/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or https://opensource.org/licenses/CDDL-1.0.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
 * Copyright (c) 2012, 2018 by Delphix. All rights reserved.
 * Copyright (c) 2013 Martin Matuska. All rights reserved.
 * Copyright (c) 2014 Joyent, Inc. All rights reserved.
 * Copyright (c) 2014 Spectra Logic Corporation, All rights reserved.
 * Copyright (c) 2016 Actifio, Inc. All rights reserved.
 * Copyright (c) 2018, loli10K <ezomori.nozomu@gmail.com>. All rights reserved.
 */
#include <sys/dmu.h>
|
|
|
|
#include <sys/dmu_objset.h>
|
|
|
|
#include <sys/dmu_tx.h>
|
|
|
|
#include <sys/dsl_dataset.h>
|
|
|
|
#include <sys/dsl_dir.h>
|
|
|
|
#include <sys/dsl_prop.h>
|
|
|
|
#include <sys/dsl_synctask.h>
|
|
|
|
#include <sys/dsl_deleg.h>
|
2013-10-08 21:13:05 +04:00
|
|
|
#include <sys/dmu_impl.h>
|
2008-11-20 23:01:55 +03:00
|
|
|
#include <sys/spa.h>
|
2017-11-08 22:12:59 +03:00
|
|
|
#include <sys/spa_impl.h>
|
2010-05-29 00:45:14 +04:00
|
|
|
#include <sys/metaslab.h>
|
2008-11-20 23:01:55 +03:00
|
|
|
#include <sys/zap.h>
|
|
|
|
#include <sys/zio.h>
|
|
|
|
#include <sys/arc.h>
|
|
|
|
#include <sys/sunddi.h>
|
2015-04-01 16:07:48 +03:00
|
|
|
#include <sys/zfeature.h>
|
|
|
|
#include <sys/policy.h>
|
2020-09-02 02:14:16 +03:00
|
|
|
#include <sys/zfs_vfsops.h>
|
2015-04-01 16:07:48 +03:00
|
|
|
#include <sys/zfs_znode.h>
|
2013-12-07 02:20:22 +04:00
|
|
|
#include <sys/zvol.h>
|
2019-07-26 20:54:14 +03:00
|
|
|
#include <sys/zthr.h>
|
2008-11-20 23:01:55 +03:00
|
|
|
#include "zfs_namecheck.h"
|
2015-04-01 16:07:48 +03:00
|
|
|
#include "zfs_prop.h"
/*
 * Whether the space-quota check is applied to ZVOLs.
 *
 * Quotas are not implemented for ZVOLs: a volume's size already bounds the
 * space it can consume, so a separate quota adds nothing, while the quota
 * mechanism itself can introduce a significant performance drop.  Defaults
 * to enforcing (B_TRUE).  Presumably exposed as a module tunable elsewhere
 * in this file — confirm.
 */
static int zvol_enforce_quotas = B_TRUE;
/*
 * Filesystem and Snapshot Limits
 * ------------------------------
 *
 * These limits are used to restrict the number of filesystems and/or snapshots
 * that can be created at a given level in the tree or below. A typical
 * use-case is with a delegated dataset where the administrator wants to ensure
 * that a user within the zone is not creating too many additional filesystems
 * or snapshots, even though they're not exceeding their space quota.
 *
 * The filesystem and snapshot counts are stored as extensible properties. This
 * capability is controlled by a feature flag and must be enabled to be used.
 * Once enabled, the feature is not active until the first limit is set. At
 * that point, future operations to create/destroy filesystems or snapshots
 * will validate and update the counts.
 *
 * Because the count properties will not exist before the feature is active,
 * the counts are updated when a limit is first set on an uninitialized
 * dsl_dir node in the tree (The filesystem/snapshot count on a node includes
 * all of the nested filesystems/snapshots. Thus, a new leaf node has a
 * filesystem count of 0 and a snapshot count of 0. Non-existent filesystem and
 * snapshot count properties on a node indicate uninitialized counts on that
 * node.) When first setting a limit on an uninitialized node, the code starts
 * at the filesystem with the new limit and descends into all sub-filesystems
 * to add the count properties.
 *
 * In practice this is lightweight since a limit is typically set when the
 * filesystem is created and thus has no children. Once valid, changing the
 * limit value won't require a re-traversal since the counts are already valid.
 * When recursively fixing the counts, if a node with a limit is encountered
 * during the descent, the counts are known to be valid and there is no need to
 * descend into that filesystem's children. The counts on filesystems above the
 * one with the new limit will still be uninitialized, unless a limit is
 * eventually set on one of those filesystems. The counts are always recursively
 * updated when a limit is set on a dataset, unless there is already a limit.
 * When a new limit value is set on a filesystem with an existing limit, it is
 * possible for the new limit to be less than the current count at that level
 * since a user who can change the limit is also allowed to exceed the limit.
 *
 * Once the feature is active, then whenever a filesystem or snapshot is
 * created, the code recurses up the tree, validating the new count against the
 * limit at each initialized level. In practice, most levels will not have a
 * limit set. If there is a limit at any initialized level up the tree, the
 * check must pass or the creation will fail. Likewise, when a filesystem or
 * snapshot is destroyed, the counts are recursively adjusted all the way up
 * the initialized nodes in the tree. Renaming a filesystem to a different point
 * in the tree will first validate, then update the counts on each branch up to
 * the common ancestor. A receive will also validate the counts and then update
 * them.
 *
 * An exception to the above behavior is that the limit is not enforced if the
 * user has permission to modify the limit. This is primarily so that
 * recursive snapshots in the global zone always work. We want to prevent a
 * denial-of-service in which a lower level delegated dataset could max out its
 * limit and thus block recursive snapshots from being taken in the global zone.
 * Because of this, it is possible for the snapshot count to be over the limit
 * and snapshots taken in the global zone could cause a lower level dataset to
 * hit or exceed its limit. The administrator taking the global zone recursive
 * snapshot should be aware of this side-effect and behave accordingly.
 * For consistency, the filesystem limit is also not enforced if the user can
 * modify the limit.
 *
 * The filesystem and snapshot limits are validated by dsl_fs_ss_limit_check()
 * and updated by dsl_fs_ss_count_adjust(). A new limit value is set up in
 * dsl_dir_activate_fs_ss_limit() and the counts are adjusted, if necessary, by
 * dsl_dir_init_fs_ss_count().
 */
/* Forward declaration; the definition is later in this file. */
static uint64_t dsl_dir_space_towrite(dsl_dir_t *dd);
/*
 * Argument block handed to a dsl_dir sync task.  The task itself is not in
 * view here; from the name it presumably records a "last remap txg" on the
 * dsl_dir — confirm against its caller.
 */
typedef struct ddulrt_arg {
	dsl_dir_t *ddulrta_dd;	/* dsl_dir being updated */
	uint64_t ddlrta_txg;	/* txg to record; note the prefix differs */
} ddulrt_arg_t;
/*
 * dbuf user-eviction callback for a dsl_dir_t (registered via
 * dmu_buf_init_user() in dsl_dir_hold_obj()).  Runs when the bonus dbuf that
 * backs dd is evicted: it releases the parent and spa references using the
 * async APIs, closes the livelist if open, and frees dd.
 *
 * dbu: the dmu_buf_user_t embedded in the dsl_dir_t being evicted.
 */
static void
dsl_dir_evict_async(void *dbu)
{
	dsl_dir_t *dd = dbu;
	dsl_pool_t *dp __maybe_unused = dd->dd_pool;

	/* The backing dbuf is going away; nobody may reach it through dd. */
	dd->dd_dbuf = NULL;

	/* An evicted dir must have no pending dirty or reserved state. */
	for (int txg = 0; txg < TXG_SIZE; txg++) {
		ASSERT(!txg_list_member(&dp->dp_dirty_dirs, dd, txg));
		ASSERT(dd->dd_tempreserved[txg] == 0);
		ASSERT(dd->dd_space_towrite[txg] == 0);
	}

	/* Eviction context: release references through the async APIs. */
	if (dd->dd_parent != NULL) {
		dsl_dir_async_rele(dd->dd_parent, dd);
	}
	spa_async_close(dp->dp_spa, dd);

	if (dsl_deadlist_is_open(&dd->dd_livelist)) {
		dsl_dir_livelist_close(dd);
	}

	dsl_prop_fini(dd);
	cv_destroy(&dd->dd_activity_cv);
	mutex_destroy(&dd->dd_activity_lock);
	mutex_destroy(&dd->dd_lock);
	kmem_free(dd, sizeof (dsl_dir_t));
}
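/*
 * Tear down a dsl_dir_t that was built by dsl_dir_hold_obj() but never
 * published as the dbuf's user — either because another thread won the
 * race to install one, or because initialization failed part-way.
 *
 * This is the same sequence as the tail of dsl_dir_evict_async(), except
 * that the parent is released synchronously.  Keeping it in one place means
 * a field added to the dsl_dir_t only needs its teardown written once for
 * both the lost-race and the error path.  The caller still owns the bonus
 * dbuf hold and must release it itself.
 */
static void
dsl_dir_free_unpublished(dsl_dir_t *dd)
{
	if (dd->dd_parent)
		dsl_dir_rele(dd->dd_parent, dd);
	if (dsl_deadlist_is_open(&dd->dd_livelist))
		dsl_dir_livelist_close(dd);
	dsl_prop_fini(dd);
	cv_destroy(&dd->dd_activity_cv);
	mutex_destroy(&dd->dd_activity_lock);
	mutex_destroy(&dd->dd_lock);
	kmem_free(dd, sizeof (dsl_dir_t));
}

/*
 * Hold the dsl_dir_t for MOS object ddobj, instantiating it from its bonus
 * buffer on first use.
 *
 * dp:    the pool; the caller must hold the pool config lock.
 * ddobj: object number of the DMU_OT_DSL_DIR object.
 * tail:  this directory's own name when the caller knows it, or NULL to
 *        recover it by reverse lookup in the parent's child-dir ZAP.  It is
 *        not consulted for the root dir, which is named after the pool.
 * tag:   hold tag for both the bonus dbuf and the spa reference; release
 *        with dsl_dir_rele(dd, tag).
 * ddp:   on success, receives the held dsl_dir_t.
 *
 * Returns 0 on success.  Otherwise returns the error from dmu_bonus_hold(),
 * from holding the parent, from the name lookup, or from a MOS ZAP lookup
 * (an absent optional field, ENOENT, is not treated as an error), with no
 * holds left behind.
 */
int
dsl_dir_hold_obj(dsl_pool_t *dp, uint64_t ddobj,
    const char *tail, const void *tag, dsl_dir_t **ddp)
{
	dmu_buf_t *dbuf;
	dsl_dir_t *dd;
	dmu_object_info_t doi;
	int err;

	ASSERT(dsl_pool_config_held(dp));

	err = dmu_bonus_hold(dp->dp_meta_objset, ddobj, tag, &dbuf);
	if (err != 0)
		return (err);
	dd = dmu_buf_get_user(dbuf);

	dmu_object_info_from_db(dbuf, &doi);
	ASSERT3U(doi.doi_bonus_type, ==, DMU_OT_DSL_DIR);
	ASSERT3U(doi.doi_bonus_size, >=, sizeof (dsl_dir_phys_t));

	if (dd == NULL) {
		dsl_dir_t *winner;

		dd = kmem_zalloc(sizeof (dsl_dir_t), KM_SLEEP);
		dd->dd_object = ddobj;
		dd->dd_dbuf = dbuf;
		dd->dd_pool = dp;

		mutex_init(&dd->dd_lock, NULL, MUTEX_DEFAULT, NULL);
		mutex_init(&dd->dd_activity_lock, NULL, MUTEX_DEFAULT, NULL);
		cv_init(&dd->dd_activity_cv, NULL, CV_DEFAULT, NULL);
		dsl_prop_init(dd);

		/*
		 * Optional crypto key object.  ENOENT simply means the
		 * field is absent (presumably an unencrypted dir); any
		 * other lookup error is fatal.
		 */
		if (dsl_dir_is_zapified(dd)) {
			err = zap_lookup(dp->dp_meta_objset,
			    ddobj, DD_FIELD_CRYPTO_KEY_OBJ,
			    sizeof (uint64_t), 1, &dd->dd_crypto_obj);
			if (err == 0) {
				/* check for on-disk format errata */
				if (dsl_dir_incompatible_encryption_version(
				    dd)) {
					dp->dp_spa->spa_errata =
					    ZPOOL_ERRATA_ZOL_6845_ENCRYPTION;
				}
			} else if (err != ENOENT) {
				goto errout;
			}
		}

		if (dsl_dir_phys(dd)->dd_parent_obj) {
			err = dsl_dir_hold_obj(dp,
			    dsl_dir_phys(dd)->dd_parent_obj, NULL, dd,
			    &dd->dd_parent);
			if (err != 0)
				goto errout;
			if (tail) {
#ifdef ZFS_DEBUG
				uint64_t foundobj;

				/*
				 * Cross-check the caller-supplied name against
				 * the parent's child-dir ZAP.  NOTE(review): a
				 * failed lookup here leaves err set, and the
				 * "if (err != 0)" below then returns it, so
				 * debug and non-debug builds can behave
				 * differently on a stale name — confirm this
				 * strictness is intended.
				 */
				err = zap_lookup(dp->dp_meta_objset,
				    dsl_dir_phys(dd->dd_parent)->
				    dd_child_dir_zapobj, tail,
				    sizeof (foundobj), 1, &foundobj);
				ASSERT(err || foundobj == ddobj);
#endif
				(void) strlcpy(dd->dd_myname, tail,
				    sizeof (dd->dd_myname));
			} else {
				/* Name not supplied: recover it from the parent's ZAP. */
				err = zap_value_search(dp->dp_meta_objset,
				    dsl_dir_phys(dd->dd_parent)->
				    dd_child_dir_zapobj,
				    ddobj, 0, dd->dd_myname);
			}
			if (err != 0)
				goto errout;
		} else {
			/* The root dsl_dir is named after the pool. */
			(void) strlcpy(dd->dd_myname, spa_name(dp->dp_spa),
			    sizeof (dd->dd_myname));
		}

		if (dsl_dir_is_clone(dd)) {
			dmu_buf_t *origin_bonus;
			dsl_dataset_phys_t *origin_phys;

			/*
			 * We can't open the origin dataset, because
			 * that would require opening this dsl_dir.
			 * Just look at its phys directly instead.
			 */
			err = dmu_bonus_hold(dp->dp_meta_objset,
			    dsl_dir_phys(dd)->dd_origin_obj, FTAG,
			    &origin_bonus);
			if (err != 0)
				goto errout;
			origin_phys = origin_bonus->db_data;
			dd->dd_origin_txg =
			    origin_phys->ds_creation_txg;
			dmu_buf_rele(origin_bonus, FTAG);

			/* Optional livelist; ENOENT means none, else fatal. */
			if (dsl_dir_is_zapified(dd)) {
				uint64_t obj;
				err = zap_lookup(dp->dp_meta_objset,
				    dd->dd_object, DD_FIELD_LIVELIST,
				    sizeof (uint64_t), 1, &obj);
				if (err == 0)
					dsl_dir_livelist_open(dd, obj);
				else if (err != ENOENT)
					goto errout;
			}
		}

		if (dsl_dir_is_zapified(dd)) {
			inode_timespec_t t = {0};
			/*
			 * Best-effort: the lookup result is deliberately
			 * ignored, so when the field is absent
			 * dd_snap_cmtime presumably stays at its zero
			 * initializer.
			 */
			(void) zap_lookup(dp->dp_meta_objset, ddobj,
			    DD_FIELD_SNAPSHOTS_CHANGED,
			    sizeof (uint64_t),
			    sizeof (inode_timespec_t) / sizeof (uint64_t),
			    &t);
			dd->dd_snap_cmtime = t;
		}

		/*
		 * Publish dd as the dbuf's user.  If another thread got
		 * there first, discard ours and adopt theirs; otherwise
		 * take the instantiate-to-evict spa hold (see below).
		 */
		dmu_buf_init_user(&dd->dd_dbu, NULL, dsl_dir_evict_async,
		    &dd->dd_dbuf);
		winner = dmu_buf_set_user_ie(dbuf, &dd->dd_dbu);
		if (winner != NULL) {
			dsl_dir_free_unpublished(dd);
			dd = winner;
		} else {
			spa_open_ref(dp->dp_spa, dd);
		}
	}

	/*
	 * The dsl_dir_t has both open-to-close and instantiate-to-evict
	 * holds on the spa. We need the open-to-close holds because
	 * otherwise the spa_refcnt wouldn't change when we open a
	 * dir which the spa also has open, so we could incorrectly
	 * think it was OK to unload/export/destroy the pool. We need
	 * the instantiate-to-evict hold because the dsl_dir_t has a
	 * pointer to the dd_pool, which has a pointer to the spa_t.
	 */
	spa_open_ref(dp->dp_spa, tag);
	ASSERT3P(dd->dd_pool, ==, dp);
	ASSERT3U(dd->dd_object, ==, ddobj);
	ASSERT3P(dd->dd_dbuf, ==, dbuf);
	*ddp = dd;
	return (0);

errout:
	/* dd was never published, so no eviction callback will run for it. */
	dsl_dir_free_unpublished(dd);
	dmu_buf_rele(dbuf, tag);
	return (err);
}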
/*
 * Release a hold taken with dsl_dir_hold_obj() (or another dsl_dir_hold
 * variant) under the same tag.  Drops the open-to-close spa reference and
 * then the bonus dbuf hold; dd must not be used afterwards, since releasing
 * the dbuf may trigger dsl_dir_evict_async() and free it.
 */
void
dsl_dir_rele(dsl_dir_t *dd, const void *tag)
{
	spa_t *spa = dd->dd_pool->dp_spa;
	dmu_buf_t *dbuf = dd->dd_dbuf;

	dprintf_dd(dd, "%s\n", "");
	/* spa reference first; the dbuf release may evict dd. */
	spa_close(spa, tag);
	dmu_buf_rele(dbuf, tag);
}
/*
 * Remove a reference to the given dsl dir that is being asynchronously
 * released.  Async releases occur from a taskq performing eviction of dsl
 * datasets and dirs.  Apart from using the async API to release the spa
 * reference, this is identical to dsl_dir_rele(): the spa reference is
 * dropped first, then the bonus dbuf hold.
 */
void
dsl_dir_async_rele(dsl_dir_t *dd, const void *tag)
{
	spa_t *spa = dd->dd_pool->dp_spa;
	dmu_buf_t *dbuf = dd->dd_dbuf;

	dprintf_dd(dd, "%s\n", "");
	spa_async_close(spa, tag);
	dmu_buf_rele(dbuf, tag);
}
/*
 * Write the full "/"-separated name of dd into buf.
 *
 * buf must be at least ZFS_MAX_DATASET_NAME_LEN bytes.  Every append is
 * bounded by strlcat() and VERIFYed to fit, so an over-long name is a hard
 * failure rather than a truncated or overrun buffer.  dd_myname is read
 * under dd_lock, which is taken here unless the caller already holds it.
 */
void
dsl_dir_name(dsl_dir_t *dd, char *buf)
{
	boolean_t already_held;

	/* Parent's path first, then "/" and our own name. */
	if (dd->dd_parent == NULL) {
		buf[0] = '\0';
	} else {
		dsl_dir_name(dd->dd_parent, buf);
		VERIFY3U(strlcat(buf, "/", ZFS_MAX_DATASET_NAME_LEN), <,
		    ZFS_MAX_DATASET_NAME_LEN);
	}

	/*
	 * dd_lock may already be held by the caller: dprintf_dd() uses
	 * this function while holding it, so only take it if we must.
	 */
	already_held = MUTEX_HELD(&dd->dd_lock);
	if (!already_held)
		mutex_enter(&dd->dd_lock);
	VERIFY3U(strlcat(buf, dd->dd_myname, ZFS_MAX_DATASET_NAME_LEN), <,
	    ZFS_MAX_DATASET_NAME_LEN);
	if (!already_held)
		mutex_exit(&dd->dd_lock);
}
/*
 * Return the length of the full name dsl_dir_name() would produce for dd,
 * without doing any of its strlcat() calls: the parent's length, plus one
 * for the "/" separator, plus the length of dd_myname.  dd_myname is read
 * under dd_lock unless the caller already holds it (see dsl_dir_name()).
 */
int
dsl_dir_namelen(dsl_dir_t *dd)
{
	int result;
	boolean_t already_held;

	/* Parent's name + 1 for the "/", or nothing for the root. */
	result = (dd->dd_parent != NULL) ?
	    dsl_dir_namelen(dd->dd_parent) + 1 : 0;

	already_held = MUTEX_HELD(&dd->dd_lock);
	if (!already_held)
		mutex_enter(&dd->dd_lock);
	result += strlen(dd->dd_myname);
	if (!already_held)
		mutex_exit(&dd->dd_lock);

	return (result);
}
/*
 * Split the leading component off a dataset path.
 *
 * Copies the first component of "path" (the text before the first '/' or
 * '@') into "component", which must be at least ZFS_MAX_DATASET_NAME_LEN
 * bytes, and sets *nextp to the remainder: the text after a '/', the '@'
 * itself when the next separator is a snapshot marker, or NULL when the
 * whole path was consumed.
 *
 * Returns 0 on success, ENOENT for a NULL/empty path, EINVAL for a
 * malformed path (doubled separators, a leading '/' , a '@' that is not the
 * final separator, or a '@' followed by nothing), and ENAMETOOLONG when the
 * component would not fit.  Every copy into "component" is length-checked
 * before it happens, so this function never writes past the buffer.
 */
static int
getcomponent(const char *path, char *component, const char **nextp)
{
	const char *sep;

	if (path == NULL || path[0] == '\0')
		return (SET_ERROR(ENOENT));

	/* This would be a good place to reserve some namespace... */
	sep = strpbrk(path, "/@");

	/* "a//b", "a@@b", "a/@b" and "a@/b" are all rejected here. */
	if (sep != NULL && (sep[1] == '/' || sep[1] == '@'))
		return (SET_ERROR(EINVAL));

	if (sep == NULL || sep == path) {
		/*
		 * Either the whole string is one component, or it starts
		 * with a separator.  In the latter case it must be a lone
		 * "@snapname": no further separators and a non-empty name.
		 */
		if (sep != NULL && (sep[0] != '@' || sep[1] == '\0' ||
		    strpbrk(path + 1, "/@") != NULL))
			return (SET_ERROR(EINVAL));
		if (strlen(path) >= ZFS_MAX_DATASET_NAME_LEN)
			return (SET_ERROR(ENAMETOOLONG));
		(void) strlcpy(component, path, ZFS_MAX_DATASET_NAME_LEN);
		*nextp = NULL;
		return (0);
	}

	switch (sep[0]) {
	case '/':
		if (sep - path >= ZFS_MAX_DATASET_NAME_LEN)
			return (SET_ERROR(ENAMETOOLONG));
		/* sep - path + 1 includes room for the NUL strlcpy writes. */
		(void) strlcpy(component, path, sep - path + 1);
		*nextp = sep + 1;
		break;
	case '@':
		/* A snapshot name is always last; no '/' may follow it. */
		if (strchr(path, '/') != NULL)
			return (SET_ERROR(EINVAL));
		if (sep - path >= ZFS_MAX_DATASET_NAME_LEN)
			return (SET_ERROR(ENAMETOOLONG));
		(void) strlcpy(component, path, sep - path + 1);
		*nextp = sep;
		break;
	default:
		panic("invalid p=%p", (void *)sep);
	}

	return (0);
}
/*
 * Look up the dsl_dir_t named by "name" in pool "dp" and return it held
 * with "tag" via *ddp.  The first component of "name" must be the pool's
 * own name (otherwise EXDEV).  The caller must hold the pool's
 * dp_config_rwlock.
 *
 * Resolution walks the child-dir ZAPs one component at a time.  When the
 * walk stops early, the unresolved remainder is returned in *tailp (if
 * tailp != NULL); (*tailp)[0] == '@' means the last component is a snapshot
 * name.  It is an error (ENOENT) if more than one component is left, or if
 * tailp == NULL and anything at all is left unresolved.
 *
 * Returns 0 on success (the hold is transferred to the caller via *ddp) or
 * an errno from getcomponent(), dsl_dir_hold_obj() or zap_lookup().  On
 * error no hold is retained and *ddp is left untouched.
 */
int
dsl_dir_hold(dsl_pool_t *dp, const char *name, const void *tag,
    dsl_dir_t **ddp, const char **tailp)
{
	char *buf;
	const char *spaname, *next, *nextnext = NULL;
	int err;
	dsl_dir_t *dd;
	uint64_t ddobj;

	/* Scratch space for one component; getcomponent() bounds every copy. */
	buf = kmem_alloc(ZFS_MAX_DATASET_NAME_LEN, KM_SLEEP);
	err = getcomponent(name, buf, &next);
	if (err != 0)
		goto error;

	/* Make sure the name is in the specified pool. */
	spaname = spa_name(dp->dp_spa);
	if (strcmp(buf, spaname) != 0) {
		err = SET_ERROR(EXDEV);
		goto error;
	}

	ASSERT(dsl_pool_config_held(dp));

	/* Start from the root dir; "dd" always carries exactly one hold. */
	err = dsl_dir_hold_obj(dp, dp->dp_root_dir_obj, NULL, tag, &dd);
	if (err != 0) {
		goto error;
	}

	while (next != NULL) {
		dsl_dir_t *child_dd;
		err = getcomponent(next, buf, &nextnext);
		if (err != 0)
			break;
		ASSERT(next[0] != '\0');
		/* A snapshot component ends the directory walk. */
		if (next[0] == '@')
			break;
		dprintf("looking up %s in obj%lld\n",
		    buf, (longlong_t)dsl_dir_phys(dd)->dd_child_dir_zapobj);

		err = zap_lookup(dp->dp_meta_objset,
		    dsl_dir_phys(dd)->dd_child_dir_zapobj,
		    buf, sizeof (ddobj), 1, &ddobj);
		if (err != 0) {
			/*
			 * A missing child is not a failure: "next" stays
			 * pointing at it and is reported through *tailp.
			 * Any other error propagates.
			 */
			if (err == ENOENT)
				err = 0;
			break;
		}

		err = dsl_dir_hold_obj(dp, ddobj, buf, tag, &child_dd);
		if (err != 0)
			break;
		/* Move the hold down one level: release parent, keep child. */
		dsl_dir_rele(dd, tag);
		dd = child_dd;
		next = nextnext;
	}

	if (err != 0) {
		dsl_dir_rele(dd, tag);
		goto error;
	}

	/*
	 * It's an error if there's more than one component left, or
	 * tailp==NULL and there's any component left.
	 */
	if (next != NULL &&
	    (tailp == NULL || (nextnext && nextnext[0] != '\0'))) {
		/* bad path name */
		dsl_dir_rele(dd, tag);
		dprintf("next=%p (%s) tail=%p\n", next, next?next:"", tailp);
		err = SET_ERROR(ENOENT);
	}
	if (tailp != NULL)
		*tailp = next;
	if (err == 0)
		*ddp = dd;
error:
	kmem_free(buf, ZFS_MAX_DATASET_NAME_LEN);
	return (err);
}
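/*
 * If the counts are already initialized for this filesystem and its
 * descendants then do nothing, otherwise initialize the counts.
 *
 * The counts on this filesystem, and those below, may be uninitialized due to
 * either the use of a pre-existing pool which did not support the
 * filesystem/snapshot limit feature, or one in which the feature had not yet
 * been enabled.
 *
 * Recursively descend the filesystem tree and update the filesystem/snapshot
 * counts on each filesystem below, then update the cumulative count on the
 * current filesystem. If the filesystem already has a count set on it,
 * then we know that its counts, and the counts on the filesystems below it,
 * are already correct, so we don't have to update this filesystem.
 *
 * Must be called from syncing context with the pool config lock held and
 * the FS_SS_LIMIT feature active.  The counts written here become the
 * authoritative baseline that dsl_fs_ss_limit_check() enforces against, so
 * an incomplete tally must never be persisted: a MOS read error while
 * iterating is treated as fatal (VERIFY) rather than as end-of-iteration.
 */
static void
dsl_dir_init_fs_ss_count(dsl_dir_t *dd, dmu_tx_t *tx)
{
	uint64_t my_fs_cnt = 0;
	uint64_t my_ss_cnt = 0;
	dsl_pool_t *dp = dd->dd_pool;
	objset_t *os = dp->dp_meta_objset;
	zap_cursor_t *zc;
	zap_attribute_t *za;
	dsl_dataset_t *ds;
	int err;

	ASSERT(spa_feature_is_active(dp->dp_spa, SPA_FEATURE_FS_SS_LIMIT));
	ASSERT(dsl_pool_config_held(dp));
	ASSERT(dmu_tx_is_syncing(tx));

	dsl_dir_zapify(dd, tx);

	/*
	 * If the filesystem count has already been initialized then we
	 * don't need to recurse down any further.
	 */
	if (zap_contains(os, dd->dd_object, DD_FIELD_FILESYSTEM_COUNT) == 0)
		return;

	zc = kmem_alloc(sizeof (zap_cursor_t), KM_SLEEP);
	za = kmem_alloc(sizeof (zap_attribute_t), KM_SLEEP);

	/* Iterate my child dirs */
	for (zap_cursor_init(zc, os, dsl_dir_phys(dd)->dd_child_dir_zapobj);
	    (err = zap_cursor_retrieve(zc, za)) == 0; zap_cursor_advance(zc)) {
		dsl_dir_t *chld_dd;
		uint64_t count;

		VERIFY0(dsl_dir_hold_obj(dp, za->za_first_integer, NULL, FTAG,
		    &chld_dd));

		/*
		 * Ignore hidden ($FREE, $MOS & $ORIGIN) objsets.
		 */
		if (chld_dd->dd_myname[0] == '$') {
			dsl_dir_rele(chld_dd, FTAG);
			continue;
		}

		my_fs_cnt++; /* count this child */

		/* Children are initialized first so their counts are readable. */
		dsl_dir_init_fs_ss_count(chld_dd, tx);

		VERIFY0(zap_lookup(os, chld_dd->dd_object,
		    DD_FIELD_FILESYSTEM_COUNT, sizeof (count), 1, &count));
		my_fs_cnt += count;
		VERIFY0(zap_lookup(os, chld_dd->dd_object,
		    DD_FIELD_SNAPSHOT_COUNT, sizeof (count), 1, &count));
		my_ss_cnt += count;

		dsl_dir_rele(chld_dd, FTAG);
	}
	/*
	 * ENOENT is the normal end-of-iteration result.  Anything else means
	 * the child-dir ZAP could not be read; silently treating that as
	 * "no more children" would persist an undercount as authoritative.
	 */
	VERIFY3U(err, ==, ENOENT);
	zap_cursor_fini(zc);

	/* Count my snapshots (we counted children's snapshots above) */
	VERIFY0(dsl_dataset_hold_obj(dd->dd_pool,
	    dsl_dir_phys(dd)->dd_head_dataset_obj, FTAG, &ds));

	for (zap_cursor_init(zc, os, dsl_dataset_phys(ds)->ds_snapnames_zapobj);
	    (err = zap_cursor_retrieve(zc, za)) == 0;
	    zap_cursor_advance(zc)) {
		/* Don't count temporary snapshots */
		if (za->za_name[0] != '%')
			my_ss_cnt++;
	}
	/* Same reasoning as above: a read error must not produce a count. */
	VERIFY3U(err, ==, ENOENT);
	zap_cursor_fini(zc);

	dsl_dataset_rele(ds, FTAG);

	kmem_free(zc, sizeof (zap_cursor_t));
	kmem_free(za, sizeof (zap_attribute_t));

	/* we're in a sync task, update counts */
	dmu_buf_will_dirty(dd->dd_dbuf, tx);
	VERIFY0(zap_add(os, dd->dd_object, DD_FIELD_FILESYSTEM_COUNT,
	    sizeof (my_fs_cnt), 1, &my_fs_cnt, tx));
	VERIFY0(zap_add(os, dd->dd_object, DD_FIELD_SNAPSHOT_COUNT,
	    sizeof (my_ss_cnt), 1, &my_ss_cnt, tx));
}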
/*
 * Check function for the "activate filesystem/snapshot limits" sync task.
 * arg is the dataset name.
 *
 * Returns the error from dsl_dataset_hold() if the dataset can't be held,
 * ENOTSUP if the FS_SS_LIMIT feature is not enabled on the pool, EALREADY
 * if the feature is active and this dir already carries an initialized
 * filesystem count (so the sync func has nothing to do), otherwise 0.
 */
static int
dsl_dir_actv_fs_ss_limit_check(void *arg, dmu_tx_t *tx)
{
	const char *ddname = arg;
	dsl_pool_t *dp = dmu_tx_pool(tx);
	dsl_dataset_t *ds;
	int err;

	err = dsl_dataset_hold(dp, ddname, FTAG, &ds);
	if (err != 0)
		return (err);

	if (!spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_FS_SS_LIMIT)) {
		err = SET_ERROR(ENOTSUP);
	} else {
		dsl_dir_t *dd = ds->ds_dir;
		boolean_t already_counted =
		    spa_feature_is_active(dp->dp_spa, SPA_FEATURE_FS_SS_LIMIT) &&
		    dsl_dir_is_zapified(dd) &&
		    zap_contains(dp->dp_meta_objset, dd->dd_object,
		    DD_FIELD_FILESYSTEM_COUNT) == 0;

		/* Counts already initialized below this point: nothing to do. */
		if (already_counted)
			err = SET_ERROR(EALREADY);
	}

	dsl_dataset_rele(ds, FTAG);
	return (err);
}
/*
 * Sync function for the "activate filesystem/snapshot limits" sync task.
 * arg is the dataset name, already validated by the check function.
 *
 * Makes the FS_SS_LIMIT feature active if this is the first limit ever set
 * on the pool, then initializes the on-disk counts for this dir and every
 * descendant so that a finite limit has accurate numbers to enforce against.
 */
static void
dsl_dir_actv_fs_ss_limit_sync(void *arg, dmu_tx_t *tx)
{
	const char *ddname = arg;
	dsl_pool_t *dp = dmu_tx_pool(tx);
	dsl_dataset_t *ds;
	spa_t *spa;

	/* The check func held this successfully moments ago. */
	VERIFY0(dsl_dataset_hold(dp, ddname, FTAG, &ds));
	spa = dsl_dataset_get_spa(ds);

	/*
	 * Bump the feature refcount on first use so the feature flips from
	 * "enabled" to "active".  We are in a sync task, so the MOS write
	 * is permitted here.
	 */
	if (!spa_feature_is_active(spa, SPA_FEATURE_FS_SS_LIMIT))
		spa_feature_incr(spa, SPA_FEATURE_FS_SS_LIMIT, tx);

	/*
	 * A non-UINT64_MAX limit is about to apply to this subtree, so walk
	 * down from here and make every count accurate.
	 */
	dsl_dir_init_fs_ss_count(ds->ds_dir, tx);

	dsl_dataset_rele(ds, FTAG);
}
/*
 * Make sure the feature is enabled and activate it if necessary.
 * Since we're setting a limit, ensure the on-disk counts are valid.
 * This is only called by the ioctl path when setting a limit value.
 *
 * We do not need to validate the new limit, since users who can change the
 * limit are also allowed to exceed the limit.
 *
 * Returns 0 on success (including the case where the counts were already
 * initialized, which the check function reports as EALREADY), otherwise the
 * error from the sync task (e.g. ENOTSUP if the feature is not enabled).
 */
int
dsl_dir_activate_fs_ss_limit(const char *ddname)
{
	int err = dsl_sync_task(ddname, dsl_dir_actv_fs_ss_limit_check,
	    dsl_dir_actv_fs_ss_limit_sync, (void *)ddname, 0,
	    ZFS_SPACE_CHECK_RESERVED);

	/* EALREADY means "nothing to do", not failure. */
	return (err == EALREADY ? 0 : err);
}
/*
 * Used to determine if the filesystem_limit or snapshot_limit should be
 * enforced. We allow the limit to be exceeded if the user has permission to
 * write the property value. We pass in the creds that we got in the open
 * context since we will always be the GZ root in syncing context. We also have
 * to handle the case where we are allowed to change the limit on the current
 * dataset, but there may be another limit in the tree above.
 *
 * We can never modify these two properties within a non-global zone. In
 * addition, the other checks are modeled on zfs_secpolicy_write_perms. We
 * can't use that function since we are already holding the dp_config_rwlock.
 * In addition, we already have the dd and dealing with snapshots is simplified
 * in this code.
 */

/*
 * Result of dsl_enforce_ds_ss_limits() for one dsl_dir.  Consumed by
 * dsl_fs_ss_limit_check(), which walks toward the root re-evaluating the
 * caller's privilege at every level.
 */
typedef enum {
	ENFORCE_ALWAYS,	/* enforce the limit on this dir, then keep walking up */
	ENFORCE_NEVER,	/* caller may exceed every limit; stop checking */
	ENFORCE_ABOVE	/* skip this dir's limit, but ancestors still apply */
} enforce_res_t;
/*
 * Decide whether the filesystem/snapshot limit on "dd" applies to the
 * caller identified by (cr, proc).  See the comment above enforce_res_t for
 * the policy.
 *
 * This fails closed: every path where privilege can't be positively
 * established (non-global zone, no head dataset, dataset hold failure, an
 * unreadable or set "zoned" property) yields ENFORCE_ALWAYS.  Only a
 * successful global-zone secpolicy check returns ENFORCE_NEVER, and only a
 * successful delegation check for the limit property itself downgrades to
 * ENFORCE_ABOVE.
 */
static enforce_res_t
dsl_enforce_ds_ss_limits(dsl_dir_t *dd, zfs_prop_t prop,
    cred_t *cr, proc_t *proc)
{
	enforce_res_t enforce = ENFORCE_ALWAYS;
	uint64_t obj;
	dsl_dataset_t *ds;
	uint64_t zoned;
	const char *zonedstr;

	ASSERT(prop == ZFS_PROP_FILESYSTEM_LIMIT ||
	    prop == ZFS_PROP_SNAPSHOT_LIMIT);

#ifdef _KERNEL
	/* Limits can never be overridden from inside a non-global zone. */
	if (crgetzoneid(cr) != GLOBAL_ZONEID)
		return (ENFORCE_ALWAYS);

	/*
	 * We are checking the saved credentials of the user process, which is
	 * not the current process. Note that we can't use secpolicy_zfs(),
	 * because it only works if the cred is that of the current process (on
	 * Linux).
	 */
	if (secpolicy_zfs_proc(cr, proc) == 0)
		return (ENFORCE_NEVER);
#else
	(void) proc;
#endif

	/* No head dataset (e.g. a $-prefixed hidden dir): nothing to delegate. */
	if ((obj = dsl_dir_phys(dd)->dd_head_dataset_obj) == 0)
		return (ENFORCE_ALWAYS);

	ASSERT(dsl_pool_config_held(dd->dd_pool));

	if (dsl_dataset_hold_obj(dd->dd_pool, obj, FTAG, &ds) != 0)
		return (ENFORCE_ALWAYS);

	/*
	 * A failure to read "zoned" is treated the same as zoned=on: the
	 * conservative outcome.
	 */
	zonedstr = zfs_prop_to_name(ZFS_PROP_ZONED);
	if (dsl_prop_get_ds(ds, zonedstr, 8, 1, &zoned, NULL) || zoned) {
		/* Only root can access zoned fs's from the GZ */
		enforce = ENFORCE_ALWAYS;
	} else {
		/*
		 * Delegated permission to write the limit property on this
		 * dataset exempts this dir only; ancestors are re-checked
		 * by the caller with the same credentials.
		 */
		if (dsl_deleg_access_impl(ds, zfs_prop_to_name(prop), cr) == 0)
			enforce = ENFORCE_ABOVE;
	}

	dsl_dataset_rele(ds, FTAG);
	return (enforce);
}
/*
 * Check if adding additional child filesystem(s) would exceed any filesystem
 * limits or adding additional snapshot(s) would exceed any snapshot limits.
 * The prop argument indicates which limit to check.
 *
 * Note that all filesystem limits up to the root (or the highest
 * initialized) filesystem or the given ancestor must be satisfied.
 *
 * Parameters:
 *   dd       - directory where the new filesystems/snapshots would be added
 *   delta    - how many are being added
 *   prop     - ZFS_PROP_FILESYSTEM_LIMIT or ZFS_PROP_SNAPSHOT_LIMIT
 *   ancestor - stop walking up when this dir is reached (may be NULL)
 *   cr, proc - credentials of the requesting process, evaluated afresh at
 *              every level so a delegation on a child cannot bypass a
 *              limit set higher in the tree
 *
 * Returns 0 if no limit is exceeded, EDQUOT if one is, or an errno from
 * reading the count or the limit property.  Caller must hold the pool
 * config lock.
 *
 * NOTE(review): a NULL cr is short-circuited only for the snapshot limit;
 * for the filesystem limit it is passed straight to
 * dsl_enforce_ds_ss_limits() -- confirm every caller supplies a cred there.
 */
int
dsl_fs_ss_limit_check(dsl_dir_t *dd, uint64_t delta, zfs_prop_t prop,
    dsl_dir_t *ancestor, cred_t *cr, proc_t *proc)
{
	objset_t *os = dd->dd_pool->dp_meta_objset;
	uint64_t limit, count;
	const char *count_prop;
	enforce_res_t enforce;
	int err = 0;

	ASSERT(dsl_pool_config_held(dd->dd_pool));
	ASSERT(prop == ZFS_PROP_FILESYSTEM_LIMIT ||
	    prop == ZFS_PROP_SNAPSHOT_LIMIT);

	if (prop == ZFS_PROP_SNAPSHOT_LIMIT) {
		/*
		 * We don't enforce the limit for temporary snapshots. This is
		 * indicated by a NULL cred_t argument.
		 */
		if (cr == NULL)
			return (0);

		count_prop = DD_FIELD_SNAPSHOT_COUNT;
	} else {
		count_prop = DD_FIELD_FILESYSTEM_COUNT;
	}
	/*
	 * If we're allowed to change the limit, don't enforce the limit
	 * e.g. this can happen if a snapshot is taken by an administrative
	 * user in the global zone (i.e. a recursive snapshot by root).
	 * However, we must handle the case of delegated permissions where we
	 * are allowed to change the limit on the current dataset, but there
	 * is another limit in the tree above.
	 */
	enforce = dsl_enforce_ds_ss_limits(dd, prop, cr, proc);
	if (enforce == ENFORCE_NEVER)
		return (0);

	/*
	 * e.g. if renaming a dataset with no snapshots, count adjustment
	 * is 0.
	 */
	if (delta == 0)
		return (0);

	/*
	 * If an ancestor has been provided, stop checking the limit once we
	 * hit that dir. We need this during rename so that we don't overcount
	 * the check once we recurse up to the common ancestor.
	 */
	if (ancestor == dd)
		return (0);

	/*
	 * If we hit an uninitialized node while recursing up the tree, we can
	 * stop since we know there is no limit here (or above). The counts are
	 * not valid on this node and we know we won't touch this node's counts.
	 */
	if (!dsl_dir_is_zapified(dd))
		return (0);
	err = zap_lookup(os, dd->dd_object,
	    count_prop, sizeof (count), 1, &count);
	if (err == ENOENT)
		return (0);
	/* Any other read failure is a real error, not "no limit". */
	if (err != 0)
		return (err);

	err = dsl_prop_get_dd(dd, zfs_prop_to_name(prop), 8, 1, &limit, NULL,
	    B_FALSE);
	if (err != 0)
		return (err);

	/*
	 * Is there a limit which we've hit?  ENFORCE_ABOVE skips this level
	 * only; the walk continues so ancestors' limits are still applied.
	 */
	if (enforce == ENFORCE_ALWAYS && (count + delta) > limit)
		return (SET_ERROR(EDQUOT));

	if (dd->dd_parent != NULL)
		err = dsl_fs_ss_limit_check(dd->dd_parent, delta, prop,
		    ancestor, cr, proc);

	return (err);
}
/*
 * Adjust the filesystem or snapshot count for the specified dsl_dir_t and all
 * parents. When a new filesystem/snapshot is created, increment the count on
 * all parents, and when a filesystem/snapshot is destroyed, decrement the
 * count.
 *
 * Parameters:
 *   dd    - the dir whose count (and ancestors' counts) to adjust
 *   delta - signed change; negative on destroy
 *   prop  - DD_FIELD_FILESYSTEM_COUNT or DD_FIELD_SNAPSHOT_COUNT
 *   tx    - the syncing transaction
 *
 * Must run in syncing context with the pool config lock held.  Any MOS
 * read/write failure is fatal (VERIFY), since the transaction has already
 * committed to the change.
 */
void
dsl_fs_ss_count_adjust(dsl_dir_t *dd, int64_t delta, const char *prop,
    dmu_tx_t *tx)
{
	int err;
	objset_t *os = dd->dd_pool->dp_meta_objset;
	uint64_t count;

	ASSERT(dsl_pool_config_held(dd->dd_pool));
	ASSERT(dmu_tx_is_syncing(tx));
	ASSERT(strcmp(prop, DD_FIELD_FILESYSTEM_COUNT) == 0 ||
	    strcmp(prop, DD_FIELD_SNAPSHOT_COUNT) == 0);

	/*
	 * We don't do accounting for hidden ($FREE, $MOS & $ORIGIN) objsets.
	 * (Only the filesystem count is skipped here; snapshot counts on a
	 * $-dir are still adjusted.)
	 */
	if (dd->dd_myname[0] == '$' && strcmp(prop,
	    DD_FIELD_FILESYSTEM_COUNT) == 0) {
		return;
	}

	/*
	 * e.g. if renaming a dataset with no snapshots, count adjustment is 0
	 */
	if (delta == 0)
		return;

	/*
	 * If we hit an uninitialized node while recursing up the tree, we can
	 * stop since we know the counts are not valid on this node and we
	 * know we shouldn't touch this node's counts. An uninitialized count
	 * on the node indicates that either the feature has not yet been
	 * activated or there are no limits on this part of the tree.
	 */
	if (!dsl_dir_is_zapified(dd) || (err = zap_lookup(os, dd->dd_object,
	    prop, sizeof (count), 1, &count)) == ENOENT)
		return;
	/* Reached only when zap_lookup() ran; any non-ENOENT error is fatal. */
	VERIFY0(err);

	count += delta;
	/*
	 * Use a signed verify to make sure we're not neg.  count is unsigned,
	 * so a decrement below zero wraps; viewing it as signed catches that.
	 */
	VERIFY3S(count, >=, 0);

	VERIFY0(zap_update(os, dd->dd_object, prop, sizeof (count), 1, &count,
	    tx));

	/* Roll up this additional count into our ancestors */
	if (dd->dd_parent != NULL)
		dsl_fs_ss_count_adjust(dd->dd_parent, delta, prop, tx);
}
/*
 * Allocate and initialize a new DSL directory object in the MOS.
 *
 * Parameters:
 *   dp   - the pool
 *   pds  - parent dir, or NULL when creating the pool's root dir
 *   name - child name to register in the parent's child-dir ZAP (unused
 *          for the root dir, which is registered under
 *          DMU_POOL_ROOT_DATASET instead)
 *   tx   - the syncing transaction
 *
 * Returns the object number of the new dsl_dir.  The new dir gets its own
 * props ZAP and child-dir ZAP; the parent's filesystem count is bumped via
 * dsl_fs_ss_count_adjust().  All MOS updates are VERIFY'd since we are
 * already committed in syncing context.
 */
uint64_t
dsl_dir_create_sync(dsl_pool_t *dp, dsl_dir_t *pds, const char *name,
    dmu_tx_t *tx)
{
	objset_t *mos = dp->dp_meta_objset;
	uint64_t ddobj;
	dsl_dir_phys_t *ddphys;
	dmu_buf_t *dbuf;

	ddobj = dmu_object_alloc(mos, DMU_OT_DSL_DIR, 0,
	    DMU_OT_DSL_DIR, sizeof (dsl_dir_phys_t), tx);
	if (pds) {
		/* Register as a child of the parent; EEXIST here is fatal. */
		VERIFY0(zap_add(mos, dsl_dir_phys(pds)->dd_child_dir_zapobj,
		    name, sizeof (uint64_t), 1, &ddobj, tx));
	} else {
		/* it's the root dir */
		VERIFY0(zap_add(mos, DMU_POOL_DIRECTORY_OBJECT,
		    DMU_POOL_ROOT_DATASET, sizeof (uint64_t), 1, &ddobj, tx));
	}
	VERIFY0(dmu_bonus_hold(mos, ddobj, FTAG, &dbuf));
	dmu_buf_will_dirty(dbuf, tx);
	ddphys = dbuf->db_data;

	ddphys->dd_creation_time = gethrestime_sec();
	if (pds) {
		ddphys->dd_parent_obj = pds->dd_object;

		/* update the filesystem counts */
		dsl_fs_ss_count_adjust(pds, 1, DD_FIELD_FILESYSTEM_COUNT, tx);
	}
	ddphys->dd_props_zapobj = zap_create(mos,
	    DMU_OT_DSL_PROPS, DMU_OT_NONE, 0, tx);
	ddphys->dd_child_dir_zapobj = zap_create(mos,
	    DMU_OT_DSL_DIR_CHILD_MAP, DMU_OT_NONE, 0, tx);
	/* Per-type space breakdown is only understood by newer pool versions. */
	if (spa_version(dp->dp_spa) >= SPA_VERSION_USED_BREAKDOWN)
		ddphys->dd_flags |= DD_FLAG_USED_BREAKDOWN;

	dmu_buf_rele(dbuf, FTAG);

	return (ddobj);
}
/*
 * Report whether dd is a clone.  A dir counts as a clone only when it
 * records an origin object AND that origin is not the pool-wide origin
 * snapshot (dp_origin_snap); when the pool has such a snapshot every
 * dataset points at it, so that case is not a user-visible clone.
 */
boolean_t
dsl_dir_is_clone(dsl_dir_t *dd)
{
	uint64_t origin_obj = dsl_dir_phys(dd)->dd_origin_obj;
	dsl_dataset_t *pool_origin = dd->dd_pool->dp_origin_snap;

	if (origin_obj == 0)
		return (B_FALSE);
	if (pool_origin == NULL)
		return (B_TRUE);
	return (origin_obj != pool_origin->ds_object);
}
/*
 * Bytes charged to this dir (dd_used_bytes), straight from its on-disk
 * phys block.  Not locked here; dsl_dir_stats() takes dd_lock when it
 * needs several of these counters to agree with each other.
 */
uint64_t
dsl_dir_get_used(dsl_dir_t *dd)
{
	dsl_dir_phys_t *ddp = dsl_dir_phys(dd);

	return (ddp->dd_used_bytes);
}
/*
 * Compressed byte count (dd_compressed_bytes) from dd's phys block.
 * Unlocked read; see dsl_dir_get_used().
 */
uint64_t
dsl_dir_get_compressed(dsl_dir_t *dd)
{
	dsl_dir_phys_t *ddp = dsl_dir_phys(dd);

	return (ddp->dd_compressed_bytes);
}
/*
 * The dir's quota (dd_quota) as stored on disk.  A value of 0 is
 * treated as "no quota" by dsl_dir_space_available().
 */
uint64_t
dsl_dir_get_quota(dsl_dir_t *dd)
{
	dsl_dir_phys_t *ddp = dsl_dir_phys(dd);

	return (ddp->dd_quota);
}
/*
 * The dir's reservation (dd_reserved) as stored on disk.
 */
uint64_t
dsl_dir_get_reservation(dsl_dir_t *dd)
{
	dsl_dir_phys_t *ddp = dsl_dir_phys(dd);

	return (ddp->dd_reserved);
}
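/*
 * Compression ratio of this dir as a fixed-point number: 100x the ratio
 * of uncompressed to compressed bytes (so 150 means 1.50x).  Returns 100
 * when nothing has been written, to avoid a division by zero.
 */
uint64_t
dsl_dir_get_compressratio(dsl_dir_t *dd)
{
	uint64_t compressed = dsl_dir_phys(dd)->dd_compressed_bytes;
	uint64_t uncompressed = dsl_dir_phys(dd)->dd_uncompressed_bytes;

	if (compressed == 0)
		return (100);

	/*
	 * The naive (uncompressed * 100) / compressed wraps silently once
	 * uncompressed exceeds UINT64_MAX / 100 (~184 PB) and then reports
	 * a bogus ratio.  Splitting the division keeps the intermediate
	 * bounded and gives the identical result in the non-wrapping case:
	 * rem < compressed, so (rem * 100) can only wrap if compressed
	 * itself exceeds UINT64_MAX / 100.
	 */
	uint64_t quot = uncompressed / compressed;
	uint64_t rem = uncompressed % compressed;

	return (quot * 100 + (rem * 100) / compressed);
}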
/*
 * Logical (uncompressed) byte count, i.e. dd_uncompressed_bytes from the
 * phys block; this is what the logicalused property reports.
 */
uint64_t
dsl_dir_get_logicalused(dsl_dir_t *dd)
{
	dsl_dir_phys_t *ddp = dsl_dir_phys(dd);

	return (ddp->dd_uncompressed_bytes);
}
/*
 * Bytes attributed to snapshots in dd's used-space breakdown.  Only
 * meaningful when DD_FLAG_USED_BREAKDOWN is set on the dir.
 */
uint64_t
dsl_dir_get_usedsnap(dsl_dir_t *dd)
{
	uint64_t *breakdown = dsl_dir_phys(dd)->dd_used_breakdown;

	return (breakdown[DD_USED_SNAP]);
}
/*
 * Bytes attributed to the head dataset in dd's used-space breakdown.
 * Only meaningful when DD_FLAG_USED_BREAKDOWN is set on the dir.
 */
uint64_t
dsl_dir_get_usedds(dsl_dir_t *dd)
{
	uint64_t *breakdown = dsl_dir_phys(dd)->dd_used_breakdown;

	return (breakdown[DD_USED_HEAD]);
}
/*
 * Bytes attributed to refreservation in dd's used-space breakdown.
 * Only meaningful when DD_FLAG_USED_BREAKDOWN is set on the dir.
 */
uint64_t
dsl_dir_get_usedrefreserv(dsl_dir_t *dd)
{
	uint64_t *breakdown = dsl_dir_phys(dd)->dd_used_breakdown;

	return (breakdown[DD_USED_REFRSRV]);
}
/*
 * Bytes attributed to children: the DD_USED_CHILD bucket plus the
 * DD_USED_CHILD_RSRV bucket of dd's used-space breakdown.  Only
 * meaningful when DD_FLAG_USED_BREAKDOWN is set on the dir.
 */
uint64_t
dsl_dir_get_usedchild(dsl_dir_t *dd)
{
	uint64_t *breakdown = dsl_dir_phys(dd)->dd_used_breakdown;
	uint64_t total = breakdown[DD_USED_CHILD];

	total += breakdown[DD_USED_CHILD_RSRV];
	return (total);
}
/*
 * Write the name of dd's origin dataset into buf.  The caller in this
 * file passes a ZFS_MAX_DATASET_NAME_LEN buffer; dsl_dataset_name() is
 * assumed to bound its write by that, so anything smaller is unsafe.
 * Meant to be called only when dd actually has an origin (see
 * dsl_dir_is_clone()): the hold is VERIFY0'd, so an origin object that
 * cannot be held is fatal rather than reported as an error.
 */
void
dsl_dir_get_origin(dsl_dir_t *dd, char *buf)
{
	dsl_dataset_t *origin = NULL;
	uint64_t origin_obj = dsl_dir_phys(dd)->dd_origin_obj;

	VERIFY0(dsl_dataset_hold_obj(dd->dd_pool, origin_obj, FTAG, &origin));
	dsl_dataset_name(origin, buf);
	dsl_dataset_rele(origin, FTAG);
}
/*
 * Look up the DD_FIELD_FILESYSTEM_COUNT attribute of dd in the MOS and
 * store it in *count.  Returns 0 on success, ENOENT when the dir has not
 * been zapified (and so cannot carry the attribute), or whatever
 * zap_lookup() reports.  *count is untouched on failure.
 */
int
dsl_dir_get_filesystem_count(dsl_dir_t *dd, uint64_t *count)
{
	objset_t *mos;

	if (!dsl_dir_is_zapified(dd))
		return (SET_ERROR(ENOENT));

	mos = dd->dd_pool->dp_meta_objset;
	return (zap_lookup(mos, dd->dd_object, DD_FIELD_FILESYSTEM_COUNT,
	    sizeof (*count), 1, count));
}
/*
 * Look up the DD_FIELD_SNAPSHOT_COUNT attribute of dd in the MOS and
 * store it in *count.  Returns 0 on success, ENOENT when the dir has not
 * been zapified, or whatever zap_lookup() reports.  *count is untouched
 * on failure.
 */
int
dsl_dir_get_snapshot_count(dsl_dir_t *dd, uint64_t *count)
{
	objset_t *mos;

	if (!dsl_dir_is_zapified(dd))
		return (SET_ERROR(ENOENT));

	mos = dd->dd_pool->dp_meta_objset;
	return (zap_lookup(mos, dd->dd_object, DD_FIELD_SNAPSHOT_COUNT,
	    sizeof (*count), 1, count));
}
/*
 * Add the space-accounting properties that live in dd's phys block to
 * nv.  Caller holds dd_lock so the quota, reservation and used values
 * come from one consistent state.
 */
static void
dsl_dir_stats_add_space(dsl_dir_t *dd, nvlist_t *nv)
{
	dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_QUOTA, dsl_dir_get_quota(dd));
	dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_RESERVATION,
	    dsl_dir_get_reservation(dd));
	dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_LOGICALUSED,
	    dsl_dir_get_logicalused(dd));

	/*
	 * The per-category breakdown only exists on dirs created at
	 * SPA_VERSION_USED_BREAKDOWN or later (see dsl_dir_create_sync()).
	 */
	if ((dsl_dir_phys(dd)->dd_flags & DD_FLAG_USED_BREAKDOWN) == 0)
		return;

	dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_USEDSNAP,
	    dsl_dir_get_usedsnap(dd));
	dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_USEDDS,
	    dsl_dir_get_usedds(dd));
	dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_USEDREFRESERV,
	    dsl_dir_get_usedrefreserv(dd));
	dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_USEDCHILD,
	    dsl_dir_get_usedchild(dd));
}

/*
 * Fill nv with dd's dir-level properties.  The byte counters are read
 * under dd_lock; the child counts and the clone origin are gathered
 * afterwards, outside the lock, since those helpers go to the MOS and
 * (for the origin) take a dataset hold.
 */
void
dsl_dir_stats(dsl_dir_t *dd, nvlist_t *nv)
{
	uint64_t nchildren;

	mutex_enter(&dd->dd_lock);
	dsl_dir_stats_add_space(dd, nv);
	mutex_exit(&dd->dd_lock);

	/* Counts are optional: a dir that is not zapified simply lacks them. */
	if (dsl_dir_get_filesystem_count(dd, &nchildren) == 0) {
		dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_FILESYSTEM_COUNT,
		    nchildren);
	}
	if (dsl_dir_get_snapshot_count(dd, &nchildren) == 0) {
		dsl_prop_nvlist_add_uint64(nv, ZFS_PROP_SNAPSHOT_COUNT,
		    nchildren);
	}

	if (dsl_dir_is_clone(dd)) {
		char origin[ZFS_MAX_DATASET_NAME_LEN];

		dsl_dir_get_origin(dd, origin);
		dsl_prop_nvlist_add_string(nv, ZFS_PROP_ORIGIN, origin);
	}
}
/*
 * Mark dd dirty in tx's txg.  A nonzero return from txg_list_add() is
 * taken to mean dd was newly placed on this txg's dirty-dir list; in
 * that case take an extra hold on the dir's dbuf so it cannot go away
 * before dsl_dir_sync() writes it out and drops that hold.
 */
void
dsl_dir_dirty(dsl_dir_t *dd, dmu_tx_t *tx)
{
	txg_list_t *dirty_dirs = &dd->dd_pool->dp_dirty_dirs;

	ASSERT(dsl_dir_phys(dd));

	if (txg_list_add(dirty_dirs, dd, tx->tx_txg) != 0)
		dmu_buf_add_ref(dd->dd_dbuf, dd);
}
/*
 * How much the space charged to dd's parent changes when dd's usage
 * moves from `used` to `used + delta`.  The parent is charged the larger
 * of dd's usage and its reservation, so the answer is the difference of
 * those two maxima -- and is zero while usage stays under dd_reserved.
 */
static int64_t
parent_delta(dsl_dir_t *dd, uint64_t used, int64_t delta)
{
	uint64_t reserved = dsl_dir_phys(dd)->dd_reserved;
	uint64_t next_used = used + delta;
	uint64_t before = used > reserved ? used : reserved;
	uint64_t after = next_used > reserved ? next_used : reserved;

	return ((int64_t)(after - before));
}
/*
 * Sync-context hook for a dirty dir: clear this txg's pending-write
 * estimate (all temporary reservations for the txg must already be
 * gone) and drop the dbuf hold that dsl_dir_dirty() took.
 */
void
dsl_dir_sync(dsl_dir_t *dd, dmu_tx_t *tx)
{
	int slot = tx->tx_txg & TXG_MASK;

	ASSERT(dmu_tx_is_syncing(tx));

	mutex_enter(&dd->dd_lock);
	ASSERT0(dd->dd_tempreserved[slot]);
	dprintf_dd(dd, "txg=%llu towrite=%lluK\n", (u_longlong_t)tx->tx_txg,
	    (u_longlong_t)dd->dd_space_towrite[slot] / 1024);
	dd->dd_space_towrite[slot] = 0;
	mutex_exit(&dd->dd_lock);

	/* Pair with the dmu_buf_add_ref() in dsl_dir_dirty(). */
	dmu_buf_rele(dd->dd_dbuf, dd);
}
/*
 * Sum of the estimated-pending-write space across all open txgs for dd.
 * Caller must hold dd_lock; the estimate is approximate by design (see
 * the OpenZFS 7793 history) and is only used for quota checks.
 */
static uint64_t
dsl_dir_space_towrite(dsl_dir_t *dd)
{
	uint64_t total = 0;
	int slot;

	ASSERT(MUTEX_HELD(&dd->dd_lock));

	for (slot = 0; slot < TXG_SIZE; slot++)
		total += dd->dd_space_towrite[slot & TXG_MASK];

	return (total);
}
/*
 * How much space could dd still consume if `delta` (<= 0) were applied
 * to `ancestor`'s usage?  Walks up to the root first, then takes the
 * minimum of what the parent can hand down and what remains of dd's own
 * quota, crediting back any unused part of dd's reservation.  UINT64_MAX
 * means "unlimited".  With ondiskonly set, only synced dd_used_bytes is
 * counted; otherwise the in-core pending-write estimate is added too.
 */
uint64_t
dsl_dir_space_available(dsl_dir_t *dd,
    dsl_dir_t *ancestor, int64_t delta, int ondiskonly)
{
	uint64_t from_parent = UINT64_MAX;
	uint64_t quota = UINT64_MAX;
	uint64_t used, avail;

	/* Recurse before taking dd_lock; the parent is evaluated unlocked. */
	if (dd->dd_parent != NULL) {
		from_parent = dsl_dir_space_available(dd->dd_parent,
		    ancestor, delta, ondiskonly);
	}

	mutex_enter(&dd->dd_lock);

	if (dsl_dir_phys(dd)->dd_quota != 0)
		quota = dsl_dir_phys(dd)->dd_quota;
	used = dsl_dir_phys(dd)->dd_used_bytes;
	if (!ondiskonly)
		used += dsl_dir_space_towrite(dd);

	/* The root dir is additionally bounded by the pool's usable size. */
	if (dd->dd_parent == NULL) {
		uint64_t poolsize = dsl_pool_adjustedsize(dd->dd_pool,
		    ZFS_SPACE_CHECK_NORMAL);
		quota = MIN(quota, poolsize);
	}

	/* Unused reservation is ours on top of whatever the parent offers. */
	if (dsl_dir_phys(dd)->dd_reserved > used && from_parent != UINT64_MAX)
		from_parent += dsl_dir_phys(dd)->dd_reserved - used;

	if (dd == ancestor) {
		ASSERT(delta <= 0);
		ASSERT(used >= -delta);
		used += delta;
		if (from_parent != UINT64_MAX)
			from_parent -= delta;
	}

	if (used > quota) {
		/* Already over quota: nothing more may be written. */
		avail = 0;
	} else {
		avail = MIN(from_parent, quota - used);
	}

	mutex_exit(&dd->dd_lock);

	return (avail);
}
/*
 * One entry of a temporary space reservation, chained on the tr_list
 * that dsl_dir_tempreserve_impl() fills in as it walks up the dir tree.
 */
struct tempreserve {
	list_node_t tr_node;	/* linkage on the caller's tr_list */
	dsl_dir_t *tr_ds;	/* dir that the reservation was charged to */
	uint64_t tr_size;	/* bytes reserved against tr_ds */
};
static int
|
|
|
|
dsl_dir_tempreserve_impl(dsl_dir_t *dd, uint64_t asize, boolean_t netfree,
|
|
|
|
boolean_t ignorequota, list_t *tr_list,
|
2008-11-20 23:01:55 +03:00
|
|
|
dmu_tx_t *tx, boolean_t first)
|
|
|
|
{
|
2017-06-12 21:41:03 +03:00
|
|
|
uint64_t txg;
|
|
|
|
uint64_t quota;
|
2008-11-20 23:01:55 +03:00
|
|
|
struct tempreserve *tr;
|
2017-06-12 21:41:03 +03:00
|
|
|
int retval;
|
2022-10-28 21:44:18 +03:00
|
|
|
uint64_t ext_quota;
|
2017-06-12 21:41:03 +03:00
|
|
|
uint64_t ref_rsrv;
|
|
|
|
|
|
|
|
top_of_function:
|
|
|
|
txg = tx->tx_txg;
|
|
|
|
retval = EDQUOT;
|
|
|
|
ref_rsrv = 0;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
ASSERT3U(txg, !=, 0);
|
|
|
|
ASSERT3S(asize, >, 0);
|
|
|
|
|
|
|
|
mutex_enter(&dd->dd_lock);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Check against the dsl_dir's quota. We don't add in the delta
|
|
|
|
* when checking for over-quota because they get one free hit.
|
|
|
|
*/
|
|
|
|
uint64_t est_inflight = dsl_dir_space_towrite(dd);
|
|
|
|
for (int i = 0; i < TXG_SIZE; i++)
|
2008-11-20 23:01:55 +03:00
|
|
|
est_inflight += dd->dd_tempreserved[i];
|
|
|
|
uint64_t used_on_disk = dsl_dir_phys(dd)->dd_used_bytes;
|
2008-11-20 23:01:55 +03:00
|
|
|
|
|
|
|
/*
|
|
|
|
* On the first iteration, fetch the dataset's used-on-disk and
|
|
|
|
* refreservation values. Also, if checkrefquota is set, test if
|
|
|
|
* allocating this space would exceed the dataset's refquota.
|
|
|
|
*/
|
|
|
|
if (first && tx->tx_objset) {
|
|
|
|
int error;
dsl_dataset_t *ds = tx->tx_objset->os_dsl_dataset;
error = dsl_dataset_check_quota(ds, !netfree,
asize, est_inflight, &used_on_disk, &ref_rsrv);
if (error != 0) {
mutex_exit(&dd->dd_lock);
DMU_TX_STAT_BUMP(dmu_tx_quota);
return (error);
}
}
/*
* If this transaction will result in a net free of space,
* we want to let it through.
*/
if (ignorequota || netfree || dsl_dir_phys(dd)->dd_quota == 0 ||
(tx->tx_objset && dmu_objset_type(tx->tx_objset) == DMU_OST_ZVOL &&
zvol_enforce_quotas == B_FALSE))
quota = UINT64_MAX;
else
quota = dsl_dir_phys(dd)->dd_quota;
/*
* Adjust the quota against the actual pool size at the root
* minus any outstanding deferred frees.
* To ensure that it's possible to remove files from a full
* pool without inducing transient overcommits, we throttle
* netfree transactions against a quota that is slightly larger,
* but still within the pool's allocation slop. In cases where
* we're very close to full, this will allow a steady trickle of
* removes to get through.
*/
if (dd->dd_parent == NULL) {
uint64_t avail = dsl_pool_unreserved_space(dd->dd_pool,
(netfree) ?
ZFS_SPACE_CHECK_RESERVED : ZFS_SPACE_CHECK_NORMAL);
if (avail < quota) {
quota = avail;
retval = SET_ERROR(ENOSPC);
}
}
/*
* If they are requesting more space, and our current estimate
* is over quota, they get to try again unless the actual
* on-disk is over quota and there are no pending changes
* or deferred frees (which may free up space for us).
*/
ext_quota = quota >> 5;
if (quota == UINT64_MAX)
ext_quota = 0;
if (used_on_disk >= quota) {
/* Quota exceeded */
mutex_exit(&dd->dd_lock);
DMU_TX_STAT_BUMP(dmu_tx_quota);
return (retval);
} else if (used_on_disk + est_inflight >= quota + ext_quota) {
if (est_inflight > 0 || used_on_disk < quota) {
retval = SET_ERROR(ERESTART);
} else {
ASSERT3U(used_on_disk, >=, quota);
if (retval == ENOSPC && (used_on_disk - quota) <
dsl_pool_deferred_space(dd->dd_pool)) {
retval = SET_ERROR(ERESTART);
}
}
dprintf_dd(dd, "failing: used=%lluK inflight = %lluK "
"quota=%lluK tr=%lluK err=%d\n",
(u_longlong_t)used_on_disk>>10,
(u_longlong_t)est_inflight>>10,
(u_longlong_t)quota>>10, (u_longlong_t)asize>>10, retval);
mutex_exit(&dd->dd_lock);
DMU_TX_STAT_BUMP(dmu_tx_quota);
return (retval);
}
/* We need to up our estimated delta before dropping dd_lock */
dd->dd_tempreserved[txg & TXG_MASK] += asize;
uint64_t parent_rsrv = parent_delta(dd, used_on_disk + est_inflight,
asize - ref_rsrv);
mutex_exit(&dd->dd_lock);
tr = kmem_zalloc(sizeof (struct tempreserve), KM_SLEEP);
tr->tr_ds = dd;
tr->tr_size = asize;
list_insert_tail(tr_list, tr);
/* see if it's OK with our parent */
if (dd->dd_parent != NULL && parent_rsrv != 0) {
/*
* Recurse on our parent without recursion. This has been
* observed to be potentially large stack usage even within
* the test suite. Largest seen stack was 7632 bytes on linux.
*/
dd = dd->dd_parent;
asize = parent_rsrv;
ignorequota = (dsl_dir_phys(dd)->dd_head_dataset_obj == 0);
first = B_FALSE;
goto top_of_function;
}
return (0);
}
/*
 * Reserve space in this dsl_dir, to be used in this tx's txg.
 * After the space has been dirtied (and dsl_dir_willuse_space()
 * has been called), the reservation should be canceled, using
 * dsl_dir_tempreserve_clear().
 *
 * lsize is charged against the ARC (arc_tempreserve_space()); asize is
 * charged against this dir's quota chain (dsl_dir_tempreserve_impl()).
 * netfree is passed through to the quota check.  On success *tr_cookiep
 * receives the reservation list to hand back to
 * dsl_dir_tempreserve_clear(); on failure the partial reservations are
 * released here and *tr_cookiep is left untouched.
 *
 * Returns 0, or the error from the ARC or quota checks (ERESTART asks
 * the caller to retry; presumably ENOSPC/EDQUOT come back from
 * dsl_dir_tempreserve_impl(), whose body is not shown here).
 */
int
dsl_dir_tempreserve_space(dsl_dir_t *dd, uint64_t lsize, uint64_t asize,
    boolean_t netfree, void **tr_cookiep, dmu_tx_t *tx)
{
	list_t *tr_list;
	int err;

	/* Nothing to reserve: hand back a NULL cookie, which _clear() accepts. */
	if (asize == 0) {
		*tr_cookiep = NULL;
		return (0);
	}
	ASSERT3S(asize, >, 0);

	tr_list = kmem_alloc(sizeof (list_t), KM_SLEEP);
	list_create(tr_list, sizeof (struct tempreserve),
	    offsetof(struct tempreserve, tr_node));

	/*
	 * Charge the ARC first.  The entry recorded for it only carries
	 * tr_size; tr_ds stays NULL from kmem_zalloc(), unlike the
	 * per-dsl_dir entries that dsl_dir_tempreserve_impl() adds
	 * (presumably how _clear() tells the two kinds apart).
	 */
	err = arc_tempreserve_space(dd->dd_pool->dp_spa, lsize, tx->tx_txg);
	if (err == EAGAIN) {
		/*
		 * arc_memory_throttle() saw pageout running while memory
		 * is low: stall this non-pageout transaction briefly so
		 * pageout gets ahead, then make the caller retry.
		 *
		 * It is unfortunate to be delaying while the caller's
		 * locks are held.
		 */
		txg_delay(dd->dd_pool, tx->tx_txg,
		    MSEC2NSEC(10), MSEC2NSEC(10));
		err = SET_ERROR(ERESTART);
	} else if (err == 0) {
		struct tempreserve *arc_tr;

		arc_tr = kmem_zalloc(sizeof (struct tempreserve), KM_SLEEP);
		arc_tr->tr_size = lsize;
		list_insert_tail(tr_list, arc_tr);

		/* Now charge this dsl_dir (and, through it, its parents). */
		err = dsl_dir_tempreserve_impl(dd, asize, netfree,
		    B_FALSE, tr_list, tx, B_TRUE);
	}
	/* Any other ARC error is returned to the caller unchanged. */

	if (err == 0) {
		*tr_cookiep = tr_list;
	} else {
		/*
		 * Undo whatever was reserved so far; tr_list itself is
		 * owned by _clear() from here on (not freed in this path).
		 */
		dsl_dir_tempreserve_clear(tr_list, tx);
	}

	return (err);
}
/*
* Clear a temporary reservation that we previously made with
* dsl_dir_tempreserve_space().
*/
void
dsl_dir_tempreserve_clear(void *tr_cookie, dmu_tx_t *tx)
{
int txgidx = tx->tx_txg & TXG_MASK;
|
|
|
|
list_t *tr_list = tr_cookie;
|
|
|
|
struct tempreserve *tr;
|
|
|
|
|
|
|
|
ASSERT3U(tx->tx_txg, !=, 0);
|
|
|
|
|
|
|
|
if (tr_cookie == NULL)
|
|
|
|
return;
|
|
|
|
|
Illumos #4045 write throttle & i/o scheduler performance work
4045 zfs write throttle & i/o scheduler performance work
1. The ZFS i/o scheduler (vdev_queue.c) now divides i/os into 5 classes: sync
read, sync write, async read, async write, and scrub/resilver. The scheduler
issues a number of concurrent i/os from each class to the device. Once a class
has been selected, an i/o is selected from this class using either an elevator
algorithem (async, scrub classes) or FIFO (sync classes). The number of
concurrent async write i/os is tuned dynamically based on i/o load, to achieve
good sync i/o latency when there is not a high load of writes, and good write
throughput when there is. See the block comment in vdev_queue.c (reproduced
below) for more details.
2. The write throttle (dsl_pool_tempreserve_space() and
txg_constrain_throughput()) is rewritten to produce much more consistent delays
when under constant load. The new write throttle is based on the amount of
dirty data, rather than guesses about future performance of the system. When
there is a lot of dirty data, each transaction (e.g. write() syscall) will be
delayed by the same small amount. This eliminates the "brick wall of wait"
that the old write throttle could hit, causing all transactions to wait several
seconds until the next txg opens. One of the keys to the new write throttle is
decrementing the amount of dirty data as i/o completes, rather than at the end
of spa_sync(). Note that the write throttle is only applied once the i/o
scheduler is issuing the maximum number of outstanding async writes. See the
block comments in dsl_pool.c and above dmu_tx_delay() (reproduced below) for
more details.
This diff has several other effects, including:
* the commonly-tuned global variable zfs_vdev_max_pending has been removed;
use per-class zfs_vdev_*_max_active values or zfs_vdev_max_active instead.
* the size of each txg (meaning the amount of dirty data written, and thus the
time it takes to write out) is now controlled differently. There is no longer
an explicit time goal; the primary determinant is amount of dirty data.
Systems that are under light or medium load will now often see that a txg is
always syncing, but the impact to performance (e.g. read latency) is minimal.
Tune zfs_dirty_data_max and zfs_dirty_data_sync to control this.
* zio_taskq_batch_pct = 75 -- Only use 75% of all CPUs for compression,
checksum, etc. This improves latency by not allowing these CPU-intensive tasks
to consume all CPU (on machines with at least 4 CPU's; the percentage is
rounded up).
--matt
APPENDIX: problems with the current i/o scheduler
The current ZFS i/o scheduler (vdev_queue.c) is deadline based. The problem
with this is that if there are always i/os pending, then certain classes of
i/os can see very long delays.
For example, if there are always synchronous reads outstanding, then no async
writes will be serviced until they become "past due". One symptom of this
situation is that each pass of the txg sync takes at least several seconds
(typically 3 seconds).
If many i/os become "past due" (their deadline is in the past), then we must
service all of these overdue i/os before any new i/os. This happens when we
enqueue a batch of async writes for the txg sync, with deadlines 2.5 seconds in
the future. If we can't complete all the i/os in 2.5 seconds (e.g. because
there were always reads pending), then these i/os will become past due. Now we
must service all the "async" writes (which could be hundreds of megabytes)
before we service any reads, introducing considerable latency to synchronous
i/os (reads or ZIL writes).
Notes on porting to ZFS on Linux:
- zio_t gained new members io_physdone and io_phys_children. Because
object caches in the Linux port call the constructor only once at
allocation time, objects may contain residual data when retrieved
from the cache. Therefore zio_create() was updated to zero out the two
new fields.
- vdev_mirror_pending() relied on the depth of the per-vdev pending queue
(vq->vq_pending_tree) to select the least-busy leaf vdev to read from.
This tree has been replaced by vq->vq_active_tree which is now used
for the same purpose.
- vdev_queue_init() used the value of zfs_vdev_max_pending to determine
the number of vdev I/O buffers to pre-allocate. That global no longer
exists, so we instead use the sum of the *_max_active values for each of
the five I/O classes described above.
- The Illumos implementation of dmu_tx_delay() delays a transaction by
sleeping in condition variable embedded in the thread
(curthread->t_delay_cv). We do not have an equivalent CV to use in
Linux, so this change replaced the delay logic with a wrapper called
zfs_sleep_until(). This wrapper could be adopted upstream and in other
downstream ports to abstract away operating system-specific delay logic.
- These tunables are added as module parameters, and descriptions added
to the zfs-module-parameters.5 man page.
spa_asize_inflation
zfs_deadman_synctime_ms
zfs_vdev_max_active
zfs_vdev_async_write_active_min_dirty_percent
zfs_vdev_async_write_active_max_dirty_percent
zfs_vdev_async_read_max_active
zfs_vdev_async_read_min_active
zfs_vdev_async_write_max_active
zfs_vdev_async_write_min_active
zfs_vdev_scrub_max_active
zfs_vdev_scrub_min_active
zfs_vdev_sync_read_max_active
zfs_vdev_sync_read_min_active
zfs_vdev_sync_write_max_active
zfs_vdev_sync_write_min_active
zfs_dirty_data_max_percent
zfs_delay_min_dirty_percent
zfs_dirty_data_max_max_percent
zfs_dirty_data_max
zfs_dirty_data_max_max
zfs_dirty_data_sync
zfs_delay_scale
The latter four have type unsigned long, whereas they are uint64_t in
Illumos. This accommodates Linux's module_param() supported types, but
means they may overflow on 32-bit architectures.
The values zfs_dirty_data_max and zfs_dirty_data_max_max are the most
likely to overflow on 32-bit systems, since they express physical RAM
sizes in bytes. In fact, Illumos initializes zfs_dirty_data_max_max to
2^32 which does overflow. To resolve that, this port instead initializes
it in arc_init() to 25% of physical RAM, and adds the tunable
zfs_dirty_data_max_max_percent to override that percentage. While this
solution doesn't completely avoid the overflow issue, it should be a
reasonable default for most systems, and the minority of affected
systems can work around the issue by overriding the defaults.
- Fixed reversed logic in comment above zfs_delay_scale declaration.
- Clarified comments in vdev_queue.c regarding when per-queue minimums take
effect.
- Replaced dmu_tx_write_limit in the dmu_tx kstat file
with dmu_tx_dirty_delay and dmu_tx_dirty_over_max. The first counts
how many times a transaction has been delayed because the pool dirty
data has exceeded zfs_delay_min_dirty_percent. The latter counts how
many times the pool dirty data has exceeded zfs_dirty_data_max (which
we expect to never happen).
- The original patch would have regressed the bug fixed in
zfsonlinux/zfs@c418410, which prevented users from setting the
zfs_vdev_aggregation_limit tuning larger than SPA_MAXBLOCKSIZE.
A similar fix is added to vdev_queue_aggregate().
- In vdev_queue_io_to_issue(), dynamically allocate 'zio_t search' on the
heap instead of the stack. In Linux we can't afford such large
structures on the stack.
Reviewed by: George Wilson <george.wilson@delphix.com>
Reviewed by: Adam Leventhal <ahl@delphix.com>
Reviewed by: Christopher Siden <christopher.siden@delphix.com>
Reviewed by: Ned Bass <bass6@llnl.gov>
Reviewed by: Brendan Gregg <brendan.gregg@joyent.com>
Approved by: Robert Mustacchi <rm@joyent.com>
References:
http://www.illumos.org/issues/4045
illumos/illumos-gate@69962b5647e4a8b9b14998733b765925381b727e
Ported-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #1913
2013-08-29 07:01:20 +04:00
|
|
|
while ((tr = list_head(tr_list)) != NULL) {
|
|
|
|
if (tr->tr_ds) {
|
2008-11-20 23:01:55 +03:00
|
|
|
mutex_enter(&tr->tr_ds->dd_lock);
|
|
|
|
ASSERT3U(tr->tr_ds->dd_tempreserved[txgidx], >=,
|
|
|
|
tr->tr_size);
|
|
|
|
tr->tr_ds->dd_tempreserved[txgidx] -= tr->tr_size;
|
|
|
|
mutex_exit(&tr->tr_ds->dd_lock);
|
|
|
|
} else {
|
|
|
|
arc_tempreserve_clear(tr->tr_size);
|
|
|
|
}
|
|
|
|
list_remove(tr_list, tr);
|
|
|
|
kmem_free(tr, sizeof (struct tempreserve));
|
|
|
|
}
|
|
|
|
|
|
|
|
kmem_free(tr_list, sizeof (list_t));
|
|
|
|
}
Illumos #4045 write throttle & i/o scheduler performance work
4045 zfs write throttle & i/o scheduler performance work
1. The ZFS i/o scheduler (vdev_queue.c) now divides i/os into 5 classes: sync
read, sync write, async read, async write, and scrub/resilver. The scheduler
issues a number of concurrent i/os from each class to the device. Once a class
has been selected, an i/o is selected from this class using either an elevator
algorithm (async, scrub classes) or FIFO (sync classes). The number of
concurrent async write i/os is tuned dynamically based on i/o load, to achieve
good sync i/o latency when there is not a high load of writes, and good write
throughput when there is. See the block comment in vdev_queue.c (reproduced
below) for more details.
2. The write throttle (dsl_pool_tempreserve_space() and
txg_constrain_throughput()) is rewritten to produce much more consistent delays
when under constant load. The new write throttle is based on the amount of
dirty data, rather than guesses about future performance of the system. When
there is a lot of dirty data, each transaction (e.g. write() syscall) will be
delayed by the same small amount. This eliminates the "brick wall of wait"
that the old write throttle could hit, causing all transactions to wait several
seconds until the next txg opens. One of the keys to the new write throttle is
decrementing the amount of dirty data as i/o completes, rather than at the end
of spa_sync(). Note that the write throttle is only applied once the i/o
scheduler is issuing the maximum number of outstanding async writes. See the
block comments in dsl_pool.c and above dmu_tx_delay() (reproduced below) for
more details.
This diff has several other effects, including:
* the commonly-tuned global variable zfs_vdev_max_pending has been removed;
use per-class zfs_vdev_*_max_active values or zfs_vdev_max_active instead.
* the size of each txg (meaning the amount of dirty data written, and thus the
time it takes to write out) is now controlled differently. There is no longer
an explicit time goal; the primary determinant is amount of dirty data.
Systems that are under light or medium load will now often see that a txg is
always syncing, but the impact to performance (e.g. read latency) is minimal.
Tune zfs_dirty_data_max and zfs_dirty_data_sync to control this.
* zio_taskq_batch_pct = 75 -- Only use 75% of all CPUs for compression,
checksum, etc. This improves latency by not allowing these CPU-intensive tasks
to consume all CPU (on machines with at least 4 CPU's; the percentage is
rounded up).
--matt
APPENDIX: problems with the current i/o scheduler
The current ZFS i/o scheduler (vdev_queue.c) is deadline based. The problem
with this is that if there are always i/os pending, then certain classes of
i/os can see very long delays.
For example, if there are always synchronous reads outstanding, then no async
writes will be serviced until they become "past due". One symptom of this
situation is that each pass of the txg sync takes at least several seconds
(typically 3 seconds).
If many i/os become "past due" (their deadline is in the past), then we must
service all of these overdue i/os before any new i/os. This happens when we
enqueue a batch of async writes for the txg sync, with deadlines 2.5 seconds in
the future. If we can't complete all the i/os in 2.5 seconds (e.g. because
there were always reads pending), then these i/os will become past due. Now we
must service all the "async" writes (which could be hundreds of megabytes)
before we service any reads, introducing considerable latency to synchronous
i/os (reads or ZIL writes).
Notes on porting to ZFS on Linux:
- zio_t gained new members io_physdone and io_phys_children. Because
object caches in the Linux port call the constructor only once at
allocation time, objects may contain residual data when retrieved
from the cache. Therefore zio_create() was updated to zero out the two
new fields.
- vdev_mirror_pending() relied on the depth of the per-vdev pending queue
(vq->vq_pending_tree) to select the least-busy leaf vdev to read from.
This tree has been replaced by vq->vq_active_tree which is now used
for the same purpose.
- vdev_queue_init() used the value of zfs_vdev_max_pending to determine
the number of vdev I/O buffers to pre-allocate. That global no longer
exists, so we instead use the sum of the *_max_active values for each of
the five I/O classes described above.
- The Illumos implementation of dmu_tx_delay() delays a transaction by
sleeping in condition variable embedded in the thread
(curthread->t_delay_cv). We do not have an equivalent CV to use in
Linux, so this change replaced the delay logic with a wrapper called
zfs_sleep_until(). This wrapper could be adopted upstream and in other
downstream ports to abstract away operating system-specific delay logic.
- These tunables are added as module parameters, and descriptions added
to the zfs-module-parameters.5 man page.
spa_asize_inflation
zfs_deadman_synctime_ms
zfs_vdev_max_active
zfs_vdev_async_write_active_min_dirty_percent
zfs_vdev_async_write_active_max_dirty_percent
zfs_vdev_async_read_max_active
zfs_vdev_async_read_min_active
zfs_vdev_async_write_max_active
zfs_vdev_async_write_min_active
zfs_vdev_scrub_max_active
zfs_vdev_scrub_min_active
zfs_vdev_sync_read_max_active
zfs_vdev_sync_read_min_active
zfs_vdev_sync_write_max_active
zfs_vdev_sync_write_min_active
zfs_dirty_data_max_percent
zfs_delay_min_dirty_percent
zfs_dirty_data_max_max_percent
zfs_dirty_data_max
zfs_dirty_data_max_max
zfs_dirty_data_sync
zfs_delay_scale
The latter four have type unsigned long, whereas they are uint64_t in
Illumos. This accommodates Linux's module_param() supported types, but
means they may overflow on 32-bit architectures.
The values zfs_dirty_data_max and zfs_dirty_data_max_max are the most
likely to overflow on 32-bit systems, since they express physical RAM
sizes in bytes. In fact, Illumos initializes zfs_dirty_data_max_max to
2^32 which does overflow. To resolve that, this port instead initializes
it in arc_init() to 25% of physical RAM, and adds the tunable
zfs_dirty_data_max_max_percent to override that percentage. While this
solution doesn't completely avoid the overflow issue, it should be a
reasonable default for most systems, and the minority of affected
systems can work around the issue by overriding the defaults.
- Fixed reversed logic in comment above zfs_delay_scale declaration.
- Clarified comments in vdev_queue.c regarding when per-queue minimums take
effect.
- Replaced dmu_tx_write_limit in the dmu_tx kstat file
with dmu_tx_dirty_delay and dmu_tx_dirty_over_max. The first counts
how many times a transaction has been delayed because the pool dirty
data has exceeded zfs_delay_min_dirty_percent. The latter counts how
many times the pool dirty data has exceeded zfs_dirty_data_max (which
we expect to never happen).
- The original patch would have regressed the bug fixed in
zfsonlinux/zfs@c418410, which prevented users from setting the
zfs_vdev_aggregation_limit tuning larger than SPA_MAXBLOCKSIZE.
A similar fix is added to vdev_queue_aggregate().
- In vdev_queue_io_to_issue(), dynamically allocate 'zio_t search' on the
heap instead of the stack. In Linux we can't afford such large
structures on the stack.
Reviewed by: George Wilson <george.wilson@delphix.com>
Reviewed by: Adam Leventhal <ahl@delphix.com>
Reviewed by: Christopher Siden <christopher.siden@delphix.com>
Reviewed by: Ned Bass <bass6@llnl.gov>
Reviewed by: Brendan Gregg <brendan.gregg@joyent.com>
Approved by: Robert Mustacchi <rm@joyent.com>
References:
http://www.illumos.org/issues/4045
illumos/illumos-gate@69962b5647e4a8b9b14998733b765925381b727e
Ported-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #1913
2013-08-29 07:01:20 +04:00
/*
 * Record, from open context, that we expect to write (space > 0) or free
 * (space < 0) roughly this much under dd, for example when dirtying data.
 * Be conservative: writing less or freeing more than stated is fine, but
 * writing more or freeing less than the amount specified is not.
 *
 * Anticipated writes are charged to dd_space_towrite for the current txg and
 * the dir is dirtied so that charge is cleaned up at sync time.  The amount
 * handed to the parent is whatever parent_delta() returns for this level; the
 * walk continues up the dsl_dir tree until that amount is zero or the root
 * has been reached.
 *
 * NOTE: The behavior of this function is identical to the Illumos / FreeBSD
 * version however it has been adjusted to use an iterative rather than
 * recursive algorithm to minimize stack usage.
 */
void
dsl_dir_willuse_space(dsl_dir_t *dd, int64_t space, dmu_tx_t *tx)
{
	const int slot = tx->tx_txg & TXG_MASK;

	for (;;) {
		int64_t to_parent;

		mutex_enter(&dd->dd_lock);
		/* Only anticipated writes are charged; frees are not. */
		if (space > 0)
			dd->dd_space_towrite[slot] += space;
		uint64_t est_used = dsl_dir_space_towrite(dd) +
		    dsl_dir_phys(dd)->dd_used_bytes;
		to_parent = parent_delta(dd, est_used, space);
		mutex_exit(&dd->dd_lock);

		/* Make sure that we clean up dd_space_to* */
		dsl_dir_dirty(dd, tx);

		dd = dd->dd_parent;
		space = to_parent;
		if (space == 0 || dd == NULL)
			break;
	}
}
/*
 * Called from syncing context once space has actually been written or freed
 * under this dir.
 *
 * Dirties dd_dbuf, applies the used/compressed/uncompressed deltas to the
 * dir's on-disk totals, charges `used' to the breakdown bucket `type' when
 * DD_FLAG_USED_BREAKDOWN is set, and finally pushes the parent-visible delta
 * (as computed by parent_delta()) up the tree through
 * dsl_dir_diduse_transfer_space(), which moves it from DD_USED_CHILD_RSRV to
 * DD_USED_CHILD in the parent.
 *
 * dd_lock may already be held by the caller (see the note in the body); it
 * is only acquired and released here when it is not.
 */
void
dsl_dir_diduse_space(dsl_dir_t *dd, dd_used_t type,
    int64_t used, int64_t compressed, int64_t uncompressed, dmu_tx_t *tx)
{
	ASSERT(dmu_tx_is_syncing(tx));
	ASSERT(type < DD_USED_NUM);

	dmu_buf_will_dirty(dd->dd_dbuf, tx);

	/*
	 * dsl_dataset_set_refreservation_sync_impl() calls this with
	 * dd_lock held, so that it can atomically update
	 * ds->ds_reserved and the dsl_dir accounting, so that
	 * dsl_dataset_check_quota() can see dataset and dir accounting
	 * consistently.
	 */
	const boolean_t locked_here = !MUTEX_HELD(&dd->dd_lock);
	if (locked_here)
		mutex_enter(&dd->dd_lock);

	dsl_dir_phys_t *phys = dsl_dir_phys(dd);
	const int64_t accounted_delta =
	    parent_delta(dd, phys->dd_used_bytes, used);

	/* Negative deltas must not underflow the running totals. */
	ASSERT(used >= 0 || phys->dd_used_bytes >= -used);
	ASSERT(compressed >= 0 || phys->dd_compressed_bytes >= -compressed);
	ASSERT(uncompressed >= 0 ||
	    phys->dd_uncompressed_bytes >= -uncompressed);
	phys->dd_used_bytes += used;
	phys->dd_uncompressed_bytes += uncompressed;
	phys->dd_compressed_bytes += compressed;

	if (phys->dd_flags & DD_FLAG_USED_BREAKDOWN) {
		ASSERT(used >= 0 || phys->dd_used_breakdown[type] >= -used);
		phys->dd_used_breakdown[type] += used;
#ifdef ZFS_DEBUG
		/* The per-type buckets must still sum to dd_used_bytes. */
		{
			uint64_t sum = 0;
			for (dd_used_t t = 0; t < DD_USED_NUM; t++)
				sum += phys->dd_used_breakdown[t];
			ASSERT3U(sum, ==, phys->dd_used_bytes);
		}
#endif
	}

	if (locked_here)
		mutex_exit(&dd->dd_lock);

	if (dd->dd_parent != NULL) {
		dsl_dir_diduse_transfer_space(dd->dd_parent,
		    accounted_delta, compressed, uncompressed,
		    used, DD_USED_CHILD_RSRV, DD_USED_CHILD, tx);
	}
}
/*
 * Move `delta' bytes of this dir's used-space breakdown from bucket
 * `oldtype' to bucket `newtype' in syncing context.  Only the breakdown
 * changes; dd_used_bytes itself is untouched.  A negative delta moves space
 * the other way, from newtype back to oldtype.  Nothing is done (and dd_dbuf
 * is not dirtied) when delta is zero or the dir keeps no breakdown
 * (DD_FLAG_USED_BREAKDOWN clear).
 */
void
dsl_dir_transfer_space(dsl_dir_t *dd, int64_t delta,
    dd_used_t oldtype, dd_used_t newtype, dmu_tx_t *tx)
{
	ASSERT(dmu_tx_is_syncing(tx));
	ASSERT(oldtype < DD_USED_NUM);
	ASSERT(newtype < DD_USED_NUM);

	dsl_dir_phys_t *phys = dsl_dir_phys(dd);
	const boolean_t has_breakdown =
	    (phys->dd_flags & DD_FLAG_USED_BREAKDOWN) != 0;

	if (delta == 0 || !has_breakdown)
		return;

	dmu_buf_will_dirty(dd->dd_dbuf, tx);

	mutex_enter(&dd->dd_lock);
	/* The bucket that gives up space must hold at least that much. */
	ASSERT(delta > 0 ?
	    phys->dd_used_breakdown[oldtype] >= delta :
	    phys->dd_used_breakdown[newtype] >= -delta);
	ASSERT(phys->dd_used_bytes >= ABS(delta));
	phys->dd_used_breakdown[oldtype] -= delta;
	phys->dd_used_breakdown[newtype] += delta;
	mutex_exit(&dd->dd_lock);
}
/*
 * Combined dsl_dir_diduse_space() + dsl_dir_transfer_space() for syncing
 * context: apply the used/compressed/uncompressed deltas to this dir's
 * totals and, when a breakdown is kept, add `tonew' bytes to bucket
 * `newtype' while bucket `oldtype' absorbs the remainder (used - tonew).
 * The parent-visible delta from parent_delta() is then propagated upward
 * with this same routine, landing in the parent's DD_USED_CHILD bucket out
 * of DD_USED_CHILD_RSRV.
 *
 * Unlike dsl_dir_diduse_space(), dd_lock is taken unconditionally here, so
 * callers must not already hold it.
 */
void
dsl_dir_diduse_transfer_space(dsl_dir_t *dd, int64_t used,
    int64_t compressed, int64_t uncompressed, int64_t tonew,
    dd_used_t oldtype, dd_used_t newtype, dmu_tx_t *tx)
{
	ASSERT(dmu_tx_is_syncing(tx));
	ASSERT(oldtype < DD_USED_NUM);
	ASSERT(newtype < DD_USED_NUM);

	dmu_buf_will_dirty(dd->dd_dbuf, tx);

	mutex_enter(&dd->dd_lock);
	dsl_dir_phys_t *phys = dsl_dir_phys(dd);
	const int64_t accounted_delta =
	    parent_delta(dd, phys->dd_used_bytes, used);

	/* Negative deltas must not underflow the running totals. */
	ASSERT(used >= 0 || phys->dd_used_bytes >= -used);
	ASSERT(compressed >= 0 || phys->dd_compressed_bytes >= -compressed);
	ASSERT(uncompressed >= 0 ||
	    phys->dd_uncompressed_bytes >= -uncompressed);
	phys->dd_used_bytes += used;
	phys->dd_uncompressed_bytes += uncompressed;
	phys->dd_compressed_bytes += compressed;

	if (phys->dd_flags & DD_FLAG_USED_BREAKDOWN) {
		/* oldtype gives up whatever of `used' is moved to newtype. */
		const int64_t from_old = tonew - used;

		ASSERT(from_old <= 0 ||
		    phys->dd_used_breakdown[oldtype] >= from_old);
		ASSERT(tonew >= 0 ||
		    phys->dd_used_breakdown[newtype] >= -tonew);
		phys->dd_used_breakdown[oldtype] -= from_old;
		phys->dd_used_breakdown[newtype] += tonew;
#ifdef ZFS_DEBUG
		/* The per-type buckets must still sum to dd_used_bytes. */
		{
			uint64_t sum = 0;
			for (dd_used_t t = 0; t < DD_USED_NUM; t++)
				sum += phys->dd_used_breakdown[t];
			ASSERT3U(sum, ==, phys->dd_used_bytes);
		}
#endif
	}
	mutex_exit(&dd->dd_lock);

	if (dd->dd_parent != NULL) {
		dsl_dir_diduse_transfer_space(dd->dd_parent,
		    accounted_delta, compressed, uncompressed,
		    used, DD_USED_CHILD_RSRV, DD_USED_CHILD, tx);
	}
}
/*
 * Argument block passed (as void *arg) to the dsl_sync_task callbacks that
 * set the "quota" property, dsl_dir_set_quota_check() and
 * dsl_dir_set_quota_sync() below; the "qr" in the name suggests the same
 * block also serves the reservation callbacks, which are not visible here.
 */
typedef struct dsl_dir_set_qr_arg {
	const char *ddsqra_name;	/* dataset name given to dsl_dataset_hold() */
	zprop_source_t ddsqra_source;	/* property source handed to dsl_prop_predict() */
	uint64_t ddsqra_value;		/* proposed property value for dsl_prop_predict() */
} dsl_dir_set_qr_arg_t;
/*
 * dsl_sync_task check callback for setting the "quota" property.
 *
 * arg is a dsl_dir_set_qr_arg_t naming the dataset plus the property source
 * and value.  The effective quota is predicted with dsl_prop_predict(); a
 * predicted value of 0 (no quota) always passes.  Otherwise the new quota
 * must not fall below the dir's reservation, nor below its current usage
 * plus pending writes, or ENOSPC is returned.  During the preliminary
 * open-context pass the space comparison is skipped while writes are
 * pending, since the estimate could be wrong (see the comment in the body).
 *
 * Returns 0 on success, the error from dsl_dataset_hold() or
 * dsl_prop_predict(), or ENOSPC.
 */
static int
dsl_dir_set_quota_check(void *arg, dmu_tx_t *tx)
{
	dsl_dir_set_qr_arg_t *ddsqra = arg;
	dsl_dataset_t *ds;
	dsl_dir_t *dir;
	uint64_t newval;
	int error;

	error = dsl_dataset_hold(dmu_tx_pool(tx), ddsqra->ddsqra_name,
	    FTAG, &ds);
	if (error != 0)
		return (error);

	error = dsl_prop_predict(ds->ds_dir, "quota",
	    ddsqra->ddsqra_source, ddsqra->ddsqra_value, &newval);
	/* A failed prediction is reported; a zero quota needs no check. */
	if (error != 0 || newval == 0)
		goto out;

	dir = ds->ds_dir;
	mutex_enter(&dir->dd_lock);
	/*
	 * If we are doing the preliminary check in open context, and
	 * there are pending changes, then don't fail it, since the
	 * pending changes could under-estimate the amount of space to be
	 * freed up.
	 */
	uint64_t towrite = dsl_dir_space_towrite(dir);
	boolean_t authoritative = dmu_tx_is_syncing(tx) || towrite == 0;
	if (authoritative &&
	    (newval < dsl_dir_phys(dir)->dd_reserved ||
	    newval < dsl_dir_phys(dir)->dd_used_bytes + towrite))
		error = SET_ERROR(ENOSPC);
	mutex_exit(&dir->dd_lock);

out:
	dsl_dataset_rele(ds, FTAG);
	return (error);
}
/*
 * Sync half of the "quota" sync task: record the property (or, on pools
 * too old for received properties, only log the request), then store the
 * effective value in the on-disk dsl_dir_phys_t under dd_lock.
 */
static void
dsl_dir_set_quota_sync(void *arg, dmu_tx_t *tx)
{
	dsl_dir_set_qr_arg_t *ddsqra = arg;
	dsl_pool_t *dp = dmu_tx_pool(tx);
	const char *propname = zfs_prop_to_name(ZFS_PROP_QUOTA);
	dsl_dataset_t *ds;
	dsl_dir_t *dd;
	uint64_t newval;

	VERIFY0(dsl_dataset_hold(dp, ddsqra->ddsqra_name, FTAG, &ds));
	dd = ds->ds_dir;

	if (spa_version(dp->dp_spa) < SPA_VERSION_RECVD_PROPS) {
		/* Old pool version: nowhere to store the property, just log it. */
		newval = ddsqra->ddsqra_value;
		spa_history_log_internal_ds(ds, "set", tx, "%s=%lld",
		    propname, (longlong_t)newval);
	} else {
		/*
		 * Store the property, then read back the effective value
		 * rather than assuming the request was applied as-is.
		 */
		dsl_prop_set_sync_impl(ds, propname,
		    ddsqra->ddsqra_source, sizeof (ddsqra->ddsqra_value), 1,
		    &ddsqra->ddsqra_value, tx);
		VERIFY0(dsl_prop_get_int_ds(ds, propname, &newval));
	}

	dmu_buf_will_dirty(dd->dd_dbuf, tx);
	mutex_enter(&dd->dd_lock);
	dsl_dir_phys(dd)->dd_quota = newval;
	mutex_exit(&dd->dd_lock);
	dsl_dataset_rele(ds, FTAG);
}
/*
 * Set the "quota" property on the dsl_dir of dataset ddname.
 *
 * ddname  - dataset whose directory receives the quota
 * source  - property source recorded with the value
 * quota   - new quota in bytes; 0 means no quota (the check accepts it
 *           unconditionally)
 *
 * Runs dsl_dir_set_quota_check/_sync as a sync task and returns its result.
 */
int
dsl_dir_set_quota(const char *ddname, zprop_source_t source, uint64_t quota)
{
	dsl_dir_set_qr_arg_t ddsqra = {
		.ddsqra_name = ddname,
		.ddsqra_source = source,
		.ddsqra_value = quota,
	};

	return (dsl_sync_task(ddname, dsl_dir_set_quota_check,
	    dsl_dir_set_quota_sync, &ddsqra, 0,
	    ZFS_SPACE_CHECK_EXTRA_RESERVED));
}
/*
 * Check half of the "reservation" sync task.  Only enforced in syncing
 * context, where the space figures are exact: the growth of the
 * reservation beyond what is already used must fit in the available
 * space, and the new reservation must not exceed a non-zero quota.
 *
 * Returns 0 on success, an error from dsl_dataset_hold()/dsl_prop_predict(),
 * or ENOSPC.
 */
static int
dsl_dir_set_reservation_check(void *arg, dmu_tx_t *tx)
{
	dsl_dir_set_qr_arg_t *ddsqra = arg;
	dsl_pool_t *dp = dmu_tx_pool(tx);
	dsl_dataset_t *ds;
	dsl_dir_t *dd;
	uint64_t newval, used, avail, reserved, quota;
	int error;

	error = dsl_dataset_hold(dp, ddsqra->ddsqra_name, FTAG, &ds);
	if (error != 0)
		return (error);
	dd = ds->ds_dir;

	/*
	 * The preliminary check in open context works from space estimates
	 * that may be inaccurate, so defer the decision to syncing context.
	 */
	if (!dmu_tx_is_syncing(tx))
		goto out;

	error = dsl_prop_predict(dd, zfs_prop_to_name(ZFS_PROP_RESERVATION),
	    ddsqra->ddsqra_source, ddsqra->ddsqra_value, &newval);
	if (error != 0)
		goto out;

	mutex_enter(&dd->dd_lock);
	used = dsl_dir_phys(dd)->dd_used_bytes;
	mutex_exit(&dd->dd_lock);

	if (dd->dd_parent != NULL) {
		avail = dsl_dir_space_available(dd->dd_parent,
		    NULL, 0, FALSE);
	} else {
		/* No parent: budget from the pool, less what we already use. */
		avail = dsl_pool_adjustedsize(dd->dd_pool,
		    ZFS_SPACE_CHECK_NORMAL) - used;
	}

	reserved = dsl_dir_phys(dd)->dd_reserved;
	quota = dsl_dir_phys(dd)->dd_quota;
	/*
	 * Only the part of a reservation above current usage is "new"
	 * space, so compare old and new values against the same floor.
	 */
	if (MAX(used, newval) > MAX(used, reserved)) {
		uint64_t delta = MAX(used, newval) - MAX(used, reserved);

		if (delta > avail || (quota > 0 && newval > quota))
			error = SET_ERROR(ENOSPC);
	}

out:
	dsl_dataset_rele(ds, FTAG);
	return (error);
}
/*
 * Store a new reservation on dd and push the resulting change in
 * reserved-but-unused space up to the parent as DD_USED_CHILD_RSRV.
 * Called from the reservation sync task; the parent update is issued
 * while dd_lock is still held.
 */
void
dsl_dir_set_reservation_sync_impl(dsl_dir_t *dd, uint64_t value, dmu_tx_t *tx)
{
	dsl_dir_phys_t *ddp;
	uint64_t used;
	int64_t delta;

	dmu_buf_will_dirty(dd->dd_dbuf, tx);

	mutex_enter(&dd->dd_lock);
	ddp = dsl_dir_phys(dd);
	used = ddp->dd_used_bytes;
	/* Only the part of the reservation above actual usage is charged. */
	delta = MAX(used, value) - MAX(used, ddp->dd_reserved);
	ddp->dd_reserved = value;

	if (dd->dd_parent != NULL) {
		/* Roll up this additional usage into our ancestors */
		dsl_dir_diduse_space(dd->dd_parent, DD_USED_CHILD_RSRV,
		    delta, 0, 0, tx);
	}
	mutex_exit(&dd->dd_lock);
}
/*
 * Sync half of the "reservation" sync task: record the property (or, on
 * pools too old for received properties, only log the request), then apply
 * the effective value via dsl_dir_set_reservation_sync_impl().
 */
static void
dsl_dir_set_reservation_sync(void *arg, dmu_tx_t *tx)
{
	dsl_dir_set_qr_arg_t *ddsqra = arg;
	dsl_pool_t *dp = dmu_tx_pool(tx);
	const char *propname = zfs_prop_to_name(ZFS_PROP_RESERVATION);
	dsl_dataset_t *ds;
	uint64_t newval;

	VERIFY0(dsl_dataset_hold(dp, ddsqra->ddsqra_name, FTAG, &ds));

	if (spa_version(dp->dp_spa) < SPA_VERSION_RECVD_PROPS) {
		/* Old pool version: nowhere to store the property, just log it. */
		newval = ddsqra->ddsqra_value;
		spa_history_log_internal_ds(ds, "set", tx, "%s=%lld",
		    propname, (longlong_t)newval);
	} else {
		/*
		 * Store the property, then read back the effective value
		 * rather than assuming the request was applied as-is.
		 */
		dsl_prop_set_sync_impl(ds, propname,
		    ddsqra->ddsqra_source, sizeof (ddsqra->ddsqra_value), 1,
		    &ddsqra->ddsqra_value, tx);
		VERIFY0(dsl_prop_get_int_ds(ds, propname, &newval));
	}

	dsl_dir_set_reservation_sync_impl(ds->ds_dir, newval, tx);
	dsl_dataset_rele(ds, FTAG);
}
/*
 * Set the "reservation" property on the dsl_dir of dataset ddname.
 *
 * ddname      - dataset whose directory receives the reservation
 * source      - property source recorded with the value
 * reservation - new reservation in bytes
 *
 * Runs dsl_dir_set_reservation_check/_sync as a sync task and returns
 * its result.
 */
int
dsl_dir_set_reservation(const char *ddname, zprop_source_t source,
    uint64_t reservation)
{
	dsl_dir_set_qr_arg_t ddsqra = {
		.ddsqra_name = ddname,
		.ddsqra_source = source,
		.ddsqra_value = reservation,
	};

	return (dsl_sync_task(ddname, dsl_dir_set_reservation_check,
	    dsl_dir_set_reservation_sync, &ddsqra, 0,
	    ZFS_SPACE_CHECK_EXTRA_RESERVED));
}
/*
 * Walk up from ds1 toward the root and return the first directory that is
 * also on ds2's path to the root, or NULL if they share no ancestor.
 * Either argument may be NULL, in which case the result is NULL.
 */
static dsl_dir_t *
closest_common_ancestor(dsl_dir_t *ds1, dsl_dir_t *ds2)
{
	dsl_dir_t *up = ds1;

	while (up != NULL) {
		dsl_dir_t *probe = ds2;

		while (probe != NULL && probe != up)
			probe = probe->dd_parent;
		if (probe != NULL)
			return (probe);
		up = up->dd_parent;
	}
	return (NULL);
}
/*
 * If delta is applied to dd, how much of that delta would be applied to
 * ancestor? Syncing context only.
 *
 * Every directory from dd up to (but excluding) ancestor filters the
 * change through parent_delta() against its own dd_used_bytes, read under
 * dd_lock.  ancestor must lie on dd's path to the root, or be NULL to
 * walk all the way up.
 */
static int64_t
would_change(dsl_dir_t *dd, int64_t delta, dsl_dir_t *ancestor)
{
	dsl_dir_t *cur;

	for (cur = dd; cur != ancestor; cur = cur->dd_parent) {
		mutex_enter(&cur->dd_lock);
		delta = parent_delta(cur, dsl_dir_phys(cur)->dd_used_bytes,
		    delta);
		mutex_exit(&cur->dd_lock);
	}
	return (delta);
}
/*
 * Argument block for the rename sync task (dsl_dir_rename_check/_sync),
 * filled in by dsl_dir_rename().
 */
typedef struct dsl_dir_rename_arg {
	const char *ddra_oldname;	/* current full name of the directory */
	const char *ddra_newname;	/* desired full name (new parent + leaf) */
	cred_t *ddra_cred;		/* caller's credentials, for limit checks */
	proc_t *ddra_proc;		/* caller's process, for limit checks */
} dsl_dir_rename_arg_t;
/*
 * Per-rename deltas handed to dsl_valid_rename() for every descendant:
 * how much longer each name becomes and how many levels deeper it nests.
 */
typedef struct dsl_valid_rename_arg {
	int char_delta;		/* strlen(newname) - strlen(oldname) */
	int nest_delta;		/* depth(newname) - depth(oldname) */
} dsl_valid_rename_arg_t;
/*
 * dmu_objset_find_dp() callback: reject the rename if this descendant's
 * name would reach ZFS_MAX_DATASET_NAME_LEN or, when the tree is being
 * moved deeper, reach zfs_max_dataset_nesting.
 *
 * Returns 0 if the name stays valid, ENAMETOOLONG otherwise.
 */
static int
dsl_valid_rename(dsl_pool_t *dp, dsl_dataset_t *ds, void *arg)
{
	(void) dp;
	const dsl_valid_rename_arg_t *dvra = arg;
	char namebuf[ZFS_MAX_DATASET_NAME_LEN];
	int newlen, newdepth;

	dsl_dataset_name(ds, namebuf);
	ASSERT3U(strnlen(namebuf, ZFS_MAX_DATASET_NAME_LEN),
	    <, ZFS_MAX_DATASET_NAME_LEN);

	newlen = strlen(namebuf) + dvra->char_delta;
	newdepth = get_dataset_depth(namebuf) + dvra->nest_delta;

	if (newlen >= ZFS_MAX_DATASET_NAME_LEN)
		return (SET_ERROR(ENAMETOOLONG));
	/* Nesting is only re-checked when the rename makes the tree deeper. */
	if (dvra->nest_delta > 0 && newdepth >= zfs_max_dataset_nesting)
		return (SET_ERROR(ENAMETOOLONG));
	return (0);
}
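/*
 * Check half of the rename sync task.  Validates that the source exists,
 * that the destination parent exists in the same pool and is a filesystem
 * (not a zvol), that the new name is free, that no descendant name would
 * exceed the length/nesting limits and -- when the parent changes -- that
 * the encryption hierarchy allows the move, that the destination is not
 * inside the source, and that the target has room (space and
 * filesystem/snapshot limits).
 *
 * Returns 0 if the rename may proceed, otherwise an errno.  Once both
 * directory holds are taken every path leaves through "out", so the two
 * dsl_dir_rele() calls exist exactly once instead of on each of the
 * former nine early returns.
 */
static int
dsl_dir_rename_check(void *arg, dmu_tx_t *tx)
{
	dsl_dir_rename_arg_t *ddra = arg;
	dsl_pool_t *dp = dmu_tx_pool(tx);
	dsl_dir_t *dd, *newparent;
	dsl_valid_rename_arg_t dvra;
	dsl_dataset_t *parentds;
	objset_t *parentos;
	const char *mynewname;
	int error;

	/* target dir should exist */
	error = dsl_dir_hold(dp, ddra->ddra_oldname, FTAG, &dd, NULL);
	if (error != 0)
		return (error);

	/* new parent should exist */
	error = dsl_dir_hold(dp, ddra->ddra_newname, FTAG,
	    &newparent, &mynewname);
	if (error != 0) {
		dsl_dir_rele(dd, FTAG);
		return (error);
	}

	/* can't rename to different pool */
	if (dd->dd_pool != newparent->dd_pool) {
		error = SET_ERROR(EXDEV);
		goto out;
	}

	/* new name should not already exist */
	if (mynewname == NULL) {
		error = SET_ERROR(EEXIST);
		goto out;
	}

	/* can't rename below anything but filesystems (eg. no ZVOLs) */
	error = dsl_dataset_hold_obj(newparent->dd_pool,
	    dsl_dir_phys(newparent)->dd_head_dataset_obj, FTAG, &parentds);
	if (error != 0)
		goto out;
	error = dmu_objset_from_ds(parentds, &parentos);
	if (error == 0 && dmu_objset_type(parentos) != DMU_OST_ZFS)
		error = SET_ERROR(ZFS_ERR_WRONG_PARENT);
	dsl_dataset_rele(parentds, FTAG);
	if (error != 0)
		goto out;

	ASSERT3U(strnlen(ddra->ddra_newname, ZFS_MAX_DATASET_NAME_LEN),
	    <, ZFS_MAX_DATASET_NAME_LEN);
	ASSERT3U(strnlen(ddra->ddra_oldname, ZFS_MAX_DATASET_NAME_LEN),
	    <, ZFS_MAX_DATASET_NAME_LEN);
	dvra.char_delta = strlen(ddra->ddra_newname)
	    - strlen(ddra->ddra_oldname);
	dvra.nest_delta = get_dataset_depth(ddra->ddra_newname)
	    - get_dataset_depth(ddra->ddra_oldname);

	/* if the name length is growing, validate child name lengths */
	if (dvra.char_delta > 0 || dvra.nest_delta > 0) {
		error = dmu_objset_find_dp(dp, dd->dd_object, dsl_valid_rename,
		    &dvra, DS_FIND_CHILDREN | DS_FIND_SNAPSHOTS);
		if (error != 0)
			goto out;
	}

	if (dmu_tx_is_syncing(tx) &&
	    spa_feature_is_active(dp->dp_spa, SPA_FEATURE_FS_SS_LIMIT)) {
		/*
		 * Although this is the check function and we don't
		 * normally make on-disk changes in check functions,
		 * we need to do that here.
		 *
		 * Ensure this portion of the tree's counts have been
		 * initialized in case the new parent has limits set.
		 */
		dsl_dir_init_fs_ss_count(dd, tx);
	}

	if (newparent != dd->dd_parent) {
		/* is there enough space? */
		uint64_t myspace =
		    MAX(dsl_dir_phys(dd)->dd_used_bytes,
		    dsl_dir_phys(dd)->dd_reserved);
		objset_t *os = dd->dd_pool->dp_meta_objset;
		uint64_t fs_cnt = 0;
		uint64_t ss_cnt = 0;

		if (dsl_dir_is_zapified(dd)) {
			int err;

			/* ENOENT means the count was never stored: treat as 0. */
			err = zap_lookup(os, dd->dd_object,
			    DD_FIELD_FILESYSTEM_COUNT, sizeof (fs_cnt), 1,
			    &fs_cnt);
			if (err != ENOENT && err != 0) {
				error = err;
				goto out;
			}

			/*
			 * have to add 1 for the filesystem itself that we're
			 * moving
			 */
			fs_cnt++;

			err = zap_lookup(os, dd->dd_object,
			    DD_FIELD_SNAPSHOT_COUNT, sizeof (ss_cnt), 1,
			    &ss_cnt);
			if (err != ENOENT && err != 0) {
				error = err;
				goto out;
			}
		}

		/*
		 * check for encryption errors; the specific reason is
		 * reported to the caller as EACCES.
		 */
		error = dsl_dir_rename_crypt_check(dd, newparent);
		if (error != 0) {
			error = SET_ERROR(EACCES);
			goto out;
		}

		/* no rename into our descendant */
		if (closest_common_ancestor(dd, newparent) == dd) {
			error = SET_ERROR(EINVAL);
			goto out;
		}

		error = dsl_dir_transfer_possible(dd->dd_parent,
		    newparent, fs_cnt, ss_cnt, myspace,
		    ddra->ddra_cred, ddra->ddra_proc);
		if (error != 0)
			goto out;
	}

	/* error is 0 on every path that falls through to here */
out:
	dsl_dir_rele(newparent, FTAG);
	dsl_dir_rele(dd, FTAG);
	return (error);
}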
/*
 * Sync half of the rename sync task.  The check function has already
 * validated both names in this same sync task, so every lookup here is
 * expected to succeed and is VERIFY0()ed.  When the directory moves to a
 * different parent, the filesystem/snapshot counts and the space
 * accounting (used bytes plus any unused reservation) are moved from the
 * old parent to the new one before the directory is re-linked in the
 * parents' child ZAPs.
 */
static void
dsl_dir_rename_sync(void *arg, dmu_tx_t *tx)
{
	dsl_dir_rename_arg_t *ddra = arg;
	dsl_pool_t *dp = dmu_tx_pool(tx);
	dsl_dir_t *dd, *newparent;
	const char *mynewname;
	objset_t *mos = dp->dp_meta_objset;

	VERIFY0(dsl_dir_hold(dp, ddra->ddra_oldname, FTAG, &dd, NULL));
	VERIFY0(dsl_dir_hold(dp, ddra->ddra_newname, FTAG, &newparent,
	    &mynewname));

	/* The check function rejected an existing new name with EEXIST. */
	ASSERT3P(mynewname, !=, NULL);

	/* Log this before we change the name. */
	spa_history_log_internal_dd(dd, "rename", tx,
	    "-> %s", ddra->ddra_newname);

	if (newparent != dd->dd_parent) {
		objset_t *os = dd->dd_pool->dp_meta_objset;
		uint64_t fs_cnt = 0;
		uint64_t ss_cnt = 0;

		/*
		 * We already made sure the dd counts were initialized in the
		 * check function.
		 */
		if (spa_feature_is_active(dp->dp_spa,
		    SPA_FEATURE_FS_SS_LIMIT)) {
			VERIFY0(zap_lookup(os, dd->dd_object,
			    DD_FIELD_FILESYSTEM_COUNT, sizeof (fs_cnt), 1,
			    &fs_cnt));
			/* add 1 for the filesystem itself that we're moving */
			fs_cnt++;

			VERIFY0(zap_lookup(os, dd->dd_object,
			    DD_FIELD_SNAPSHOT_COUNT, sizeof (ss_cnt), 1,
			    &ss_cnt));
		}

		/* Move the counts: debit the old parent, credit the new one. */
		dsl_fs_ss_count_adjust(dd->dd_parent, -fs_cnt,
		    DD_FIELD_FILESYSTEM_COUNT, tx);
		dsl_fs_ss_count_adjust(newparent, fs_cnt,
		    DD_FIELD_FILESYSTEM_COUNT, tx);

		dsl_fs_ss_count_adjust(dd->dd_parent, -ss_cnt,
		    DD_FIELD_SNAPSHOT_COUNT, tx);
		dsl_fs_ss_count_adjust(newparent, ss_cnt,
		    DD_FIELD_SNAPSHOT_COUNT, tx);

		/* Move the child space accounting the same way. */
		dsl_dir_diduse_space(dd->dd_parent, DD_USED_CHILD,
		    -dsl_dir_phys(dd)->dd_used_bytes,
		    -dsl_dir_phys(dd)->dd_compressed_bytes,
		    -dsl_dir_phys(dd)->dd_uncompressed_bytes, tx);
		dsl_dir_diduse_space(newparent, DD_USED_CHILD,
		    dsl_dir_phys(dd)->dd_used_bytes,
		    dsl_dir_phys(dd)->dd_compressed_bytes,
		    dsl_dir_phys(dd)->dd_uncompressed_bytes, tx);

		/*
		 * Reserved-but-unused space is charged to the parent as
		 * DD_USED_CHILD_RSRV; move that portion too.
		 */
		if (dsl_dir_phys(dd)->dd_reserved >
		    dsl_dir_phys(dd)->dd_used_bytes) {
			uint64_t unused_rsrv = dsl_dir_phys(dd)->dd_reserved -
			    dsl_dir_phys(dd)->dd_used_bytes;

			dsl_dir_diduse_space(dd->dd_parent, DD_USED_CHILD_RSRV,
			    -unused_rsrv, 0, 0, tx);
			dsl_dir_diduse_space(newparent, DD_USED_CHILD_RSRV,
			    unused_rsrv, 0, 0, tx);
		}
	}

	dmu_buf_will_dirty(dd->dd_dbuf, tx);

	/* remove from old parent zapobj */
	VERIFY0(zap_remove(mos,
	    dsl_dir_phys(dd->dd_parent)->dd_child_dir_zapobj,
	    dd->dd_myname, tx));

	/*
	 * Re-parent: install the new leaf name, drop the hold on the old
	 * parent, point the on-disk parent object at the new parent, then
	 * take a fresh hold on it through dd->dd_parent.
	 */
	(void) strlcpy(dd->dd_myname, mynewname,
	    sizeof (dd->dd_myname));
	dsl_dir_rele(dd->dd_parent, dd);
	dsl_dir_phys(dd)->dd_parent_obj = newparent->dd_object;
	VERIFY0(dsl_dir_hold_obj(dp,
	    newparent->dd_object, NULL, dd, &dd->dd_parent));

	/* add to new parent zapobj */
	VERIFY0(zap_add(mos, dsl_dir_phys(newparent)->dd_child_dir_zapobj,
	    dd->dd_myname, 8, 1, &dd->dd_object, tx));

	/* TODO: A rename callback to avoid these layering violations. */
	zfsvfs_update_fromname(ddra->ddra_oldname, ddra->ddra_newname);
	zvol_rename_minors(dp->dp_spa, ddra->ddra_oldname,
	    ddra->ddra_newname, B_TRUE);

	/*
	 * NOTE(review): presumably re-evaluates inherited properties now
	 * that the parent may have changed -- confirm against dsl_prop.c.
	 */
	dsl_prop_notify_all(dd);

	dsl_dir_rele(newparent, FTAG);
	dsl_dir_rele(dd, FTAG);
}
/*
 * Rename (and possibly re-parent) the dsl_dir named oldname to newname.
 * The calling thread's credentials and process are captured here so the
 * check function can apply the filesystem/snapshot limit checks on its
 * behalf.
 *
 * Returns the result of the dsl_dir_rename_check/_sync sync task.
 */
int
dsl_dir_rename(const char *oldname, const char *newname)
{
	dsl_dir_rename_arg_t ddra = {
		.ddra_oldname = oldname,
		.ddra_newname = newname,
		.ddra_cred = CRED(),
		.ddra_proc = curproc,
	};

	return (dsl_sync_task(oldname,
	    dsl_dir_rename_check, dsl_dir_rename_sync, &ddra,
	    3, ZFS_SPACE_CHECK_RESERVED));
}
/*
 * Can `space` bytes (and fs_cnt filesystems / ss_cnt snapshots) move from
 * under sdd to under tdd?  Space is judged relative to the closest common
 * ancestor: removing the space from sdd's side changes that ancestor by
 * adelta, and tdd must still have room for it after that.  The count
 * limits are then checked against tdd's lineage up to the same ancestor.
 *
 * Returns 0 if the transfer fits, ENOSPC if space is short, or the error
 * from dsl_fs_ss_limit_check().
 */
int
dsl_dir_transfer_possible(dsl_dir_t *sdd, dsl_dir_t *tdd,
    uint64_t fs_cnt, uint64_t ss_cnt, uint64_t space,
    cred_t *cr, proc_t *proc)
{
	dsl_dir_t *ancestor = closest_common_ancestor(sdd, tdd);
	int64_t adelta = would_change(sdd, -space, ancestor);
	uint64_t avail = dsl_dir_space_available(tdd, ancestor, adelta, FALSE);
	int err;

	if (avail < space)
		return (SET_ERROR(ENOSPC));

	err = dsl_fs_ss_limit_check(tdd, fs_cnt, ZFS_PROP_FILESYSTEM_LIMIT,
	    ancestor, cr, proc);
	if (err == 0) {
		err = dsl_fs_ss_limit_check(tdd, ss_cnt,
		    ZFS_PROP_SNAPSHOT_LIMIT, ancestor, cr, proc);
	}
	return (err);
}
/*
 * Return the time at which the set of snapshots under 'dd' last changed.
 *
 * dd_snap_cmtime is written under dd_lock (see dsl_dir_snap_cmtime_update),
 * so it is copied out under the same lock and the copy is returned.
 */
inode_timespec_t
dsl_dir_snap_cmtime(dsl_dir_t *dd)
{
	inode_timespec_t cmtime;

	mutex_enter(&dd->dd_lock);
	cmtime = dd->dd_snap_cmtime;
	mutex_exit(&dd->dd_lock);

	return (cmtime);
}
/*
 * Persist '*now' as the DD_FIELD_SNAPSHOTS_CHANGED entry of dd's ZAP.
 *
 * Caller holds dd->dd_lock.  The dir object is zapified first so the entry
 * has somewhere to live; the timespec is stored as an array of uint64_t
 * words.  A failing ZAP update is fatal (VERIFY0).
 */
static void
dsl_dir_snap_cmtime_persist(dsl_dir_t *dd, inode_timespec_t *now,
    dmu_tx_t *tx)
{
	objset_t *mos = dd->dd_pool->dp_meta_objset;
	uint64_t ddobj = dd->dd_object;

	dsl_dir_zapify(dd, tx);
	VERIFY0(zap_update(mos, ddobj, DD_FIELD_SNAPSHOTS_CHANGED,
	    sizeof (uint64_t), sizeof (inode_timespec_t) / sizeof (uint64_t),
	    now, tx));
}

/*
 * Record "now" as the time the snapshots under 'dd' last changed.
 *
 * The in-core dd_snap_cmtime is always updated.  When the
 * SPA_FEATURE_EXTENSIBLE_DATASET feature is enabled on the pool the value is
 * also written to the dir's ZAP (DD_FIELD_SNAPSHOTS_CHANGED) in 'tx'.
 */
void
dsl_dir_snap_cmtime_update(dsl_dir_t *dd, dmu_tx_t *tx)
{
	dsl_pool_t *dp = dmu_tx_pool(tx);
	inode_timespec_t now;

	gethrestime(&now);

	mutex_enter(&dd->dd_lock);
	dd->dd_snap_cmtime = now;
	if (spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_EXTENSIBLE_DATASET))
		dsl_dir_snap_cmtime_persist(dd, &now, tx);
	mutex_exit(&dd->dd_lock);
}
/*
 * Convert dd's MOS object into a ZAP (of type DMU_OT_DSL_DIR) in 'tx' so that
 * additional named fields can be attached to the directory.
 */
void
dsl_dir_zapify(dsl_dir_t *dd, dmu_tx_t *tx)
{
	dmu_object_zapify(dd->dd_pool->dp_meta_objset, dd->dd_object,
	    DMU_OT_DSL_DIR, tx);
}
/*
 * Report whether dd's MOS object has been converted to a ZAP
 * (see dsl_dir_zapify), judged by the object type recorded in its dbuf.
 */
boolean_t
dsl_dir_is_zapified(dsl_dir_t *dd)
{
	dmu_object_info_t info;
	boolean_t zapified;

	dmu_object_info_from_db(dd->dd_dbuf, &info);
	zapified = (info.doi_type == DMU_OTN_ZAP_METADATA);

	return (zapified);
}
/*
 * Open the livelist stored in MOS object 'obj' as dd's livelist and set up
 * the in-core pending-allocs / pending-frees bplists that go with it.
 *
 * Requires the LIVELIST feature to be active on the pool (asserted only).
 * Undone by dsl_dir_livelist_close().
 */
void
dsl_dir_livelist_open(dsl_dir_t *dd, uint64_t obj)
{
	ASSERT(spa_feature_is_active(dd->dd_pool->dp_spa,
	    SPA_FEATURE_LIVELIST));

	dsl_deadlist_open(&dd->dd_livelist, dd->dd_pool->dp_meta_objset, obj);
	bplist_create(&dd->dd_pending_allocs);
	bplist_create(&dd->dd_pending_frees);
}
/*
 * Tear down the in-core state created by dsl_dir_livelist_open(): the two
 * pending bplists and the open deadlist.  The on-disk object is untouched.
 */
void
dsl_dir_livelist_close(dsl_dir_t *dd)
{
	bplist_destroy(&dd->dd_pending_frees);
	bplist_destroy(&dd->dd_pending_allocs);
	dsl_deadlist_close(&dd->dd_livelist);
}
/*
 * If 'dd' is the directory whose livelist is queued for condensing, make the
 * condense zthr skip that work and clear spa_to_condense so a different dir's
 * livelist can be condensed later.
 *
 * Runs in syncing context, as does dsl_livelist_try_condense, so
 * spa_to_condense cannot be repopulated while this executes.
 */
static void
dsl_dir_livelist_cancel_condense(spa_t *spa, dsl_dir_t *dd)
{
	zthr_t *condense_zthr = spa->spa_livelist_condense_zthr;
	livelist_condense_entry_t queued = spa->spa_to_condense;

	if (condense_zthr == NULL || queued.ds == NULL ||
	    queued.ds->ds_dir != dd)
		return;

	/*
	 * zthr_wait_cycle_done() rather than zthr_cancel(): the zthr should
	 * only drop its current task, not be destroyed.
	 */
	spa->spa_to_condense.cancelled = B_TRUE;
	zthr_wait_cycle_done(condense_zthr);

	/*
	 * On return there are two possibilities.  Either the no-wait synctask
	 * has already started ('syncing' is set) and will clear
	 * spa_to_condense itself, or the zthr never got to run; in that case
	 * its checkfunc will now fail because 'cancelled' is set, so it is
	 * safe to drop the dataset hold and NULL out 'ds' here.
	 */
	if (spa->spa_to_condense.ds != NULL && !spa->spa_to_condense.syncing) {
		dmu_buf_rele(spa->spa_to_condense.ds->ds_dbuf, spa);
		spa->spa_to_condense.ds = NULL;
	}
}

/*
 * Detach and (when 'total' is set) destroy the livelist of 'dd'.
 *
 * Runs in syncing context.  A pending condense of this livelist is cancelled
 * first, the in-core livelist state is closed, and the DD_FIELD_LIVELIST
 * entry is removed from the dir's ZAP.  With 'total' the on-disk deadlist
 * object is freed as well and the LIVELIST feature refcount is decremented.
 *
 * The ZAP lookup/remove are VERIFY0'd: MOS metadata that cannot be read at
 * this point is treated as fatal rather than silently ignored.
 */
void
dsl_dir_remove_livelist(dsl_dir_t *dd, dmu_tx_t *tx, boolean_t total)
{
	dsl_pool_t *dp = dmu_tx_pool(tx);
	spa_t *spa = dp->dp_spa;
	objset_t *mos = dp->dp_meta_objset;
	uint64_t livelist_obj;

	if (!dsl_deadlist_is_open(&dd->dd_livelist))
		return;

	dsl_dir_livelist_cancel_condense(spa, dd);
	dsl_dir_livelist_close(dd);

	VERIFY0(zap_lookup(mos, dd->dd_object, DD_FIELD_LIVELIST,
	    sizeof (uint64_t), 1, &livelist_obj));
	VERIFY0(zap_remove(mos, dd->dd_object, DD_FIELD_LIVELIST, tx));

	if (total) {
		dsl_deadlist_free(mos, livelist_obj, tx);
		spa_feature_decr(spa, SPA_FEATURE_LIVELIST, tx);
	}
}
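/*
 * Determine whether 'activity' is still in progress for dataset 'ds' (which
 * lives in directory 'dd'), storing the answer in *in_progress.
 *
 * 'ds' is borrowed from the caller: this function takes no hold on it and so
 * must not release it on any path.  (Previously the zap_lookup() failure
 * path alone called dsl_dataset_rele(ds, FTAG), which was inconsistent with
 * the other error paths and would drop a hold this function never took.)
 *
 * The caller must hold dd->dd_activity_lock.
 *
 * Returns 0 with *in_progress set, or the error from the objset, property or
 * ZAP lookups.  On an error return *in_progress is left untouched, so callers
 * must check the error first.
 */
static int
dsl_dir_activity_in_progress(dsl_dir_t *dd, dsl_dataset_t *ds,
    zfs_wait_activity_t activity, boolean_t *in_progress)
{
	int error = 0;

	ASSERT(MUTEX_HELD(&dd->dd_activity_lock));

	switch (activity) {
	case ZFS_WAIT_DELETEQ: {
#ifdef _KERNEL
		objset_t *os;
		error = dmu_objset_from_ds(ds, &os);
		if (error != 0)
			break;

		mutex_enter(&os->os_user_ptr_lock);
		void *user = dmu_objset_get_user(os);
		mutex_exit(&os->os_user_ptr_lock);

		/*
		 * Only a mounted ZPL filesystem has a delete queue worth
		 * waiting on.
		 */
		if (dmu_objset_type(os) != DMU_OST_ZFS ||
		    user == NULL || zfs_get_vfs_flag_unmounted(os)) {
			*in_progress = B_FALSE;
			return (0);
		}

		uint64_t readonly = B_FALSE;
		error = zfs_get_temporary_prop(ds, ZFS_PROP_READONLY, &readonly,
		    NULL);
		if (error != 0)
			break;

		/* Nothing can be drained from the queue if we cannot write. */
		if (readonly || !spa_writeable(dd->dd_pool->dp_spa)) {
			*in_progress = B_FALSE;
			return (0);
		}

		uint64_t count, unlinked_obj;
		error = zap_lookup(os, MASTER_NODE_OBJ, ZFS_UNLINKED_SET, 8, 1,
		    &unlinked_obj);
		if (error != 0)
			break;	/* 'ds' belongs to the caller; do not rele. */

		error = zap_count(os, unlinked_obj, &count);
		if (error == 0)
			*in_progress = (count != 0);
		break;
#else
		/*
		 * The delete queue is ZPL specific, and libzpool doesn't have
		 * it. It doesn't make sense to wait for it.
		 */
		(void) ds;
		*in_progress = B_FALSE;
		break;
#endif
	}
	default:
		panic("unrecognized value for activity %d", activity);
	}

	return (error);
}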
/*
 * Block until 'activity' is no longer in progress for 'ds' in 'dd', or until
 * the wait is interrupted or cancelled.
 *
 * Each round re-checks the activity under the pool config lock and, if it is
 * still in progress, sleeps on dd_activity_cv with dd_activity_lock (which the
 * caller holds).  *waited is set to B_TRUE before the first sleep and never
 * cleared here, so callers initialise it themselves.
 *
 * Returns 0 once the activity is no longer in progress, EINTR if
 * cv_wait_sig() returned 0 (typically a signal) or dd_activity_cancelled was
 * set while we slept, or the error from dsl_dir_activity_in_progress().
 */
int
dsl_dir_wait(dsl_dir_t *dd, dsl_dataset_t *ds, zfs_wait_activity_t activity,
    boolean_t *waited)
{
	dsl_pool_t *dp = dd->dd_pool;
	boolean_t in_progress;
	int error;

	do {
		dsl_pool_config_enter(dp, FTAG);
		error = dsl_dir_activity_in_progress(dd, ds, activity,
		    &in_progress);
		dsl_pool_config_exit(dp, FTAG);
		if (error != 0 || !in_progress)
			return (error);

		*waited = B_TRUE;
	} while (cv_wait_sig(&dd->dd_activity_cv, &dd->dd_activity_lock) != 0 &&
	    !dd->dd_activity_cancelled);

	return (SET_ERROR(EINTR));
}
/*
 * Wake every thread sleeping in dsl_dir_wait() on 'dd' and wait for them to
 * leave.  Setting dd_activity_cancelled makes dsl_dir_wait() return EINTR
 * once it wakes; dd_activity_waiters is presumably maintained by the callers
 * of dsl_dir_wait() (not visible here) and is expected to reach zero as they
 * exit.
 */
void
dsl_dir_cancel_waiters(dsl_dir_t *dd)
{
	mutex_enter(&dd->dd_activity_lock);

	dd->dd_activity_cancelled = B_TRUE;
	cv_broadcast(&dd->dd_activity_cv);

	/* Each wakeup re-checks the count; sleep again if anyone is left. */
	for (;;) {
		if (dd->dd_activity_waiters <= 0)
			break;
		cv_wait(&dd->dd_activity_cv, &dd->dd_activity_lock);
	}

	mutex_exit(&dd->dd_activity_lock);
}
#if defined(_KERNEL)
/* Exported for use by other kernel modules. */
EXPORT_SYMBOL(dsl_dir_set_quota);
EXPORT_SYMBOL(dsl_dir_set_reservation);
#endif

/*
 * Tunable: zvol_enforce_quotas.  Its definition and the code that reads it
 * are elsewhere in this file (not visible here).
 */
/* CSTYLED */
ZFS_MODULE_PARAM(zfs, , zvol_enforce_quotas, INT, ZMOD_RW,
	"Enable strict ZVOL quota enforcment");