METADATA);
|
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
os->os_secondary_cache = newval;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
sync_changed_cb(void *arg, uint64_t newval)
|
|
|
|
{
|
|
|
|
objset_t *os = arg;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Inheritance and range checking should have been done by now.
|
|
|
|
*/
|
|
|
|
ASSERT(newval == ZFS_SYNC_STANDARD || newval == ZFS_SYNC_ALWAYS ||
|
|
|
|
newval == ZFS_SYNC_DISABLED);
|
|
|
|
|
|
|
|
os->os_sync = newval;
|
|
|
|
if (os->os_zil)
|
|
|
|
zil_set_sync(os->os_zil, newval);
|
|
|
|
}
|
|
|
|
|
2014-05-23 20:21:07 +04:00
|
|
|
static void
|
|
|
|
redundant_metadata_changed_cb(void *arg, uint64_t newval)
|
|
|
|
{
|
|
|
|
objset_t *os = arg;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Inheritance and range checking should have been done by now.
|
|
|
|
*/
|
|
|
|
ASSERT(newval == ZFS_REDUNDANT_METADATA_ALL ||
|
|
|
|
newval == ZFS_REDUNDANT_METADATA_MOST);
|
|
|
|
|
|
|
|
os->os_redundant_metadata = newval;
|
|
|
|
}
|
|
|
|
|
Implement large_dnode pool feature
Justification
-------------
This feature adds support for variable length dnodes. Our motivation is
to eliminate the overhead associated with using spill blocks. Spill
blocks are used to store system attribute data (i.e. file metadata) that
does not fit in the dnode's bonus buffer. By allowing a larger bonus
buffer area the use of a spill block can be avoided. Spill blocks
potentially incur an additional read I/O for every dnode in a dnode
block. As a worst case example, reading 32 dnodes from a 16k dnode block
and all of the spill blocks could issue 33 separate reads. Now suppose
those dnodes have size 1024 and therefore don't need spill blocks. Then
the worst case number of blocks read is reduced to from 33 to two--one
per dnode block. In practice spill blocks may tend to be co-located on
disk with the dnode blocks so the reduction in I/O would not be this
drastic. In a badly fragmented pool, however, the improvement could be
significant.
ZFS-on-Linux systems that make heavy use of extended attributes would
benefit from this feature. In particular, ZFS-on-Linux supports the
xattr=sa dataset property which allows file extended attribute data
to be stored in the dnode bonus buffer as an alternative to the
traditional directory-based format. Workloads such as SELinux and the
Lustre distributed filesystem often store enough xattr data to force
spill bocks when xattr=sa is in effect. Large dnodes may therefore
provide a performance benefit to such systems.
Other use cases that may benefit from this feature include files with
large ACLs and symbolic links with long target names. Furthermore,
this feature may be desirable on other platforms in case future
applications or features are developed that could make use of a
larger bonus buffer area.
Implementation
--------------
The size of a dnode may be a multiple of 512 bytes up to the size of
a dnode block (currently 16384 bytes). A dn_extra_slots field was
added to the current on-disk dnode_phys_t structure to describe the
size of the physical dnode on disk. The 8 bits for this field were
taken from the zero filled dn_pad2 field. The field represents how
many "extra" dnode_phys_t slots a dnode consumes in its dnode block.
This convention results in a value of 0 for 512 byte dnodes which
preserves on-disk format compatibility with older software.
Similarly, the in-memory dnode_t structure has a new dn_num_slots field
to represent the total number of dnode_phys_t slots consumed on disk.
Thus dn->dn_num_slots is 1 greater than the corresponding
dnp->dn_extra_slots. This difference in convention was adopted
because, unlike on-disk structures, backward compatibility is not a
concern for in-memory objects, so we used a more natural way to
represent size for a dnode_t.
The default size for newly created dnodes is determined by the value of
a new "dnodesize" dataset property. By default the property is set to
"legacy" which is compatible with older software. Setting the property
to "auto" will allow the filesystem to choose the most suitable dnode
size. Currently this just sets the default dnode size to 1k, but future
code improvements could dynamically choose a size based on observed
workload patterns. Dnodes of varying sizes can coexist within the same
dataset and even within the same dnode block. For example, to enable
automatically-sized dnodes, run
# zfs set dnodesize=auto tank/fish
The user can also specify literal values for the dnodesize property.
These are currently limited to powers of two from 1k to 16k. The
power-of-2 limitation is only for simplicity of the user interface.
Internally the implementation can handle any multiple of 512 up to 16k,
and consumers of the DMU API can specify any legal dnode value.
The size of a new dnode is determined at object allocation time and
stored as a new field in the znode in-memory structure. New DMU
interfaces are added to allow the consumer to specify the dnode size
that a newly allocated object should use. Existing interfaces are
unchanged to avoid having to update every call site and to preserve
compatibility with external consumers such as Lustre. The new
interfaces names are given below. The versions of these functions that
don't take a dnodesize parameter now just call the _dnsize() versions
with a dnodesize of 0, which means use the legacy dnode size.
New DMU interfaces:
dmu_object_alloc_dnsize()
dmu_object_claim_dnsize()
dmu_object_reclaim_dnsize()
New ZAP interfaces:
zap_create_dnsize()
zap_create_norm_dnsize()
zap_create_flags_dnsize()
zap_create_claim_norm_dnsize()
zap_create_link_dnsize()
The constant DN_MAX_BONUSLEN is renamed to DN_OLD_MAX_BONUSLEN. The
spa_maxdnodesize() function should be used to determine the maximum
bonus length for a pool.
These are a few noteworthy changes to key functions:
* The prototype for dnode_hold_impl() now takes a "slots" parameter.
When the DNODE_MUST_BE_FREE flag is set, this parameter is used to
ensure the hole at the specified object offset is large enough to
hold the dnode being created. The slots parameter is also used
to ensure a dnode does not span multiple dnode blocks. In both of
these cases, if a failure occurs, ENOSPC is returned. Keep in mind,
these failure cases are only possible when using DNODE_MUST_BE_FREE.
If the DNODE_MUST_BE_ALLOCATED flag is set, "slots" must be 0.
dnode_hold_impl() will check if the requested dnode is already
consumed as an extra dnode slot by an large dnode, in which case
it returns ENOENT.
* The function dmu_object_alloc() advances to the next dnode block
if dnode_hold_impl() returns an error for a requested object.
This is because the beginning of the next dnode block is the only
location it can safely assume to either be a hole or a valid
starting point for a dnode.
* dnode_next_offset_level() and other functions that iterate
through dnode blocks may no longer use a simple array indexing
scheme. These now use the current dnode's dn_num_slots field to
advance to the next dnode in the block. This is to ensure we
properly skip the current dnode's bonus area and don't interpret it
as a valid dnode.
zdb
---
The zdb command was updated to display a dnode's size under the
"dnsize" column when the object is dumped.
For ZIL create log records, zdb will now display the slot count for
the object.
ztest
-----
Ztest chooses a random dnodesize for every newly created object. The
random distribution is more heavily weighted toward small dnodes to
better simulate real-world datasets.
Unused bonus buffer space is filled with non-zero values computed from
the object number, dataset id, offset, and generation number. This
helps ensure that the dnode traversal code properly skips the interior
regions of large dnodes, and that these interior regions are not
overwritten by data belonging to other dnodes. A new test visits each
object in a dataset. It verifies that the actual dnode size matches what
was stored in the ztest block tag when it was created. It also verifies
that the unused bonus buffer space is filled with the expected data
patterns.
ZFS Test Suite
--------------
Added six new large dnode-specific tests, and integrated the dnodesize
property into existing tests for zfs allow and send/recv.
Send/Receive
------------
ZFS send streams for datasets containing large dnodes cannot be received
on pools that don't support the large_dnode feature. A send stream with
large dnodes sets a DMU_BACKUP_FEATURE_LARGE_DNODE flag which will be
unrecognized by an incompatible receiving pool so that the zfs receive
will fail gracefully.
While not implemented here, it may be possible to generate a
backward-compatible send stream from a dataset containing large
dnodes. The implementation may be tricky, however, because the send
object record for a large dnode would need to be resized to a 512
byte dnode, possibly kicking in a spill block in the process. This
means we would need to construct a new SA layout and possibly
register it in the SA layout object. The SA layout is normally just
sent as an ordinary object record. But if we are constructing new
layouts while generating the send stream we'd have to build the SA
layout object dynamically and send it at the end of the stream.
For sending and receiving between pools that do support large dnodes,
the drr_object send record type is extended with a new field to store
the dnode slot count. This field was repurposed from unused padding
in the structure.
ZIL Replay
----------
The dnode slot count is stored in the uppermost 8 bits of the lr_foid
field. The bits were unused as the object id is currently capped at
48 bits.
Resizing Dnodes
---------------
It should be possible to resize a dnode when it is dirtied if the
current dnodesize dataset property differs from the dnode's size, but
this functionality is not currently implemented. Clearly a dnode can
only grow if there are sufficient contiguous unused slots in the
dnode block, but it should always be possible to shrink a dnode.
Growing dnodes may be useful to reduce fragmentation in a pool with
many spill blocks in use. Shrinking dnodes may be useful to allow
sending a dataset to a pool that doesn't support the large_dnode
feature.
Feature Reference Counting
--------------------------
The reference count for the large_dnode pool feature tracks the
number of datasets that have ever contained a dnode of size larger
than 512 bytes. The first time a large dnode is created in a dataset
the dataset is converted to an extensible dataset. This is a one-way
operation and the only way to decrement the feature count is to
destroy the dataset, even if the dataset no longer contains any large
dnodes. The complexity of reference counting on a per-dnode basis was
too high, so we chose to track it on a per-dataset basis similarly to
the large_block feature.
Signed-off-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #3542
2016-03-17 04:25:34 +03:00
|
|
|
static void
|
|
|
|
dnodesize_changed_cb(void *arg, uint64_t newval)
|
|
|
|
{
|
|
|
|
objset_t *os = arg;
|
|
|
|
|
|
|
|
switch (newval) {
|
|
|
|
case ZFS_DNSIZE_LEGACY:
|
|
|
|
os->os_dnodesize = DNODE_MIN_SIZE;
|
|
|
|
break;
|
|
|
|
case ZFS_DNSIZE_AUTO:
|
|
|
|
/*
|
|
|
|
* Choose a dnode size that will work well for most
|
|
|
|
* workloads if the user specified "auto". Future code
|
|
|
|
* improvements could dynamically select a dnode size
|
|
|
|
* based on observed workload patterns.
|
|
|
|
*/
|
|
|
|
os->os_dnodesize = DNODE_MIN_SIZE * 2;
|
|
|
|
break;
|
|
|
|
case ZFS_DNSIZE_1K:
|
|
|
|
case ZFS_DNSIZE_2K:
|
|
|
|
case ZFS_DNSIZE_4K:
|
|
|
|
case ZFS_DNSIZE_8K:
|
|
|
|
case ZFS_DNSIZE_16K:
|
|
|
|
os->os_dnodesize = newval;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
static void
|
|
|
|
logbias_changed_cb(void *arg, uint64_t newval)
|
|
|
|
{
|
|
|
|
objset_t *os = arg;
|
|
|
|
|
|
|
|
ASSERT(newval == ZFS_LOGBIAS_LATENCY ||
|
|
|
|
newval == ZFS_LOGBIAS_THROUGHPUT);
|
|
|
|
os->os_logbias = newval;
|
|
|
|
if (os->os_zil)
|
|
|
|
zil_set_logbias(os->os_zil, newval);
|
2008-12-03 23:09:06 +03:00
|
|
|
}
|
|
|
|
|
2014-11-03 23:15:08 +03:00
|
|
|
static void
|
|
|
|
recordsize_changed_cb(void *arg, uint64_t newval)
|
|
|
|
{
|
|
|
|
objset_t *os = arg;
|
|
|
|
|
|
|
|
os->os_recordsize = newval;
|
|
|
|
}
|
|
|
|
|
2008-11-20 23:01:55 +03:00
|
|
|
void
|
|
|
|
dmu_objset_byteswap(void *buf, size_t size)
|
|
|
|
{
|
|
|
|
objset_phys_t *osp = buf;
|
|
|
|
|
2009-07-03 02:44:48 +04:00
|
|
|
ASSERT(size == OBJSET_OLD_PHYS_SIZE || size == sizeof (objset_phys_t));
|
2008-11-20 23:01:55 +03:00
|
|
|
dnode_byteswap(&osp->os_meta_dnode);
|
|
|
|
byteswap_uint64_array(&osp->os_zil_header, sizeof (zil_header_t));
|
|
|
|
osp->os_type = BSWAP_64(osp->os_type);
|
2009-07-03 02:44:48 +04:00
|
|
|
osp->os_flags = BSWAP_64(osp->os_flags);
|
|
|
|
if (size == sizeof (objset_phys_t)) {
|
|
|
|
dnode_byteswap(&osp->os_userused_dnode);
|
|
|
|
dnode_byteswap(&osp->os_groupused_dnode);
|
|
|
|
}
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
2017-03-21 04:36:00 +03:00
|
|
|
/*
|
|
|
|
* The hash is a CRC-based hash of the objset_t pointer and the object number.
|
|
|
|
*/
|
|
|
|
static uint64_t
|
|
|
|
dnode_hash(const objset_t *os, uint64_t obj)
|
|
|
|
{
|
|
|
|
uintptr_t osv = (uintptr_t)os;
|
|
|
|
uint64_t crc = -1ULL;
|
|
|
|
|
|
|
|
ASSERT(zfs_crc64_table[128] == ZFS_CRC64_POLY);
|
|
|
|
/*
|
|
|
|
* The low 6 bits of the pointer don't have much entropy, because
|
|
|
|
* the objset_t is larger than 2^6 bytes long.
|
|
|
|
*/
|
|
|
|
crc = (crc >> 8) ^ zfs_crc64_table[(crc ^ (osv >> 6)) & 0xFF];
|
|
|
|
crc = (crc >> 8) ^ zfs_crc64_table[(crc ^ (obj >> 0)) & 0xFF];
|
|
|
|
crc = (crc >> 8) ^ zfs_crc64_table[(crc ^ (obj >> 8)) & 0xFF];
|
|
|
|
crc = (crc >> 8) ^ zfs_crc64_table[(crc ^ (obj >> 16)) & 0xFF];
|
|
|
|
|
|
|
|
crc ^= (osv>>14) ^ (obj>>24);
|
|
|
|
|
|
|
|
return (crc);
|
|
|
|
}
|
|
|
|
|
|
|
|
unsigned int
|
|
|
|
dnode_multilist_index_func(multilist_t *ml, void *obj)
|
|
|
|
{
|
|
|
|
dnode_t *dn = obj;
|
|
|
|
return (dnode_hash(dn->dn_objset, dn->dn_object) %
|
|
|
|
multilist_get_num_sublists(ml));
|
|
|
|
}
|
|
|
|
|
2008-11-20 23:01:55 +03:00
|
|
|
int
|
|
|
|
dmu_objset_open_impl(spa_t *spa, dsl_dataset_t *ds, blkptr_t *bp,
|
2010-05-29 00:45:14 +04:00
|
|
|
objset_t **osp)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
objset_t *os;
|
2008-12-03 23:09:06 +03:00
|
|
|
int i, err;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
ASSERT(ds == NULL || MUTEX_HELD(&ds->ds_opening_lock));
|
|
|
|
|
2014-11-21 03:09:39 +03:00
|
|
|
os = kmem_zalloc(sizeof (objset_t), KM_SLEEP);
|
2010-05-29 00:45:14 +04:00
|
|
|
os->os_dsl_dataset = ds;
|
|
|
|
os->os_spa = spa;
|
|
|
|
os->os_rootbp = bp;
|
|
|
|
if (!BP_IS_HOLE(os->os_rootbp)) {
|
2014-12-06 20:24:32 +03:00
|
|
|
arc_flags_t aflags = ARC_FLAG_WAIT;
|
2014-06-25 22:37:59 +04:00
|
|
|
zbookmark_phys_t zb;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
enum zio_flag zio_flags = ZIO_FLAG_CANFAIL;
|
2010-05-29 00:45:14 +04:00
|
|
|
SET_BOOKMARK(&zb, ds ? ds->ds_object : DMU_META_OBJSET,
|
|
|
|
ZB_ROOT_OBJECT, ZB_ROOT_LEVEL, ZB_ROOT_BLKID);
|
|
|
|
|
|
|
|
if (DMU_OS_IS_L2CACHEABLE(os))
|
2014-12-06 20:24:32 +03:00
|
|
|
aflags |= ARC_FLAG_L2CACHE;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
if (ds != NULL && ds->ds_dir->dd_crypto_obj != 0) {
|
|
|
|
ASSERT3U(BP_GET_COMPRESS(bp), ==, ZIO_COMPRESS_OFF);
|
|
|
|
ASSERT(BP_IS_AUTHENTICATED(bp));
|
|
|
|
zio_flags |= ZIO_FLAG_RAW;
|
|
|
|
}
|
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
dprintf_bp(os->os_rootbp, "reading %s", "");
|
2013-07-03 00:26:24 +04:00
|
|
|
err = arc_read(NULL, spa, os->os_rootbp,
|
2010-05-29 00:45:14 +04:00
|
|
|
arc_getbuf_func, &os->os_phys_buf,
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
ZIO_PRIORITY_SYNC_READ, zio_flags, &aflags, &zb);
|
2013-09-04 16:00:57 +04:00
|
|
|
if (err != 0) {
|
2010-05-29 00:45:14 +04:00
|
|
|
kmem_free(os, sizeof (objset_t));
|
2008-12-03 23:09:06 +03:00
|
|
|
/* convert checksum errors into IO errors */
|
|
|
|
if (err == ECKSUM)
|
2013-03-08 22:41:28 +04:00
|
|
|
err = SET_ERROR(EIO);
|
2008-11-20 23:01:55 +03:00
|
|
|
return (err);
|
|
|
|
}
|
2009-07-03 02:44:48 +04:00
|
|
|
|
|
|
|
/* Increase the blocksize if we are permitted. */
|
|
|
|
if (spa_version(spa) >= SPA_VERSION_USERSPACE &&
|
2010-05-29 00:45:14 +04:00
|
|
|
arc_buf_size(os->os_phys_buf) < sizeof (objset_phys_t)) {
|
2016-07-11 20:45:52 +03:00
|
|
|
arc_buf_t *buf = arc_alloc_buf(spa, &os->os_phys_buf,
|
|
|
|
ARC_BUFC_METADATA, sizeof (objset_phys_t));
|
2009-07-03 02:44:48 +04:00
|
|
|
bzero(buf->b_data, sizeof (objset_phys_t));
|
2010-05-29 00:45:14 +04:00
|
|
|
bcopy(os->os_phys_buf->b_data, buf->b_data,
|
|
|
|
arc_buf_size(os->os_phys_buf));
|
2016-06-02 07:04:53 +03:00
|
|
|
arc_buf_destroy(os->os_phys_buf, &os->os_phys_buf);
|
2010-05-29 00:45:14 +04:00
|
|
|
os->os_phys_buf = buf;
|
2009-07-03 02:44:48 +04:00
|
|
|
}
|
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
os->os_phys = os->os_phys_buf->b_data;
|
|
|
|
os->os_flags = os->os_phys->os_flags;
|
2008-11-20 23:01:55 +03:00
|
|
|
} else {
|
2009-07-03 02:44:48 +04:00
|
|
|
int size = spa_version(spa) >= SPA_VERSION_USERSPACE ?
|
|
|
|
sizeof (objset_phys_t) : OBJSET_OLD_PHYS_SIZE;
|
2016-07-11 20:45:52 +03:00
|
|
|
os->os_phys_buf = arc_alloc_buf(spa, &os->os_phys_buf,
|
|
|
|
ARC_BUFC_METADATA, size);
|
2010-05-29 00:45:14 +04:00
|
|
|
os->os_phys = os->os_phys_buf->b_data;
|
|
|
|
bzero(os->os_phys, size);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Note: the changed_cb will be called once before the register
|
|
|
|
* func returns, thus changing the checksum/compression from the
|
2008-12-03 23:09:06 +03:00
|
|
|
* default (fletcher2/off). Snapshots don't need to know about
|
|
|
|
* checksum/compression/copies.
|
2008-11-20 23:01:55 +03:00
|
|
|
*/
|
2014-06-06 01:19:08 +04:00
|
|
|
if (ds != NULL) {
|
2016-01-07 00:22:48 +03:00
|
|
|
boolean_t needlock = B_FALSE;
|
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
os->os_encrypted = (ds->ds_dir->dd_crypto_obj != 0);
|
|
|
|
|
2016-01-07 00:22:48 +03:00
|
|
|
/*
|
|
|
|
* Note: it's valid to open the objset if the dataset is
|
|
|
|
* long-held, in which case the pool_config lock will not
|
|
|
|
* be held.
|
|
|
|
*/
|
|
|
|
if (!dsl_pool_config_held(dmu_objset_pool(os))) {
|
|
|
|
needlock = B_TRUE;
|
|
|
|
dsl_pool_config_enter(dmu_objset_pool(os), FTAG);
|
|
|
|
}
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
err = dsl_prop_register(ds,
|
|
|
|
zfs_prop_to_name(ZFS_PROP_PRIMARYCACHE),
|
2010-05-29 00:45:14 +04:00
|
|
|
primary_cache_changed_cb, os);
|
2013-09-04 16:00:57 +04:00
|
|
|
if (err == 0) {
|
|
|
|
err = dsl_prop_register(ds,
|
|
|
|
zfs_prop_to_name(ZFS_PROP_SECONDARYCACHE),
|
2010-05-29 00:45:14 +04:00
|
|
|
secondary_cache_changed_cb, os);
|
2013-09-04 16:00:57 +04:00
|
|
|
}
|
2015-04-02 06:44:32 +03:00
|
|
|
if (!ds->ds_is_snapshot) {
|
2013-09-04 16:00:57 +04:00
|
|
|
if (err == 0) {
|
|
|
|
err = dsl_prop_register(ds,
|
|
|
|
zfs_prop_to_name(ZFS_PROP_CHECKSUM),
|
2010-05-29 00:45:14 +04:00
|
|
|
checksum_changed_cb, os);
|
2013-09-04 16:00:57 +04:00
|
|
|
}
|
|
|
|
if (err == 0) {
|
|
|
|
err = dsl_prop_register(ds,
|
|
|
|
zfs_prop_to_name(ZFS_PROP_COMPRESSION),
|
2010-05-29 00:45:14 +04:00
|
|
|
compression_changed_cb, os);
|
2013-09-04 16:00:57 +04:00
|
|
|
}
|
|
|
|
if (err == 0) {
|
|
|
|
err = dsl_prop_register(ds,
|
|
|
|
zfs_prop_to_name(ZFS_PROP_COPIES),
|
2010-05-29 00:45:14 +04:00
|
|
|
copies_changed_cb, os);
|
2013-09-04 16:00:57 +04:00
|
|
|
}
|
|
|
|
if (err == 0) {
|
|
|
|
err = dsl_prop_register(ds,
|
|
|
|
zfs_prop_to_name(ZFS_PROP_DEDUP),
|
2010-05-29 00:45:14 +04:00
|
|
|
dedup_changed_cb, os);
|
2013-09-04 16:00:57 +04:00
|
|
|
}
|
|
|
|
if (err == 0) {
|
|
|
|
err = dsl_prop_register(ds,
|
|
|
|
zfs_prop_to_name(ZFS_PROP_LOGBIAS),
|
2010-05-29 00:45:14 +04:00
|
|
|
logbias_changed_cb, os);
|
2013-09-04 16:00:57 +04:00
|
|
|
}
|
|
|
|
if (err == 0) {
|
|
|
|
err = dsl_prop_register(ds,
|
|
|
|
zfs_prop_to_name(ZFS_PROP_SYNC),
|
2010-05-29 00:45:14 +04:00
|
|
|
sync_changed_cb, os);
|
2013-09-04 16:00:57 +04:00
|
|
|
}
|
2014-05-23 20:21:07 +04:00
|
|
|
if (err == 0) {
|
|
|
|
err = dsl_prop_register(ds,
|
|
|
|
zfs_prop_to_name(
|
|
|
|
ZFS_PROP_REDUNDANT_METADATA),
|
|
|
|
redundant_metadata_changed_cb, os);
|
|
|
|
}
|
2014-11-03 23:15:08 +03:00
|
|
|
if (err == 0) {
|
|
|
|
err = dsl_prop_register(ds,
|
|
|
|
zfs_prop_to_name(ZFS_PROP_RECORDSIZE),
|
|
|
|
recordsize_changed_cb, os);
|
|
|
|
}
|
Implement large_dnode pool feature
Justification
-------------
This feature adds support for variable length dnodes. Our motivation is
to eliminate the overhead associated with using spill blocks. Spill
blocks are used to store system attribute data (i.e. file metadata) that
does not fit in the dnode's bonus buffer. By allowing a larger bonus
buffer area the use of a spill block can be avoided. Spill blocks
potentially incur an additional read I/O for every dnode in a dnode
block. As a worst case example, reading 32 dnodes from a 16k dnode block
and all of the spill blocks could issue 33 separate reads. Now suppose
those dnodes have size 1024 and therefore don't need spill blocks. Then
the worst case number of blocks read is reduced to from 33 to two--one
per dnode block. In practice spill blocks may tend to be co-located on
disk with the dnode blocks so the reduction in I/O would not be this
drastic. In a badly fragmented pool, however, the improvement could be
significant.
ZFS-on-Linux systems that make heavy use of extended attributes would
benefit from this feature. In particular, ZFS-on-Linux supports the
xattr=sa dataset property which allows file extended attribute data
to be stored in the dnode bonus buffer as an alternative to the
traditional directory-based format. Workloads such as SELinux and the
Lustre distributed filesystem often store enough xattr data to force
spill bocks when xattr=sa is in effect. Large dnodes may therefore
provide a performance benefit to such systems.
Other use cases that may benefit from this feature include files with
large ACLs and symbolic links with long target names. Furthermore,
this feature may be desirable on other platforms in case future
applications or features are developed that could make use of a
larger bonus buffer area.
Implementation
--------------
The size of a dnode may be a multiple of 512 bytes up to the size of
a dnode block (currently 16384 bytes). A dn_extra_slots field was
added to the current on-disk dnode_phys_t structure to describe the
size of the physical dnode on disk. The 8 bits for this field were
taken from the zero filled dn_pad2 field. The field represents how
many "extra" dnode_phys_t slots a dnode consumes in its dnode block.
This convention results in a value of 0 for 512 byte dnodes which
preserves on-disk format compatibility with older software.
Similarly, the in-memory dnode_t structure has a new dn_num_slots field
to represent the total number of dnode_phys_t slots consumed on disk.
Thus dn->dn_num_slots is 1 greater than the corresponding
dnp->dn_extra_slots. This difference in convention was adopted
because, unlike on-disk structures, backward compatibility is not a
concern for in-memory objects, so we used a more natural way to
represent size for a dnode_t.
The default size for newly created dnodes is determined by the value of
a new "dnodesize" dataset property. By default the property is set to
"legacy" which is compatible with older software. Setting the property
to "auto" will allow the filesystem to choose the most suitable dnode
size. Currently this just sets the default dnode size to 1k, but future
code improvements could dynamically choose a size based on observed
workload patterns. Dnodes of varying sizes can coexist within the same
dataset and even within the same dnode block. For example, to enable
automatically-sized dnodes, run
# zfs set dnodesize=auto tank/fish
The user can also specify literal values for the dnodesize property.
These are currently limited to powers of two from 1k to 16k. The
power-of-2 limitation is only for simplicity of the user interface.
Internally the implementation can handle any multiple of 512 up to 16k,
and consumers of the DMU API can specify any legal dnode value.
The size of a new dnode is determined at object allocation time and
stored as a new field in the znode in-memory structure. New DMU
interfaces are added to allow the consumer to specify the dnode size
that a newly allocated object should use. Existing interfaces are
unchanged to avoid having to update every call site and to preserve
compatibility with external consumers such as Lustre. The new
interfaces names are given below. The versions of these functions that
don't take a dnodesize parameter now just call the _dnsize() versions
with a dnodesize of 0, which means use the legacy dnode size.
New DMU interfaces:
dmu_object_alloc_dnsize()
dmu_object_claim_dnsize()
dmu_object_reclaim_dnsize()
New ZAP interfaces:
zap_create_dnsize()
zap_create_norm_dnsize()
zap_create_flags_dnsize()
zap_create_claim_norm_dnsize()
zap_create_link_dnsize()
The constant DN_MAX_BONUSLEN is renamed to DN_OLD_MAX_BONUSLEN. The
spa_maxdnodesize() function should be used to determine the maximum
bonus length for a pool.
These are a few noteworthy changes to key functions:
* The prototype for dnode_hold_impl() now takes a "slots" parameter.
When the DNODE_MUST_BE_FREE flag is set, this parameter is used to
ensure the hole at the specified object offset is large enough to
hold the dnode being created. The slots parameter is also used
to ensure a dnode does not span multiple dnode blocks. In both of
these cases, if a failure occurs, ENOSPC is returned. Keep in mind,
these failure cases are only possible when using DNODE_MUST_BE_FREE.
If the DNODE_MUST_BE_ALLOCATED flag is set, "slots" must be 0.
dnode_hold_impl() will check if the requested dnode is already
consumed as an extra dnode slot by an large dnode, in which case
it returns ENOENT.
* The function dmu_object_alloc() advances to the next dnode block
if dnode_hold_impl() returns an error for a requested object.
This is because the beginning of the next dnode block is the only
location it can safely assume to either be a hole or a valid
starting point for a dnode.
* dnode_next_offset_level() and other functions that iterate
through dnode blocks may no longer use a simple array indexing
scheme. These now use the current dnode's dn_num_slots field to
advance to the next dnode in the block. This is to ensure we
properly skip the current dnode's bonus area and don't interpret it
as a valid dnode.
zdb
---
The zdb command was updated to display a dnode's size under the
"dnsize" column when the object is dumped.
For ZIL create log records, zdb will now display the slot count for
the object.
ztest
-----
Ztest chooses a random dnodesize for every newly created object. The
random distribution is more heavily weighted toward small dnodes to
better simulate real-world datasets.
Unused bonus buffer space is filled with non-zero values computed from
the object number, dataset id, offset, and generation number. This
helps ensure that the dnode traversal code properly skips the interior
regions of large dnodes, and that these interior regions are not
overwritten by data belonging to other dnodes. A new test visits each
object in a dataset. It verifies that the actual dnode size matches what
was stored in the ztest block tag when it was created. It also verifies
that the unused bonus buffer space is filled with the expected data
patterns.
ZFS Test Suite
--------------
Added six new large dnode-specific tests, and integrated the dnodesize
property into existing tests for zfs allow and send/recv.
Send/Receive
------------
ZFS send streams for datasets containing large dnodes cannot be received
on pools that don't support the large_dnode feature. A send stream with
large dnodes sets a DMU_BACKUP_FEATURE_LARGE_DNODE flag which will be
unrecognized by an incompatible receiving pool so that the zfs receive
will fail gracefully.
While not implemented here, it may be possible to generate a
backward-compatible send stream from a dataset containing large
dnodes. The implementation may be tricky, however, because the send
object record for a large dnode would need to be resized to a 512
byte dnode, possibly kicking in a spill block in the process. This
means we would need to construct a new SA layout and possibly
register it in the SA layout object. The SA layout is normally just
sent as an ordinary object record. But if we are constructing new
layouts while generating the send stream we'd have to build the SA
layout object dynamically and send it at the end of the stream.
For sending and receiving between pools that do support large dnodes,
the drr_object send record type is extended with a new field to store
the dnode slot count. This field was repurposed from unused padding
in the structure.
ZIL Replay
----------
The dnode slot count is stored in the uppermost 8 bits of the lr_foid
field. The bits were unused as the object id is currently capped at
48 bits.
Resizing Dnodes
---------------
It should be possible to resize a dnode when it is dirtied if the
current dnodesize dataset property differs from the dnode's size, but
this functionality is not currently implemented. Clearly a dnode can
only grow if there are sufficient contiguous unused slots in the
dnode block, but it should always be possible to shrink a dnode.
Growing dnodes may be useful to reduce fragmentation in a pool with
many spill blocks in use. Shrinking dnodes may be useful to allow
sending a dataset to a pool that doesn't support the large_dnode
feature.
Feature Reference Counting
--------------------------
The reference count for the large_dnode pool feature tracks the
number of datasets that have ever contained a dnode of size larger
than 512 bytes. The first time a large dnode is created in a dataset
the dataset is converted to an extensible dataset. This is a one-way
operation and the only way to decrement the feature count is to
destroy the dataset, even if the dataset no longer contains any large
dnodes. The complexity of reference counting on a per-dnode basis was
too high, so we chose to track it on a per-dataset basis similarly to
the large_block feature.
Signed-off-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #3542
2016-03-17 04:25:34 +03:00
|
|
|
if (err == 0) {
|
|
|
|
err = dsl_prop_register(ds,
|
|
|
|
zfs_prop_to_name(ZFS_PROP_DNODESIZE),
|
|
|
|
dnodesize_changed_cb, os);
|
|
|
|
}
|
2008-12-03 23:09:06 +03:00
|
|
|
}
|
2016-01-07 00:22:48 +03:00
|
|
|
if (needlock)
|
|
|
|
dsl_pool_config_exit(dmu_objset_pool(os), FTAG);
|
2013-09-04 16:00:57 +04:00
|
|
|
if (err != 0) {
|
2016-06-02 07:04:53 +03:00
|
|
|
arc_buf_destroy(os->os_phys_buf, &os->os_phys_buf);
|
2010-05-29 00:45:14 +04:00
|
|
|
kmem_free(os, sizeof (objset_t));
|
2008-11-20 23:01:55 +03:00
|
|
|
return (err);
|
|
|
|
}
|
2014-06-06 01:19:08 +04:00
|
|
|
} else {
|
2008-11-20 23:01:55 +03:00
|
|
|
/* It's the meta-objset. */
|
2010-05-29 00:45:14 +04:00
|
|
|
os->os_checksum = ZIO_CHECKSUM_FLETCHER_4;
|
2015-07-06 04:55:32 +03:00
|
|
|
os->os_compress = ZIO_COMPRESS_ON;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
os->os_encrypted = B_FALSE;
|
2010-05-29 00:45:14 +04:00
|
|
|
os->os_copies = spa_max_replication(spa);
|
|
|
|
os->os_dedup_checksum = ZIO_CHECKSUM_OFF;
|
2014-05-23 20:21:07 +04:00
|
|
|
os->os_dedup_verify = B_FALSE;
|
|
|
|
os->os_logbias = ZFS_LOGBIAS_LATENCY;
|
|
|
|
os->os_sync = ZFS_SYNC_STANDARD;
|
2010-05-29 00:45:14 +04:00
|
|
|
os->os_primary_cache = ZFS_CACHE_ALL;
|
|
|
|
os->os_secondary_cache = ZFS_CACHE_ALL;
|
Implement large_dnode pool feature
Justification
-------------
This feature adds support for variable length dnodes. Our motivation is
to eliminate the overhead associated with using spill blocks. Spill
blocks are used to store system attribute data (i.e. file metadata) that
does not fit in the dnode's bonus buffer. By allowing a larger bonus
buffer area the use of a spill block can be avoided. Spill blocks
potentially incur an additional read I/O for every dnode in a dnode
block. As a worst case example, reading 32 dnodes from a 16k dnode block
and all of the spill blocks could issue 33 separate reads. Now suppose
those dnodes have size 1024 and therefore don't need spill blocks. Then
the worst case number of blocks read is reduced to from 33 to two--one
per dnode block. In practice spill blocks may tend to be co-located on
disk with the dnode blocks so the reduction in I/O would not be this
drastic. In a badly fragmented pool, however, the improvement could be
significant.
ZFS-on-Linux systems that make heavy use of extended attributes would
benefit from this feature. In particular, ZFS-on-Linux supports the
xattr=sa dataset property which allows file extended attribute data
to be stored in the dnode bonus buffer as an alternative to the
traditional directory-based format. Workloads such as SELinux and the
Lustre distributed filesystem often store enough xattr data to force
spill bocks when xattr=sa is in effect. Large dnodes may therefore
provide a performance benefit to such systems.
Other use cases that may benefit from this feature include files with
large ACLs and symbolic links with long target names. Furthermore,
this feature may be desirable on other platforms in case future
applications or features are developed that could make use of a
larger bonus buffer area.
Implementation
--------------
The size of a dnode may be a multiple of 512 bytes up to the size of
a dnode block (currently 16384 bytes). A dn_extra_slots field was
added to the current on-disk dnode_phys_t structure to describe the
size of the physical dnode on disk. The 8 bits for this field were
taken from the zero filled dn_pad2 field. The field represents how
many "extra" dnode_phys_t slots a dnode consumes in its dnode block.
This convention results in a value of 0 for 512 byte dnodes which
preserves on-disk format compatibility with older software.
Similarly, the in-memory dnode_t structure has a new dn_num_slots field
to represent the total number of dnode_phys_t slots consumed on disk.
Thus dn->dn_num_slots is 1 greater than the corresponding
dnp->dn_extra_slots. This difference in convention was adopted
because, unlike on-disk structures, backward compatibility is not a
concern for in-memory objects, so we used a more natural way to
represent size for a dnode_t.
The default size for newly created dnodes is determined by the value of
a new "dnodesize" dataset property. By default the property is set to
"legacy" which is compatible with older software. Setting the property
to "auto" will allow the filesystem to choose the most suitable dnode
size. Currently this just sets the default dnode size to 1k, but future
code improvements could dynamically choose a size based on observed
workload patterns. Dnodes of varying sizes can coexist within the same
dataset and even within the same dnode block. For example, to enable
automatically-sized dnodes, run
# zfs set dnodesize=auto tank/fish
The user can also specify literal values for the dnodesize property.
These are currently limited to powers of two from 1k to 16k. The
power-of-2 limitation is only for simplicity of the user interface.
Internally the implementation can handle any multiple of 512 up to 16k,
and consumers of the DMU API can specify any legal dnode value.
The size of a new dnode is determined at object allocation time and
stored as a new field in the znode in-memory structure. New DMU
interfaces are added to allow the consumer to specify the dnode size
that a newly allocated object should use. Existing interfaces are
unchanged to avoid having to update every call site and to preserve
compatibility with external consumers such as Lustre. The new
interfaces names are given below. The versions of these functions that
don't take a dnodesize parameter now just call the _dnsize() versions
with a dnodesize of 0, which means use the legacy dnode size.
New DMU interfaces:
dmu_object_alloc_dnsize()
dmu_object_claim_dnsize()
dmu_object_reclaim_dnsize()
New ZAP interfaces:
zap_create_dnsize()
zap_create_norm_dnsize()
zap_create_flags_dnsize()
zap_create_claim_norm_dnsize()
zap_create_link_dnsize()
The constant DN_MAX_BONUSLEN is renamed to DN_OLD_MAX_BONUSLEN. The
spa_maxdnodesize() function should be used to determine the maximum
bonus length for a pool.
These are a few noteworthy changes to key functions:
* The prototype for dnode_hold_impl() now takes a "slots" parameter.
When the DNODE_MUST_BE_FREE flag is set, this parameter is used to
ensure the hole at the specified object offset is large enough to
hold the dnode being created. The slots parameter is also used
to ensure a dnode does not span multiple dnode blocks. In both of
these cases, if a failure occurs, ENOSPC is returned. Keep in mind,
these failure cases are only possible when using DNODE_MUST_BE_FREE.
If the DNODE_MUST_BE_ALLOCATED flag is set, "slots" must be 0.
dnode_hold_impl() will check if the requested dnode is already
consumed as an extra dnode slot by an large dnode, in which case
it returns ENOENT.
* The function dmu_object_alloc() advances to the next dnode block
if dnode_hold_impl() returns an error for a requested object.
This is because the beginning of the next dnode block is the only
location it can safely assume to either be a hole or a valid
starting point for a dnode.
* dnode_next_offset_level() and other functions that iterate
through dnode blocks may no longer use a simple array indexing
scheme. These now use the current dnode's dn_num_slots field to
advance to the next dnode in the block. This is to ensure we
properly skip the current dnode's bonus area and don't interpret it
as a valid dnode.
zdb
---
The zdb command was updated to display a dnode's size under the
"dnsize" column when the object is dumped.
For ZIL create log records, zdb will now display the slot count for
the object.
ztest
-----
Ztest chooses a random dnodesize for every newly created object. The
random distribution is more heavily weighted toward small dnodes to
better simulate real-world datasets.
Unused bonus buffer space is filled with non-zero values computed from
the object number, dataset id, offset, and generation number. This
helps ensure that the dnode traversal code properly skips the interior
regions of large dnodes, and that these interior regions are not
overwritten by data belonging to other dnodes. A new test visits each
object in a dataset. It verifies that the actual dnode size matches what
was stored in the ztest block tag when it was created. It also verifies
that the unused bonus buffer space is filled with the expected data
patterns.
ZFS Test Suite
--------------
Added six new large dnode-specific tests, and integrated the dnodesize
property into existing tests for zfs allow and send/recv.
Send/Receive
------------
ZFS send streams for datasets containing large dnodes cannot be received
on pools that don't support the large_dnode feature. A send stream with
large dnodes sets a DMU_BACKUP_FEATURE_LARGE_DNODE flag which will be
unrecognized by an incompatible receiving pool so that the zfs receive
will fail gracefully.
While not implemented here, it may be possible to generate a
backward-compatible send stream from a dataset containing large
dnodes. The implementation may be tricky, however, because the send
object record for a large dnode would need to be resized to a 512
byte dnode, possibly kicking in a spill block in the process. This
means we would need to construct a new SA layout and possibly
register it in the SA layout object. The SA layout is normally just
sent as an ordinary object record. But if we are constructing new
layouts while generating the send stream we'd have to build the SA
layout object dynamically and send it at the end of the stream.
For sending and receiving between pools that do support large dnodes,
the drr_object send record type is extended with a new field to store
the dnode slot count. This field was repurposed from unused padding
in the structure.
ZIL Replay
----------
The dnode slot count is stored in the uppermost 8 bits of the lr_foid
field. The bits were unused as the object id is currently capped at
48 bits.
Resizing Dnodes
---------------
It should be possible to resize a dnode when it is dirtied if the
current dnodesize dataset property differs from the dnode's size, but
this functionality is not currently implemented. Clearly a dnode can
only grow if there are sufficient contiguous unused slots in the
dnode block, but it should always be possible to shrink a dnode.
Growing dnodes may be useful to reduce fragmentation in a pool with
many spill blocks in use. Shrinking dnodes may be useful to allow
sending a dataset to a pool that doesn't support the large_dnode
feature.
Feature Reference Counting
--------------------------
The reference count for the large_dnode pool feature tracks the
number of datasets that have ever contained a dnode of size larger
than 512 bytes. The first time a large dnode is created in a dataset
the dataset is converted to an extensible dataset. This is a one-way
operation and the only way to decrement the feature count is to
destroy the dataset, even if the dataset no longer contains any large
dnodes. The complexity of reference counting on a per-dnode basis was
too high, so we chose to track it on a per-dataset basis similarly to
the large_block feature.
Signed-off-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #3542
2016-03-17 04:25:34 +03:00
|
|
|
os->os_dnodesize = DNODE_MIN_SIZE;
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
2015-04-02 06:44:32 +03:00
|
|
|
if (ds == NULL || !ds->ds_is_snapshot)
|
2010-08-27 01:24:34 +04:00
|
|
|
os->os_zil_header = os->os_phys->os_zil_header;
|
2010-05-29 00:45:14 +04:00
|
|
|
os->os_zil = zil_alloc(os, &os->os_zil_header);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
for (i = 0; i < TXG_SIZE; i++) {
|
2017-03-21 04:36:00 +03:00
|
|
|
os->os_dirty_dnodes[i] = multilist_create(sizeof (dnode_t),
|
|
|
|
offsetof(dnode_t, dn_dirty_link[i]),
|
|
|
|
dnode_multilist_index_func);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
2010-05-29 00:45:14 +04:00
|
|
|
list_create(&os->os_dnodes, sizeof (dnode_t),
|
2008-11-20 23:01:55 +03:00
|
|
|
offsetof(dnode_t, dn_link));
|
2010-05-29 00:45:14 +04:00
|
|
|
list_create(&os->os_downgraded_dbufs, sizeof (dmu_buf_impl_t),
|
2008-11-20 23:01:55 +03:00
|
|
|
offsetof(dmu_buf_impl_t, db_link));
|
|
|
|
|
2015-04-02 06:44:32 +03:00
|
|
|
list_link_init(&os->os_evicting_node);
|
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
mutex_init(&os->os_lock, NULL, MUTEX_DEFAULT, NULL);
|
2017-03-21 04:36:00 +03:00
|
|
|
mutex_init(&os->os_userused_lock, NULL, MUTEX_DEFAULT, NULL);
|
2010-05-29 00:45:14 +04:00
|
|
|
mutex_init(&os->os_obj_lock, NULL, MUTEX_DEFAULT, NULL);
|
|
|
|
mutex_init(&os->os_user_ptr_lock, NULL, MUTEX_DEFAULT, NULL);
|
OpenZFS 8199 - multi-threaded dmu_object_alloc()
dmu_object_alloc() is single-threaded, so when multiple threads are
creating files in a single filesystem, they spend a lot of time waiting
for the os_obj_lock. To improve performance of multi-threaded file
creation, we must make dmu_object_alloc() typically not grab any
filesystem-wide locks.
The solution is to have a "next object to allocate" for each CPU. Each
of these "next object"s is in a different block of the dnode object, so
that concurrent allocation holds dnodes in different dbufs. When a
thread's "next object" reaches the end of a chunk of objects (by default
4 blocks worth -- 128 dnodes), it will be reset to the per-objset
os_obj_next, which will be increased by a chunk of objects (128). Only
when manipulating the os_obj_next will we need to grab the os_obj_lock.
This decreases lock contention dramatically, because each thread only
needs to grab the os_obj_lock briefly, once per 128 allocations.
This results in a 70% performance improvement to multi-threaded object
creation (where each thread is creating objects in its own directory),
from 67,000/sec to 115,000/sec, with 8 CPUs.
Work sponsored by Intel Corp.
Authored by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Ned Bass <bass6@llnl.gov>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Ported-by: Matthew Ahrens <mahrens@delphix.com>
Signed-off-by: Matthew Ahrens <mahrens@delphix.com>
OpenZFS-issue: https://www.illumos.org/issues/8199
OpenZFS-commit: https://github.com/openzfs/openzfs/pull/374
Closes #4703
Closes #6117
2016-05-13 07:16:36 +03:00
|
|
|
os->os_obj_next_percpu_len = boot_ncpus;
|
|
|
|
os->os_obj_next_percpu = kmem_zalloc(os->os_obj_next_percpu_len *
|
|
|
|
sizeof (os->os_obj_next_percpu[0]), KM_SLEEP);
|
2010-05-29 00:45:14 +04:00
|
|
|
|
2015-04-02 06:44:32 +03:00
|
|
|
dnode_special_open(os, &os->os_phys->os_meta_dnode,
|
|
|
|
DMU_META_DNODE_OBJECT, &os->os_meta_dnode);
|
2010-05-29 00:45:14 +04:00
|
|
|
if (arc_buf_size(os->os_phys_buf) >= sizeof (objset_phys_t)) {
|
2015-04-02 06:44:32 +03:00
|
|
|
dnode_special_open(os, &os->os_phys->os_userused_dnode,
|
|
|
|
DMU_USERUSED_OBJECT, &os->os_userused_dnode);
|
|
|
|
dnode_special_open(os, &os->os_phys->os_groupused_dnode,
|
|
|
|
DMU_GROUPUSED_OBJECT, &os->os_groupused_dnode);
|
2009-07-03 02:44:48 +04:00
|
|
|
}
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2016-10-04 21:46:10 +03:00
|
|
|
mutex_init(&os->os_upgrade_lock, NULL, MUTEX_DEFAULT, NULL);
|
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
*osp = os;
|
2008-11-20 23:01:55 +03:00
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
int
|
|
|
|
dmu_objset_from_ds(dsl_dataset_t *ds, objset_t **osp)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
int err = 0;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2016-01-07 00:22:48 +03:00
|
|
|
/*
|
|
|
|
* We shouldn't be doing anything with dsl_dataset_t's unless the
|
|
|
|
* pool_config lock is held, or the dataset is long-held.
|
|
|
|
*/
|
|
|
|
ASSERT(dsl_pool_config_held(ds->ds_dir->dd_pool) ||
|
|
|
|
dsl_dataset_long_held(ds));
|
|
|
|
|
2008-11-20 23:01:55 +03:00
|
|
|
mutex_enter(&ds->ds_opening_lock);
|
2014-06-06 01:19:08 +04:00
|
|
|
if (ds->ds_objset == NULL) {
|
|
|
|
objset_t *os;
|
2017-01-27 22:43:42 +03:00
|
|
|
rrw_enter(&ds->ds_bp_rwlock, RW_READER, FTAG);
|
2008-11-20 23:01:55 +03:00
|
|
|
err = dmu_objset_open_impl(dsl_dataset_get_spa(ds),
|
2014-06-06 01:19:08 +04:00
|
|
|
ds, dsl_dataset_get_blkptr(ds), &os);
|
2017-01-27 22:43:42 +03:00
|
|
|
rrw_exit(&ds->ds_bp_rwlock, FTAG);
|
2014-06-06 01:19:08 +04:00
|
|
|
|
|
|
|
if (err == 0) {
|
|
|
|
mutex_enter(&ds->ds_lock);
|
|
|
|
ASSERT(ds->ds_objset == NULL);
|
|
|
|
ds->ds_objset = os;
|
|
|
|
mutex_exit(&ds->ds_lock);
|
|
|
|
}
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
2014-06-06 01:19:08 +04:00
|
|
|
*osp = ds->ds_objset;
|
2008-11-20 23:01:55 +03:00
|
|
|
mutex_exit(&ds->ds_opening_lock);
|
2010-05-29 00:45:14 +04:00
|
|
|
return (err);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
/*
|
|
|
|
* Holds the pool while the objset is held. Therefore only one objset
|
|
|
|
* can be held at a time.
|
|
|
|
*/
|
2008-11-20 23:01:55 +03:00
|
|
|
int
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
dmu_objset_hold_flags(const char *name, boolean_t decrypt, void *tag,
|
|
|
|
objset_t **osp)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_pool_t *dp;
|
2010-05-29 00:45:14 +04:00
|
|
|
dsl_dataset_t *ds;
|
2008-11-20 23:01:55 +03:00
|
|
|
int err;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
ds_hold_flags_t flags = (decrypt) ? DS_HOLD_FLAG_DECRYPT : 0;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
err = dsl_pool_hold(name, tag, &dp);
|
|
|
|
if (err != 0)
|
|
|
|
return (err);
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
err = dsl_dataset_hold_flags(dp, name, flags, tag, &ds);
|
2013-09-04 16:00:57 +04:00
|
|
|
if (err != 0) {
|
|
|
|
dsl_pool_rele(dp, tag);
|
2010-05-29 00:45:14 +04:00
|
|
|
return (err);
|
2013-09-04 16:00:57 +04:00
|
|
|
}
|
2010-05-29 00:45:14 +04:00
|
|
|
|
|
|
|
err = dmu_objset_from_ds(ds, osp);
|
2013-09-04 16:00:57 +04:00
|
|
|
if (err != 0) {
|
2010-05-29 00:45:14 +04:00
|
|
|
dsl_dataset_rele(ds, tag);
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_pool_rele(dp, tag);
|
|
|
|
}
|
2010-05-29 00:45:14 +04:00
|
|
|
|
2008-11-20 23:01:55 +03:00
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
int
|
|
|
|
dmu_objset_hold(const char *name, void *tag, objset_t **osp)
|
|
|
|
{
|
|
|
|
return (dmu_objset_hold_flags(name, B_FALSE, tag, osp));
|
|
|
|
}
|
|
|
|
|
2015-05-06 19:07:55 +03:00
|
|
|
static int
|
|
|
|
dmu_objset_own_impl(dsl_dataset_t *ds, dmu_objset_type_t type,
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
boolean_t readonly, boolean_t decrypt, void *tag, objset_t **osp)
|
2015-05-06 19:07:55 +03:00
|
|
|
{
|
|
|
|
int err;
|
|
|
|
|
|
|
|
err = dmu_objset_from_ds(ds, osp);
|
|
|
|
if (err != 0) {
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
return (err);
|
2015-05-06 19:07:55 +03:00
|
|
|
} else if (type != DMU_OST_ANY && type != (*osp)->os_phys->os_type) {
|
|
|
|
return (SET_ERROR(EINVAL));
|
|
|
|
} else if (!readonly && dsl_dataset_is_snapshot(ds)) {
|
|
|
|
return (SET_ERROR(EROFS));
|
2017-11-08 22:12:59 +03:00
|
|
|
} else if (!readonly && decrypt &&
|
|
|
|
dsl_dir_incompatible_encryption_version(ds->ds_dir)) {
|
|
|
|
return (SET_ERROR(EROFS));
|
2015-05-06 19:07:55 +03:00
|
|
|
}
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
|
|
|
|
/* if we are decrypting, we can now check MACs in os->os_phys_buf */
|
|
|
|
if (decrypt && arc_is_unauthenticated((*osp)->os_phys_buf)) {
|
|
|
|
err = arc_untransform((*osp)->os_phys_buf, (*osp)->os_spa,
|
|
|
|
ds->ds_object, B_FALSE);
|
|
|
|
if (err != 0)
|
|
|
|
return (err);
|
|
|
|
|
|
|
|
ASSERT0(arc_is_unauthenticated((*osp)->os_phys_buf));
|
|
|
|
}
|
|
|
|
|
|
|
|
return (0);
|
2015-05-06 19:07:55 +03:00
|
|
|
}
|
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
/*
|
|
|
|
* dsl_pool must not be held when this is called.
|
|
|
|
* Upon successful return, there will be a longhold on the dataset,
|
|
|
|
* and the dsl_pool will not be held.
|
|
|
|
*/
|
2008-11-20 23:01:55 +03:00
|
|
|
int
|
2010-05-29 00:45:14 +04:00
|
|
|
dmu_objset_own(const char *name, dmu_objset_type_t type,
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
boolean_t readonly, boolean_t decrypt, void *tag, objset_t **osp)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_pool_t *dp;
|
2008-11-20 23:01:55 +03:00
|
|
|
dsl_dataset_t *ds;
|
|
|
|
int err;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
ds_hold_flags_t flags = (decrypt) ? DS_HOLD_FLAG_DECRYPT : 0;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
err = dsl_pool_hold(name, FTAG, &dp);
|
|
|
|
if (err != 0)
|
|
|
|
return (err);
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
err = dsl_dataset_own(dp, name, flags, tag, &ds);
|
2013-09-04 16:00:57 +04:00
|
|
|
if (err != 0) {
|
|
|
|
dsl_pool_rele(dp, FTAG);
|
2008-11-20 23:01:55 +03:00
|
|
|
return (err);
|
2013-09-04 16:00:57 +04:00
|
|
|
}
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
err = dmu_objset_own_impl(ds, type, readonly, decrypt, tag, osp);
|
|
|
|
if (err != 0) {
|
|
|
|
dsl_dataset_disown(ds, flags, tag);
|
|
|
|
dsl_pool_rele(dp, FTAG);
|
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
2017-09-12 23:15:11 +03:00
|
|
|
/* user accounting requires the dataset to be decrypted */
|
|
|
|
if (dmu_objset_userobjspace_upgradable(*osp) &&
|
|
|
|
(ds->ds_dir->dd_crypto_obj == 0 || decrypt))
|
2016-10-04 21:46:10 +03:00
|
|
|
dmu_objset_userobjspace_upgrade(*osp);
|
|
|
|
|
2017-11-11 00:37:10 +03:00
|
|
|
dsl_pool_rele(dp, FTAG);
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
return (0);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
2015-05-06 19:07:55 +03:00
|
|
|
int
|
|
|
|
dmu_objset_own_obj(dsl_pool_t *dp, uint64_t obj, dmu_objset_type_t type,
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
boolean_t readonly, boolean_t decrypt, void *tag, objset_t **osp)
|
2015-05-06 19:07:55 +03:00
|
|
|
{
|
|
|
|
dsl_dataset_t *ds;
|
|
|
|
int err;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
ds_hold_flags_t flags = (decrypt) ? DS_HOLD_FLAG_DECRYPT : 0;
|
2015-05-06 19:07:55 +03:00
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
err = dsl_dataset_own_obj(dp, obj, flags, tag, &ds);
|
2015-05-06 19:07:55 +03:00
|
|
|
if (err != 0)
|
|
|
|
return (err);
|
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
err = dmu_objset_own_impl(ds, type, readonly, decrypt, tag, osp);
|
|
|
|
if (err != 0) {
|
|
|
|
dsl_dataset_disown(ds, flags, tag);
|
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
|
|
|
return (0);
|
2015-05-06 19:07:55 +03:00
|
|
|
}
|
|
|
|
|
2008-11-20 23:01:55 +03:00
|
|
|
void
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
dmu_objset_rele_flags(objset_t *os, boolean_t decrypt, void *tag)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
ds_hold_flags_t flags = (decrypt) ? DS_HOLD_FLAG_DECRYPT : 0;
|
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_pool_t *dp = dmu_objset_pool(os);
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
dsl_dataset_rele_flags(os->os_dsl_dataset, flags, tag);
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_pool_rele(dp, tag);
|
2010-05-29 00:45:14 +04:00
|
|
|
}
|
2008-12-03 23:09:06 +03:00
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
void
|
|
|
|
dmu_objset_rele(objset_t *os, void *tag)
|
|
|
|
{
|
|
|
|
dmu_objset_rele_flags(os, B_FALSE, tag);
|
|
|
|
}
|
|
|
|
|
2013-07-27 21:50:07 +04:00
|
|
|
/*
|
|
|
|
* When we are called, os MUST refer to an objset associated with a dataset
|
|
|
|
* that is owned by 'tag'; that is, is held and long held by 'tag' and ds_owner
|
|
|
|
* == tag. We will then release and reacquire ownership of the dataset while
|
|
|
|
* holding the pool config_rwlock to avoid intervening namespace or ownership
|
|
|
|
* changes may occur.
|
|
|
|
*
|
|
|
|
* This exists solely to accommodate zfs_ioc_userspace_upgrade()'s desire to
|
|
|
|
* release the hold on its dataset and acquire a new one on the dataset of the
|
|
|
|
* same name so that it can be partially torn down and reconstructed.
|
|
|
|
*/
|
|
|
|
void
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
dmu_objset_refresh_ownership(objset_t *os, boolean_t decrypt, void *tag)
|
2013-07-27 21:50:07 +04:00
|
|
|
{
|
|
|
|
dsl_pool_t *dp;
|
|
|
|
dsl_dataset_t *ds, *newds;
|
2016-06-16 00:28:36 +03:00
|
|
|
char name[ZFS_MAX_DATASET_NAME_LEN];
|
2013-07-27 21:50:07 +04:00
|
|
|
|
|
|
|
ds = os->os_dsl_dataset;
|
|
|
|
VERIFY3P(ds, !=, NULL);
|
|
|
|
VERIFY3P(ds->ds_owner, ==, tag);
|
|
|
|
VERIFY(dsl_dataset_long_held(ds));
|
|
|
|
|
|
|
|
dsl_dataset_name(ds, name);
|
|
|
|
dp = dmu_objset_pool(os);
|
|
|
|
dsl_pool_config_enter(dp, FTAG);
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
dmu_objset_disown(os, decrypt, tag);
|
|
|
|
VERIFY0(dsl_dataset_own(dp, name,
|
|
|
|
(decrypt) ? DS_HOLD_FLAG_DECRYPT : 0, tag, &newds));
|
2013-07-27 21:50:07 +04:00
|
|
|
VERIFY3P(newds, ==, os->os_dsl_dataset);
|
|
|
|
dsl_pool_config_exit(dp, FTAG);
|
|
|
|
}
|
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
void
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
dmu_objset_disown(objset_t *os, boolean_t decrypt, void *tag)
|
2010-05-29 00:45:14 +04:00
|
|
|
{
|
2016-10-04 21:46:10 +03:00
|
|
|
/*
|
|
|
|
* Stop upgrading thread
|
|
|
|
*/
|
|
|
|
dmu_objset_upgrade_stop(os);
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
dsl_dataset_disown(os->os_dsl_dataset,
|
|
|
|
(decrypt) ? DS_HOLD_FLAG_DECRYPT : 0, tag);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
void
|
2008-11-20 23:01:55 +03:00
|
|
|
dmu_objset_evict_dbufs(objset_t *os)
|
|
|
|
{
|
2015-04-02 06:44:32 +03:00
|
|
|
dnode_t *dn_marker;
|
2008-11-20 23:01:55 +03:00
|
|
|
dnode_t *dn;
|
|
|
|
|
2015-04-02 06:44:32 +03:00
|
|
|
dn_marker = kmem_alloc(sizeof (dnode_t), KM_SLEEP);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2015-04-02 06:44:32 +03:00
|
|
|
mutex_enter(&os->os_lock);
|
|
|
|
dn = list_head(&os->os_dnodes);
|
|
|
|
while (dn != NULL) {
|
|
|
|
/*
|
|
|
|
* Skip dnodes without holds. We have to do this dance
|
|
|
|
* because dnode_add_ref() only works if there is already a
|
|
|
|
* hold. If the dnode has no holds, then it has no dbufs.
|
|
|
|
*/
|
|
|
|
if (dnode_add_ref(dn, FTAG)) {
|
|
|
|
list_insert_after(&os->os_dnodes, dn, dn_marker);
|
|
|
|
mutex_exit(&os->os_lock);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2015-04-02 06:44:32 +03:00
|
|
|
dnode_evict_dbufs(dn);
|
|
|
|
dnode_rele(dn, FTAG);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2015-04-02 06:44:32 +03:00
|
|
|
mutex_enter(&os->os_lock);
|
|
|
|
dn = list_next(&os->os_dnodes, dn_marker);
|
|
|
|
list_remove(&os->os_dnodes, dn_marker);
|
|
|
|
} else {
|
|
|
|
dn = list_next(&os->os_dnodes, dn);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
mutex_exit(&os->os_lock);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2015-04-02 06:44:32 +03:00
|
|
|
kmem_free(dn_marker, sizeof (dnode_t));
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2015-04-02 06:44:32 +03:00
|
|
|
if (DMU_USERUSED_DNODE(os) != NULL) {
|
|
|
|
dnode_evict_dbufs(DMU_GROUPUSED_DNODE(os));
|
|
|
|
dnode_evict_dbufs(DMU_USERUSED_DNODE(os));
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
2015-04-02 06:44:32 +03:00
|
|
|
dnode_evict_dbufs(DMU_META_DNODE(os));
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
2015-04-02 06:44:32 +03:00
|
|
|
/*
|
|
|
|
* Objset eviction processing is split into into two pieces.
|
|
|
|
* The first marks the objset as evicting, evicts any dbufs that
|
|
|
|
* have a refcount of zero, and then queues up the objset for the
|
|
|
|
* second phase of eviction. Once os->os_dnodes has been cleared by
|
|
|
|
* dnode_buf_pageout()->dnode_destroy(), the second phase is executed.
|
|
|
|
* The second phase closes the special dnodes, dequeues the objset from
|
|
|
|
* the list of those undergoing eviction, and finally frees the objset.
|
|
|
|
*
|
|
|
|
* NOTE: Due to asynchronous eviction processing (invocation of
|
|
|
|
* dnode_buf_pageout()), it is possible for the meta dnode for the
|
|
|
|
* objset to have no holds even though os->os_dnodes is not empty.
|
|
|
|
*/
|
2008-11-20 23:01:55 +03:00
|
|
|
void
|
2010-05-29 00:45:14 +04:00
|
|
|
dmu_objset_evict(objset_t *os)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
2013-08-28 15:45:09 +04:00
|
|
|
dsl_dataset_t *ds = os->os_dsl_dataset;
|
|
|
|
|
2017-11-04 23:25:13 +03:00
|
|
|
for (int t = 0; t < TXG_SIZE; t++)
|
2010-05-29 00:45:14 +04:00
|
|
|
ASSERT(!dmu_objset_is_dirty(os, t));
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2015-11-05 02:00:58 +03:00
|
|
|
if (ds)
|
|
|
|
dsl_prop_unregister_all(ds, os);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
if (os->os_sa)
|
|
|
|
sa_tear_down(os);
|
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
dmu_objset_evict_dbufs(os);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2015-04-02 06:44:32 +03:00
|
|
|
mutex_enter(&os->os_lock);
|
|
|
|
spa_evicting_os_register(os->os_spa, os);
|
|
|
|
if (list_is_empty(&os->os_dnodes)) {
|
|
|
|
mutex_exit(&os->os_lock);
|
|
|
|
dmu_objset_evict_done(os);
|
|
|
|
} else {
|
|
|
|
mutex_exit(&os->os_lock);
|
|
|
|
}
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
|
|
|
|
|
2015-04-02 06:44:32 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
dmu_objset_evict_done(objset_t *os)
|
|
|
|
{
|
|
|
|
ASSERT3P(list_head(&os->os_dnodes), ==, NULL);
|
|
|
|
|
2010-08-27 01:24:34 +04:00
|
|
|
dnode_special_close(&os->os_meta_dnode);
|
|
|
|
if (DMU_USERUSED_DNODE(os)) {
|
|
|
|
dnode_special_close(&os->os_userused_dnode);
|
|
|
|
dnode_special_close(&os->os_groupused_dnode);
|
2009-07-03 02:44:48 +04:00
|
|
|
}
|
2010-05-29 00:45:14 +04:00
|
|
|
zil_free(os->os_zil);
|
|
|
|
|
2016-06-02 07:04:53 +03:00
|
|
|
arc_buf_destroy(os->os_phys_buf, &os->os_phys_buf);
|
2010-08-27 01:24:34 +04:00
|
|
|
|
|
|
|
/*
|
|
|
|
* This is a barrier to prevent the objset from going away in
|
|
|
|
* dnode_move() until we can safely ensure that the objset is still in
|
|
|
|
* use. We consider the objset valid before the barrier and invalid
|
|
|
|
* after the barrier.
|
|
|
|
*/
|
|
|
|
rw_enter(&os_lock, RW_READER);
|
|
|
|
rw_exit(&os_lock);
|
|
|
|
|
OpenZFS 8199 - multi-threaded dmu_object_alloc()
dmu_object_alloc() is single-threaded, so when multiple threads are
creating files in a single filesystem, they spend a lot of time waiting
for the os_obj_lock. To improve performance of multi-threaded file
creation, we must make dmu_object_alloc() typically not grab any
filesystem-wide locks.
The solution is to have a "next object to allocate" for each CPU. Each
of these "next object"s is in a different block of the dnode object, so
that concurrent allocation holds dnodes in different dbufs. When a
thread's "next object" reaches the end of a chunk of objects (by default
4 blocks worth -- 128 dnodes), it will be reset to the per-objset
os_obj_next, which will be increased by a chunk of objects (128). Only
when manipulating the os_obj_next will we need to grab the os_obj_lock.
This decreases lock contention dramatically, because each thread only
needs to grab the os_obj_lock briefly, once per 128 allocations.
This results in a 70% performance improvement to multi-threaded object
creation (where each thread is creating objects in its own directory),
from 67,000/sec to 115,000/sec, with 8 CPUs.
Work sponsored by Intel Corp.
Authored by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Ned Bass <bass6@llnl.gov>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Ported-by: Matthew Ahrens <mahrens@delphix.com>
Signed-off-by: Matthew Ahrens <mahrens@delphix.com>
OpenZFS-issue: https://www.illumos.org/issues/8199
OpenZFS-commit: https://github.com/openzfs/openzfs/pull/374
Closes #4703
Closes #6117
2016-05-13 07:16:36 +03:00
|
|
|
kmem_free(os->os_obj_next_percpu,
|
|
|
|
os->os_obj_next_percpu_len * sizeof (os->os_obj_next_percpu[0]));
|
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
mutex_destroy(&os->os_lock);
|
2017-03-21 04:36:00 +03:00
|
|
|
mutex_destroy(&os->os_userused_lock);
|
2010-05-29 00:45:14 +04:00
|
|
|
mutex_destroy(&os->os_obj_lock);
|
|
|
|
mutex_destroy(&os->os_user_ptr_lock);
|
2016-11-26 23:30:44 +03:00
|
|
|
mutex_destroy(&os->os_upgrade_lock);
|
2017-03-21 04:36:00 +03:00
|
|
|
for (int i = 0; i < TXG_SIZE; i++) {
|
|
|
|
multilist_destroy(os->os_dirty_dnodes[i]);
|
|
|
|
}
|
2015-04-02 06:44:32 +03:00
|
|
|
spa_evicting_os_deregister(os->os_spa, os);
|
2010-05-29 00:45:14 +04:00
|
|
|
kmem_free(os, sizeof (objset_t));
|
|
|
|
}
|
2009-07-03 02:44:48 +04:00
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
timestruc_t
|
|
|
|
dmu_objset_snap_cmtime(objset_t *os)
|
|
|
|
{
|
|
|
|
return (dsl_dir_snap_cmtime(os->os_dsl_dataset->ds_dir));
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
objset_t *
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
dmu_objset_create_impl_dnstats(spa_t *spa, dsl_dataset_t *ds, blkptr_t *bp,
|
|
|
|
dmu_objset_type_t type, int levels, int blksz, int ibs, dmu_tx_t *tx)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
objset_t *os;
|
2008-11-20 23:01:55 +03:00
|
|
|
dnode_t *mdn;
|
|
|
|
|
|
|
|
ASSERT(dmu_tx_is_syncing(tx));
|
2013-09-04 16:00:57 +04:00
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
if (blksz == 0)
|
|
|
|
blksz = DNODE_BLOCK_SIZE;
|
2017-09-12 23:15:11 +03:00
|
|
|
if (ibs == 0)
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
ibs = DN_MAX_INDBLKSHIFT;
|
|
|
|
|
2010-08-27 01:24:34 +04:00
|
|
|
if (ds != NULL)
|
2013-09-04 16:00:57 +04:00
|
|
|
VERIFY0(dmu_objset_from_ds(ds, &os));
|
2010-08-27 01:24:34 +04:00
|
|
|
else
|
2013-09-04 16:00:57 +04:00
|
|
|
VERIFY0(dmu_objset_open_impl(spa, NULL, bp, &os));
|
2010-08-27 01:24:34 +04:00
|
|
|
|
|
|
|
mdn = DMU_META_DNODE(os);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
dnode_allocate(mdn, DMU_OT_DNODE, blksz, ibs, DMU_OT_NONE, 0,
|
|
|
|
DNODE_MIN_SLOTS, tx);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
/*
|
|
|
|
* We don't want to have to increase the meta-dnode's nlevels
|
|
|
|
* later, because then we could do it in quescing context while
|
|
|
|
* we are also accessing it in open context.
|
|
|
|
*
|
|
|
|
* This precaution is not necessary for the MOS (ds == NULL),
|
|
|
|
* because the MOS is only updated in syncing context.
|
|
|
|
* This is most fortunate: the MOS is the only objset that
|
|
|
|
* needs to be synced multiple times as spa_sync() iterates
|
|
|
|
* to convergence, so minimizing its dn_nlevels matters.
|
|
|
|
*/
|
|
|
|
if (ds != NULL) {
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
if (levels == 0) {
|
|
|
|
levels = 1;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Determine the number of levels necessary for the
|
|
|
|
* meta-dnode to contain DN_MAX_OBJECT dnodes. Note
|
|
|
|
* that in order to ensure that we do not overflow
|
|
|
|
* 64 bits, there has to be a nlevels that gives us a
|
|
|
|
* number of blocks > DN_MAX_OBJECT but < 2^64.
|
|
|
|
* Therefore, (mdn->dn_indblkshift - SPA_BLKPTRSHIFT)
|
|
|
|
* (10) must be less than (64 - log2(DN_MAX_OBJECT))
|
|
|
|
* (16).
|
|
|
|
*/
|
|
|
|
while ((uint64_t)mdn->dn_nblkptr <<
|
|
|
|
(mdn->dn_datablkshift - DNODE_SHIFT + (levels - 1) *
|
|
|
|
(mdn->dn_indblkshift - SPA_BLKPTRSHIFT)) <
|
|
|
|
DN_MAX_OBJECT)
|
|
|
|
levels++;
|
|
|
|
}
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
mdn->dn_next_nlevels[tx->tx_txg & TXG_MASK] =
|
|
|
|
mdn->dn_nlevels = levels;
|
|
|
|
}
|
|
|
|
|
|
|
|
ASSERT(type != DMU_OST_NONE);
|
|
|
|
ASSERT(type != DMU_OST_ANY);
|
|
|
|
ASSERT(type < DMU_OST_NUMTYPES);
|
2010-05-29 00:45:14 +04:00
|
|
|
os->os_phys->os_type = type;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Enable user accounting if it is enabled and this is not an
|
|
|
|
* encrypted receive.
|
|
|
|
*/
|
|
|
|
if (dmu_objset_userused_enabled(os) &&
|
|
|
|
(!os->os_encrypted || !dmu_objset_is_receiving(os))) {
|
2010-05-29 00:45:14 +04:00
|
|
|
os->os_phys->os_flags |= OBJSET_FLAG_USERACCOUNTING_COMPLETE;
|
2016-10-04 21:46:10 +03:00
|
|
|
if (dmu_objset_userobjused_enabled(os)) {
|
|
|
|
ds->ds_feature_activation_needed[
|
|
|
|
SPA_FEATURE_USEROBJ_ACCOUNTING] = B_TRUE;
|
|
|
|
os->os_phys->os_flags |=
|
|
|
|
OBJSET_FLAG_USEROBJACCOUNTING_COMPLETE;
|
|
|
|
}
|
2010-05-29 00:45:14 +04:00
|
|
|
os->os_flags = os->os_phys->os_flags;
|
2009-07-03 02:44:48 +04:00
|
|
|
}
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
dsl_dataset_dirty(ds, tx);
|
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
return (os);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
/* called from dsl for meta-objset */
|
|
|
|
objset_t *
|
|
|
|
dmu_objset_create_impl(spa_t *spa, dsl_dataset_t *ds, blkptr_t *bp,
|
|
|
|
dmu_objset_type_t type, dmu_tx_t *tx)
|
|
|
|
{
|
|
|
|
return (dmu_objset_create_impl_dnstats(spa, ds, bp, type, 0, 0, 0, tx));
|
|
|
|
}
|
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
typedef struct dmu_objset_create_arg {
|
|
|
|
const char *doca_name;
|
|
|
|
cred_t *doca_cred;
|
|
|
|
void (*doca_userfunc)(objset_t *os, void *arg,
|
|
|
|
cred_t *cr, dmu_tx_t *tx);
|
|
|
|
void *doca_userarg;
|
|
|
|
dmu_objset_type_t doca_type;
|
|
|
|
uint64_t doca_flags;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
dsl_crypto_params_t *doca_dcp;
|
2013-09-04 16:00:57 +04:00
|
|
|
} dmu_objset_create_arg_t;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
/*ARGSUSED*/
|
|
|
|
static int
|
2013-09-04 16:00:57 +04:00
|
|
|
dmu_objset_create_check(void *arg, dmu_tx_t *tx)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
2013-09-04 16:00:57 +04:00
|
|
|
dmu_objset_create_arg_t *doca = arg;
|
|
|
|
dsl_pool_t *dp = dmu_tx_pool(tx);
|
|
|
|
dsl_dir_t *pdd;
|
|
|
|
const char *tail;
|
|
|
|
int error;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
if (strchr(doca->doca_name, '@') != NULL)
|
2013-03-08 22:41:28 +04:00
|
|
|
return (SET_ERROR(EINVAL));
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2016-06-16 00:28:36 +03:00
|
|
|
if (strlen(doca->doca_name) >= ZFS_MAX_DATASET_NAME_LEN)
|
|
|
|
return (SET_ERROR(ENAMETOOLONG));
|
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
error = dsl_dir_hold(dp, doca->doca_name, FTAG, &pdd, &tail);
|
|
|
|
if (error != 0)
|
|
|
|
return (error);
|
|
|
|
if (tail == NULL) {
|
|
|
|
dsl_dir_rele(pdd, FTAG);
|
2013-03-08 22:41:28 +04:00
|
|
|
return (SET_ERROR(EEXIST));
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
|
|
|
|
error = dmu_objset_create_crypt_check(pdd, doca->doca_dcp);
|
|
|
|
if (error != 0) {
|
|
|
|
dsl_dir_rele(pdd, FTAG);
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
2015-04-01 16:07:48 +03:00
|
|
|
error = dsl_fs_ss_limit_check(pdd, 1, ZFS_PROP_FILESYSTEM_LIMIT, NULL,
|
|
|
|
doca->doca_cred);
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_dir_rele(pdd, FTAG);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2015-04-01 16:07:48 +03:00
|
|
|
return (error);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
2013-09-04 16:00:57 +04:00
|
|
|
dmu_objset_create_sync(void *arg, dmu_tx_t *tx)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
2013-09-04 16:00:57 +04:00
|
|
|
dmu_objset_create_arg_t *doca = arg;
|
|
|
|
dsl_pool_t *dp = dmu_tx_pool(tx);
|
|
|
|
dsl_dir_t *pdd;
|
|
|
|
const char *tail;
|
2013-08-28 15:45:09 +04:00
|
|
|
dsl_dataset_t *ds;
|
2013-09-04 16:00:57 +04:00
|
|
|
uint64_t obj;
|
2013-08-28 15:45:09 +04:00
|
|
|
blkptr_t *bp;
|
2013-09-04 16:00:57 +04:00
|
|
|
objset_t *os;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
zio_t *rzio;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
VERIFY0(dsl_dir_hold(dp, doca->doca_name, FTAG, &pdd, &tail));
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
obj = dsl_dataset_create_sync(pdd, tail, NULL, doca->doca_flags,
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
doca->doca_cred, doca->doca_dcp, tx);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
VERIFY0(dsl_dataset_hold_obj_flags(pdd->dd_pool, obj,
|
|
|
|
DS_HOLD_FLAG_DECRYPT, FTAG, &ds));
|
2017-01-27 22:43:42 +03:00
|
|
|
rrw_enter(&ds->ds_bp_rwlock, RW_READER, FTAG);
|
2013-08-28 15:45:09 +04:00
|
|
|
bp = dsl_dataset_get_blkptr(ds);
|
2013-09-04 16:00:57 +04:00
|
|
|
os = dmu_objset_create_impl(pdd->dd_pool->dp_spa,
|
|
|
|
ds, bp, doca->doca_type, tx);
|
2017-01-27 22:43:42 +03:00
|
|
|
rrw_exit(&ds->ds_bp_rwlock, FTAG);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
if (doca->doca_userfunc != NULL) {
|
|
|
|
doca->doca_userfunc(os, doca->doca_userarg,
|
|
|
|
doca->doca_cred, tx);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
/*
|
2017-09-12 23:15:11 +03:00
|
|
|
* The doca_userfunc() may write out some data that needs to be
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
* encrypted if the dataset is encrypted (specifically the root
|
|
|
|
* directory). This data must be written out before the encryption
|
|
|
|
* key mapping is removed by dsl_dataset_rele_flags(). Force the
|
|
|
|
* I/O to occur immediately by invoking the relevant sections of
|
|
|
|
* dsl_pool_sync().
|
|
|
|
*/
|
|
|
|
if (os->os_encrypted) {
|
|
|
|
dsl_dataset_t *tmpds = NULL;
|
|
|
|
boolean_t need_sync_done = B_FALSE;
|
|
|
|
|
2017-09-12 23:15:11 +03:00
|
|
|
mutex_enter(&ds->ds_lock);
|
|
|
|
ds->ds_owner = FTAG;
|
|
|
|
mutex_exit(&ds->ds_lock);
|
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
rzio = zio_root(dp->dp_spa, NULL, NULL, ZIO_FLAG_MUSTSUCCEED);
|
2017-09-12 23:15:11 +03:00
|
|
|
tmpds = txg_list_remove_this(&dp->dp_dirty_datasets, ds,
|
|
|
|
tx->tx_txg);
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
if (tmpds != NULL) {
|
|
|
|
dsl_dataset_sync(ds, rzio, tx);
|
|
|
|
need_sync_done = B_TRUE;
|
|
|
|
}
|
|
|
|
VERIFY0(zio_wait(rzio));
|
|
|
|
|
|
|
|
dmu_objset_do_userquota_updates(os, tx);
|
|
|
|
taskq_wait(dp->dp_sync_taskq);
|
|
|
|
|
|
|
|
rzio = zio_root(dp->dp_spa, NULL, NULL, ZIO_FLAG_MUSTSUCCEED);
|
2017-09-12 23:15:11 +03:00
|
|
|
tmpds = txg_list_remove_this(&dp->dp_dirty_datasets, ds,
|
|
|
|
tx->tx_txg);
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
if (tmpds != NULL) {
|
|
|
|
dmu_buf_rele(ds->ds_dbuf, ds);
|
|
|
|
dsl_dataset_sync(ds, rzio, tx);
|
|
|
|
}
|
|
|
|
VERIFY0(zio_wait(rzio));
|
|
|
|
|
|
|
|
if (need_sync_done)
|
|
|
|
dsl_dataset_sync_done(ds, tx);
|
2017-09-12 23:15:11 +03:00
|
|
|
|
|
|
|
mutex_enter(&ds->ds_lock);
|
|
|
|
ds->ds_owner = NULL;
|
|
|
|
mutex_exit(&ds->ds_lock);
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
}
|
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
spa_history_log_internal_ds(ds, "create", tx, "");
|
2014-03-22 13:07:14 +04:00
|
|
|
zvol_create_minors(dp->dp_spa, doca->doca_name, B_TRUE);
|
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
dsl_dataset_rele_flags(ds, DS_HOLD_FLAG_DECRYPT, FTAG);
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_dir_rele(pdd, FTAG);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
int
|
2010-05-29 00:45:14 +04:00
|
|
|
dmu_objset_create(const char *name, dmu_objset_type_t type, uint64_t flags,
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
dsl_crypto_params_t *dcp, dmu_objset_create_sync_func_t func, void *arg)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
2013-09-04 16:00:57 +04:00
|
|
|
dmu_objset_create_arg_t doca;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
dsl_crypto_params_t tmp_dcp = { 0 };
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
doca.doca_name = name;
|
|
|
|
doca.doca_cred = CRED();
|
|
|
|
doca.doca_flags = flags;
|
|
|
|
doca.doca_userfunc = func;
|
|
|
|
doca.doca_userarg = arg;
|
|
|
|
doca.doca_type = type;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
/*
|
|
|
|
* Some callers (mostly for testing) do not provide a dcp on their
|
|
|
|
* own but various code inside the sync task will require it to be
|
|
|
|
* allocated. Rather than adding NULL checks throughout this code
|
|
|
|
* or adding dummy dcp's to all of the callers we simply create a
|
|
|
|
* dummy one here and use that. This zero dcp will have the same
|
|
|
|
* effect as asking for inheritence of all encryption params.
|
|
|
|
*/
|
|
|
|
doca.doca_dcp = (dcp != NULL) ? dcp : &tmp_dcp;
|
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
return (dsl_sync_task(name,
|
2014-11-03 23:28:43 +03:00
|
|
|
dmu_objset_create_check, dmu_objset_create_sync, &doca,
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
6, ZFS_SPACE_CHECK_NORMAL));
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
typedef struct dmu_objset_clone_arg {
|
|
|
|
const char *doca_clone;
|
|
|
|
const char *doca_origin;
|
|
|
|
cred_t *doca_cred;
|
|
|
|
} dmu_objset_clone_arg_t;
|
|
|
|
|
|
|
|
/*ARGSUSED*/
|
|
|
|
static int
|
|
|
|
dmu_objset_clone_check(void *arg, dmu_tx_t *tx)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
2013-09-04 16:00:57 +04:00
|
|
|
dmu_objset_clone_arg_t *doca = arg;
|
2010-05-29 00:45:14 +04:00
|
|
|
dsl_dir_t *pdd;
|
|
|
|
const char *tail;
|
2013-09-04 16:00:57 +04:00
|
|
|
int error;
|
|
|
|
dsl_dataset_t *origin;
|
|
|
|
dsl_pool_t *dp = dmu_tx_pool(tx);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
if (strchr(doca->doca_clone, '@') != NULL)
|
2013-03-08 22:41:28 +04:00
|
|
|
return (SET_ERROR(EINVAL));
|
2013-09-04 16:00:57 +04:00
|
|
|
|
2016-06-16 00:28:36 +03:00
|
|
|
if (strlen(doca->doca_clone) >= ZFS_MAX_DATASET_NAME_LEN)
|
|
|
|
return (SET_ERROR(ENAMETOOLONG));
|
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
error = dsl_dir_hold(dp, doca->doca_clone, FTAG, &pdd, &tail);
|
|
|
|
if (error != 0)
|
|
|
|
return (error);
|
2010-05-29 00:45:14 +04:00
|
|
|
if (tail == NULL) {
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_dir_rele(pdd, FTAG);
|
2013-03-08 22:41:28 +04:00
|
|
|
return (SET_ERROR(EEXIST));
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
2015-07-11 02:45:01 +03:00
|
|
|
|
2015-04-01 16:07:48 +03:00
|
|
|
error = dsl_fs_ss_limit_check(pdd, 1, ZFS_PROP_FILESYSTEM_LIMIT, NULL,
|
|
|
|
doca->doca_cred);
|
|
|
|
if (error != 0) {
|
|
|
|
dsl_dir_rele(pdd, FTAG);
|
|
|
|
return (SET_ERROR(EDQUOT));
|
|
|
|
}
|
2010-05-29 00:45:14 +04:00
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
error = dsl_dataset_hold(dp, doca->doca_origin, FTAG, &origin);
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
if (error != 0) {
|
|
|
|
dsl_dir_rele(pdd, FTAG);
|
2010-08-27 01:24:34 +04:00
|
|
|
return (error);
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
}
|
2010-08-27 01:24:34 +04:00
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
/* You can only clone snapshots, not the head datasets. */
|
2015-04-02 06:44:32 +03:00
|
|
|
if (!origin->ds_is_snapshot) {
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_dataset_rele(origin, FTAG);
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
dsl_dir_rele(pdd, FTAG);
|
2013-03-08 22:41:28 +04:00
|
|
|
return (SET_ERROR(EINVAL));
|
2010-05-29 00:45:14 +04:00
|
|
|
}
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
|
|
|
|
error = dmu_objset_clone_crypt_check(pdd, origin->ds_dir);
|
|
|
|
if (error != 0) {
|
|
|
|
dsl_dataset_rele(origin, FTAG);
|
|
|
|
dsl_dir_rele(pdd, FTAG);
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_dataset_rele(origin, FTAG);
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
dsl_dir_rele(pdd, FTAG);
|
2010-08-27 01:24:34 +04:00
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
return (0);
|
2009-07-03 02:44:48 +04:00
|
|
|
}
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
static void
|
|
|
|
dmu_objset_clone_sync(void *arg, dmu_tx_t *tx)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
2013-09-04 16:00:57 +04:00
|
|
|
dmu_objset_clone_arg_t *doca = arg;
|
|
|
|
dsl_pool_t *dp = dmu_tx_pool(tx);
|
|
|
|
dsl_dir_t *pdd;
|
|
|
|
const char *tail;
|
|
|
|
dsl_dataset_t *origin, *ds;
|
|
|
|
uint64_t obj;
|
2016-06-16 00:28:36 +03:00
|
|
|
char namebuf[ZFS_MAX_DATASET_NAME_LEN];
|
2013-08-28 15:45:09 +04:00
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
VERIFY0(dsl_dir_hold(dp, doca->doca_clone, FTAG, &pdd, &tail));
|
|
|
|
VERIFY0(dsl_dataset_hold(dp, doca->doca_origin, FTAG, &origin));
|
2013-08-28 15:45:09 +04:00
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
obj = dsl_dataset_create_sync(pdd, tail, origin, 0,
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
doca->doca_cred, NULL, tx);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
VERIFY0(dsl_dataset_hold_obj(pdd->dd_pool, obj, FTAG, &ds));
|
|
|
|
dsl_dataset_name(origin, namebuf);
|
|
|
|
spa_history_log_internal_ds(ds, "clone", tx,
|
|
|
|
"origin=%s (%llu)", namebuf, origin->ds_object);
|
2014-03-22 13:07:14 +04:00
|
|
|
zvol_create_minors(dp->dp_spa, doca->doca_clone, B_TRUE);
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_dataset_rele(ds, FTAG);
|
|
|
|
dsl_dataset_rele(origin, FTAG);
|
|
|
|
dsl_dir_rele(pdd, FTAG);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
int
|
2013-09-04 16:00:57 +04:00
|
|
|
dmu_objset_clone(const char *clone, const char *origin)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
2013-09-04 16:00:57 +04:00
|
|
|
dmu_objset_clone_arg_t doca;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
doca.doca_clone = clone;
|
|
|
|
doca.doca_origin = origin;
|
|
|
|
doca.doca_cred = CRED();
|
2010-08-27 01:24:34 +04:00
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
return (dsl_sync_task(clone,
|
2014-11-03 23:28:43 +03:00
|
|
|
dmu_objset_clone_check, dmu_objset_clone_sync, &doca,
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
6, ZFS_SPACE_CHECK_NORMAL));
|
2013-08-28 15:45:09 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
dmu_objset_snapshot_one(const char *fsname, const char *snapname)
|
|
|
|
{
|
|
|
|
int err;
|
|
|
|
char *longsnap = kmem_asprintf("%s@%s", fsname, snapname);
|
|
|
|
nvlist_t *snaps = fnvlist_alloc();
|
|
|
|
|
|
|
|
fnvlist_add_boolean(snaps, longsnap);
|
|
|
|
strfree(longsnap);
|
2013-09-04 16:00:57 +04:00
|
|
|
err = dsl_dataset_snapshot(snaps, NULL, NULL);
|
|
|
|
fnvlist_free(snaps);
|
2013-08-28 15:45:09 +04:00
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
2016-10-04 21:46:10 +03:00
|
|
|
static void
|
|
|
|
dmu_objset_upgrade_task_cb(void *data)
|
|
|
|
{
|
|
|
|
objset_t *os = data;
|
|
|
|
|
|
|
|
mutex_enter(&os->os_upgrade_lock);
|
|
|
|
os->os_upgrade_status = EINTR;
|
|
|
|
if (!os->os_upgrade_exit) {
|
|
|
|
mutex_exit(&os->os_upgrade_lock);
|
|
|
|
|
|
|
|
os->os_upgrade_status = os->os_upgrade_cb(os);
|
|
|
|
mutex_enter(&os->os_upgrade_lock);
|
|
|
|
}
|
|
|
|
os->os_upgrade_exit = B_TRUE;
|
|
|
|
os->os_upgrade_id = 0;
|
|
|
|
mutex_exit(&os->os_upgrade_lock);
|
2017-11-11 00:37:10 +03:00
|
|
|
dsl_dataset_long_rele(dmu_objset_ds(os), upgrade_tag);
|
2016-10-04 21:46:10 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
dmu_objset_upgrade(objset_t *os, dmu_objset_upgrade_cb_t cb)
|
|
|
|
{
|
|
|
|
if (os->os_upgrade_id != 0)
|
|
|
|
return;
|
|
|
|
|
2017-11-11 00:37:10 +03:00
|
|
|
ASSERT(dsl_pool_config_held(dmu_objset_pool(os)));
|
|
|
|
dsl_dataset_long_hold(dmu_objset_ds(os), upgrade_tag);
|
|
|
|
|
2016-10-04 21:46:10 +03:00
|
|
|
mutex_enter(&os->os_upgrade_lock);
|
|
|
|
if (os->os_upgrade_id == 0 && os->os_upgrade_status == 0) {
|
|
|
|
os->os_upgrade_exit = B_FALSE;
|
|
|
|
os->os_upgrade_cb = cb;
|
|
|
|
os->os_upgrade_id = taskq_dispatch(
|
|
|
|
os->os_spa->spa_upgrade_taskq,
|
|
|
|
dmu_objset_upgrade_task_cb, os, TQ_SLEEP);
|
2017-11-11 00:37:10 +03:00
|
|
|
if (os->os_upgrade_id == TASKQID_INVALID) {
|
|
|
|
dsl_dataset_long_rele(dmu_objset_ds(os), upgrade_tag);
|
2016-10-04 21:46:10 +03:00
|
|
|
os->os_upgrade_status = ENOMEM;
|
2017-11-11 00:37:10 +03:00
|
|
|
}
|
2016-10-04 21:46:10 +03:00
|
|
|
}
|
|
|
|
mutex_exit(&os->os_upgrade_lock);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
dmu_objset_upgrade_stop(objset_t *os)
|
|
|
|
{
|
|
|
|
mutex_enter(&os->os_upgrade_lock);
|
|
|
|
os->os_upgrade_exit = B_TRUE;
|
|
|
|
if (os->os_upgrade_id != 0) {
|
|
|
|
taskqid_t id = os->os_upgrade_id;
|
|
|
|
|
|
|
|
os->os_upgrade_id = 0;
|
|
|
|
mutex_exit(&os->os_upgrade_lock);
|
|
|
|
|
2017-11-11 00:37:10 +03:00
|
|
|
if ((taskq_cancel_id(os->os_spa->spa_upgrade_taskq, id)) == 0) {
|
|
|
|
dsl_dataset_long_rele(dmu_objset_ds(os), upgrade_tag);
|
|
|
|
}
|
2017-09-12 23:15:11 +03:00
|
|
|
txg_wait_synced(os->os_spa->spa_dsl_pool, 0);
|
2016-10-04 21:46:10 +03:00
|
|
|
} else {
|
|
|
|
mutex_exit(&os->os_upgrade_lock);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2008-11-20 23:01:55 +03:00
|
|
|
static void
|
2017-03-21 04:36:00 +03:00
|
|
|
dmu_objset_sync_dnodes(multilist_sublist_t *list, dmu_tx_t *tx)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
|
|
|
dnode_t *dn;
|
|
|
|
|
2017-03-21 04:36:00 +03:00
|
|
|
while ((dn = multilist_sublist_head(list)) != NULL) {
|
2008-11-20 23:01:55 +03:00
|
|
|
ASSERT(dn->dn_object != DMU_META_DNODE_OBJECT);
|
|
|
|
ASSERT(dn->dn_dbuf->db_data_pending);
|
|
|
|
/*
|
2009-07-03 02:44:48 +04:00
|
|
|
* Initialize dn_zio outside dnode_sync() because the
|
|
|
|
* meta-dnode needs to set it ouside dnode_sync().
|
2008-11-20 23:01:55 +03:00
|
|
|
*/
|
|
|
|
dn->dn_zio = dn->dn_dbuf->db_data_pending->dr_zio;
|
|
|
|
ASSERT(dn->dn_zio);
|
|
|
|
|
|
|
|
ASSERT3U(dn->dn_nlevels, <=, DN_MAX_LEVELS);
|
2017-03-21 04:36:00 +03:00
|
|
|
multilist_sublist_remove(list, dn);
|
2009-07-03 02:44:48 +04:00
|
|
|
|
2017-03-21 04:36:00 +03:00
|
|
|
multilist_t *newlist = dn->dn_objset->os_synced_dnodes;
|
|
|
|
if (newlist != NULL) {
|
2009-07-03 02:44:48 +04:00
|
|
|
(void) dnode_add_ref(dn, newlist);
|
2017-03-21 04:36:00 +03:00
|
|
|
multilist_insert(newlist, dn);
|
2009-07-03 02:44:48 +04:00
|
|
|
}
|
|
|
|
|
2008-11-20 23:01:55 +03:00
|
|
|
dnode_sync(dn, tx);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* ARGSUSED */
|
|
|
|
static void
|
2010-05-29 00:45:14 +04:00
|
|
|
dmu_objset_write_ready(zio_t *zio, arc_buf_t *abuf, void *arg)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
2008-12-03 23:09:06 +03:00
|
|
|
blkptr_t *bp = zio->io_bp;
|
2010-05-29 00:45:14 +04:00
|
|
|
objset_t *os = arg;
|
2008-11-20 23:01:55 +03:00
|
|
|
dnode_phys_t *dnp = &os->os_phys->os_meta_dnode;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
uint64_t fill = 0;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2014-06-06 01:19:08 +04:00
|
|
|
ASSERT(!BP_IS_EMBEDDED(bp));
|
2013-09-04 16:00:57 +04:00
|
|
|
ASSERT3U(BP_GET_TYPE(bp), ==, DMU_OT_OBJSET);
|
|
|
|
ASSERT0(BP_GET_LEVEL(bp));
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
/*
|
2009-07-03 02:44:48 +04:00
|
|
|
* Update rootbp fill count: it should be the number of objects
|
|
|
|
* allocated in the object set (not counting the "special"
|
|
|
|
* objects that are stored in the objset_phys_t -- the meta
|
|
|
|
* dnode and user/group accounting objects).
|
2008-11-20 23:01:55 +03:00
|
|
|
*/
|
2017-11-04 23:25:13 +03:00
|
|
|
for (int i = 0; i < dnp->dn_nblkptr; i++)
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
fill += BP_GET_FILL(&dnp->dn_blkptr[i]);
|
|
|
|
|
|
|
|
BP_SET_FILL(bp, fill);
|
|
|
|
|
2017-01-27 22:43:42 +03:00
|
|
|
if (os->os_dsl_dataset != NULL)
|
|
|
|
rrw_enter(&os->os_dsl_dataset->ds_bp_rwlock, RW_WRITER, FTAG);
|
|
|
|
*os->os_rootbp = *bp;
|
|
|
|
if (os->os_dsl_dataset != NULL)
|
|
|
|
rrw_exit(&os->os_dsl_dataset->ds_bp_rwlock, FTAG);
|
2010-05-29 00:45:14 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
/* ARGSUSED */
|
|
|
|
static void
|
|
|
|
dmu_objset_write_done(zio_t *zio, arc_buf_t *abuf, void *arg)
|
|
|
|
{
|
|
|
|
blkptr_t *bp = zio->io_bp;
|
|
|
|
blkptr_t *bp_orig = &zio->io_bp_orig;
|
|
|
|
objset_t *os = arg;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2008-12-03 23:09:06 +03:00
|
|
|
if (zio->io_flags & ZIO_FLAG_IO_REWRITE) {
|
2010-05-29 00:45:14 +04:00
|
|
|
ASSERT(BP_EQUAL(bp, bp_orig));
|
2008-12-03 23:09:06 +03:00
|
|
|
} else {
|
2010-05-29 00:45:14 +04:00
|
|
|
dsl_dataset_t *ds = os->os_dsl_dataset;
|
|
|
|
dmu_tx_t *tx = os->os_synctx;
|
|
|
|
|
|
|
|
(void) dsl_dataset_block_kill(ds, bp_orig, tx, B_TRUE);
|
|
|
|
dsl_dataset_block_born(ds, bp, tx);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
2017-01-27 22:43:42 +03:00
|
|
|
kmem_free(bp, sizeof (*bp));
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
2017-03-21 04:36:00 +03:00
|
|
|
typedef struct sync_dnodes_arg {
|
|
|
|
multilist_t *sda_list;
|
|
|
|
int sda_sublist_idx;
|
|
|
|
multilist_t *sda_newlist;
|
|
|
|
dmu_tx_t *sda_tx;
|
|
|
|
} sync_dnodes_arg_t;
|
|
|
|
|
|
|
|
static void
|
|
|
|
sync_dnodes_task(void *arg)
|
|
|
|
{
|
|
|
|
sync_dnodes_arg_t *sda = arg;
|
|
|
|
|
|
|
|
multilist_sublist_t *ms =
|
|
|
|
multilist_sublist_lock(sda->sda_list, sda->sda_sublist_idx);
|
|
|
|
|
|
|
|
dmu_objset_sync_dnodes(ms, sda->sda_tx);
|
|
|
|
|
|
|
|
multilist_sublist_unlock(ms);
|
|
|
|
|
|
|
|
kmem_free(sda, sizeof (*sda));
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2008-11-20 23:01:55 +03:00
|
|
|
/* called from dsl */
|
|
|
|
void
|
2010-05-29 00:45:14 +04:00
|
|
|
dmu_objset_sync(objset_t *os, zio_t *pio, dmu_tx_t *tx)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
|
|
|
int txgoff;
|
2014-06-25 22:37:59 +04:00
|
|
|
zbookmark_phys_t zb;
|
2010-05-29 00:45:14 +04:00
|
|
|
zio_prop_t zp;
|
2008-11-20 23:01:55 +03:00
|
|
|
zio_t *zio;
|
|
|
|
list_t *list;
|
|
|
|
dbuf_dirty_record_t *dr;
|
2017-01-27 22:43:42 +03:00
|
|
|
blkptr_t *blkptr_copy = kmem_alloc(sizeof (*os->os_rootbp), KM_SLEEP);
|
|
|
|
*blkptr_copy = *os->os_rootbp;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
dprintf_ds(os->os_dsl_dataset, "txg=%llu\n", tx->tx_txg);
|
|
|
|
|
|
|
|
ASSERT(dmu_tx_is_syncing(tx));
|
|
|
|
/* XXX the write_done callback should really give us the tx... */
|
|
|
|
os->os_synctx = tx;
|
|
|
|
|
|
|
|
if (os->os_dsl_dataset == NULL) {
|
|
|
|
/*
|
|
|
|
* This is the MOS. If we have upgraded,
|
|
|
|
* spa_max_replication() could change, so reset
|
|
|
|
* os_copies here.
|
|
|
|
*/
|
|
|
|
os->os_copies = spa_max_replication(os->os_spa);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Create the root block IO
|
|
|
|
*/
|
2010-05-29 00:45:14 +04:00
|
|
|
SET_BOOKMARK(&zb, os->os_dsl_dataset ?
|
|
|
|
os->os_dsl_dataset->ds_object : DMU_META_OBJSET,
|
|
|
|
ZB_ROOT_OBJECT, ZB_ROOT_LEVEL, ZB_ROOT_BLKID);
|
2013-07-03 00:26:24 +04:00
|
|
|
arc_release(os->os_phys_buf, &os->os_phys_buf);
|
2008-12-03 23:09:06 +03:00
|
|
|
|
2017-03-23 19:07:27 +03:00
|
|
|
dmu_write_policy(os, NULL, 0, 0, &zp);
|
2009-07-03 02:44:48 +04:00
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
/*
|
|
|
|
* If we are either claiming the ZIL or doing a raw receive write out
|
|
|
|
* the os_phys_buf raw. Neither of these actions will effect the MAC
|
|
|
|
* at this point.
|
|
|
|
*/
|
2018-02-01 23:37:24 +03:00
|
|
|
if (os->os_next_write_raw[tx->tx_txg & TXG_MASK]) {
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
ASSERT(os->os_encrypted);
|
2018-02-01 23:37:24 +03:00
|
|
|
os->os_next_write_raw[tx->tx_txg & TXG_MASK] = B_FALSE;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
arc_convert_to_raw(os->os_phys_buf,
|
|
|
|
os->os_dsl_dataset->ds_object, ZFS_HOST_BYTEORDER,
|
|
|
|
DMU_OT_OBJSET, NULL, NULL, NULL);
|
|
|
|
}
|
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
zio = arc_write(pio, os->os_spa, tx->tx_txg,
|
2017-01-27 22:43:42 +03:00
|
|
|
blkptr_copy, os->os_phys_buf, DMU_OS_IS_L2CACHEABLE(os),
|
2016-05-15 18:02:28 +03:00
|
|
|
&zp, dmu_objset_write_ready, NULL, NULL, dmu_objset_write_done,
|
|
|
|
os, ZIO_PRIORITY_ASYNC_WRITE, ZIO_FLAG_MUSTSUCCEED, &zb);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
/*
|
2009-07-03 02:44:48 +04:00
|
|
|
* Sync special dnodes - the parent IO for the sync is the root block
|
2008-11-20 23:01:55 +03:00
|
|
|
*/
|
2010-08-27 01:24:34 +04:00
|
|
|
DMU_META_DNODE(os)->dn_zio = zio;
|
|
|
|
dnode_sync(DMU_META_DNODE(os), tx);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2009-07-03 02:44:48 +04:00
|
|
|
os->os_phys->os_flags = os->os_flags;
|
|
|
|
|
2010-08-27 01:24:34 +04:00
|
|
|
if (DMU_USERUSED_DNODE(os) &&
|
|
|
|
DMU_USERUSED_DNODE(os)->dn_type != DMU_OT_NONE) {
|
|
|
|
DMU_USERUSED_DNODE(os)->dn_zio = zio;
|
|
|
|
dnode_sync(DMU_USERUSED_DNODE(os), tx);
|
|
|
|
DMU_GROUPUSED_DNODE(os)->dn_zio = zio;
|
|
|
|
dnode_sync(DMU_GROUPUSED_DNODE(os), tx);
|
2009-07-03 02:44:48 +04:00
|
|
|
}
|
|
|
|
|
2008-11-20 23:01:55 +03:00
|
|
|
txgoff = tx->tx_txg & TXG_MASK;
|
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
if (dmu_objset_userused_enabled(os) &&
|
|
|
|
(!os->os_encrypted || !dmu_objset_is_receiving(os))) {
|
2009-07-03 02:44:48 +04:00
|
|
|
/*
|
|
|
|
* We must create the list here because it uses the
|
2017-03-21 04:36:00 +03:00
|
|
|
* dn_dirty_link[] of this txg. But it may already
|
|
|
|
* exist because we call dsl_dataset_sync() twice per txg.
|
2009-07-03 02:44:48 +04:00
|
|
|
*/
|
2017-03-21 04:36:00 +03:00
|
|
|
if (os->os_synced_dnodes == NULL) {
|
|
|
|
os->os_synced_dnodes =
|
|
|
|
multilist_create(sizeof (dnode_t),
|
|
|
|
offsetof(dnode_t, dn_dirty_link[txgoff]),
|
|
|
|
dnode_multilist_index_func);
|
|
|
|
} else {
|
|
|
|
ASSERT3U(os->os_synced_dnodes->ml_offset, ==,
|
|
|
|
offsetof(dnode_t, dn_dirty_link[txgoff]));
|
|
|
|
}
|
2009-07-03 02:44:48 +04:00
|
|
|
}
|
|
|
|
|
2017-03-21 04:36:00 +03:00
|
|
|
for (int i = 0;
|
|
|
|
i < multilist_get_num_sublists(os->os_dirty_dnodes[txgoff]); i++) {
|
|
|
|
sync_dnodes_arg_t *sda = kmem_alloc(sizeof (*sda), KM_SLEEP);
|
|
|
|
sda->sda_list = os->os_dirty_dnodes[txgoff];
|
|
|
|
sda->sda_sublist_idx = i;
|
|
|
|
sda->sda_tx = tx;
|
|
|
|
(void) taskq_dispatch(dmu_objset_pool(os)->dp_sync_taskq,
|
|
|
|
sync_dnodes_task, sda, 0);
|
|
|
|
/* callback frees sda */
|
|
|
|
}
|
|
|
|
taskq_wait(dmu_objset_pool(os)->dp_sync_taskq);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2010-08-27 01:24:34 +04:00
|
|
|
list = &DMU_META_DNODE(os)->dn_dirty_records[txgoff];
|
2017-03-21 04:36:00 +03:00
|
|
|
while ((dr = list_head(list)) != NULL) {
|
2013-09-04 16:00:57 +04:00
|
|
|
ASSERT0(dr->dr_dbuf->db_level);
|
2008-11-20 23:01:55 +03:00
|
|
|
list_remove(list, dr);
|
|
|
|
if (dr->dr_zio)
|
|
|
|
zio_nowait(dr->dr_zio);
|
|
|
|
}
|
2016-05-17 04:02:29 +03:00
|
|
|
|
|
|
|
/* Enable dnode backfill if enough objects have been freed. */
|
|
|
|
if (os->os_freed_dnodes >= dmu_rescan_dnode_threshold) {
|
|
|
|
os->os_rescan_dnodes = B_TRUE;
|
|
|
|
os->os_freed_dnodes = 0;
|
|
|
|
}
|
|
|
|
|
2008-11-20 23:01:55 +03:00
|
|
|
/*
|
|
|
|
* Free intent log blocks up to this tx.
|
|
|
|
*/
|
|
|
|
zil_sync(os->os_zil, tx);
|
2008-12-03 23:09:06 +03:00
|
|
|
os->os_phys->os_zil_header = os->os_zil_header;
|
2008-11-20 23:01:55 +03:00
|
|
|
zio_nowait(zio);
|
|
|
|
}
|
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
boolean_t
|
|
|
|
dmu_objset_is_dirty(objset_t *os, uint64_t txg)
|
|
|
|
{
|
2017-03-21 04:36:00 +03:00
|
|
|
return (!multilist_is_empty(os->os_dirty_dnodes[txg & TXG_MASK]));
|
2010-05-29 00:45:14 +04:00
|
|
|
}
|
|
|
|
|
2010-08-27 01:24:34 +04:00
|
|
|
static objset_used_cb_t *used_cbs[DMU_OST_NUMTYPES];
|
2009-07-03 02:44:48 +04:00
|
|
|
|
|
|
|
void
|
|
|
|
dmu_objset_register_type(dmu_objset_type_t ost, objset_used_cb_t *cb)
|
|
|
|
{
|
|
|
|
used_cbs[ost] = cb;
|
|
|
|
}
|
|
|
|
|
|
|
|
boolean_t
|
2010-05-29 00:45:14 +04:00
|
|
|
dmu_objset_userused_enabled(objset_t *os)
|
2009-07-03 02:44:48 +04:00
|
|
|
{
|
|
|
|
return (spa_version(os->os_spa) >= SPA_VERSION_USERSPACE &&
|
2010-08-27 01:24:34 +04:00
|
|
|
used_cbs[os->os_phys->os_type] != NULL &&
|
|
|
|
DMU_USERUSED_DNODE(os) != NULL);
|
2009-07-03 02:44:48 +04:00
|
|
|
}
|
|
|
|
|
2016-10-04 21:46:10 +03:00
|
|
|
boolean_t
|
|
|
|
dmu_objset_userobjused_enabled(objset_t *os)
|
|
|
|
{
|
|
|
|
return (dmu_objset_userused_enabled(os) &&
|
|
|
|
spa_feature_is_enabled(os->os_spa, SPA_FEATURE_USEROBJ_ACCOUNTING));
|
|
|
|
}
|
|
|
|
|
2016-09-21 23:49:47 +03:00
|
|
|
typedef struct userquota_node {
|
|
|
|
/* must be in the first filed, see userquota_update_cache() */
|
|
|
|
char uqn_id[20 + DMU_OBJACCT_PREFIX_LEN];
|
|
|
|
int64_t uqn_delta;
|
|
|
|
avl_node_t uqn_node;
|
|
|
|
} userquota_node_t;
|
|
|
|
|
|
|
|
typedef struct userquota_cache {
|
|
|
|
avl_tree_t uqc_user_deltas;
|
|
|
|
avl_tree_t uqc_group_deltas;
|
|
|
|
} userquota_cache_t;
|
|
|
|
|
|
|
|
static int
|
|
|
|
userquota_compare(const void *l, const void *r)
|
|
|
|
{
|
|
|
|
const userquota_node_t *luqn = l;
|
|
|
|
const userquota_node_t *ruqn = r;
|
2016-10-21 18:23:27 +03:00
|
|
|
int rv;
|
2016-09-21 23:49:47 +03:00
|
|
|
|
|
|
|
/*
|
|
|
|
* NB: can only access uqn_id because userquota_update_cache() doesn't
|
|
|
|
* pass in an entire userquota_node_t.
|
|
|
|
*/
|
2016-10-21 18:23:27 +03:00
|
|
|
rv = strcmp(luqn->uqn_id, ruqn->uqn_id);
|
|
|
|
|
|
|
|
return (AVL_ISIGN(rv));
|
2016-09-21 23:49:47 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
do_userquota_cacheflush(objset_t *os, userquota_cache_t *cache, dmu_tx_t *tx)
|
|
|
|
{
|
|
|
|
void *cookie;
|
|
|
|
userquota_node_t *uqn;
|
|
|
|
|
|
|
|
ASSERT(dmu_tx_is_syncing(tx));
|
|
|
|
|
|
|
|
cookie = NULL;
|
|
|
|
while ((uqn = avl_destroy_nodes(&cache->uqc_user_deltas,
|
|
|
|
&cookie)) != NULL) {
|
2017-03-21 04:36:00 +03:00
|
|
|
/*
|
|
|
|
* os_userused_lock protects against concurrent calls to
|
|
|
|
* zap_increment_int(). It's needed because zap_increment_int()
|
|
|
|
* is not thread-safe (i.e. not atomic).
|
|
|
|
*/
|
|
|
|
mutex_enter(&os->os_userused_lock);
|
2016-09-21 23:49:47 +03:00
|
|
|
VERIFY0(zap_increment(os, DMU_USERUSED_OBJECT,
|
|
|
|
uqn->uqn_id, uqn->uqn_delta, tx));
|
2017-03-21 04:36:00 +03:00
|
|
|
mutex_exit(&os->os_userused_lock);
|
2016-09-21 23:49:47 +03:00
|
|
|
kmem_free(uqn, sizeof (*uqn));
|
|
|
|
}
|
|
|
|
avl_destroy(&cache->uqc_user_deltas);
|
|
|
|
|
|
|
|
cookie = NULL;
|
|
|
|
while ((uqn = avl_destroy_nodes(&cache->uqc_group_deltas,
|
|
|
|
&cookie)) != NULL) {
|
2017-03-21 04:36:00 +03:00
|
|
|
mutex_enter(&os->os_userused_lock);
|
2016-09-21 23:49:47 +03:00
|
|
|
VERIFY0(zap_increment(os, DMU_GROUPUSED_OBJECT,
|
|
|
|
uqn->uqn_id, uqn->uqn_delta, tx));
|
2017-03-21 04:36:00 +03:00
|
|
|
mutex_exit(&os->os_userused_lock);
|
2016-09-21 23:49:47 +03:00
|
|
|
kmem_free(uqn, sizeof (*uqn));
|
|
|
|
}
|
|
|
|
avl_destroy(&cache->uqc_group_deltas);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
userquota_update_cache(avl_tree_t *avl, const char *id, int64_t delta)
|
|
|
|
{
|
|
|
|
userquota_node_t *uqn;
|
|
|
|
avl_index_t idx;
|
|
|
|
|
|
|
|
ASSERT(strlen(id) < sizeof (uqn->uqn_id));
|
|
|
|
/*
|
|
|
|
* Use id directly for searching because uqn_id is the first field of
|
|
|
|
* userquota_node_t and fields after uqn_id won't be accessed in
|
|
|
|
* avl_find().
|
|
|
|
*/
|
|
|
|
uqn = avl_find(avl, (const void *)id, &idx);
|
|
|
|
if (uqn == NULL) {
|
|
|
|
uqn = kmem_zalloc(sizeof (*uqn), KM_SLEEP);
|
2016-10-12 23:24:03 +03:00
|
|
|
strlcpy(uqn->uqn_id, id, sizeof (uqn->uqn_id));
|
2016-09-21 23:49:47 +03:00
|
|
|
avl_insert(avl, uqn, idx);
|
|
|
|
}
|
|
|
|
uqn->uqn_delta += delta;
|
|
|
|
}
|
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
static void
|
2016-09-21 23:49:47 +03:00
|
|
|
do_userquota_update(userquota_cache_t *cache, uint64_t used, uint64_t flags,
|
|
|
|
uint64_t user, uint64_t group, boolean_t subtract)
|
2010-05-29 00:45:14 +04:00
|
|
|
{
|
|
|
|
if ((flags & DNODE_FLAG_USERUSED_ACCOUNTED)) {
|
Implement large_dnode pool feature
Justification
-------------
This feature adds support for variable length dnodes. Our motivation is
to eliminate the overhead associated with using spill blocks. Spill
blocks are used to store system attribute data (i.e. file metadata) that
does not fit in the dnode's bonus buffer. By allowing a larger bonus
buffer area the use of a spill block can be avoided. Spill blocks
potentially incur an additional read I/O for every dnode in a dnode
block. As a worst case example, reading 32 dnodes from a 16k dnode block
and all of the spill blocks could issue 33 separate reads. Now suppose
those dnodes have size 1024 and therefore don't need spill blocks. Then
the worst case number of blocks read is reduced to from 33 to two--one
per dnode block. In practice spill blocks may tend to be co-located on
disk with the dnode blocks so the reduction in I/O would not be this
drastic. In a badly fragmented pool, however, the improvement could be
significant.
ZFS-on-Linux systems that make heavy use of extended attributes would
benefit from this feature. In particular, ZFS-on-Linux supports the
xattr=sa dataset property which allows file extended attribute data
to be stored in the dnode bonus buffer as an alternative to the
traditional directory-based format. Workloads such as SELinux and the
Lustre distributed filesystem often store enough xattr data to force
spill bocks when xattr=sa is in effect. Large dnodes may therefore
provide a performance benefit to such systems.
Other use cases that may benefit from this feature include files with
large ACLs and symbolic links with long target names. Furthermore,
this feature may be desirable on other platforms in case future
applications or features are developed that could make use of a
larger bonus buffer area.
Implementation
--------------
The size of a dnode may be a multiple of 512 bytes up to the size of
a dnode block (currently 16384 bytes). A dn_extra_slots field was
added to the current on-disk dnode_phys_t structure to describe the
size of the physical dnode on disk. The 8 bits for this field were
taken from the zero filled dn_pad2 field. The field represents how
many "extra" dnode_phys_t slots a dnode consumes in its dnode block.
This convention results in a value of 0 for 512 byte dnodes which
preserves on-disk format compatibility with older software.
Similarly, the in-memory dnode_t structure has a new dn_num_slots field
to represent the total number of dnode_phys_t slots consumed on disk.
Thus dn->dn_num_slots is 1 greater than the corresponding
dnp->dn_extra_slots. This difference in convention was adopted
because, unlike on-disk structures, backward compatibility is not a
concern for in-memory objects, so we used a more natural way to
represent size for a dnode_t.
The default size for newly created dnodes is determined by the value of
a new "dnodesize" dataset property. By default the property is set to
"legacy" which is compatible with older software. Setting the property
to "auto" will allow the filesystem to choose the most suitable dnode
size. Currently this just sets the default dnode size to 1k, but future
code improvements could dynamically choose a size based on observed
workload patterns. Dnodes of varying sizes can coexist within the same
dataset and even within the same dnode block. For example, to enable
automatically-sized dnodes, run
# zfs set dnodesize=auto tank/fish
The user can also specify literal values for the dnodesize property.
These are currently limited to powers of two from 1k to 16k. The
power-of-2 limitation is only for simplicity of the user interface.
Internally the implementation can handle any multiple of 512 up to 16k,
and consumers of the DMU API can specify any legal dnode value.
The size of a new dnode is determined at object allocation time and
stored as a new field in the znode in-memory structure. New DMU
interfaces are added to allow the consumer to specify the dnode size
that a newly allocated object should use. Existing interfaces are
unchanged to avoid having to update every call site and to preserve
compatibility with external consumers such as Lustre. The new
interfaces names are given below. The versions of these functions that
don't take a dnodesize parameter now just call the _dnsize() versions
with a dnodesize of 0, which means use the legacy dnode size.
New DMU interfaces:
dmu_object_alloc_dnsize()
dmu_object_claim_dnsize()
dmu_object_reclaim_dnsize()
New ZAP interfaces:
zap_create_dnsize()
zap_create_norm_dnsize()
zap_create_flags_dnsize()
zap_create_claim_norm_dnsize()
zap_create_link_dnsize()
The constant DN_MAX_BONUSLEN is renamed to DN_OLD_MAX_BONUSLEN. The
spa_maxdnodesize() function should be used to determine the maximum
bonus length for a pool.
These are a few noteworthy changes to key functions:
* The prototype for dnode_hold_impl() now takes a "slots" parameter.
When the DNODE_MUST_BE_FREE flag is set, this parameter is used to
ensure the hole at the specified object offset is large enough to
hold the dnode being created. The slots parameter is also used
to ensure a dnode does not span multiple dnode blocks. In both of
these cases, if a failure occurs, ENOSPC is returned. Keep in mind,
these failure cases are only possible when using DNODE_MUST_BE_FREE.
If the DNODE_MUST_BE_ALLOCATED flag is set, "slots" must be 0.
dnode_hold_impl() will check if the requested dnode is already
consumed as an extra dnode slot by an large dnode, in which case
it returns ENOENT.
* The function dmu_object_alloc() advances to the next dnode block
if dnode_hold_impl() returns an error for a requested object.
This is because the beginning of the next dnode block is the only
location it can safely assume to either be a hole or a valid
starting point for a dnode.
* dnode_next_offset_level() and other functions that iterate
through dnode blocks may no longer use a simple array indexing
scheme. These now use the current dnode's dn_num_slots field to
advance to the next dnode in the block. This is to ensure we
properly skip the current dnode's bonus area and don't interpret it
as a valid dnode.
zdb
---
The zdb command was updated to display a dnode's size under the
"dnsize" column when the object is dumped.
For ZIL create log records, zdb will now display the slot count for
the object.
ztest
-----
Ztest chooses a random dnodesize for every newly created object. The
random distribution is more heavily weighted toward small dnodes to
better simulate real-world datasets.
Unused bonus buffer space is filled with non-zero values computed from
the object number, dataset id, offset, and generation number. This
helps ensure that the dnode traversal code properly skips the interior
regions of large dnodes, and that these interior regions are not
overwritten by data belonging to other dnodes. A new test visits each
object in a dataset. It verifies that the actual dnode size matches what
was stored in the ztest block tag when it was created. It also verifies
that the unused bonus buffer space is filled with the expected data
patterns.
ZFS Test Suite
--------------
Added six new large dnode-specific tests, and integrated the dnodesize
property into existing tests for zfs allow and send/recv.
Send/Receive
------------
ZFS send streams for datasets containing large dnodes cannot be received
on pools that don't support the large_dnode feature. A send stream with
large dnodes sets a DMU_BACKUP_FEATURE_LARGE_DNODE flag which will be
unrecognized by an incompatible receiving pool so that the zfs receive
will fail gracefully.
While not implemented here, it may be possible to generate a
backward-compatible send stream from a dataset containing large
dnodes. The implementation may be tricky, however, because the send
object record for a large dnode would need to be resized to a 512
byte dnode, possibly kicking in a spill block in the process. This
means we would need to construct a new SA layout and possibly
register it in the SA layout object. The SA layout is normally just
sent as an ordinary object record. But if we are constructing new
layouts while generating the send stream we'd have to build the SA
layout object dynamically and send it at the end of the stream.
For sending and receiving between pools that do support large dnodes,
the drr_object send record type is extended with a new field to store
the dnode slot count. This field was repurposed from unused padding
in the structure.
ZIL Replay
----------
The dnode slot count is stored in the uppermost 8 bits of the lr_foid
field. The bits were unused as the object id is currently capped at
48 bits.
Resizing Dnodes
---------------
It should be possible to resize a dnode when it is dirtied if the
current dnodesize dataset property differs from the dnode's size, but
this functionality is not currently implemented. Clearly a dnode can
only grow if there are sufficient contiguous unused slots in the
dnode block, but it should always be possible to shrink a dnode.
Growing dnodes may be useful to reduce fragmentation in a pool with
many spill blocks in use. Shrinking dnodes may be useful to allow
sending a dataset to a pool that doesn't support the large_dnode
feature.
Feature Reference Counting
--------------------------
The reference count for the large_dnode pool feature tracks the
number of datasets that have ever contained a dnode of size larger
than 512 bytes. The first time a large dnode is created in a dataset
the dataset is converted to an extensible dataset. This is a one-way
operation and the only way to decrement the feature count is to
destroy the dataset, even if the dataset no longer contains any large
dnodes. The complexity of reference counting on a per-dnode basis was
too high, so we chose to track it on a per-dataset basis similarly to
the large_block feature.
Signed-off-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #3542
2016-03-17 04:25:34 +03:00
|
|
|
int64_t delta = DNODE_MIN_SIZE + used;
|
2016-09-21 23:49:47 +03:00
|
|
|
char name[20];
|
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
if (subtract)
|
|
|
|
delta = -delta;
|
2016-09-21 23:49:47 +03:00
|
|
|
|
|
|
|
(void) sprintf(name, "%llx", (longlong_t)user);
|
|
|
|
userquota_update_cache(&cache->uqc_user_deltas, name, delta);
|
|
|
|
|
|
|
|
(void) sprintf(name, "%llx", (longlong_t)group);
|
|
|
|
userquota_update_cache(&cache->uqc_group_deltas, name, delta);
|
2010-05-29 00:45:14 +04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-10-04 21:46:10 +03:00
|
|
|
static void
|
2016-09-21 23:49:47 +03:00
|
|
|
do_userobjquota_update(userquota_cache_t *cache, uint64_t flags,
|
|
|
|
uint64_t user, uint64_t group, boolean_t subtract)
|
2016-10-04 21:46:10 +03:00
|
|
|
{
|
|
|
|
if (flags & DNODE_FLAG_USEROBJUSED_ACCOUNTED) {
|
|
|
|
char name[20 + DMU_OBJACCT_PREFIX_LEN];
|
2016-09-21 23:49:47 +03:00
|
|
|
int delta = subtract ? -1 : 1;
|
2016-10-04 21:46:10 +03:00
|
|
|
|
|
|
|
(void) snprintf(name, sizeof (name), DMU_OBJACCT_PREFIX "%llx",
|
|
|
|
(longlong_t)user);
|
2016-09-21 23:49:47 +03:00
|
|
|
userquota_update_cache(&cache->uqc_user_deltas, name, delta);
|
2016-10-04 21:46:10 +03:00
|
|
|
|
|
|
|
(void) snprintf(name, sizeof (name), DMU_OBJACCT_PREFIX "%llx",
|
|
|
|
(longlong_t)group);
|
2016-09-21 23:49:47 +03:00
|
|
|
userquota_update_cache(&cache->uqc_group_deltas, name, delta);
|
2016-10-04 21:46:10 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-03-21 04:36:00 +03:00
|
|
|
typedef struct userquota_updates_arg {
|
|
|
|
objset_t *uua_os;
|
|
|
|
int uua_sublist_idx;
|
|
|
|
dmu_tx_t *uua_tx;
|
|
|
|
} userquota_updates_arg_t;
|
|
|
|
|
|
|
|
static void
|
|
|
|
userquota_updates_task(void *arg)
|
2009-07-03 02:44:48 +04:00
|
|
|
{
|
2017-03-21 04:36:00 +03:00
|
|
|
userquota_updates_arg_t *uua = arg;
|
|
|
|
objset_t *os = uua->uua_os;
|
|
|
|
dmu_tx_t *tx = uua->uua_tx;
|
2009-07-03 02:44:48 +04:00
|
|
|
dnode_t *dn;
|
2016-09-21 23:49:47 +03:00
|
|
|
userquota_cache_t cache = { { 0 } };
|
2009-07-03 02:44:48 +04:00
|
|
|
|
2017-03-21 04:36:00 +03:00
|
|
|
multilist_sublist_t *list =
|
|
|
|
multilist_sublist_lock(os->os_synced_dnodes, uua->uua_sublist_idx);
|
2009-07-03 02:44:48 +04:00
|
|
|
|
2017-03-21 04:36:00 +03:00
|
|
|
ASSERT(multilist_sublist_head(list) == NULL ||
|
|
|
|
dmu_objset_userused_enabled(os));
|
2016-09-21 23:49:47 +03:00
|
|
|
avl_create(&cache.uqc_user_deltas, userquota_compare,
|
|
|
|
sizeof (userquota_node_t), offsetof(userquota_node_t, uqn_node));
|
|
|
|
avl_create(&cache.uqc_group_deltas, userquota_compare,
|
|
|
|
sizeof (userquota_node_t), offsetof(userquota_node_t, uqn_node));
|
|
|
|
|
2017-03-21 04:36:00 +03:00
|
|
|
while ((dn = multilist_sublist_head(list)) != NULL) {
|
2010-08-27 01:24:34 +04:00
|
|
|
int flags;
|
2009-07-03 02:44:48 +04:00
|
|
|
ASSERT(!DMU_OBJECT_IS_SPECIAL(dn->dn_object));
|
|
|
|
ASSERT(dn->dn_phys->dn_type == DMU_OT_NONE ||
|
|
|
|
dn->dn_phys->dn_flags &
|
|
|
|
DNODE_FLAG_USERUSED_ACCOUNTED);
|
|
|
|
|
2010-08-27 01:24:34 +04:00
|
|
|
flags = dn->dn_id_flags;
|
|
|
|
ASSERT(flags);
|
|
|
|
if (flags & DN_ID_OLD_EXIST) {
|
2016-09-21 23:49:47 +03:00
|
|
|
do_userquota_update(&cache,
|
|
|
|
dn->dn_oldused, dn->dn_oldflags,
|
|
|
|
dn->dn_olduid, dn->dn_oldgid, B_TRUE);
|
|
|
|
do_userobjquota_update(&cache, dn->dn_oldflags,
|
|
|
|
dn->dn_olduid, dn->dn_oldgid, B_TRUE);
|
2010-05-29 00:45:14 +04:00
|
|
|
}
|
2010-08-27 01:24:34 +04:00
|
|
|
if (flags & DN_ID_NEW_EXIST) {
|
2016-09-21 23:49:47 +03:00
|
|
|
do_userquota_update(&cache,
|
|
|
|
DN_USED_BYTES(dn->dn_phys), dn->dn_phys->dn_flags,
|
|
|
|
dn->dn_newuid, dn->dn_newgid, B_FALSE);
|
|
|
|
do_userobjquota_update(&cache, dn->dn_phys->dn_flags,
|
|
|
|
dn->dn_newuid, dn->dn_newgid, B_FALSE);
|
2010-05-29 00:45:14 +04:00
|
|
|
}
|
|
|
|
|
2010-08-27 01:24:34 +04:00
|
|
|
mutex_enter(&dn->dn_mtx);
|
2010-05-29 00:45:14 +04:00
|
|
|
dn->dn_oldused = 0;
|
|
|
|
dn->dn_oldflags = 0;
|
|
|
|
if (dn->dn_id_flags & DN_ID_NEW_EXIST) {
|
|
|
|
dn->dn_olduid = dn->dn_newuid;
|
|
|
|
dn->dn_oldgid = dn->dn_newgid;
|
|
|
|
dn->dn_id_flags |= DN_ID_OLD_EXIST;
|
|
|
|
if (dn->dn_bonuslen == 0)
|
|
|
|
dn->dn_id_flags |= DN_ID_CHKED_SPILL;
|
|
|
|
else
|
|
|
|
dn->dn_id_flags |= DN_ID_CHKED_BONUS;
|
|
|
|
}
|
|
|
|
dn->dn_id_flags &= ~(DN_ID_NEW_EXIST);
|
2009-07-03 02:44:48 +04:00
|
|
|
mutex_exit(&dn->dn_mtx);
|
|
|
|
|
2017-03-21 04:36:00 +03:00
|
|
|
multilist_sublist_remove(list, dn);
|
|
|
|
dnode_rele(dn, os->os_synced_dnodes);
|
2009-07-03 02:44:48 +04:00
|
|
|
}
|
2016-09-21 23:49:47 +03:00
|
|
|
do_userquota_cacheflush(os, &cache, tx);
|
2017-03-21 04:36:00 +03:00
|
|
|
multilist_sublist_unlock(list);
|
|
|
|
kmem_free(uua, sizeof (*uua));
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
dmu_objset_do_userquota_updates(objset_t *os, dmu_tx_t *tx)
|
|
|
|
{
|
|
|
|
if (!dmu_objset_userused_enabled(os))
|
|
|
|
return;
|
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
/* if this is a raw receive just return and handle accounting later */
|
|
|
|
if (os->os_encrypted && dmu_objset_is_receiving(os))
|
|
|
|
return;
|
|
|
|
|
2017-03-21 04:36:00 +03:00
|
|
|
/* Allocate the user/groupused objects if necessary. */
|
|
|
|
if (DMU_USERUSED_DNODE(os)->dn_type == DMU_OT_NONE) {
|
|
|
|
VERIFY0(zap_create_claim(os,
|
|
|
|
DMU_USERUSED_OBJECT,
|
|
|
|
DMU_OT_USERGROUP_USED, DMU_OT_NONE, 0, tx));
|
|
|
|
VERIFY0(zap_create_claim(os,
|
|
|
|
DMU_GROUPUSED_OBJECT,
|
|
|
|
DMU_OT_USERGROUP_USED, DMU_OT_NONE, 0, tx));
|
|
|
|
}
|
|
|
|
|
|
|
|
for (int i = 0;
|
|
|
|
i < multilist_get_num_sublists(os->os_synced_dnodes); i++) {
|
|
|
|
userquota_updates_arg_t *uua =
|
|
|
|
kmem_alloc(sizeof (*uua), KM_SLEEP);
|
|
|
|
uua->uua_os = os;
|
|
|
|
uua->uua_sublist_idx = i;
|
|
|
|
uua->uua_tx = tx;
|
|
|
|
/* note: caller does taskq_wait() */
|
|
|
|
(void) taskq_dispatch(dmu_objset_pool(os)->dp_sync_taskq,
|
|
|
|
userquota_updates_task, uua, 0);
|
|
|
|
/* callback frees uua */
|
|
|
|
}
|
2009-07-03 02:44:48 +04:00
|
|
|
}
|
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
/*
|
|
|
|
* Returns a pointer to data to find uid/gid from
|
|
|
|
*
|
|
|
|
* If a dirty record for transaction group that is syncing can't
|
|
|
|
* be found then NULL is returned. In the NULL case it is assumed
|
|
|
|
* the uid/gid aren't changing.
|
|
|
|
*/
|
|
|
|
static void *
|
|
|
|
dmu_objset_userquota_find_data(dmu_buf_impl_t *db, dmu_tx_t *tx)
|
|
|
|
{
|
|
|
|
dbuf_dirty_record_t *dr, **drp;
|
|
|
|
void *data;
|
|
|
|
|
|
|
|
if (db->db_dirtycnt == 0)
|
|
|
|
return (db->db.db_data); /* Nothing is changing */
|
|
|
|
|
|
|
|
for (drp = &db->db_last_dirty; (dr = *drp) != NULL; drp = &dr->dr_next)
|
|
|
|
if (dr->dr_txg == tx->tx_txg)
|
|
|
|
break;
|
|
|
|
|
2010-08-27 01:24:34 +04:00
|
|
|
if (dr == NULL) {
|
2010-05-29 00:45:14 +04:00
|
|
|
data = NULL;
|
2010-08-27 01:24:34 +04:00
|
|
|
} else {
|
|
|
|
dnode_t *dn;
|
|
|
|
|
|
|
|
DB_DNODE_ENTER(dr->dr_dbuf);
|
|
|
|
dn = DB_DNODE(dr->dr_dbuf);
|
|
|
|
|
|
|
|
if (dn->dn_bonuslen == 0 &&
|
|
|
|
dr->dr_dbuf->db_blkid == DMU_SPILL_BLKID)
|
|
|
|
data = dr->dt.dl.dr_data->b_data;
|
|
|
|
else
|
|
|
|
data = dr->dt.dl.dr_data;
|
|
|
|
|
|
|
|
DB_DNODE_EXIT(dr->dr_dbuf);
|
|
|
|
}
|
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
return (data);
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
dmu_objset_userquota_get_ids(dnode_t *dn, boolean_t before, dmu_tx_t *tx)
|
|
|
|
{
|
|
|
|
objset_t *os = dn->dn_objset;
|
|
|
|
void *data = NULL;
|
|
|
|
dmu_buf_impl_t *db = NULL;
|
2013-02-11 10:21:05 +04:00
|
|
|
uint64_t *user = NULL;
|
|
|
|
uint64_t *group = NULL;
|
2010-05-29 00:45:14 +04:00
|
|
|
int flags = dn->dn_id_flags;
|
|
|
|
int error;
|
|
|
|
boolean_t have_spill = B_FALSE;
|
|
|
|
|
|
|
|
if (!dmu_objset_userused_enabled(dn->dn_objset))
|
|
|
|
return;
|
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
/*
|
|
|
|
* Raw receives introduce a problem with user accounting. Raw
|
|
|
|
* receives cannot update the user accounting info because the
|
|
|
|
* user ids and the sizes are encrypted. To guarantee that we
|
|
|
|
* never end up with bad user accounting, we simply disable it
|
|
|
|
* during raw receives. We also disable this for normal receives
|
|
|
|
* so that an incremental raw receive may be done on top of an
|
|
|
|
* existing non-raw receive.
|
|
|
|
*/
|
|
|
|
if (os->os_encrypted && dmu_objset_is_receiving(os))
|
|
|
|
return;
|
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
if (before && (flags & (DN_ID_CHKED_BONUS|DN_ID_OLD_EXIST|
|
|
|
|
DN_ID_CHKED_SPILL)))
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (before && dn->dn_bonuslen != 0)
|
|
|
|
data = DN_BONUS(dn->dn_phys);
|
|
|
|
else if (!before && dn->dn_bonuslen != 0) {
|
2015-09-25 21:15:02 +03:00
|
|
|
if (dn->dn_bonus) {
|
|
|
|
db = dn->dn_bonus;
|
2010-05-29 00:45:14 +04:00
|
|
|
mutex_enter(&db->db_mtx);
|
|
|
|
data = dmu_objset_userquota_find_data(db, tx);
|
|
|
|
} else {
|
|
|
|
data = DN_BONUS(dn->dn_phys);
|
|
|
|
}
|
|
|
|
} else if (dn->dn_bonuslen == 0 && dn->dn_bonustype == DMU_OT_SA) {
|
|
|
|
int rf = 0;
|
|
|
|
|
|
|
|
if (RW_WRITE_HELD(&dn->dn_struct_rwlock))
|
|
|
|
rf |= DB_RF_HAVESTRUCT;
|
2010-08-27 01:24:34 +04:00
|
|
|
error = dmu_spill_hold_by_dnode(dn,
|
|
|
|
rf | DB_RF_MUST_SUCCEED,
|
2010-05-29 00:45:14 +04:00
|
|
|
FTAG, (dmu_buf_t **)&db);
|
|
|
|
ASSERT(error == 0);
|
|
|
|
mutex_enter(&db->db_mtx);
|
|
|
|
data = (before) ? db->db.db_data :
|
|
|
|
dmu_objset_userquota_find_data(db, tx);
|
|
|
|
have_spill = B_TRUE;
|
|
|
|
} else {
|
|
|
|
mutex_enter(&dn->dn_mtx);
|
|
|
|
dn->dn_id_flags |= DN_ID_CHKED_BONUS;
|
|
|
|
mutex_exit(&dn->dn_mtx);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (before) {
|
|
|
|
ASSERT(data);
|
|
|
|
user = &dn->dn_olduid;
|
|
|
|
group = &dn->dn_oldgid;
|
|
|
|
} else if (data) {
|
|
|
|
user = &dn->dn_newuid;
|
|
|
|
group = &dn->dn_newgid;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Must always call the callback in case the object
|
|
|
|
* type has changed and that type isn't an object type to track
|
|
|
|
*/
|
|
|
|
error = used_cbs[os->os_phys->os_type](dn->dn_bonustype, data,
|
|
|
|
user, group);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Preserve existing uid/gid when the callback can't determine
|
|
|
|
* what the new uid/gid are and the callback returned EEXIST.
|
|
|
|
* The EEXIST error tells us to just use the existing uid/gid.
|
|
|
|
* If we don't know what the old values are then just assign
|
|
|
|
* them to 0, since that is a new file being created.
|
|
|
|
*/
|
|
|
|
if (!before && data == NULL && error == EEXIST) {
|
|
|
|
if (flags & DN_ID_OLD_EXIST) {
|
|
|
|
dn->dn_newuid = dn->dn_olduid;
|
|
|
|
dn->dn_newgid = dn->dn_oldgid;
|
|
|
|
} else {
|
|
|
|
dn->dn_newuid = 0;
|
|
|
|
dn->dn_newgid = 0;
|
|
|
|
}
|
|
|
|
error = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (db)
|
|
|
|
mutex_exit(&db->db_mtx);
|
|
|
|
|
|
|
|
mutex_enter(&dn->dn_mtx);
|
|
|
|
if (error == 0 && before)
|
|
|
|
dn->dn_id_flags |= DN_ID_OLD_EXIST;
|
|
|
|
if (error == 0 && !before)
|
|
|
|
dn->dn_id_flags |= DN_ID_NEW_EXIST;
|
|
|
|
|
|
|
|
if (have_spill) {
|
|
|
|
dn->dn_id_flags |= DN_ID_CHKED_SPILL;
|
|
|
|
} else {
|
|
|
|
dn->dn_id_flags |= DN_ID_CHKED_BONUS;
|
|
|
|
}
|
|
|
|
mutex_exit(&dn->dn_mtx);
|
2015-09-25 21:15:02 +03:00
|
|
|
if (have_spill)
|
2010-05-29 00:45:14 +04:00
|
|
|
dmu_buf_rele((dmu_buf_t *)db, FTAG);
|
|
|
|
}
|
|
|
|
|
2009-07-03 02:44:48 +04:00
|
|
|
boolean_t
|
|
|
|
dmu_objset_userspace_present(objset_t *os)
|
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
return (os->os_phys->os_flags &
|
2009-07-03 02:44:48 +04:00
|
|
|
OBJSET_FLAG_USERACCOUNTING_COMPLETE);
|
|
|
|
}
|
|
|
|
|
2016-10-04 21:46:10 +03:00
|
|
|
boolean_t
|
|
|
|
dmu_objset_userobjspace_present(objset_t *os)
|
|
|
|
{
|
|
|
|
return (os->os_phys->os_flags &
|
|
|
|
OBJSET_FLAG_USEROBJACCOUNTING_COMPLETE);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
dmu_objset_space_upgrade(objset_t *os)
|
2009-07-03 02:44:48 +04:00
|
|
|
{
|
|
|
|
uint64_t obj;
|
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* We simply need to mark every object dirty, so that it will be
|
|
|
|
* synced out and now accounted. If this is called
|
|
|
|
* concurrently, or if we already did some work before crashing,
|
|
|
|
* that's fine, since we track each object's accounted state
|
|
|
|
* independently.
|
|
|
|
*/
|
|
|
|
|
|
|
|
for (obj = 0; err == 0; err = dmu_object_next(os, &obj, FALSE, 0)) {
|
2009-08-18 22:43:27 +04:00
|
|
|
dmu_tx_t *tx;
|
2009-07-03 02:44:48 +04:00
|
|
|
dmu_buf_t *db;
|
|
|
|
int objerr;
|
|
|
|
|
2016-10-04 21:46:10 +03:00
|
|
|
mutex_enter(&os->os_upgrade_lock);
|
|
|
|
if (os->os_upgrade_exit)
|
|
|
|
err = SET_ERROR(EINTR);
|
|
|
|
mutex_exit(&os->os_upgrade_lock);
|
|
|
|
if (err != 0)
|
|
|
|
return (err);
|
|
|
|
|
2009-07-03 02:44:48 +04:00
|
|
|
if (issig(JUSTLOOKING) && issig(FORREAL))
|
2013-03-08 22:41:28 +04:00
|
|
|
return (SET_ERROR(EINTR));
|
2009-07-03 02:44:48 +04:00
|
|
|
|
|
|
|
objerr = dmu_bonus_hold(os, obj, FTAG, &db);
|
2013-09-04 16:00:57 +04:00
|
|
|
if (objerr != 0)
|
2009-07-03 02:44:48 +04:00
|
|
|
continue;
|
2009-08-18 22:43:27 +04:00
|
|
|
tx = dmu_tx_create(os);
|
2009-07-03 02:44:48 +04:00
|
|
|
dmu_tx_hold_bonus(tx, obj);
|
|
|
|
objerr = dmu_tx_assign(tx, TXG_WAIT);
|
2013-09-04 16:00:57 +04:00
|
|
|
if (objerr != 0) {
|
2017-08-30 22:09:18 +03:00
|
|
|
dmu_buf_rele(db, FTAG);
|
2009-07-03 02:44:48 +04:00
|
|
|
dmu_tx_abort(tx);
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
dmu_buf_will_dirty(db, tx);
|
|
|
|
dmu_buf_rele(db, FTAG);
|
|
|
|
dmu_tx_commit(tx);
|
|
|
|
}
|
2016-10-04 21:46:10 +03:00
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
dmu_objset_userspace_upgrade(objset_t *os)
|
|
|
|
{
|
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
if (dmu_objset_userspace_present(os))
|
|
|
|
return (0);
|
|
|
|
if (dmu_objset_is_snapshot(os))
|
|
|
|
return (SET_ERROR(EINVAL));
|
|
|
|
if (!dmu_objset_userused_enabled(os))
|
|
|
|
return (SET_ERROR(ENOTSUP));
|
|
|
|
|
|
|
|
err = dmu_objset_space_upgrade(os);
|
|
|
|
if (err)
|
|
|
|
return (err);
|
2009-07-03 02:44:48 +04:00
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
os->os_flags |= OBJSET_FLAG_USERACCOUNTING_COMPLETE;
|
2009-07-03 02:44:48 +04:00
|
|
|
txg_wait_synced(dmu_objset_pool(os), 0);
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
2016-10-04 21:46:10 +03:00
|
|
|
static int
|
|
|
|
dmu_objset_userobjspace_upgrade_cb(objset_t *os)
|
|
|
|
{
|
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
if (dmu_objset_userobjspace_present(os))
|
|
|
|
return (0);
|
|
|
|
if (dmu_objset_is_snapshot(os))
|
|
|
|
return (SET_ERROR(EINVAL));
|
|
|
|
if (!dmu_objset_userobjused_enabled(os))
|
|
|
|
return (SET_ERROR(ENOTSUP));
|
|
|
|
|
|
|
|
dmu_objset_ds(os)->ds_feature_activation_needed[
|
|
|
|
SPA_FEATURE_USEROBJ_ACCOUNTING] = B_TRUE;
|
|
|
|
|
|
|
|
err = dmu_objset_space_upgrade(os);
|
|
|
|
if (err)
|
|
|
|
return (err);
|
|
|
|
|
|
|
|
os->os_flags |= OBJSET_FLAG_USEROBJACCOUNTING_COMPLETE;
|
|
|
|
txg_wait_synced(dmu_objset_pool(os), 0);
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
dmu_objset_userobjspace_upgrade(objset_t *os)
|
|
|
|
{
|
|
|
|
dmu_objset_upgrade(os, dmu_objset_userobjspace_upgrade_cb);
|
|
|
|
}
|
|
|
|
|
2016-11-10 00:51:12 +03:00
|
|
|
boolean_t
|
|
|
|
dmu_objset_userobjspace_upgradable(objset_t *os)
|
|
|
|
{
|
|
|
|
return (dmu_objset_type(os) == DMU_OST_ZFS &&
|
|
|
|
!dmu_objset_is_snapshot(os) &&
|
|
|
|
dmu_objset_userobjused_enabled(os) &&
|
|
|
|
!dmu_objset_userobjspace_present(os));
|
|
|
|
}
|
|
|
|
|
2008-11-20 23:01:55 +03:00
|
|
|
void
|
|
|
|
dmu_objset_space(objset_t *os, uint64_t *refdbytesp, uint64_t *availbytesp,
|
|
|
|
uint64_t *usedobjsp, uint64_t *availobjsp)
|
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
dsl_dataset_space(os->os_dsl_dataset, refdbytesp, availbytesp,
|
2008-11-20 23:01:55 +03:00
|
|
|
usedobjsp, availobjsp);
|
|
|
|
}
|
|
|
|
|
|
|
|
uint64_t
|
|
|
|
dmu_objset_fsid_guid(objset_t *os)
|
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
return (dsl_dataset_fsid_guid(os->os_dsl_dataset));
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
dmu_objset_fast_stat(objset_t *os, dmu_objset_stats_t *stat)
|
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
stat->dds_type = os->os_phys->os_type;
|
|
|
|
if (os->os_dsl_dataset)
|
|
|
|
dsl_dataset_fast_stat(os->os_dsl_dataset, stat);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
dmu_objset_stats(objset_t *os, nvlist_t *nv)
|
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
ASSERT(os->os_dsl_dataset ||
|
|
|
|
os->os_phys->os_type == DMU_OST_META);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
if (os->os_dsl_dataset != NULL)
|
|
|
|
dsl_dataset_stats(os->os_dsl_dataset, nv);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_TYPE,
|
2010-05-29 00:45:14 +04:00
|
|
|
os->os_phys->os_type);
|
2009-07-03 02:44:48 +04:00
|
|
|
dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_USERACCOUNTING,
|
|
|
|
dmu_objset_userspace_present(os));
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
dmu_objset_is_snapshot(objset_t *os)
|
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
if (os->os_dsl_dataset != NULL)
|
2015-04-02 06:44:32 +03:00
|
|
|
return (os->os_dsl_dataset->ds_is_snapshot);
|
2008-11-20 23:01:55 +03:00
|
|
|
else
|
|
|
|
return (B_FALSE);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
dmu_snapshot_realname(objset_t *os, char *name, char *real, int maxlen,
|
|
|
|
boolean_t *conflict)
|
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
dsl_dataset_t *ds = os->os_dsl_dataset;
|
2008-11-20 23:01:55 +03:00
|
|
|
uint64_t ignored;
|
|
|
|
|
2015-04-01 18:14:34 +03:00
|
|
|
if (dsl_dataset_phys(ds)->ds_snapnames_zapobj == 0)
|
2013-03-08 22:41:28 +04:00
|
|
|
return (SET_ERROR(ENOENT));
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
return (zap_lookup_norm(ds->ds_dir->dd_pool->dp_meta_objset,
|
2015-04-01 18:14:34 +03:00
|
|
|
dsl_dataset_phys(ds)->ds_snapnames_zapobj, name, 8, 1, &ignored,
|
2017-02-03 01:13:41 +03:00
|
|
|
MT_NORMALIZE, real, maxlen, conflict));
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
dmu_snapshot_list_next(objset_t *os, int namelen, char *name,
|
|
|
|
uint64_t *idp, uint64_t *offp, boolean_t *case_conflict)
|
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
dsl_dataset_t *ds = os->os_dsl_dataset;
|
2008-11-20 23:01:55 +03:00
|
|
|
zap_cursor_t cursor;
|
|
|
|
zap_attribute_t attr;
|
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
ASSERT(dsl_pool_config_held(dmu_objset_pool(os)));
|
|
|
|
|
2015-04-01 18:14:34 +03:00
|
|
|
if (dsl_dataset_phys(ds)->ds_snapnames_zapobj == 0)
|
2013-03-08 22:41:28 +04:00
|
|
|
return (SET_ERROR(ENOENT));
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
zap_cursor_init_serialized(&cursor,
|
|
|
|
ds->ds_dir->dd_pool->dp_meta_objset,
|
2015-04-01 18:14:34 +03:00
|
|
|
dsl_dataset_phys(ds)->ds_snapnames_zapobj, *offp);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
if (zap_cursor_retrieve(&cursor, &attr) != 0) {
|
|
|
|
zap_cursor_fini(&cursor);
|
2013-03-08 22:41:28 +04:00
|
|
|
return (SET_ERROR(ENOENT));
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
if (strlen(attr.za_name) + 1 > namelen) {
|
|
|
|
zap_cursor_fini(&cursor);
|
2013-03-08 22:41:28 +04:00
|
|
|
return (SET_ERROR(ENAMETOOLONG));
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
(void) strcpy(name, attr.za_name);
|
|
|
|
if (idp)
|
|
|
|
*idp = attr.za_first_integer;
|
|
|
|
if (case_conflict)
|
|
|
|
*case_conflict = attr.za_normalization_conflict;
|
|
|
|
zap_cursor_advance(&cursor);
|
|
|
|
*offp = zap_cursor_serialize(&cursor);
|
|
|
|
zap_cursor_fini(&cursor);
|
|
|
|
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
2011-11-11 11:15:53 +04:00
|
|
|
int
|
2013-01-26 02:57:53 +04:00
|
|
|
dmu_snapshot_lookup(objset_t *os, const char *name, uint64_t *value)
|
2011-11-11 11:15:53 +04:00
|
|
|
{
|
2013-11-01 23:26:11 +04:00
|
|
|
return (dsl_dataset_snap_lookup(os->os_dsl_dataset, name, value));
|
2011-11-11 11:15:53 +04:00
|
|
|
}
|
|
|
|
|
2008-11-20 23:01:55 +03:00
|
|
|
int
|
|
|
|
dmu_dir_list_next(objset_t *os, int namelen, char *name,
|
|
|
|
uint64_t *idp, uint64_t *offp)
|
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
dsl_dir_t *dd = os->os_dsl_dataset->ds_dir;
|
2008-11-20 23:01:55 +03:00
|
|
|
zap_cursor_t cursor;
|
|
|
|
zap_attribute_t attr;
|
|
|
|
|
|
|
|
/* there is no next dir on a snapshot! */
|
2010-05-29 00:45:14 +04:00
|
|
|
if (os->os_dsl_dataset->ds_object !=
|
2015-04-01 18:14:34 +03:00
|
|
|
dsl_dir_phys(dd)->dd_head_dataset_obj)
|
2013-03-08 22:41:28 +04:00
|
|
|
return (SET_ERROR(ENOENT));
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
zap_cursor_init_serialized(&cursor,
|
|
|
|
dd->dd_pool->dp_meta_objset,
|
2015-04-01 18:14:34 +03:00
|
|
|
dsl_dir_phys(dd)->dd_child_dir_zapobj, *offp);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
if (zap_cursor_retrieve(&cursor, &attr) != 0) {
|
|
|
|
zap_cursor_fini(&cursor);
|
2013-03-08 22:41:28 +04:00
|
|
|
return (SET_ERROR(ENOENT));
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
if (strlen(attr.za_name) + 1 > namelen) {
|
|
|
|
zap_cursor_fini(&cursor);
|
2013-03-08 22:41:28 +04:00
|
|
|
return (SET_ERROR(ENAMETOOLONG));
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
(void) strcpy(name, attr.za_name);
|
|
|
|
if (idp)
|
|
|
|
*idp = attr.za_first_integer;
|
|
|
|
zap_cursor_advance(&cursor);
|
|
|
|
*offp = zap_cursor_serialize(&cursor);
|
|
|
|
zap_cursor_fini(&cursor);
|
|
|
|
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
2015-05-06 19:07:55 +03:00
|
|
|
typedef struct dmu_objset_find_ctx {
|
|
|
|
taskq_t *dc_tq;
|
|
|
|
dsl_pool_t *dc_dp;
|
|
|
|
uint64_t dc_ddobj;
|
2017-01-26 23:46:02 +03:00
|
|
|
char *dc_ddname; /* last component of ddobj's name */
|
2015-05-06 19:07:55 +03:00
|
|
|
int (*dc_func)(dsl_pool_t *, dsl_dataset_t *, void *);
|
|
|
|
void *dc_arg;
|
|
|
|
int dc_flags;
|
|
|
|
kmutex_t *dc_error_lock;
|
|
|
|
int *dc_error;
|
|
|
|
} dmu_objset_find_ctx_t;
|
|
|
|
|
|
|
|
static void
|
|
|
|
dmu_objset_find_dp_impl(dmu_objset_find_ctx_t *dcp)
|
2008-12-03 23:09:06 +03:00
|
|
|
{
|
2015-05-06 19:07:55 +03:00
|
|
|
dsl_pool_t *dp = dcp->dc_dp;
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_dir_t *dd;
|
|
|
|
dsl_dataset_t *ds;
|
|
|
|
zap_cursor_t zc;
|
|
|
|
zap_attribute_t *attr;
|
|
|
|
uint64_t thisobj;
|
2015-05-06 19:07:55 +03:00
|
|
|
int err = 0;
|
2013-09-04 16:00:57 +04:00
|
|
|
|
2015-05-06 19:07:55 +03:00
|
|
|
/* don't process if there already was an error */
|
|
|
|
if (*dcp->dc_error != 0)
|
|
|
|
goto out;
|
2013-09-04 16:00:57 +04:00
|
|
|
|
2017-01-26 23:46:02 +03:00
|
|
|
/*
|
|
|
|
* Note: passing the name (dc_ddname) here is optional, but it
|
|
|
|
* improves performance because we don't need to call
|
|
|
|
* zap_value_search() to determine the name.
|
|
|
|
*/
|
|
|
|
err = dsl_dir_hold_obj(dp, dcp->dc_ddobj, dcp->dc_ddname, FTAG, &dd);
|
2013-09-04 16:00:57 +04:00
|
|
|
if (err != 0)
|
2015-05-06 19:07:55 +03:00
|
|
|
goto out;
|
2013-09-04 16:00:57 +04:00
|
|
|
|
|
|
|
/* Don't visit hidden ($MOS & $ORIGIN) objsets. */
|
|
|
|
if (dd->dd_myname[0] == '$') {
|
|
|
|
dsl_dir_rele(dd, FTAG);
|
2015-05-06 19:07:55 +03:00
|
|
|
goto out;
|
2013-09-04 16:00:57 +04:00
|
|
|
}
|
|
|
|
|
2015-04-01 18:14:34 +03:00
|
|
|
thisobj = dsl_dir_phys(dd)->dd_head_dataset_obj;
|
2014-11-21 03:09:39 +03:00
|
|
|
attr = kmem_alloc(sizeof (zap_attribute_t), KM_SLEEP);
|
2013-09-04 16:00:57 +04:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Iterate over all children.
|
|
|
|
*/
|
2015-05-06 19:07:55 +03:00
|
|
|
if (dcp->dc_flags & DS_FIND_CHILDREN) {
|
2013-09-04 16:00:57 +04:00
|
|
|
for (zap_cursor_init(&zc, dp->dp_meta_objset,
|
2015-04-01 18:14:34 +03:00
|
|
|
dsl_dir_phys(dd)->dd_child_dir_zapobj);
|
2013-09-04 16:00:57 +04:00
|
|
|
zap_cursor_retrieve(&zc, attr) == 0;
|
|
|
|
(void) zap_cursor_advance(&zc)) {
|
|
|
|
ASSERT3U(attr->za_integer_length, ==,
|
|
|
|
sizeof (uint64_t));
|
|
|
|
ASSERT3U(attr->za_num_integers, ==, 1);
|
|
|
|
|
2017-11-04 23:25:13 +03:00
|
|
|
dmu_objset_find_ctx_t *child_dcp =
|
2017-01-26 23:46:02 +03:00
|
|
|
kmem_alloc(sizeof (*child_dcp), KM_SLEEP);
|
2015-05-06 19:07:55 +03:00
|
|
|
*child_dcp = *dcp;
|
|
|
|
child_dcp->dc_ddobj = attr->za_first_integer;
|
2017-01-26 23:46:02 +03:00
|
|
|
child_dcp->dc_ddname = spa_strdup(attr->za_name);
|
2015-05-06 19:07:55 +03:00
|
|
|
if (dcp->dc_tq != NULL)
|
|
|
|
(void) taskq_dispatch(dcp->dc_tq,
|
|
|
|
dmu_objset_find_dp_cb, child_dcp, TQ_SLEEP);
|
|
|
|
else
|
|
|
|
dmu_objset_find_dp_impl(child_dcp);
|
2013-09-04 16:00:57 +04:00
|
|
|
}
|
|
|
|
zap_cursor_fini(&zc);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Iterate over all snapshots.
|
|
|
|
*/
|
2015-05-06 19:07:55 +03:00
|
|
|
if (dcp->dc_flags & DS_FIND_SNAPSHOTS) {
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_dataset_t *ds;
|
|
|
|
err = dsl_dataset_hold_obj(dp, thisobj, FTAG, &ds);
|
|
|
|
|
|
|
|
if (err == 0) {
|
2015-04-01 18:14:34 +03:00
|
|
|
uint64_t snapobj;
|
|
|
|
|
|
|
|
snapobj = dsl_dataset_phys(ds)->ds_snapnames_zapobj;
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_dataset_rele(ds, FTAG);
|
|
|
|
|
|
|
|
for (zap_cursor_init(&zc, dp->dp_meta_objset, snapobj);
|
|
|
|
zap_cursor_retrieve(&zc, attr) == 0;
|
|
|
|
(void) zap_cursor_advance(&zc)) {
|
|
|
|
ASSERT3U(attr->za_integer_length, ==,
|
|
|
|
sizeof (uint64_t));
|
|
|
|
ASSERT3U(attr->za_num_integers, ==, 1);
|
|
|
|
|
|
|
|
err = dsl_dataset_hold_obj(dp,
|
|
|
|
attr->za_first_integer, FTAG, &ds);
|
|
|
|
if (err != 0)
|
|
|
|
break;
|
2015-05-06 19:07:55 +03:00
|
|
|
err = dcp->dc_func(dp, ds, dcp->dc_arg);
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_dataset_rele(ds, FTAG);
|
|
|
|
if (err != 0)
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
zap_cursor_fini(&zc);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
kmem_free(attr, sizeof (zap_attribute_t));
|
|
|
|
|
2017-01-26 23:46:02 +03:00
|
|
|
if (err != 0) {
|
|
|
|
dsl_dir_rele(dd, FTAG);
|
2015-05-06 19:07:55 +03:00
|
|
|
goto out;
|
2017-01-26 23:46:02 +03:00
|
|
|
}
|
2013-09-04 16:00:57 +04:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Apply to self.
|
|
|
|
*/
|
|
|
|
err = dsl_dataset_hold_obj(dp, thisobj, FTAG, &ds);
|
2017-01-26 23:46:02 +03:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Note: we hold the dir while calling dsl_dataset_hold_obj() so
|
|
|
|
* that the dir will remain cached, and we won't have to re-instantiate
|
|
|
|
* it (which could be expensive due to finding its name via
|
|
|
|
* zap_value_search()).
|
|
|
|
*/
|
|
|
|
dsl_dir_rele(dd, FTAG);
|
2013-09-04 16:00:57 +04:00
|
|
|
if (err != 0)
|
2015-05-06 19:07:55 +03:00
|
|
|
goto out;
|
|
|
|
err = dcp->dc_func(dp, ds, dcp->dc_arg);
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_dataset_rele(ds, FTAG);
|
2015-05-06 19:07:55 +03:00
|
|
|
|
|
|
|
out:
|
|
|
|
if (err != 0) {
|
|
|
|
mutex_enter(dcp->dc_error_lock);
|
|
|
|
/* only keep first error */
|
|
|
|
if (*dcp->dc_error == 0)
|
|
|
|
*dcp->dc_error = err;
|
|
|
|
mutex_exit(dcp->dc_error_lock);
|
|
|
|
}
|
|
|
|
|
2017-01-26 23:46:02 +03:00
|
|
|
if (dcp->dc_ddname != NULL)
|
|
|
|
spa_strfree(dcp->dc_ddname);
|
2015-05-06 19:07:55 +03:00
|
|
|
kmem_free(dcp, sizeof (*dcp));
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
dmu_objset_find_dp_cb(void *arg)
|
|
|
|
{
|
|
|
|
dmu_objset_find_ctx_t *dcp = arg;
|
|
|
|
dsl_pool_t *dp = dcp->dc_dp;
|
|
|
|
|
2015-07-02 18:58:17 +03:00
|
|
|
/*
|
|
|
|
* We need to get a pool_config_lock here, as there are several
|
|
|
|
* asssert(pool_config_held) down the stack. Getting a lock via
|
|
|
|
* dsl_pool_config_enter is risky, as it might be stalled by a
|
|
|
|
* pending writer. This would deadlock, as the write lock can
|
|
|
|
* only be granted when our parent thread gives up the lock.
|
|
|
|
* The _prio interface gives us priority over a pending writer.
|
|
|
|
*/
|
|
|
|
dsl_pool_config_enter_prio(dp, FTAG);
|
2015-05-06 19:07:55 +03:00
|
|
|
|
|
|
|
dmu_objset_find_dp_impl(dcp);
|
|
|
|
|
|
|
|
dsl_pool_config_exit(dp, FTAG);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Find objsets under and including ddobj, call func(ds) on each.
|
|
|
|
* The order for the enumeration is completely undefined.
|
|
|
|
* func is called with dsl_pool_config held.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
dmu_objset_find_dp(dsl_pool_t *dp, uint64_t ddobj,
|
|
|
|
int func(dsl_pool_t *, dsl_dataset_t *, void *), void *arg, int flags)
|
|
|
|
{
|
|
|
|
int error = 0;
|
|
|
|
taskq_t *tq = NULL;
|
|
|
|
int ntasks;
|
|
|
|
dmu_objset_find_ctx_t *dcp;
|
|
|
|
kmutex_t err_lock;
|
|
|
|
|
|
|
|
mutex_init(&err_lock, NULL, MUTEX_DEFAULT, NULL);
|
|
|
|
dcp = kmem_alloc(sizeof (*dcp), KM_SLEEP);
|
|
|
|
dcp->dc_tq = NULL;
|
|
|
|
dcp->dc_dp = dp;
|
|
|
|
dcp->dc_ddobj = ddobj;
|
2017-01-26 23:46:02 +03:00
|
|
|
dcp->dc_ddname = NULL;
|
2015-05-06 19:07:55 +03:00
|
|
|
dcp->dc_func = func;
|
|
|
|
dcp->dc_arg = arg;
|
|
|
|
dcp->dc_flags = flags;
|
|
|
|
dcp->dc_error_lock = &err_lock;
|
|
|
|
dcp->dc_error = &error;
|
|
|
|
|
|
|
|
if ((flags & DS_FIND_SERIALIZE) || dsl_pool_config_held_writer(dp)) {
|
|
|
|
/*
|
|
|
|
* In case a write lock is held we can't make use of
|
|
|
|
* parallelism, as down the stack of the worker threads
|
|
|
|
* the lock is asserted via dsl_pool_config_held.
|
|
|
|
* In case of a read lock this is solved by getting a read
|
|
|
|
* lock in each worker thread, which isn't possible in case
|
|
|
|
* of a writer lock. So we fall back to the synchronous path
|
|
|
|
* here.
|
|
|
|
* In the future it might be possible to get some magic into
|
|
|
|
* dsl_pool_config_held in a way that it returns true for
|
|
|
|
* the worker threads so that a single lock held from this
|
|
|
|
* thread suffices. For now, stay single threaded.
|
|
|
|
*/
|
|
|
|
dmu_objset_find_dp_impl(dcp);
|
2016-01-27 04:54:45 +03:00
|
|
|
mutex_destroy(&err_lock);
|
2015-05-06 19:07:55 +03:00
|
|
|
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
ntasks = dmu_find_threads;
|
|
|
|
if (ntasks == 0)
|
|
|
|
ntasks = vdev_count_leaves(dp->dp_spa) * 4;
|
2015-07-24 20:08:31 +03:00
|
|
|
tq = taskq_create("dmu_objset_find", ntasks, maxclsyspri, ntasks,
|
2015-05-06 19:07:55 +03:00
|
|
|
INT_MAX, 0);
|
|
|
|
if (tq == NULL) {
|
|
|
|
kmem_free(dcp, sizeof (*dcp));
|
2016-01-27 04:54:45 +03:00
|
|
|
mutex_destroy(&err_lock);
|
|
|
|
|
2015-05-06 19:07:55 +03:00
|
|
|
return (SET_ERROR(ENOMEM));
|
|
|
|
}
|
|
|
|
dcp->dc_tq = tq;
|
|
|
|
|
|
|
|
/* dcp will be freed by task */
|
|
|
|
(void) taskq_dispatch(tq, dmu_objset_find_dp_cb, dcp, TQ_SLEEP);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* PORTING: this code relies on the property of taskq_wait to wait
|
|
|
|
* until no more tasks are queued and no more tasks are active. As
|
|
|
|
* we always queue new tasks from within other tasks, task_wait
|
|
|
|
* reliably waits for the full recursion to finish, even though we
|
|
|
|
* enqueue new tasks after taskq_wait has been called.
|
|
|
|
* On platforms other than illumos, taskq_wait may not have this
|
|
|
|
* property.
|
|
|
|
*/
|
|
|
|
taskq_wait(tq);
|
|
|
|
taskq_destroy(tq);
|
|
|
|
mutex_destroy(&err_lock);
|
|
|
|
|
|
|
|
return (error);
|
2008-12-03 23:09:06 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2013-09-04 16:00:57 +04:00
|
|
|
* Find all objsets under name, and for each, call 'func(child_name, arg)'.
|
|
|
|
* The dp_config_rwlock must not be held when this is called, and it
|
|
|
|
* will not be held when the callback is called.
|
|
|
|
* Therefore this function should only be used when the pool is not changing
|
|
|
|
* (e.g. in syncing context), or the callback can deal with the possible races.
|
2008-12-03 23:09:06 +03:00
|
|
|
*/
|
2013-09-04 16:00:57 +04:00
|
|
|
static int
|
|
|
|
dmu_objset_find_impl(spa_t *spa, const char *name,
|
|
|
|
int func(const char *, void *), void *arg, int flags)
|
2008-11-20 23:01:55 +03:00
|
|
|
{
|
|
|
|
dsl_dir_t *dd;
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_pool_t *dp = spa_get_dsl(spa);
|
2008-12-03 23:09:06 +03:00
|
|
|
dsl_dataset_t *ds;
|
2008-11-20 23:01:55 +03:00
|
|
|
zap_cursor_t zc;
|
|
|
|
zap_attribute_t *attr;
|
|
|
|
char *child;
|
2008-12-03 23:09:06 +03:00
|
|
|
uint64_t thisobj;
|
|
|
|
int err;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_pool_config_enter(dp, FTAG);
|
|
|
|
|
|
|
|
err = dsl_dir_hold(dp, name, FTAG, &dd, NULL);
|
|
|
|
if (err != 0) {
|
|
|
|
dsl_pool_config_exit(dp, FTAG);
|
2008-11-20 23:01:55 +03:00
|
|
|
return (err);
|
2013-09-04 16:00:57 +04:00
|
|
|
}
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2008-12-03 23:09:06 +03:00
|
|
|
/* Don't visit hidden ($MOS & $ORIGIN) objsets. */
|
|
|
|
if (dd->dd_myname[0] == '$') {
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_dir_rele(dd, FTAG);
|
|
|
|
dsl_pool_config_exit(dp, FTAG);
|
2008-12-03 23:09:06 +03:00
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
2015-04-01 18:14:34 +03:00
|
|
|
thisobj = dsl_dir_phys(dd)->dd_head_dataset_obj;
|
2014-11-21 03:09:39 +03:00
|
|
|
attr = kmem_alloc(sizeof (zap_attribute_t), KM_SLEEP);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Iterate over all children.
|
|
|
|
*/
|
|
|
|
if (flags & DS_FIND_CHILDREN) {
|
2008-12-03 23:09:06 +03:00
|
|
|
for (zap_cursor_init(&zc, dp->dp_meta_objset,
|
2015-04-01 18:14:34 +03:00
|
|
|
dsl_dir_phys(dd)->dd_child_dir_zapobj);
|
2008-11-20 23:01:55 +03:00
|
|
|
zap_cursor_retrieve(&zc, attr) == 0;
|
|
|
|
(void) zap_cursor_advance(&zc)) {
|
2013-09-04 16:00:57 +04:00
|
|
|
ASSERT3U(attr->za_integer_length, ==,
|
|
|
|
sizeof (uint64_t));
|
|
|
|
ASSERT3U(attr->za_num_integers, ==, 1);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
child = kmem_asprintf("%s/%s", name, attr->za_name);
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_pool_config_exit(dp, FTAG);
|
|
|
|
err = dmu_objset_find_impl(spa, child,
|
|
|
|
func, arg, flags);
|
|
|
|
dsl_pool_config_enter(dp, FTAG);
|
2010-05-29 00:45:14 +04:00
|
|
|
strfree(child);
|
2013-09-04 16:00:57 +04:00
|
|
|
if (err != 0)
|
2008-11-20 23:01:55 +03:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
zap_cursor_fini(&zc);
|
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
if (err != 0) {
|
|
|
|
dsl_dir_rele(dd, FTAG);
|
|
|
|
dsl_pool_config_exit(dp, FTAG);
|
2008-11-20 23:01:55 +03:00
|
|
|
kmem_free(attr, sizeof (zap_attribute_t));
|
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Iterate over all snapshots.
|
|
|
|
*/
|
2008-12-03 23:09:06 +03:00
|
|
|
if (flags & DS_FIND_SNAPSHOTS) {
|
|
|
|
err = dsl_dataset_hold_obj(dp, thisobj, FTAG, &ds);
|
|
|
|
|
|
|
|
if (err == 0) {
|
2015-04-01 18:14:34 +03:00
|
|
|
uint64_t snapobj;
|
|
|
|
|
|
|
|
snapobj = dsl_dataset_phys(ds)->ds_snapnames_zapobj;
|
2008-12-03 23:09:06 +03:00
|
|
|
dsl_dataset_rele(ds, FTAG);
|
|
|
|
|
|
|
|
for (zap_cursor_init(&zc, dp->dp_meta_objset, snapobj);
|
|
|
|
zap_cursor_retrieve(&zc, attr) == 0;
|
|
|
|
(void) zap_cursor_advance(&zc)) {
|
2013-09-04 16:00:57 +04:00
|
|
|
ASSERT3U(attr->za_integer_length, ==,
|
2008-12-03 23:09:06 +03:00
|
|
|
sizeof (uint64_t));
|
2013-09-04 16:00:57 +04:00
|
|
|
ASSERT3U(attr->za_num_integers, ==, 1);
|
2008-12-03 23:09:06 +03:00
|
|
|
|
2010-05-29 00:45:14 +04:00
|
|
|
child = kmem_asprintf("%s@%s",
|
|
|
|
name, attr->za_name);
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_pool_config_exit(dp, FTAG);
|
|
|
|
err = func(child, arg);
|
|
|
|
dsl_pool_config_enter(dp, FTAG);
|
2010-05-29 00:45:14 +04:00
|
|
|
strfree(child);
|
2013-09-04 16:00:57 +04:00
|
|
|
if (err != 0)
|
2008-12-03 23:09:06 +03:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
zap_cursor_fini(&zc);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_dir_rele(dd, FTAG);
|
2008-11-20 23:01:55 +03:00
|
|
|
kmem_free(attr, sizeof (zap_attribute_t));
|
2013-09-04 16:00:57 +04:00
|
|
|
dsl_pool_config_exit(dp, FTAG);
|
2008-11-20 23:01:55 +03:00
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
if (err != 0)
|
2008-11-20 23:01:55 +03:00
|
|
|
return (err);
|
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
/* Apply to self. */
|
|
|
|
return (func(name, arg));
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
/*
|
|
|
|
* See comment above dmu_objset_find_impl().
|
|
|
|
*/
|
2009-02-18 23:51:31 +03:00
|
|
|
int
|
2013-09-04 16:00:57 +04:00
|
|
|
dmu_objset_find(char *name, int func(const char *, void *), void *arg,
|
|
|
|
int flags)
|
2009-02-18 23:51:31 +03:00
|
|
|
{
|
2013-09-04 16:00:57 +04:00
|
|
|
spa_t *spa;
|
|
|
|
int error;
|
2009-02-18 23:51:31 +03:00
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
error = spa_open(name, &spa, FTAG);
|
|
|
|
if (error != 0)
|
|
|
|
return (error);
|
|
|
|
error = dmu_objset_find_impl(spa, name, func, arg, flags);
|
|
|
|
spa_close(spa, FTAG);
|
|
|
|
return (error);
|
2009-02-18 23:51:31 +03:00
|
|
|
}
|
|
|
|
|
2017-11-08 22:12:59 +03:00
|
|
|
boolean_t
|
|
|
|
dmu_objset_incompatible_encryption_version(objset_t *os)
|
|
|
|
{
|
|
|
|
return (dsl_dir_incompatible_encryption_version(
|
|
|
|
os->os_dsl_dataset->ds_dir));
|
|
|
|
}
|
|
|
|
|
2008-11-20 23:01:55 +03:00
|
|
|
void
|
|
|
|
dmu_objset_set_user(objset_t *os, void *user_ptr)
|
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
ASSERT(MUTEX_HELD(&os->os_user_ptr_lock));
|
|
|
|
os->os_user_ptr = user_ptr;
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
void *
|
|
|
|
dmu_objset_get_user(objset_t *os)
|
|
|
|
{
|
2010-05-29 00:45:14 +04:00
|
|
|
ASSERT(MUTEX_HELD(&os->os_user_ptr_lock));
|
|
|
|
return (os->os_user_ptr);
|
2008-11-20 23:01:55 +03:00
|
|
|
}
|
2010-08-26 22:49:16 +04:00
|
|
|
|
2013-09-04 16:00:57 +04:00
|
|
|
/*
|
|
|
|
* Determine name of filesystem, given name of snapshot.
|
2016-06-16 00:28:36 +03:00
|
|
|
* buf must be at least ZFS_MAX_DATASET_NAME_LEN bytes
|
2013-09-04 16:00:57 +04:00
|
|
|
*/
|
|
|
|
int
|
|
|
|
dmu_fsname(const char *snapname, char *buf)
|
|
|
|
{
|
|
|
|
char *atp = strchr(snapname, '@');
|
|
|
|
if (atp == NULL)
|
2013-03-08 22:41:28 +04:00
|
|
|
return (SET_ERROR(EINVAL));
|
2016-06-16 00:28:36 +03:00
|
|
|
if (atp - snapname >= ZFS_MAX_DATASET_NAME_LEN)
|
2013-03-08 22:41:28 +04:00
|
|
|
return (SET_ERROR(ENAMETOOLONG));
|
2013-09-04 16:00:57 +04:00
|
|
|
(void) strlcpy(buf, snapname, atp - snapname + 1);
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
OpenZFS 7793 - ztest fails assertion in dmu_tx_willuse_space
Reviewed by: Steve Gonczi <steve.gonczi@delphix.com>
Reviewed by: George Wilson <george.wilson@delphix.com>
Reviewed by: Pavel Zakharov <pavel.zakharov@delphix.com>
Ported-by: Brian Behlendorf <behlendorf1@llnl.gov>
Background information: This assertion about tx_space_* verifies that we
are not dirtying more stuff than we thought we would. We “need” to know
how much we will dirty so that we can check if we should fail this
transaction with ENOSPC/EDQUOT, in dmu_tx_assign(). While the
transaction is open (i.e. between dmu_tx_assign() and dmu_tx_commit() —
typically less than a millisecond), we call dbuf_dirty() on the exact
blocks that will be modified. Once this happens, the temporary
accounting in tx_space_* is unnecessary, because we know exactly what
blocks are newly dirtied; we call dnode_willuse_space() to track this
more exact accounting.
The fundamental problem causing this bug is that dmu_tx_hold_*() relies
on the current state in the DMU (e.g. dn_nlevels) to predict how much
will be dirtied by this transaction, but this state can change before we
actually perform the transaction (i.e. call dbuf_dirty()).
This bug will be fixed by removing the assertion that the tx_space_*
accounting is perfectly accurate (i.e. we never dirty more than was
predicted by dmu_tx_hold_*()). By removing the requirement that this
accounting be perfectly accurate, we can also vastly simplify it, e.g.
removing most of the logic in dmu_tx_count_*().
The new tx space accounting will be very approximate, and may be more or
less than what is actually dirtied. It will still be used to determine
if this transaction will put us over quota. Transactions that are marked
by dmu_tx_mark_netfree() will be excepted from this check. We won’t make
an attempt to determine how much space will be freed by the transaction
— this was rarely accurate enough to determine if a transaction should
be permitted when we are over quota, which is why dmu_tx_mark_netfree()
was introduced in 2014.
We also won’t attempt to give “credit” when overwriting existing blocks,
if those blocks may be freed. This allows us to remove the
do_free_accounting logic in dbuf_dirty(), and associated routines. This
logic attempted to predict what will be on disk when this txg syncs, to
know if the overwritten block will be freed (i.e. exists, and has no
snapshots).
OpenZFS-issue: https://www.illumos.org/issues/7793
OpenZFS-commit: https://github.com/openzfs/openzfs/commit/3704e0a
Upstream bugs: DLPX-32883a
Closes #5804
Porting notes:
- DNODE_SIZE replaced with DNODE_MIN_SIZE in dmu_tx_count_dnode(),
Using the default dnode size would be slightly better.
- DEBUG_DMU_TX wrappers and configure option removed.
- Resolved _by_dnode() conflicts these changes have not yet been
applied to OpenZFS.
2017-03-07 20:51:59 +03:00
|
|
|
/*
|
|
|
|
* Call when we think we're going to write/free space in open context to track
|
|
|
|
* the amount of dirty data in the open txg, which is also the amount
|
|
|
|
* of memory that can not be evicted until this txg syncs.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
dmu_objset_willuse_space(objset_t *os, int64_t space, dmu_tx_t *tx)
|
|
|
|
{
|
|
|
|
dsl_dataset_t *ds = os->os_dsl_dataset;
|
|
|
|
int64_t aspace = spa_get_worst_case_asize(os->os_spa, space);
|
|
|
|
|
|
|
|
if (ds != NULL) {
|
|
|
|
dsl_dir_willuse_space(ds->ds_dir, aspace, tx);
|
|
|
|
dsl_pool_dirty_space(dmu_tx_pool(tx), space, tx);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2010-08-26 22:49:16 +04:00
|
|
|
#if defined(_KERNEL) && defined(HAVE_SPL)
|
2012-04-05 00:46:55 +04:00
|
|
|
EXPORT_SYMBOL(dmu_objset_zil);
|
2010-08-26 22:49:16 +04:00
|
|
|
EXPORT_SYMBOL(dmu_objset_pool);
|
2012-04-05 00:46:55 +04:00
|
|
|
EXPORT_SYMBOL(dmu_objset_ds);
|
|
|
|
EXPORT_SYMBOL(dmu_objset_type);
|
2010-08-26 22:49:16 +04:00
|
|
|
EXPORT_SYMBOL(dmu_objset_name);
|
|
|
|
EXPORT_SYMBOL(dmu_objset_hold);
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
EXPORT_SYMBOL(dmu_objset_hold_flags);
|
2010-08-26 22:49:16 +04:00
|
|
|
EXPORT_SYMBOL(dmu_objset_own);
|
|
|
|
EXPORT_SYMBOL(dmu_objset_rele);
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
EXPORT_SYMBOL(dmu_objset_rele_flags);
|
2010-08-26 22:49:16 +04:00
|
|
|
EXPORT_SYMBOL(dmu_objset_disown);
|
|
|
|
EXPORT_SYMBOL(dmu_objset_from_ds);
|
|
|
|
EXPORT_SYMBOL(dmu_objset_create);
|
|
|
|
EXPORT_SYMBOL(dmu_objset_clone);
|
|
|
|
EXPORT_SYMBOL(dmu_objset_stats);
|
|
|
|
EXPORT_SYMBOL(dmu_objset_fast_stat);
|
2011-01-22 01:35:41 +03:00
|
|
|
EXPORT_SYMBOL(dmu_objset_spa);
|
2010-08-26 22:49:16 +04:00
|
|
|
EXPORT_SYMBOL(dmu_objset_space);
|
|
|
|
EXPORT_SYMBOL(dmu_objset_fsid_guid);
|
|
|
|
EXPORT_SYMBOL(dmu_objset_find);
|
|
|
|
EXPORT_SYMBOL(dmu_objset_byteswap);
|
|
|
|
EXPORT_SYMBOL(dmu_objset_evict_dbufs);
|
|
|
|
EXPORT_SYMBOL(dmu_objset_snap_cmtime);
|
Implement large_dnode pool feature
Justification
-------------
This feature adds support for variable length dnodes. Our motivation is
to eliminate the overhead associated with using spill blocks. Spill
blocks are used to store system attribute data (i.e. file metadata) that
does not fit in the dnode's bonus buffer. By allowing a larger bonus
buffer area the use of a spill block can be avoided. Spill blocks
potentially incur an additional read I/O for every dnode in a dnode
block. As a worst case example, reading 32 dnodes from a 16k dnode block
and all of the spill blocks could issue 33 separate reads. Now suppose
those dnodes have size 1024 and therefore don't need spill blocks. Then
the worst case number of blocks read is reduced to from 33 to two--one
per dnode block. In practice spill blocks may tend to be co-located on
disk with the dnode blocks so the reduction in I/O would not be this
drastic. In a badly fragmented pool, however, the improvement could be
significant.
ZFS-on-Linux systems that make heavy use of extended attributes would
benefit from this feature. In particular, ZFS-on-Linux supports the
xattr=sa dataset property which allows file extended attribute data
to be stored in the dnode bonus buffer as an alternative to the
traditional directory-based format. Workloads such as SELinux and the
Lustre distributed filesystem often store enough xattr data to force
spill bocks when xattr=sa is in effect. Large dnodes may therefore
provide a performance benefit to such systems.
Other use cases that may benefit from this feature include files with
large ACLs and symbolic links with long target names. Furthermore,
this feature may be desirable on other platforms in case future
applications or features are developed that could make use of a
larger bonus buffer area.
Implementation
--------------
The size of a dnode may be a multiple of 512 bytes up to the size of
a dnode block (currently 16384 bytes). A dn_extra_slots field was
added to the current on-disk dnode_phys_t structure to describe the
size of the physical dnode on disk. The 8 bits for this field were
taken from the zero filled dn_pad2 field. The field represents how
many "extra" dnode_phys_t slots a dnode consumes in its dnode block.
This convention results in a value of 0 for 512 byte dnodes which
preserves on-disk format compatibility with older software.
Similarly, the in-memory dnode_t structure has a new dn_num_slots field
to represent the total number of dnode_phys_t slots consumed on disk.
Thus dn->dn_num_slots is 1 greater than the corresponding
dnp->dn_extra_slots. This difference in convention was adopted
because, unlike on-disk structures, backward compatibility is not a
concern for in-memory objects, so we used a more natural way to
represent size for a dnode_t.
The default size for newly created dnodes is determined by the value of
a new "dnodesize" dataset property. By default the property is set to
"legacy" which is compatible with older software. Setting the property
to "auto" will allow the filesystem to choose the most suitable dnode
size. Currently this just sets the default dnode size to 1k, but future
code improvements could dynamically choose a size based on observed
workload patterns. Dnodes of varying sizes can coexist within the same
dataset and even within the same dnode block. For example, to enable
automatically-sized dnodes, run
# zfs set dnodesize=auto tank/fish
The user can also specify literal values for the dnodesize property.
These are currently limited to powers of two from 1k to 16k. The
power-of-2 limitation is only for simplicity of the user interface.
Internally the implementation can handle any multiple of 512 up to 16k,
and consumers of the DMU API can specify any legal dnode value.
The size of a new dnode is determined at object allocation time and
stored as a new field in the znode in-memory structure. New DMU
interfaces are added to allow the consumer to specify the dnode size
that a newly allocated object should use. Existing interfaces are
unchanged to avoid having to update every call site and to preserve
compatibility with external consumers such as Lustre. The new
interfaces names are given below. The versions of these functions that
don't take a dnodesize parameter now just call the _dnsize() versions
with a dnodesize of 0, which means use the legacy dnode size.
New DMU interfaces:
dmu_object_alloc_dnsize()
dmu_object_claim_dnsize()
dmu_object_reclaim_dnsize()
New ZAP interfaces:
zap_create_dnsize()
zap_create_norm_dnsize()
zap_create_flags_dnsize()
zap_create_claim_norm_dnsize()
zap_create_link_dnsize()
The constant DN_MAX_BONUSLEN is renamed to DN_OLD_MAX_BONUSLEN. The
spa_maxdnodesize() function should be used to determine the maximum
bonus length for a pool.
These are a few noteworthy changes to key functions:
* The prototype for dnode_hold_impl() now takes a "slots" parameter.
When the DNODE_MUST_BE_FREE flag is set, this parameter is used to
ensure the hole at the specified object offset is large enough to
hold the dnode being created. The slots parameter is also used
to ensure a dnode does not span multiple dnode blocks. In both of
these cases, if a failure occurs, ENOSPC is returned. Keep in mind,
these failure cases are only possible when using DNODE_MUST_BE_FREE.
If the DNODE_MUST_BE_ALLOCATED flag is set, "slots" must be 0.
dnode_hold_impl() will check if the requested dnode is already
consumed as an extra dnode slot by an large dnode, in which case
it returns ENOENT.
* The function dmu_object_alloc() advances to the next dnode block
if dnode_hold_impl() returns an error for a requested object.
This is because the beginning of the next dnode block is the only
location it can safely assume to either be a hole or a valid
starting point for a dnode.
* dnode_next_offset_level() and other functions that iterate
through dnode blocks may no longer use a simple array indexing
scheme. These now use the current dnode's dn_num_slots field to
advance to the next dnode in the block. This is to ensure we
properly skip the current dnode's bonus area and don't interpret it
as a valid dnode.
zdb
---
The zdb command was updated to display a dnode's size under the
"dnsize" column when the object is dumped.
For ZIL create log records, zdb will now display the slot count for
the object.
ztest
-----
Ztest chooses a random dnodesize for every newly created object. The
random distribution is more heavily weighted toward small dnodes to
better simulate real-world datasets.
Unused bonus buffer space is filled with non-zero values computed from
the object number, dataset id, offset, and generation number. This
helps ensure that the dnode traversal code properly skips the interior
regions of large dnodes, and that these interior regions are not
overwritten by data belonging to other dnodes. A new test visits each
object in a dataset. It verifies that the actual dnode size matches what
was stored in the ztest block tag when it was created. It also verifies
that the unused bonus buffer space is filled with the expected data
patterns.
ZFS Test Suite
--------------
Added six new large dnode-specific tests, and integrated the dnodesize
property into existing tests for zfs allow and send/recv.
Send/Receive
------------
ZFS send streams for datasets containing large dnodes cannot be received
on pools that don't support the large_dnode feature. A send stream with
large dnodes sets a DMU_BACKUP_FEATURE_LARGE_DNODE flag which will be
unrecognized by an incompatible receiving pool so that the zfs receive
will fail gracefully.
While not implemented here, it may be possible to generate a
backward-compatible send stream from a dataset containing large
dnodes. The implementation may be tricky, however, because the send
object record for a large dnode would need to be resized to a 512
byte dnode, possibly kicking in a spill block in the process. This
means we would need to construct a new SA layout and possibly
register it in the SA layout object. The SA layout is normally just
sent as an ordinary object record. But if we are constructing new
layouts while generating the send stream we'd have to build the SA
layout object dynamically and send it at the end of the stream.
For sending and receiving between pools that do support large dnodes,
the drr_object send record type is extended with a new field to store
the dnode slot count. This field was repurposed from unused padding
in the structure.
ZIL Replay
----------
The dnode slot count is stored in the uppermost 8 bits of the lr_foid
field. The bits were unused as the object id is currently capped at
48 bits.
Resizing Dnodes
---------------
It should be possible to resize a dnode when it is dirtied if the
current dnodesize dataset property differs from the dnode's size, but
this functionality is not currently implemented. Clearly a dnode can
only grow if there are sufficient contiguous unused slots in the
dnode block, but it should always be possible to shrink a dnode.
Growing dnodes may be useful to reduce fragmentation in a pool with
many spill blocks in use. Shrinking dnodes may be useful to allow
sending a dataset to a pool that doesn't support the large_dnode
feature.
Feature Reference Counting
--------------------------
The reference count for the large_dnode pool feature tracks the
number of datasets that have ever contained a dnode of size larger
than 512 bytes. The first time a large dnode is created in a dataset
the dataset is converted to an extensible dataset. This is a one-way
operation and the only way to decrement the feature count is to
destroy the dataset, even if the dataset no longer contains any large
dnodes. The complexity of reference counting on a per-dnode basis was
too high, so we chose to track it on a per-dataset basis similarly to
the large_block feature.
Signed-off-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #3542
2016-03-17 04:25:34 +03:00
|
|
|
EXPORT_SYMBOL(dmu_objset_dnodesize);
|
2010-08-26 22:49:16 +04:00
|
|
|
|
|
|
|
EXPORT_SYMBOL(dmu_objset_sync);
|
|
|
|
EXPORT_SYMBOL(dmu_objset_is_dirty);
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 20:36:48 +03:00
|
|
|
EXPORT_SYMBOL(dmu_objset_create_impl_dnstats);
|
2010-08-26 22:49:16 +04:00
|
|
|
EXPORT_SYMBOL(dmu_objset_create_impl);
|
|
|
|
EXPORT_SYMBOL(dmu_objset_open_impl);
|
|
|
|
EXPORT_SYMBOL(dmu_objset_evict);
|
|
|
|
EXPORT_SYMBOL(dmu_objset_register_type);
|
|
|
|
EXPORT_SYMBOL(dmu_objset_do_userquota_updates);
|
|
|
|
EXPORT_SYMBOL(dmu_objset_userquota_get_ids);
|
|
|
|
EXPORT_SYMBOL(dmu_objset_userused_enabled);
|
|
|
|
EXPORT_SYMBOL(dmu_objset_userspace_upgrade);
|
|
|
|
EXPORT_SYMBOL(dmu_objset_userspace_present);
|
2016-10-04 21:46:10 +03:00
|
|
|
EXPORT_SYMBOL(dmu_objset_userobjused_enabled);
|
|
|
|
EXPORT_SYMBOL(dmu_objset_userobjspace_upgrade);
|
2016-11-10 00:51:12 +03:00
|
|
|
EXPORT_SYMBOL(dmu_objset_userobjspace_upgradable);
|
2016-10-04 21:46:10 +03:00
|
|
|
EXPORT_SYMBOL(dmu_objset_userobjspace_present);
|
2010-08-26 22:49:16 +04:00
|
|
|
#endif
|