2008-11-20 12:01:55 -08:00
|
|
|
/*
|
|
|
|
* CDDL HEADER START
|
|
|
|
*
|
|
|
|
* The contents of this file are subject to the terms of the
|
|
|
|
* Common Development and Distribution License (the "License").
|
|
|
|
* You may not use this file except in compliance with the License.
|
|
|
|
*
|
|
|
|
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
|
|
|
|
* or http://www.opensolaris.org/os/licensing.
|
|
|
|
* See the License for the specific language governing permissions
|
|
|
|
* and limitations under the License.
|
|
|
|
*
|
|
|
|
* When distributing Covered Code, include this CDDL HEADER in each
|
|
|
|
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
|
|
|
|
* If applicable, add the following below this CDDL HEADER, with the
|
|
|
|
* fields enclosed by brackets "[]" replaced with your own identifying
|
|
|
|
* information: Portions Copyright [yyyy] [name of copyright owner]
|
|
|
|
*
|
|
|
|
* CDDL HEADER END
|
|
|
|
*/
|
|
|
|
/*
|
2010-05-28 13:45:14 -07:00
|
|
|
* Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
|
Implement Redacted Send/Receive
Redacted send/receive allows users to send subsets of their data to
a target system. One possible use case for this feature is to not
transmit sensitive information to a data warehousing, test/dev, or
analytics environment. Another is to save space by not replicating
unimportant data within a given dataset, for example in backup tools
like zrepl.
Redacted send/receive is a three-stage process. First, a clone (or
clones) is made of the snapshot to be sent to the target. In this
clone (or clones), all unnecessary or unwanted data is removed or
modified. This clone is then snapshotted to create the "redaction
snapshot" (or snapshots). Second, the new zfs redact command is used
to create a redaction bookmark. The redaction bookmark stores the
list of blocks in a snapshot that were modified by the redaction
snapshot(s). Finally, the redaction bookmark is passed as a parameter
to zfs send. When sending to the snapshot that was redacted, the
redaction bookmark is used to filter out blocks that contain sensitive
or unwanted information, and those blocks are not included in the send
stream. When sending from the redaction bookmark, the blocks it
contains are considered as candidate blocks in addition to those
blocks in the destination snapshot that were modified since the
creation_txg of the redaction bookmark. This step is necessary to
allow the target to rehydrate data in the case where some blocks are
accidentally or unnecessarily modified in the redaction snapshot.
The changes to bookmarks to enable fast space estimation involve
adding deadlists to bookmarks. There is also logic to manage the
life cycles of these deadlists.
The new size estimation process operates in cases where previously
an accurate estimate could not be provided. In those cases, a send
is performed where no data blocks are read, reducing the runtime
significantly and providing a byte-accurate size estimate.
Reviewed-by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed-by: Matt Ahrens <mahrens@delphix.com>
Reviewed-by: Prashanth Sreenivasa <pks@delphix.com>
Reviewed-by: John Kennedy <john.kennedy@delphix.com>
Reviewed-by: George Wilson <george.wilson@delphix.com>
Reviewed-by: Chris Williamson <chris.williamson@delphix.com>
Reviewed-by: Pavel Zhakarov <pavel.zakharov@delphix.com>
Reviewed-by: Sebastien Roy <sebastien.roy@delphix.com>
Reviewed-by: Prakash Surya <prakash.surya@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Paul Dagnelie <pcd@delphix.com>
Closes #7958
2019-06-19 09:48:13 -07:00
|
|
|
* Copyright (c) 2011, 2018 by Delphix. All rights reserved.
|
2013-08-01 13:02:10 -07:00
|
|
|
* Copyright (c) 2013 by Saso Kiselkov. All rights reserved.
|
2016-05-15 08:02:28 -07:00
|
|
|
* Copyright (c) 2013, Joyent, Inc. All rights reserved.
|
2017-01-27 22:46:39 +03:00
|
|
|
* Copyright (c) 2016, Nexenta Systems, Inc. All rights reserved.
|
2015-07-30 22:24:36 +08:00
|
|
|
* Copyright (c) 2015 by Chunwei Chen. All rights reserved.
|
2019-02-12 12:01:08 -08:00
|
|
|
* Copyright (c) 2019 Datto Inc.
|
2008-11-20 12:01:55 -08:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include <sys/dmu.h>
|
|
|
|
#include <sys/dmu_impl.h>
|
|
|
|
#include <sys/dmu_tx.h>
|
|
|
|
#include <sys/dbuf.h>
|
|
|
|
#include <sys/dnode.h>
|
|
|
|
#include <sys/zfs_context.h>
|
|
|
|
#include <sys/dmu_objset.h>
|
|
|
|
#include <sys/dmu_traverse.h>
|
|
|
|
#include <sys/dsl_dataset.h>
|
|
|
|
#include <sys/dsl_dir.h>
|
|
|
|
#include <sys/dsl_pool.h>
|
|
|
|
#include <sys/dsl_synctask.h>
|
|
|
|
#include <sys/dsl_prop.h>
|
|
|
|
#include <sys/dmu_zfetch.h>
|
|
|
|
#include <sys/zfs_ioctl.h>
|
|
|
|
#include <sys/zap.h>
|
|
|
|
#include <sys/zio_checksum.h>
|
2013-05-10 12:47:54 -07:00
|
|
|
#include <sys/zio_compress.h>
|
2010-05-28 13:45:14 -07:00
|
|
|
#include <sys/sa.h>
|
2014-10-18 11:58:11 -04:00
|
|
|
#include <sys/zfeature.h>
|
2016-07-22 11:52:49 -04:00
|
|
|
#include <sys/abd.h>
|
2017-02-01 01:44:03 +03:00
|
|
|
#include <sys/trace_dmu.h>
|
2017-08-21 17:59:48 +02:00
|
|
|
#include <sys/zfs_rlock.h>
|
2008-11-20 12:01:55 -08:00
|
|
|
#ifdef _KERNEL
|
|
|
|
#include <sys/vmsystm.h>
|
2008-12-03 12:09:06 -08:00
|
|
|
#include <sys/zfs_znode.h>
|
2008-11-20 12:01:55 -08:00
|
|
|
#endif
|
|
|
|
|
2013-05-10 12:47:54 -07:00
|
|
|
/*
|
|
|
|
* Enable/disable nopwrite feature.
|
|
|
|
*/
|
|
|
|
int zfs_nopwrite_enabled = 1;
|
|
|
|
|
2017-02-01 01:44:03 +03:00
|
|
|
/*
|
2019-02-12 12:01:08 -08:00
|
|
|
* Tunable to control percentage of dirtied L1 blocks from frees allowed into
|
|
|
|
* one TXG. After this threshold is crossed, additional dirty blocks from frees
|
|
|
|
* will wait until the next TXG.
|
2017-02-01 01:44:03 +03:00
|
|
|
* A value of zero will disable this throttle.
|
|
|
|
*/
|
2019-02-12 12:01:08 -08:00
|
|
|
unsigned long zfs_per_txg_dirty_frees_percent = 5;
|
2017-02-01 01:44:03 +03:00
|
|
|
|
2017-03-24 17:28:38 -04:00
|
|
|
/*
|
|
|
|
* Enable/disable forcing txg sync when dirty in dmu_offset_next.
|
|
|
|
*/
|
|
|
|
int zfs_dmu_offset_next_sync = 0;
|
|
|
|
|
2019-06-12 13:13:09 -07:00
|
|
|
/*
|
|
|
|
* Limit the amount we can prefetch with one call to this amount. This
|
|
|
|
* helps to limit the amount of memory that can be used by prefetching.
|
|
|
|
* Larger objects should be prefetched a bit at a time.
|
|
|
|
*/
|
|
|
|
int dmu_prefetch_max = 8 * SPA_MAXBLOCKSIZE;
|
|
|
|
|
2008-11-20 12:01:55 -08:00
|
|
|
const dmu_object_type_info_t dmu_ot[DMU_OT_NUMTYPES] = {
|
2018-07-10 13:49:50 -04:00
|
|
|
{DMU_BSWAP_UINT8, TRUE, FALSE, FALSE, "unallocated" },
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, TRUE, FALSE, "object directory" },
|
|
|
|
{DMU_BSWAP_UINT64, TRUE, TRUE, FALSE, "object array" },
|
|
|
|
{DMU_BSWAP_UINT8, TRUE, FALSE, FALSE, "packed nvlist" },
|
|
|
|
{DMU_BSWAP_UINT64, TRUE, FALSE, FALSE, "packed nvlist size" },
|
|
|
|
{DMU_BSWAP_UINT64, TRUE, FALSE, FALSE, "bpobj" },
|
|
|
|
{DMU_BSWAP_UINT64, TRUE, FALSE, FALSE, "bpobj header" },
|
|
|
|
{DMU_BSWAP_UINT64, TRUE, FALSE, FALSE, "SPA space map header" },
|
|
|
|
{DMU_BSWAP_UINT64, TRUE, FALSE, FALSE, "SPA space map" },
|
|
|
|
{DMU_BSWAP_UINT64, TRUE, FALSE, TRUE, "ZIL intent log" },
|
|
|
|
{DMU_BSWAP_DNODE, TRUE, FALSE, TRUE, "DMU dnode" },
|
|
|
|
{DMU_BSWAP_OBJSET, TRUE, TRUE, FALSE, "DMU objset" },
|
|
|
|
{DMU_BSWAP_UINT64, TRUE, TRUE, FALSE, "DSL directory" },
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, TRUE, FALSE, "DSL directory child map"},
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, TRUE, FALSE, "DSL dataset snap map" },
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, TRUE, FALSE, "DSL props" },
|
|
|
|
{DMU_BSWAP_UINT64, TRUE, TRUE, FALSE, "DSL dataset" },
|
|
|
|
{DMU_BSWAP_ZNODE, TRUE, FALSE, FALSE, "ZFS znode" },
|
|
|
|
{DMU_BSWAP_OLDACL, TRUE, FALSE, TRUE, "ZFS V0 ACL" },
|
|
|
|
{DMU_BSWAP_UINT8, FALSE, FALSE, TRUE, "ZFS plain file" },
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, FALSE, TRUE, "ZFS directory" },
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, FALSE, FALSE, "ZFS master node" },
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, FALSE, TRUE, "ZFS delete queue" },
|
|
|
|
{DMU_BSWAP_UINT8, FALSE, FALSE, TRUE, "zvol object" },
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, FALSE, FALSE, "zvol prop" },
|
|
|
|
{DMU_BSWAP_UINT8, FALSE, FALSE, TRUE, "other uint8[]" },
|
|
|
|
{DMU_BSWAP_UINT64, FALSE, FALSE, TRUE, "other uint64[]" },
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, FALSE, FALSE, "other ZAP" },
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, FALSE, FALSE, "persistent error log" },
|
|
|
|
{DMU_BSWAP_UINT8, TRUE, FALSE, FALSE, "SPA history" },
|
|
|
|
{DMU_BSWAP_UINT64, TRUE, FALSE, FALSE, "SPA history offsets" },
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, TRUE, FALSE, "Pool properties" },
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, TRUE, FALSE, "DSL permissions" },
|
|
|
|
{DMU_BSWAP_ACL, TRUE, FALSE, TRUE, "ZFS ACL" },
|
|
|
|
{DMU_BSWAP_UINT8, TRUE, FALSE, TRUE, "ZFS SYSACL" },
|
|
|
|
{DMU_BSWAP_UINT8, TRUE, FALSE, TRUE, "FUID table" },
|
|
|
|
{DMU_BSWAP_UINT64, TRUE, FALSE, FALSE, "FUID table size" },
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, TRUE, FALSE, "DSL dataset next clones"},
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, FALSE, FALSE, "scan work queue" },
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, FALSE, TRUE, "ZFS user/group/project used" },
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, FALSE, TRUE, "ZFS user/group/project quota"},
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, TRUE, FALSE, "snapshot refcount tags"},
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, FALSE, FALSE, "DDT ZAP algorithm" },
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, FALSE, FALSE, "DDT statistics" },
|
|
|
|
{DMU_BSWAP_UINT8, TRUE, FALSE, TRUE, "System attributes" },
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, FALSE, TRUE, "SA master node" },
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, FALSE, TRUE, "SA attr registration" },
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, FALSE, TRUE, "SA attr layouts" },
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, FALSE, FALSE, "scan translations" },
|
|
|
|
{DMU_BSWAP_UINT8, FALSE, FALSE, TRUE, "deduplicated block" },
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, TRUE, FALSE, "DSL deadlist map" },
|
|
|
|
{DMU_BSWAP_UINT64, TRUE, TRUE, FALSE, "DSL deadlist map hdr" },
|
|
|
|
{DMU_BSWAP_ZAP, TRUE, TRUE, FALSE, "DSL dir clones" },
|
|
|
|
{DMU_BSWAP_UINT64, TRUE, FALSE, FALSE, "bpobj subobj" }
|
2012-12-13 15:24:15 -08:00
|
|
|
};
|
|
|
|
|
|
|
|
const dmu_object_byteswap_info_t dmu_ot_byteswap[DMU_BSWAP_NUMFUNCS] = {
|
|
|
|
{ byteswap_uint8_array, "uint8" },
|
|
|
|
{ byteswap_uint16_array, "uint16" },
|
|
|
|
{ byteswap_uint32_array, "uint32" },
|
|
|
|
{ byteswap_uint64_array, "uint64" },
|
|
|
|
{ zap_byteswap, "zap" },
|
|
|
|
{ dnode_buf_byteswap, "dnode" },
|
|
|
|
{ dmu_objset_byteswap, "objset" },
|
|
|
|
{ zfs_znode_byteswap, "znode" },
|
|
|
|
{ zfs_oldacl_byteswap, "oldacl" },
|
|
|
|
{ zfs_acl_byteswap, "acl" }
|
2008-11-20 12:01:55 -08:00
|
|
|
};
|
|
|
|
|
OpenZFS 7004 - dmu_tx_hold_zap() does dnode_hold() 7x on same object
Using a benchmark which has 32 threads creating 2 million files in the
same directory, on a machine with 16 CPU cores, I observed poor
performance. I noticed that dmu_tx_hold_zap() was using about 30% of
all CPU, and doing dnode_hold() 7 times on the same object (the ZAP
object that is being held).
dmu_tx_hold_zap() keeps a hold on the dnode_t the entire time it is
running, in dmu_tx_hold_t:txh_dnode, so it would be nice to use the
dnode_t that we already have in hand, rather than repeatedly calling
dnode_hold(). To do this, we need to pass the dnode_t down through
all the intermediate calls that dmu_tx_hold_zap() makes, making these
routines take the dnode_t* rather than an objset_t* and a uint64_t
object number. In particular, the following routines will need to have
analogous *_by_dnode() variants created:
dmu_buf_hold_noread()
dmu_buf_hold()
zap_lookup()
zap_lookup_norm()
zap_count_write()
zap_lockdir()
zap_count_write()
This can improve performance on the benchmark described above by 100%,
from 30,000 file creations per second to 60,000. (This improvement is on
top of that provided by working around the object allocation issue. Peak
performance of ~90,000 creations per second was observed with 8 CPUs;
adding CPUs past that decreased performance due to lock contention.) The
CPU used by dmu_tx_hold_zap() was reduced by 88%, from 340 CPU-seconds
to 40 CPU-seconds.
Sponsored by: Intel Corp.
Signed-off-by: Matthew Ahrens <mahrens@delphix.com>
Signed-off-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
OpenZFS-issue: https://www.illumos.org/issues/7004
OpenZFS-commit: https://github.com/openzfs/openzfs/pull/109
Closes #4641
Closes #4972
2016-07-20 15:42:13 -07:00
|
|
|
int
|
|
|
|
dmu_buf_hold_noread_by_dnode(dnode_t *dn, uint64_t offset,
|
|
|
|
void *tag, dmu_buf_t **dbp)
|
|
|
|
{
|
|
|
|
uint64_t blkid;
|
|
|
|
dmu_buf_impl_t *db;
|
|
|
|
|
|
|
|
rw_enter(&dn->dn_struct_rwlock, RW_READER);
|
2019-07-08 13:18:50 -07:00
|
|
|
blkid = dbuf_whichblock(dn, 0, offset);
|
OpenZFS 7004 - dmu_tx_hold_zap() does dnode_hold() 7x on same object
Using a benchmark which has 32 threads creating 2 million files in the
same directory, on a machine with 16 CPU cores, I observed poor
performance. I noticed that dmu_tx_hold_zap() was using about 30% of
all CPU, and doing dnode_hold() 7 times on the same object (the ZAP
object that is being held).
dmu_tx_hold_zap() keeps a hold on the dnode_t the entire time it is
running, in dmu_tx_hold_t:txh_dnode, so it would be nice to use the
dnode_t that we already have in hand, rather than repeatedly calling
dnode_hold(). To do this, we need to pass the dnode_t down through
all the intermediate calls that dmu_tx_hold_zap() makes, making these
routines take the dnode_t* rather than an objset_t* and a uint64_t
object number. In particular, the following routines will need to have
analogous *_by_dnode() variants created:
dmu_buf_hold_noread()
dmu_buf_hold()
zap_lookup()
zap_lookup_norm()
zap_count_write()
zap_lockdir()
zap_count_write()
This can improve performance on the benchmark described above by 100%,
from 30,000 file creations per second to 60,000. (This improvement is on
top of that provided by working around the object allocation issue. Peak
performance of ~90,000 creations per second was observed with 8 CPUs;
adding CPUs past that decreased performance due to lock contention.) The
CPU used by dmu_tx_hold_zap() was reduced by 88%, from 340 CPU-seconds
to 40 CPU-seconds.
Sponsored by: Intel Corp.
Signed-off-by: Matthew Ahrens <mahrens@delphix.com>
Signed-off-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
OpenZFS-issue: https://www.illumos.org/issues/7004
OpenZFS-commit: https://github.com/openzfs/openzfs/pull/109
Closes #4641
Closes #4972
2016-07-20 15:42:13 -07:00
|
|
|
db = dbuf_hold(dn, blkid, tag);
|
|
|
|
rw_exit(&dn->dn_struct_rwlock);
|
|
|
|
|
|
|
|
if (db == NULL) {
|
|
|
|
*dbp = NULL;
|
|
|
|
return (SET_ERROR(EIO));
|
|
|
|
}
|
|
|
|
|
|
|
|
*dbp = &db->db;
|
|
|
|
return (0);
|
|
|
|
}
|
2008-11-20 12:01:55 -08:00
|
|
|
int
|
2014-06-05 13:19:08 -08:00
|
|
|
dmu_buf_hold_noread(objset_t *os, uint64_t object, uint64_t offset,
|
|
|
|
void *tag, dmu_buf_t **dbp)
|
2008-11-20 12:01:55 -08:00
|
|
|
{
|
|
|
|
dnode_t *dn;
|
|
|
|
uint64_t blkid;
|
|
|
|
dmu_buf_impl_t *db;
|
|
|
|
int err;
|
2010-05-28 13:45:14 -07:00
|
|
|
|
|
|
|
err = dnode_hold(os, object, FTAG, &dn);
|
2008-11-20 12:01:55 -08:00
|
|
|
if (err)
|
|
|
|
return (err);
|
|
|
|
rw_enter(&dn->dn_struct_rwlock, RW_READER);
|
2019-07-08 13:18:50 -07:00
|
|
|
blkid = dbuf_whichblock(dn, 0, offset);
|
2008-11-20 12:01:55 -08:00
|
|
|
db = dbuf_hold(dn, blkid, tag);
|
|
|
|
rw_exit(&dn->dn_struct_rwlock);
|
2014-06-05 13:19:08 -08:00
|
|
|
dnode_rele(dn, FTAG);
|
|
|
|
|
2008-11-20 12:01:55 -08:00
|
|
|
if (db == NULL) {
|
2014-06-05 13:19:08 -08:00
|
|
|
*dbp = NULL;
|
|
|
|
return (SET_ERROR(EIO));
|
|
|
|
}
|
|
|
|
|
|
|
|
*dbp = &db->db;
|
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
OpenZFS 7004 - dmu_tx_hold_zap() does dnode_hold() 7x on same object
Using a benchmark which has 32 threads creating 2 million files in the
same directory, on a machine with 16 CPU cores, I observed poor
performance. I noticed that dmu_tx_hold_zap() was using about 30% of
all CPU, and doing dnode_hold() 7 times on the same object (the ZAP
object that is being held).
dmu_tx_hold_zap() keeps a hold on the dnode_t the entire time it is
running, in dmu_tx_hold_t:txh_dnode, so it would be nice to use the
dnode_t that we already have in hand, rather than repeatedly calling
dnode_hold(). To do this, we need to pass the dnode_t down through
all the intermediate calls that dmu_tx_hold_zap() makes, making these
routines take the dnode_t* rather than an objset_t* and a uint64_t
object number. In particular, the following routines will need to have
analogous *_by_dnode() variants created:
dmu_buf_hold_noread()
dmu_buf_hold()
zap_lookup()
zap_lookup_norm()
zap_count_write()
zap_lockdir()
zap_count_write()
This can improve performance on the benchmark described above by 100%,
from 30,000 file creations per second to 60,000. (This improvement is on
top of that provided by working around the object allocation issue. Peak
performance of ~90,000 creations per second was observed with 8 CPUs;
adding CPUs past that decreased performance due to lock contention.) The
CPU used by dmu_tx_hold_zap() was reduced by 88%, from 340 CPU-seconds
to 40 CPU-seconds.
Sponsored by: Intel Corp.
Signed-off-by: Matthew Ahrens <mahrens@delphix.com>
Signed-off-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
OpenZFS-issue: https://www.illumos.org/issues/7004
OpenZFS-commit: https://github.com/openzfs/openzfs/pull/109
Closes #4641
Closes #4972
2016-07-20 15:42:13 -07:00
|
|
|
int
|
|
|
|
dmu_buf_hold_by_dnode(dnode_t *dn, uint64_t offset,
|
|
|
|
void *tag, dmu_buf_t **dbp, int flags)
|
|
|
|
{
|
|
|
|
int err;
|
|
|
|
int db_flags = DB_RF_CANFAIL;
|
|
|
|
|
|
|
|
if (flags & DMU_READ_NO_PREFETCH)
|
|
|
|
db_flags |= DB_RF_NOPREFETCH;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 13:36:48 -04:00
|
|
|
if (flags & DMU_READ_NO_DECRYPT)
|
|
|
|
db_flags |= DB_RF_NO_DECRYPT;
|
OpenZFS 7004 - dmu_tx_hold_zap() does dnode_hold() 7x on same object
Using a benchmark which has 32 threads creating 2 million files in the
same directory, on a machine with 16 CPU cores, I observed poor
performance. I noticed that dmu_tx_hold_zap() was using about 30% of
all CPU, and doing dnode_hold() 7 times on the same object (the ZAP
object that is being held).
dmu_tx_hold_zap() keeps a hold on the dnode_t the entire time it is
running, in dmu_tx_hold_t:txh_dnode, so it would be nice to use the
dnode_t that we already have in hand, rather than repeatedly calling
dnode_hold(). To do this, we need to pass the dnode_t down through
all the intermediate calls that dmu_tx_hold_zap() makes, making these
routines take the dnode_t* rather than an objset_t* and a uint64_t
object number. In particular, the following routines will need to have
analogous *_by_dnode() variants created:
dmu_buf_hold_noread()
dmu_buf_hold()
zap_lookup()
zap_lookup_norm()
zap_count_write()
zap_lockdir()
zap_count_write()
This can improve performance on the benchmark described above by 100%,
from 30,000 file creations per second to 60,000. (This improvement is on
top of that provided by working around the object allocation issue. Peak
performance of ~90,000 creations per second was observed with 8 CPUs;
adding CPUs past that decreased performance due to lock contention.) The
CPU used by dmu_tx_hold_zap() was reduced by 88%, from 340 CPU-seconds
to 40 CPU-seconds.
Sponsored by: Intel Corp.
Signed-off-by: Matthew Ahrens <mahrens@delphix.com>
Signed-off-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
OpenZFS-issue: https://www.illumos.org/issues/7004
OpenZFS-commit: https://github.com/openzfs/openzfs/pull/109
Closes #4641
Closes #4972
2016-07-20 15:42:13 -07:00
|
|
|
|
|
|
|
err = dmu_buf_hold_noread_by_dnode(dn, offset, tag, dbp);
|
|
|
|
if (err == 0) {
|
|
|
|
dmu_buf_impl_t *db = (dmu_buf_impl_t *)(*dbp);
|
|
|
|
err = dbuf_read(db, NULL, db_flags);
|
|
|
|
if (err != 0) {
|
|
|
|
dbuf_rele(db, tag);
|
|
|
|
*dbp = NULL;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
2014-06-05 13:19:08 -08:00
|
|
|
int
|
|
|
|
dmu_buf_hold(objset_t *os, uint64_t object, uint64_t offset,
|
|
|
|
void *tag, dmu_buf_t **dbp, int flags)
|
|
|
|
{
|
|
|
|
int err;
|
|
|
|
int db_flags = DB_RF_CANFAIL;
|
|
|
|
|
|
|
|
if (flags & DMU_READ_NO_PREFETCH)
|
|
|
|
db_flags |= DB_RF_NOPREFETCH;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 13:36:48 -04:00
|
|
|
if (flags & DMU_READ_NO_DECRYPT)
|
|
|
|
db_flags |= DB_RF_NO_DECRYPT;
|
2014-06-05 13:19:08 -08:00
|
|
|
|
|
|
|
err = dmu_buf_hold_noread(os, object, offset, tag, dbp);
|
|
|
|
if (err == 0) {
|
|
|
|
dmu_buf_impl_t *db = (dmu_buf_impl_t *)(*dbp);
|
2010-05-28 13:45:14 -07:00
|
|
|
err = dbuf_read(db, NULL, db_flags);
|
2014-06-05 13:19:08 -08:00
|
|
|
if (err != 0) {
|
2008-11-20 12:01:55 -08:00
|
|
|
dbuf_rele(db, tag);
|
2014-06-05 13:19:08 -08:00
|
|
|
*dbp = NULL;
|
2008-11-20 12:01:55 -08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
dmu_bonus_max(void)
|
|
|
|
{
|
Implement large_dnode pool feature
Justification
-------------
This feature adds support for variable length dnodes. Our motivation is
to eliminate the overhead associated with using spill blocks. Spill
blocks are used to store system attribute data (i.e. file metadata) that
does not fit in the dnode's bonus buffer. By allowing a larger bonus
buffer area the use of a spill block can be avoided. Spill blocks
potentially incur an additional read I/O for every dnode in a dnode
block. As a worst case example, reading 32 dnodes from a 16k dnode block
and all of the spill blocks could issue 33 separate reads. Now suppose
those dnodes have size 1024 and therefore don't need spill blocks. Then
the worst case number of blocks read is reduced to from 33 to two--one
per dnode block. In practice spill blocks may tend to be co-located on
disk with the dnode blocks so the reduction in I/O would not be this
drastic. In a badly fragmented pool, however, the improvement could be
significant.
ZFS-on-Linux systems that make heavy use of extended attributes would
benefit from this feature. In particular, ZFS-on-Linux supports the
xattr=sa dataset property which allows file extended attribute data
to be stored in the dnode bonus buffer as an alternative to the
traditional directory-based format. Workloads such as SELinux and the
Lustre distributed filesystem often store enough xattr data to force
spill bocks when xattr=sa is in effect. Large dnodes may therefore
provide a performance benefit to such systems.
Other use cases that may benefit from this feature include files with
large ACLs and symbolic links with long target names. Furthermore,
this feature may be desirable on other platforms in case future
applications or features are developed that could make use of a
larger bonus buffer area.
Implementation
--------------
The size of a dnode may be a multiple of 512 bytes up to the size of
a dnode block (currently 16384 bytes). A dn_extra_slots field was
added to the current on-disk dnode_phys_t structure to describe the
size of the physical dnode on disk. The 8 bits for this field were
taken from the zero filled dn_pad2 field. The field represents how
many "extra" dnode_phys_t slots a dnode consumes in its dnode block.
This convention results in a value of 0 for 512 byte dnodes which
preserves on-disk format compatibility with older software.
Similarly, the in-memory dnode_t structure has a new dn_num_slots field
to represent the total number of dnode_phys_t slots consumed on disk.
Thus dn->dn_num_slots is 1 greater than the corresponding
dnp->dn_extra_slots. This difference in convention was adopted
because, unlike on-disk structures, backward compatibility is not a
concern for in-memory objects, so we used a more natural way to
represent size for a dnode_t.
The default size for newly created dnodes is determined by the value of
a new "dnodesize" dataset property. By default the property is set to
"legacy" which is compatible with older software. Setting the property
to "auto" will allow the filesystem to choose the most suitable dnode
size. Currently this just sets the default dnode size to 1k, but future
code improvements could dynamically choose a size based on observed
workload patterns. Dnodes of varying sizes can coexist within the same
dataset and even within the same dnode block. For example, to enable
automatically-sized dnodes, run
# zfs set dnodesize=auto tank/fish
The user can also specify literal values for the dnodesize property.
These are currently limited to powers of two from 1k to 16k. The
power-of-2 limitation is only for simplicity of the user interface.
Internally the implementation can handle any multiple of 512 up to 16k,
and consumers of the DMU API can specify any legal dnode value.
The size of a new dnode is determined at object allocation time and
stored as a new field in the znode in-memory structure. New DMU
interfaces are added to allow the consumer to specify the dnode size
that a newly allocated object should use. Existing interfaces are
unchanged to avoid having to update every call site and to preserve
compatibility with external consumers such as Lustre. The new
interfaces names are given below. The versions of these functions that
don't take a dnodesize parameter now just call the _dnsize() versions
with a dnodesize of 0, which means use the legacy dnode size.
New DMU interfaces:
dmu_object_alloc_dnsize()
dmu_object_claim_dnsize()
dmu_object_reclaim_dnsize()
New ZAP interfaces:
zap_create_dnsize()
zap_create_norm_dnsize()
zap_create_flags_dnsize()
zap_create_claim_norm_dnsize()
zap_create_link_dnsize()
The constant DN_MAX_BONUSLEN is renamed to DN_OLD_MAX_BONUSLEN. The
spa_maxdnodesize() function should be used to determine the maximum
bonus length for a pool.
These are a few noteworthy changes to key functions:
* The prototype for dnode_hold_impl() now takes a "slots" parameter.
When the DNODE_MUST_BE_FREE flag is set, this parameter is used to
ensure the hole at the specified object offset is large enough to
hold the dnode being created. The slots parameter is also used
to ensure a dnode does not span multiple dnode blocks. In both of
these cases, if a failure occurs, ENOSPC is returned. Keep in mind,
these failure cases are only possible when using DNODE_MUST_BE_FREE.
If the DNODE_MUST_BE_ALLOCATED flag is set, "slots" must be 0.
dnode_hold_impl() will check if the requested dnode is already
consumed as an extra dnode slot by an large dnode, in which case
it returns ENOENT.
* The function dmu_object_alloc() advances to the next dnode block
if dnode_hold_impl() returns an error for a requested object.
This is because the beginning of the next dnode block is the only
location it can safely assume to either be a hole or a valid
starting point for a dnode.
* dnode_next_offset_level() and other functions that iterate
through dnode blocks may no longer use a simple array indexing
scheme. These now use the current dnode's dn_num_slots field to
advance to the next dnode in the block. This is to ensure we
properly skip the current dnode's bonus area and don't interpret it
as a valid dnode.
zdb
---
The zdb command was updated to display a dnode's size under the
"dnsize" column when the object is dumped.
For ZIL create log records, zdb will now display the slot count for
the object.
ztest
-----
Ztest chooses a random dnodesize for every newly created object. The
random distribution is more heavily weighted toward small dnodes to
better simulate real-world datasets.
Unused bonus buffer space is filled with non-zero values computed from
the object number, dataset id, offset, and generation number. This
helps ensure that the dnode traversal code properly skips the interior
regions of large dnodes, and that these interior regions are not
overwritten by data belonging to other dnodes. A new test visits each
object in a dataset. It verifies that the actual dnode size matches what
was stored in the ztest block tag when it was created. It also verifies
that the unused bonus buffer space is filled with the expected data
patterns.
ZFS Test Suite
--------------
Added six new large dnode-specific tests, and integrated the dnodesize
property into existing tests for zfs allow and send/recv.
Send/Receive
------------
ZFS send streams for datasets containing large dnodes cannot be received
on pools that don't support the large_dnode feature. A send stream with
large dnodes sets a DMU_BACKUP_FEATURE_LARGE_DNODE flag which will be
unrecognized by an incompatible receiving pool so that the zfs receive
will fail gracefully.
While not implemented here, it may be possible to generate a
backward-compatible send stream from a dataset containing large
dnodes. The implementation may be tricky, however, because the send
object record for a large dnode would need to be resized to a 512
byte dnode, possibly kicking in a spill block in the process. This
means we would need to construct a new SA layout and possibly
register it in the SA layout object. The SA layout is normally just
sent as an ordinary object record. But if we are constructing new
layouts while generating the send stream we'd have to build the SA
layout object dynamically and send it at the end of the stream.
For sending and receiving between pools that do support large dnodes,
the drr_object send record type is extended with a new field to store
the dnode slot count. This field was repurposed from unused padding
in the structure.
ZIL Replay
----------
The dnode slot count is stored in the uppermost 8 bits of the lr_foid
field. The bits were unused as the object id is currently capped at
48 bits.
Resizing Dnodes
---------------
It should be possible to resize a dnode when it is dirtied if the
current dnodesize dataset property differs from the dnode's size, but
this functionality is not currently implemented. Clearly a dnode can
only grow if there are sufficient contiguous unused slots in the
dnode block, but it should always be possible to shrink a dnode.
Growing dnodes may be useful to reduce fragmentation in a pool with
many spill blocks in use. Shrinking dnodes may be useful to allow
sending a dataset to a pool that doesn't support the large_dnode
feature.
Feature Reference Counting
--------------------------
The reference count for the large_dnode pool feature tracks the
number of datasets that have ever contained a dnode of size larger
than 512 bytes. The first time a large dnode is created in a dataset
the dataset is converted to an extensible dataset. This is a one-way
operation and the only way to decrement the feature count is to
destroy the dataset, even if the dataset no longer contains any large
dnodes. The complexity of reference counting on a per-dnode basis was
too high, so we chose to track it on a per-dataset basis similarly to
the large_block feature.
Signed-off-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #3542
2016-03-16 18:25:34 -07:00
|
|
|
return (DN_OLD_MAX_BONUSLEN);
|
2008-11-20 12:01:55 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
int
|
2010-08-26 14:24:34 -07:00
|
|
|
dmu_set_bonus(dmu_buf_t *db_fake, int newsize, dmu_tx_t *tx)
|
2008-11-20 12:01:55 -08:00
|
|
|
{
|
2010-08-26 14:24:34 -07:00
|
|
|
dmu_buf_impl_t *db = (dmu_buf_impl_t *)db_fake;
|
|
|
|
dnode_t *dn;
|
|
|
|
int error;
|
2008-11-20 12:01:55 -08:00
|
|
|
|
2010-08-26 14:24:34 -07:00
|
|
|
DB_DNODE_ENTER(db);
|
|
|
|
dn = DB_DNODE(db);
|
|
|
|
|
|
|
|
if (dn->dn_bonus != db) {
|
2013-03-08 10:41:28 -08:00
|
|
|
error = SET_ERROR(EINVAL);
|
2010-08-26 14:24:34 -07:00
|
|
|
} else if (newsize < 0 || newsize > db_fake->db_size) {
|
2013-03-08 10:41:28 -08:00
|
|
|
error = SET_ERROR(EINVAL);
|
2010-08-26 14:24:34 -07:00
|
|
|
} else {
|
|
|
|
dnode_setbonuslen(dn, newsize, tx);
|
|
|
|
error = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
DB_DNODE_EXIT(db);
|
|
|
|
return (error);
|
2008-11-20 12:01:55 -08:00
|
|
|
}
|
|
|
|
|
2010-05-28 13:45:14 -07:00
|
|
|
int
|
2010-08-26 14:24:34 -07:00
|
|
|
dmu_set_bonustype(dmu_buf_t *db_fake, dmu_object_type_t type, dmu_tx_t *tx)
|
2010-05-28 13:45:14 -07:00
|
|
|
{
|
2010-08-26 14:24:34 -07:00
|
|
|
dmu_buf_impl_t *db = (dmu_buf_impl_t *)db_fake;
|
|
|
|
dnode_t *dn;
|
|
|
|
int error;
|
2010-05-28 13:45:14 -07:00
|
|
|
|
2010-08-26 14:24:34 -07:00
|
|
|
DB_DNODE_ENTER(db);
|
|
|
|
dn = DB_DNODE(db);
|
2010-05-28 13:45:14 -07:00
|
|
|
|
2012-12-13 15:24:15 -08:00
|
|
|
if (!DMU_OT_IS_VALID(type)) {
|
2013-03-08 10:41:28 -08:00
|
|
|
error = SET_ERROR(EINVAL);
|
2010-08-26 14:24:34 -07:00
|
|
|
} else if (dn->dn_bonus != db) {
|
2013-03-08 10:41:28 -08:00
|
|
|
error = SET_ERROR(EINVAL);
|
2010-08-26 14:24:34 -07:00
|
|
|
} else {
|
|
|
|
dnode_setbonus_type(dn, type, tx);
|
|
|
|
error = 0;
|
|
|
|
}
|
2010-05-28 13:45:14 -07:00
|
|
|
|
2010-08-26 14:24:34 -07:00
|
|
|
DB_DNODE_EXIT(db);
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
|
|
|
dmu_object_type_t
|
|
|
|
dmu_get_bonustype(dmu_buf_t *db_fake)
|
|
|
|
{
|
|
|
|
dmu_buf_impl_t *db = (dmu_buf_impl_t *)db_fake;
|
|
|
|
dnode_t *dn;
|
|
|
|
dmu_object_type_t type;
|
|
|
|
|
|
|
|
DB_DNODE_ENTER(db);
|
|
|
|
dn = DB_DNODE(db);
|
|
|
|
type = dn->dn_bonustype;
|
|
|
|
DB_DNODE_EXIT(db);
|
|
|
|
|
|
|
|
return (type);
|
2010-05-28 13:45:14 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
dmu_rm_spill(objset_t *os, uint64_t object, dmu_tx_t *tx)
|
|
|
|
{
|
|
|
|
dnode_t *dn;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
error = dnode_hold(os, object, FTAG, &dn);
|
|
|
|
dbuf_rm_spill(dn, tx);
|
|
|
|
rw_enter(&dn->dn_struct_rwlock, RW_WRITER);
|
|
|
|
dnode_rm_spill(dn, tx);
|
|
|
|
rw_exit(&dn->dn_struct_rwlock);
|
|
|
|
dnode_rele(dn, FTAG);
|
|
|
|
return (error);
|
|
|
|
}
|
|
|
|
|
2008-11-20 12:01:55 -08:00
|
|
|
/*
|
2019-01-10 14:37:43 -08:00
|
|
|
* Lookup and hold the bonus buffer for the provided dnode. If the dnode
|
|
|
|
* has not yet been allocated a new bonus dbuf a will be allocated.
|
|
|
|
* Returns ENOENT, EIO, or 0.
|
2008-11-20 12:01:55 -08:00
|
|
|
*/
|
2019-01-10 14:37:43 -08:00
|
|
|
int dmu_bonus_hold_by_dnode(dnode_t *dn, void *tag, dmu_buf_t **dbp,
|
|
|
|
uint32_t flags)
|
2008-11-20 12:01:55 -08:00
|
|
|
{
|
|
|
|
dmu_buf_impl_t *db;
|
|
|
|
int error;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 13:36:48 -04:00
|
|
|
uint32_t db_flags = DB_RF_MUST_SUCCEED;
|
|
|
|
|
|
|
|
if (flags & DMU_READ_NO_PREFETCH)
|
|
|
|
db_flags |= DB_RF_NOPREFETCH;
|
|
|
|
if (flags & DMU_READ_NO_DECRYPT)
|
|
|
|
db_flags |= DB_RF_NO_DECRYPT;
|
2008-11-20 12:01:55 -08:00
|
|
|
|
|
|
|
rw_enter(&dn->dn_struct_rwlock, RW_READER);
|
|
|
|
if (dn->dn_bonus == NULL) {
|
|
|
|
rw_exit(&dn->dn_struct_rwlock);
|
|
|
|
rw_enter(&dn->dn_struct_rwlock, RW_WRITER);
|
|
|
|
if (dn->dn_bonus == NULL)
|
|
|
|
dbuf_create_bonus(dn);
|
|
|
|
}
|
|
|
|
db = dn->dn_bonus;
|
|
|
|
|
|
|
|
/* as long as the bonus buf is held, the dnode will be held */
|
2018-09-26 19:29:26 +02:00
|
|
|
if (zfs_refcount_add(&db->db_holds, tag) == 1) {
|
2008-11-20 12:01:55 -08:00
|
|
|
VERIFY(dnode_add_ref(dn, db));
|
2015-03-12 11:03:31 +11:00
|
|
|
atomic_inc_32(&dn->dn_dbufs_count);
|
2010-08-26 14:24:34 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Wait to drop dn_struct_rwlock until after adding the bonus dbuf's
|
|
|
|
* hold and incrementing the dbuf count to ensure that dnode_move() sees
|
|
|
|
* a dnode hold for every dbuf.
|
|
|
|
*/
|
|
|
|
rw_exit(&dn->dn_struct_rwlock);
|
2008-11-20 12:01:55 -08:00
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 13:36:48 -04:00
|
|
|
error = dbuf_read(db, NULL, db_flags);
|
|
|
|
if (error) {
|
|
|
|
dnode_evict_bonus(dn);
|
|
|
|
dbuf_rele(db, tag);
|
|
|
|
*dbp = NULL;
|
|
|
|
return (error);
|
|
|
|
}
|
2008-11-20 12:01:55 -08:00
|
|
|
|
|
|
|
*dbp = &db->db;
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 13:36:48 -04:00
|
|
|
int
|
2019-01-10 14:37:43 -08:00
|
|
|
dmu_bonus_hold(objset_t *os, uint64_t object, void *tag, dmu_buf_t **dbp)
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 13:36:48 -04:00
|
|
|
{
|
2019-01-10 14:37:43 -08:00
|
|
|
dnode_t *dn;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
error = dnode_hold(os, object, FTAG, &dn);
|
|
|
|
if (error)
|
|
|
|
return (error);
|
|
|
|
|
|
|
|
error = dmu_bonus_hold_by_dnode(dn, tag, dbp, DMU_READ_NO_PREFETCH);
|
|
|
|
dnode_rele(dn, FTAG);
|
|
|
|
|
|
|
|
return (error);
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 13:36:48 -04:00
|
|
|
}
|
|
|
|
|
2010-05-28 13:45:14 -07:00
|
|
|
/*
|
|
|
|
* returns ENOENT, EIO, or 0.
|
|
|
|
*
|
|
|
|
* This interface will allocate a blank spill dbuf when a spill blk
|
|
|
|
* doesn't already exist on the dnode.
|
|
|
|
*
|
|
|
|
* if you only want to find an already existing spill db, then
|
|
|
|
* dmu_spill_hold_existing() should be used.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
dmu_spill_hold_by_dnode(dnode_t *dn, uint32_t flags, void *tag, dmu_buf_t **dbp)
|
|
|
|
{
|
|
|
|
dmu_buf_impl_t *db = NULL;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
if ((flags & DB_RF_HAVESTRUCT) == 0)
|
|
|
|
rw_enter(&dn->dn_struct_rwlock, RW_READER);
|
|
|
|
|
|
|
|
db = dbuf_hold(dn, DMU_SPILL_BLKID, tag);
|
|
|
|
|
|
|
|
if ((flags & DB_RF_HAVESTRUCT) == 0)
|
|
|
|
rw_exit(&dn->dn_struct_rwlock);
|
|
|
|
|
2016-11-01 07:23:56 +08:00
|
|
|
if (db == NULL) {
|
|
|
|
*dbp = NULL;
|
|
|
|
return (SET_ERROR(EIO));
|
|
|
|
}
|
2010-08-26 14:24:34 -07:00
|
|
|
err = dbuf_read(db, NULL, flags);
|
|
|
|
if (err == 0)
|
|
|
|
*dbp = &db->db;
|
2016-11-01 07:23:56 +08:00
|
|
|
else {
|
2010-08-26 14:24:34 -07:00
|
|
|
dbuf_rele(db, tag);
|
2016-11-01 07:23:56 +08:00
|
|
|
*dbp = NULL;
|
|
|
|
}
|
2010-05-28 13:45:14 -07:00
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
dmu_spill_hold_existing(dmu_buf_t *bonus, void *tag, dmu_buf_t **dbp)
|
|
|
|
{
|
2010-08-26 14:24:34 -07:00
|
|
|
dmu_buf_impl_t *db = (dmu_buf_impl_t *)bonus;
|
|
|
|
dnode_t *dn;
|
2010-05-28 13:45:14 -07:00
|
|
|
int err;
|
|
|
|
|
2010-08-26 14:24:34 -07:00
|
|
|
DB_DNODE_ENTER(db);
|
|
|
|
dn = DB_DNODE(db);
|
|
|
|
|
|
|
|
if (spa_version(dn->dn_objset->os_spa) < SPA_VERSION_SA) {
|
2013-03-08 10:41:28 -08:00
|
|
|
err = SET_ERROR(EINVAL);
|
2010-08-26 14:24:34 -07:00
|
|
|
} else {
|
|
|
|
rw_enter(&dn->dn_struct_rwlock, RW_READER);
|
|
|
|
|
|
|
|
if (!dn->dn_have_spill) {
|
2013-03-08 10:41:28 -08:00
|
|
|
err = SET_ERROR(ENOENT);
|
2010-08-26 14:24:34 -07:00
|
|
|
} else {
|
|
|
|
err = dmu_spill_hold_by_dnode(dn,
|
|
|
|
DB_RF_HAVESTRUCT | DB_RF_CANFAIL, tag, dbp);
|
|
|
|
}
|
2010-05-28 13:45:14 -07:00
|
|
|
|
|
|
|
rw_exit(&dn->dn_struct_rwlock);
|
|
|
|
}
|
2010-08-26 14:24:34 -07:00
|
|
|
|
|
|
|
DB_DNODE_EXIT(db);
|
2010-05-28 13:45:14 -07:00
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
2018-06-06 13:16:41 -04:00
|
|
|
dmu_spill_hold_by_bonus(dmu_buf_t *bonus, uint32_t flags, void *tag,
|
|
|
|
dmu_buf_t **dbp)
|
2010-05-28 13:45:14 -07:00
|
|
|
{
|
2010-08-26 14:24:34 -07:00
|
|
|
dmu_buf_impl_t *db = (dmu_buf_impl_t *)bonus;
|
|
|
|
dnode_t *dn;
|
|
|
|
int err;
|
2018-06-06 13:16:41 -04:00
|
|
|
uint32_t db_flags = DB_RF_CANFAIL;
|
|
|
|
|
|
|
|
if (flags & DMU_READ_NO_DECRYPT)
|
|
|
|
db_flags |= DB_RF_NO_DECRYPT;
|
2010-08-26 14:24:34 -07:00
|
|
|
|
|
|
|
DB_DNODE_ENTER(db);
|
|
|
|
dn = DB_DNODE(db);
|
2018-06-06 13:16:41 -04:00
|
|
|
err = dmu_spill_hold_by_dnode(dn, db_flags, tag, dbp);
|
2010-08-26 14:24:34 -07:00
|
|
|
DB_DNODE_EXIT(db);
|
|
|
|
|
|
|
|
return (err);
|
2010-05-28 13:45:14 -07:00
|
|
|
}
|
|
|
|
|
2008-11-20 12:01:55 -08:00
|
|
|
/*
|
|
|
|
* Note: longer-term, we should modify all of the dmu_buf_*() interfaces
|
|
|
|
* to take a held dnode rather than <os, object> -- the lookup is wasteful,
|
|
|
|
* and can induce severe lock contention when writing to several files
|
|
|
|
* whose dnodes are in the same block.
|
|
|
|
*/
|
|
|
|
static int
|
2009-07-02 15:44:48 -07:00
|
|
|
dmu_buf_hold_array_by_dnode(dnode_t *dn, uint64_t offset, uint64_t length,
|
2015-12-26 22:10:31 +01:00
|
|
|
boolean_t read, void *tag, int *numbufsp, dmu_buf_t ***dbpp, uint32_t flags)
|
2008-11-20 12:01:55 -08:00
|
|
|
{
|
|
|
|
dmu_buf_t **dbp;
|
|
|
|
uint64_t blkid, nblks, i;
|
2009-07-02 15:44:48 -07:00
|
|
|
uint32_t dbuf_flags;
|
2008-11-20 12:01:55 -08:00
|
|
|
int err;
|
|
|
|
zio_t *zio;
|
|
|
|
|
|
|
|
ASSERT(length <= DMU_MAX_ACCESS);
|
|
|
|
|
2015-12-26 22:10:31 +01:00
|
|
|
/*
|
|
|
|
* Note: We directly notify the prefetch code of this read, so that
|
|
|
|
* we can tell it about the multi-block read. dbuf_read() only knows
|
|
|
|
* about the one block it is accessing.
|
|
|
|
*/
|
|
|
|
dbuf_flags = DB_RF_CANFAIL | DB_RF_NEVERWAIT | DB_RF_HAVESTRUCT |
|
|
|
|
DB_RF_NOPREFETCH;
|
2008-11-20 12:01:55 -08:00
|
|
|
|
|
|
|
rw_enter(&dn->dn_struct_rwlock, RW_READER);
|
|
|
|
if (dn->dn_datablkshift) {
|
|
|
|
int blkshift = dn->dn_datablkshift;
|
2015-12-26 22:10:31 +01:00
|
|
|
nblks = (P2ROUNDUP(offset + length, 1ULL << blkshift) -
|
|
|
|
P2ALIGN(offset, 1ULL << blkshift)) >> blkshift;
|
2008-11-20 12:01:55 -08:00
|
|
|
} else {
|
|
|
|
if (offset + length > dn->dn_datablksz) {
|
|
|
|
zfs_panic_recover("zfs: accessing past end of object "
|
|
|
|
"%llx/%llx (size=%u access=%llu+%llu)",
|
|
|
|
(longlong_t)dn->dn_objset->
|
|
|
|
os_dsl_dataset->ds_object,
|
|
|
|
(longlong_t)dn->dn_object, dn->dn_datablksz,
|
|
|
|
(longlong_t)offset, (longlong_t)length);
|
2009-08-18 11:43:27 -07:00
|
|
|
rw_exit(&dn->dn_struct_rwlock);
|
2013-03-08 10:41:28 -08:00
|
|
|
return (SET_ERROR(EIO));
|
2008-11-20 12:01:55 -08:00
|
|
|
}
|
|
|
|
nblks = 1;
|
|
|
|
}
|
2014-11-20 19:09:39 -05:00
|
|
|
dbp = kmem_zalloc(sizeof (dmu_buf_t *) * nblks, KM_SLEEP);
|
2008-11-20 12:01:55 -08:00
|
|
|
|
2008-12-03 12:09:06 -08:00
|
|
|
zio = zio_root(dn->dn_objset->os_spa, NULL, NULL, ZIO_FLAG_CANFAIL);
|
2015-12-22 02:31:57 +01:00
|
|
|
blkid = dbuf_whichblock(dn, 0, offset);
|
2008-11-20 12:01:55 -08:00
|
|
|
for (i = 0; i < nblks; i++) {
|
2015-12-26 22:10:31 +01:00
|
|
|
dmu_buf_impl_t *db = dbuf_hold(dn, blkid + i, tag);
|
2008-11-20 12:01:55 -08:00
|
|
|
if (db == NULL) {
|
|
|
|
rw_exit(&dn->dn_struct_rwlock);
|
|
|
|
dmu_buf_rele_array(dbp, nblks, tag);
|
|
|
|
zio_nowait(zio);
|
2013-03-08 10:41:28 -08:00
|
|
|
return (SET_ERROR(EIO));
|
2008-11-20 12:01:55 -08:00
|
|
|
}
|
2015-12-26 22:10:31 +01:00
|
|
|
|
2008-11-20 12:01:55 -08:00
|
|
|
/* initiate async i/o */
|
2015-12-26 22:10:31 +01:00
|
|
|
if (read)
|
2009-07-02 15:44:48 -07:00
|
|
|
(void) dbuf_read(db, zio, dbuf_flags);
|
2008-11-20 12:01:55 -08:00
|
|
|
dbp[i] = &db->db;
|
|
|
|
}
|
2015-12-26 22:10:31 +01:00
|
|
|
|
2016-08-29 23:36:39 +02:00
|
|
|
if ((flags & DMU_READ_NO_PREFETCH) == 0 &&
|
|
|
|
DNODE_META_IS_CACHEABLE(dn) && length <= zfetch_array_rd_sz) {
|
|
|
|
dmu_zfetch(&dn->dn_zfetch, blkid, nblks,
|
2019-07-08 13:18:50 -07:00
|
|
|
read && DNODE_IS_CACHEABLE(dn), B_TRUE);
|
2015-12-26 22:10:31 +01:00
|
|
|
}
|
2008-11-20 12:01:55 -08:00
|
|
|
rw_exit(&dn->dn_struct_rwlock);
|
|
|
|
|
|
|
|
/* wait for async i/o */
|
|
|
|
err = zio_wait(zio);
|
|
|
|
if (err) {
|
|
|
|
dmu_buf_rele_array(dbp, nblks, tag);
|
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* wait for other io to complete */
|
|
|
|
if (read) {
|
|
|
|
for (i = 0; i < nblks; i++) {
|
|
|
|
dmu_buf_impl_t *db = (dmu_buf_impl_t *)dbp[i];
|
|
|
|
mutex_enter(&db->db_mtx);
|
|
|
|
while (db->db_state == DB_READ ||
|
|
|
|
db->db_state == DB_FILL)
|
|
|
|
cv_wait(&db->db_changed, &db->db_mtx);
|
|
|
|
if (db->db_state == DB_UNCACHED)
|
2013-03-08 10:41:28 -08:00
|
|
|
err = SET_ERROR(EIO);
|
2008-11-20 12:01:55 -08:00
|
|
|
mutex_exit(&db->db_mtx);
|
|
|
|
if (err) {
|
|
|
|
dmu_buf_rele_array(dbp, nblks, tag);
|
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
*numbufsp = nblks;
|
|
|
|
*dbpp = dbp;
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
dmu_buf_hold_array(objset_t *os, uint64_t object, uint64_t offset,
|
|
|
|
uint64_t length, int read, void *tag, int *numbufsp, dmu_buf_t ***dbpp)
|
|
|
|
{
|
|
|
|
dnode_t *dn;
|
|
|
|
int err;
|
|
|
|
|
2010-05-28 13:45:14 -07:00
|
|
|
err = dnode_hold(os, object, FTAG, &dn);
|
2008-11-20 12:01:55 -08:00
|
|
|
if (err)
|
|
|
|
return (err);
|
|
|
|
|
|
|
|
err = dmu_buf_hold_array_by_dnode(dn, offset, length, read, tag,
|
2009-07-02 15:44:48 -07:00
|
|
|
numbufsp, dbpp, DMU_READ_PREFETCH);
|
2008-11-20 12:01:55 -08:00
|
|
|
|
|
|
|
dnode_rele(dn, FTAG);
|
|
|
|
|
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
2010-08-26 14:24:34 -07:00
|
|
|
dmu_buf_hold_array_by_bonus(dmu_buf_t *db_fake, uint64_t offset,
|
2015-12-26 22:10:31 +01:00
|
|
|
uint64_t length, boolean_t read, void *tag, int *numbufsp,
|
|
|
|
dmu_buf_t ***dbpp)
|
2008-11-20 12:01:55 -08:00
|
|
|
{
|
2010-08-26 14:24:34 -07:00
|
|
|
dmu_buf_impl_t *db = (dmu_buf_impl_t *)db_fake;
|
|
|
|
dnode_t *dn;
|
2008-11-20 12:01:55 -08:00
|
|
|
int err;
|
|
|
|
|
2010-08-26 14:24:34 -07:00
|
|
|
DB_DNODE_ENTER(db);
|
|
|
|
dn = DB_DNODE(db);
|
2008-11-20 12:01:55 -08:00
|
|
|
err = dmu_buf_hold_array_by_dnode(dn, offset, length, read, tag,
|
2009-07-02 15:44:48 -07:00
|
|
|
numbufsp, dbpp, DMU_READ_PREFETCH);
|
2010-08-26 14:24:34 -07:00
|
|
|
DB_DNODE_EXIT(db);
|
2008-11-20 12:01:55 -08:00
|
|
|
|
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
dmu_buf_rele_array(dmu_buf_t **dbp_fake, int numbufs, void *tag)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
dmu_buf_impl_t **dbp = (dmu_buf_impl_t **)dbp_fake;
|
|
|
|
|
|
|
|
if (numbufs == 0)
|
|
|
|
return;
|
|
|
|
|
|
|
|
for (i = 0; i < numbufs; i++) {
|
|
|
|
if (dbp[i])
|
|
|
|
dbuf_rele(dbp[i], tag);
|
|
|
|
}
|
|
|
|
|
|
|
|
kmem_free(dbp, sizeof (dmu_buf_t *) * numbufs);
|
|
|
|
}
|
|
|
|
|
Illumos #4045 write throttle & i/o scheduler performance work
4045 zfs write throttle & i/o scheduler performance work
1. The ZFS i/o scheduler (vdev_queue.c) now divides i/os into 5 classes: sync
read, sync write, async read, async write, and scrub/resilver. The scheduler
issues a number of concurrent i/os from each class to the device. Once a class
has been selected, an i/o is selected from this class using either an elevator
algorithem (async, scrub classes) or FIFO (sync classes). The number of
concurrent async write i/os is tuned dynamically based on i/o load, to achieve
good sync i/o latency when there is not a high load of writes, and good write
throughput when there is. See the block comment in vdev_queue.c (reproduced
below) for more details.
2. The write throttle (dsl_pool_tempreserve_space() and
txg_constrain_throughput()) is rewritten to produce much more consistent delays
when under constant load. The new write throttle is based on the amount of
dirty data, rather than guesses about future performance of the system. When
there is a lot of dirty data, each transaction (e.g. write() syscall) will be
delayed by the same small amount. This eliminates the "brick wall of wait"
that the old write throttle could hit, causing all transactions to wait several
seconds until the next txg opens. One of the keys to the new write throttle is
decrementing the amount of dirty data as i/o completes, rather than at the end
of spa_sync(). Note that the write throttle is only applied once the i/o
scheduler is issuing the maximum number of outstanding async writes. See the
block comments in dsl_pool.c and above dmu_tx_delay() (reproduced below) for
more details.
This diff has several other effects, including:
* the commonly-tuned global variable zfs_vdev_max_pending has been removed;
use per-class zfs_vdev_*_max_active values or zfs_vdev_max_active instead.
* the size of each txg (meaning the amount of dirty data written, and thus the
time it takes to write out) is now controlled differently. There is no longer
an explicit time goal; the primary determinant is amount of dirty data.
Systems that are under light or medium load will now often see that a txg is
always syncing, but the impact to performance (e.g. read latency) is minimal.
Tune zfs_dirty_data_max and zfs_dirty_data_sync to control this.
* zio_taskq_batch_pct = 75 -- Only use 75% of all CPUs for compression,
checksum, etc. This improves latency by not allowing these CPU-intensive tasks
to consume all CPU (on machines with at least 4 CPU's; the percentage is
rounded up).
--matt
APPENDIX: problems with the current i/o scheduler
The current ZFS i/o scheduler (vdev_queue.c) is deadline based. The problem
with this is that if there are always i/os pending, then certain classes of
i/os can see very long delays.
For example, if there are always synchronous reads outstanding, then no async
writes will be serviced until they become "past due". One symptom of this
situation is that each pass of the txg sync takes at least several seconds
(typically 3 seconds).
If many i/os become "past due" (their deadline is in the past), then we must
service all of these overdue i/os before any new i/os. This happens when we
enqueue a batch of async writes for the txg sync, with deadlines 2.5 seconds in
the future. If we can't complete all the i/os in 2.5 seconds (e.g. because
there were always reads pending), then these i/os will become past due. Now we
must service all the "async" writes (which could be hundreds of megabytes)
before we service any reads, introducing considerable latency to synchronous
i/os (reads or ZIL writes).
Notes on porting to ZFS on Linux:
- zio_t gained new members io_physdone and io_phys_children. Because
object caches in the Linux port call the constructor only once at
allocation time, objects may contain residual data when retrieved
from the cache. Therefore zio_create() was updated to zero out the two
new fields.
- vdev_mirror_pending() relied on the depth of the per-vdev pending queue
(vq->vq_pending_tree) to select the least-busy leaf vdev to read from.
This tree has been replaced by vq->vq_active_tree which is now used
for the same purpose.
- vdev_queue_init() used the value of zfs_vdev_max_pending to determine
the number of vdev I/O buffers to pre-allocate. That global no longer
exists, so we instead use the sum of the *_max_active values for each of
the five I/O classes described above.
- The Illumos implementation of dmu_tx_delay() delays a transaction by
sleeping in condition variable embedded in the thread
(curthread->t_delay_cv). We do not have an equivalent CV to use in
Linux, so this change replaced the delay logic with a wrapper called
zfs_sleep_until(). This wrapper could be adopted upstream and in other
downstream ports to abstract away operating system-specific delay logic.
- These tunables are added as module parameters, and descriptions added
to the zfs-module-parameters.5 man page.
spa_asize_inflation
zfs_deadman_synctime_ms
zfs_vdev_max_active
zfs_vdev_async_write_active_min_dirty_percent
zfs_vdev_async_write_active_max_dirty_percent
zfs_vdev_async_read_max_active
zfs_vdev_async_read_min_active
zfs_vdev_async_write_max_active
zfs_vdev_async_write_min_active
zfs_vdev_scrub_max_active
zfs_vdev_scrub_min_active
zfs_vdev_sync_read_max_active
zfs_vdev_sync_read_min_active
zfs_vdev_sync_write_max_active
zfs_vdev_sync_write_min_active
zfs_dirty_data_max_percent
zfs_delay_min_dirty_percent
zfs_dirty_data_max_max_percent
zfs_dirty_data_max
zfs_dirty_data_max_max
zfs_dirty_data_sync
zfs_delay_scale
The latter four have type unsigned long, whereas they are uint64_t in
Illumos. This accommodates Linux's module_param() supported types, but
means they may overflow on 32-bit architectures.
The values zfs_dirty_data_max and zfs_dirty_data_max_max are the most
likely to overflow on 32-bit systems, since they express physical RAM
sizes in bytes. In fact, Illumos initializes zfs_dirty_data_max_max to
2^32 which does overflow. To resolve that, this port instead initializes
it in arc_init() to 25% of physical RAM, and adds the tunable
zfs_dirty_data_max_max_percent to override that percentage. While this
solution doesn't completely avoid the overflow issue, it should be a
reasonable default for most systems, and the minority of affected
systems can work around the issue by overriding the defaults.
- Fixed reversed logic in comment above zfs_delay_scale declaration.
- Clarified comments in vdev_queue.c regarding when per-queue minimums take
effect.
- Replaced dmu_tx_write_limit in the dmu_tx kstat file
with dmu_tx_dirty_delay and dmu_tx_dirty_over_max. The first counts
how many times a transaction has been delayed because the pool dirty
data has exceeded zfs_delay_min_dirty_percent. The latter counts how
many times the pool dirty data has exceeded zfs_dirty_data_max (which
we expect to never happen).
- The original patch would have regressed the bug fixed in
zfsonlinux/zfs@c418410, which prevented users from setting the
zfs_vdev_aggregation_limit tuning larger than SPA_MAXBLOCKSIZE.
A similar fix is added to vdev_queue_aggregate().
- In vdev_queue_io_to_issue(), dynamically allocate 'zio_t search' on the
heap instead of the stack. In Linux we can't afford such large
structures on the stack.
Reviewed by: George Wilson <george.wilson@delphix.com>
Reviewed by: Adam Leventhal <ahl@delphix.com>
Reviewed by: Christopher Siden <christopher.siden@delphix.com>
Reviewed by: Ned Bass <bass6@llnl.gov>
Reviewed by: Brendan Gregg <brendan.gregg@joyent.com>
Approved by: Robert Mustacchi <rm@joyent.com>
References:
http://www.illumos.org/issues/4045
illumos/illumos-gate@69962b5647e4a8b9b14998733b765925381b727e
Ported-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #1913
2013-08-28 20:01:20 -07:00
|
|
|
/*
|
2015-12-22 02:31:57 +01:00
|
|
|
* Issue prefetch i/os for the given blocks. If level is greater than 0, the
|
2019-09-03 02:56:41 +02:00
|
|
|
* indirect blocks prefetched will be those that point to the blocks containing
|
2015-12-22 02:31:57 +01:00
|
|
|
* the data starting at offset, and continuing to offset + len.
|
Illumos #4045 write throttle & i/o scheduler performance work
4045 zfs write throttle & i/o scheduler performance work
1. The ZFS i/o scheduler (vdev_queue.c) now divides i/os into 5 classes: sync
read, sync write, async read, async write, and scrub/resilver. The scheduler
issues a number of concurrent i/os from each class to the device. Once a class
has been selected, an i/o is selected from this class using either an elevator
algorithem (async, scrub classes) or FIFO (sync classes). The number of
concurrent async write i/os is tuned dynamically based on i/o load, to achieve
good sync i/o latency when there is not a high load of writes, and good write
throughput when there is. See the block comment in vdev_queue.c (reproduced
below) for more details.
2. The write throttle (dsl_pool_tempreserve_space() and
txg_constrain_throughput()) is rewritten to produce much more consistent delays
when under constant load. The new write throttle is based on the amount of
dirty data, rather than guesses about future performance of the system. When
there is a lot of dirty data, each transaction (e.g. write() syscall) will be
delayed by the same small amount. This eliminates the "brick wall of wait"
that the old write throttle could hit, causing all transactions to wait several
seconds until the next txg opens. One of the keys to the new write throttle is
decrementing the amount of dirty data as i/o completes, rather than at the end
of spa_sync(). Note that the write throttle is only applied once the i/o
scheduler is issuing the maximum number of outstanding async writes. See the
block comments in dsl_pool.c and above dmu_tx_delay() (reproduced below) for
more details.
This diff has several other effects, including:
* the commonly-tuned global variable zfs_vdev_max_pending has been removed;
use per-class zfs_vdev_*_max_active values or zfs_vdev_max_active instead.
* the size of each txg (meaning the amount of dirty data written, and thus the
time it takes to write out) is now controlled differently. There is no longer
an explicit time goal; the primary determinant is amount of dirty data.
Systems that are under light or medium load will now often see that a txg is
always syncing, but the impact to performance (e.g. read latency) is minimal.
Tune zfs_dirty_data_max and zfs_dirty_data_sync to control this.
* zio_taskq_batch_pct = 75 -- Only use 75% of all CPUs for compression,
checksum, etc. This improves latency by not allowing these CPU-intensive tasks
to consume all CPU (on machines with at least 4 CPU's; the percentage is
rounded up).
--matt
APPENDIX: problems with the current i/o scheduler
The current ZFS i/o scheduler (vdev_queue.c) is deadline based. The problem
with this is that if there are always i/os pending, then certain classes of
i/os can see very long delays.
For example, if there are always synchronous reads outstanding, then no async
writes will be serviced until they become "past due". One symptom of this
situation is that each pass of the txg sync takes at least several seconds
(typically 3 seconds).
If many i/os become "past due" (their deadline is in the past), then we must
service all of these overdue i/os before any new i/os. This happens when we
enqueue a batch of async writes for the txg sync, with deadlines 2.5 seconds in
the future. If we can't complete all the i/os in 2.5 seconds (e.g. because
there were always reads pending), then these i/os will become past due. Now we
must service all the "async" writes (which could be hundreds of megabytes)
before we service any reads, introducing considerable latency to synchronous
i/os (reads or ZIL writes).
Notes on porting to ZFS on Linux:
- zio_t gained new members io_physdone and io_phys_children. Because
object caches in the Linux port call the constructor only once at
allocation time, objects may contain residual data when retrieved
from the cache. Therefore zio_create() was updated to zero out the two
new fields.
- vdev_mirror_pending() relied on the depth of the per-vdev pending queue
(vq->vq_pending_tree) to select the least-busy leaf vdev to read from.
This tree has been replaced by vq->vq_active_tree which is now used
for the same purpose.
- vdev_queue_init() used the value of zfs_vdev_max_pending to determine
the number of vdev I/O buffers to pre-allocate. That global no longer
exists, so we instead use the sum of the *_max_active values for each of
the five I/O classes described above.
- The Illumos implementation of dmu_tx_delay() delays a transaction by
sleeping in condition variable embedded in the thread
(curthread->t_delay_cv). We do not have an equivalent CV to use in
Linux, so this change replaced the delay logic with a wrapper called
zfs_sleep_until(). This wrapper could be adopted upstream and in other
downstream ports to abstract away operating system-specific delay logic.
- These tunables are added as module parameters, and descriptions added
to the zfs-module-parameters.5 man page.
spa_asize_inflation
zfs_deadman_synctime_ms
zfs_vdev_max_active
zfs_vdev_async_write_active_min_dirty_percent
zfs_vdev_async_write_active_max_dirty_percent
zfs_vdev_async_read_max_active
zfs_vdev_async_read_min_active
zfs_vdev_async_write_max_active
zfs_vdev_async_write_min_active
zfs_vdev_scrub_max_active
zfs_vdev_scrub_min_active
zfs_vdev_sync_read_max_active
zfs_vdev_sync_read_min_active
zfs_vdev_sync_write_max_active
zfs_vdev_sync_write_min_active
zfs_dirty_data_max_percent
zfs_delay_min_dirty_percent
zfs_dirty_data_max_max_percent
zfs_dirty_data_max
zfs_dirty_data_max_max
zfs_dirty_data_sync
zfs_delay_scale
The latter four have type unsigned long, whereas they are uint64_t in
Illumos. This accommodates Linux's module_param() supported types, but
means they may overflow on 32-bit architectures.
The values zfs_dirty_data_max and zfs_dirty_data_max_max are the most
likely to overflow on 32-bit systems, since they express physical RAM
sizes in bytes. In fact, Illumos initializes zfs_dirty_data_max_max to
2^32 which does overflow. To resolve that, this port instead initializes
it in arc_init() to 25% of physical RAM, and adds the tunable
zfs_dirty_data_max_max_percent to override that percentage. While this
solution doesn't completely avoid the overflow issue, it should be a
reasonable default for most systems, and the minority of affected
systems can work around the issue by overriding the defaults.
- Fixed reversed logic in comment above zfs_delay_scale declaration.
- Clarified comments in vdev_queue.c regarding when per-queue minimums take
effect.
- Replaced dmu_tx_write_limit in the dmu_tx kstat file
with dmu_tx_dirty_delay and dmu_tx_dirty_over_max. The first counts
how many times a transaction has been delayed because the pool dirty
data has exceeded zfs_delay_min_dirty_percent. The latter counts how
many times the pool dirty data has exceeded zfs_dirty_data_max (which
we expect to never happen).
- The original patch would have regressed the bug fixed in
zfsonlinux/zfs@c418410, which prevented users from setting the
zfs_vdev_aggregation_limit tuning larger than SPA_MAXBLOCKSIZE.
A similar fix is added to vdev_queue_aggregate().
- In vdev_queue_io_to_issue(), dynamically allocate 'zio_t search' on the
heap instead of the stack. In Linux we can't afford such large
structures on the stack.
Reviewed by: George Wilson <george.wilson@delphix.com>
Reviewed by: Adam Leventhal <ahl@delphix.com>
Reviewed by: Christopher Siden <christopher.siden@delphix.com>
Reviewed by: Ned Bass <bass6@llnl.gov>
Reviewed by: Brendan Gregg <brendan.gregg@joyent.com>
Approved by: Robert Mustacchi <rm@joyent.com>
References:
http://www.illumos.org/issues/4045
illumos/illumos-gate@69962b5647e4a8b9b14998733b765925381b727e
Ported-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #1913
2013-08-28 20:01:20 -07:00
|
|
|
*
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 13:36:48 -04:00
|
|
|
* Note that if the indirect blocks above the blocks being prefetched are not
|
2019-09-03 02:56:41 +02:00
|
|
|
* in cache, they will be asynchronously read in.
|
Illumos #4045 write throttle & i/o scheduler performance work
4045 zfs write throttle & i/o scheduler performance work
1. The ZFS i/o scheduler (vdev_queue.c) now divides i/os into 5 classes: sync
read, sync write, async read, async write, and scrub/resilver. The scheduler
issues a number of concurrent i/os from each class to the device. Once a class
has been selected, an i/o is selected from this class using either an elevator
algorithem (async, scrub classes) or FIFO (sync classes). The number of
concurrent async write i/os is tuned dynamically based on i/o load, to achieve
good sync i/o latency when there is not a high load of writes, and good write
throughput when there is. See the block comment in vdev_queue.c (reproduced
below) for more details.
2. The write throttle (dsl_pool_tempreserve_space() and
txg_constrain_throughput()) is rewritten to produce much more consistent delays
when under constant load. The new write throttle is based on the amount of
dirty data, rather than guesses about future performance of the system. When
there is a lot of dirty data, each transaction (e.g. write() syscall) will be
delayed by the same small amount. This eliminates the "brick wall of wait"
that the old write throttle could hit, causing all transactions to wait several
seconds until the next txg opens. One of the keys to the new write throttle is
decrementing the amount of dirty data as i/o completes, rather than at the end
of spa_sync(). Note that the write throttle is only applied once the i/o
scheduler is issuing the maximum number of outstanding async writes. See the
block comments in dsl_pool.c and above dmu_tx_delay() (reproduced below) for
more details.
This diff has several other effects, including:
* the commonly-tuned global variable zfs_vdev_max_pending has been removed;
use per-class zfs_vdev_*_max_active values or zfs_vdev_max_active instead.
* the size of each txg (meaning the amount of dirty data written, and thus the
time it takes to write out) is now controlled differently. There is no longer
an explicit time goal; the primary determinant is amount of dirty data.
Systems that are under light or medium load will now often see that a txg is
always syncing, but the impact to performance (e.g. read latency) is minimal.
Tune zfs_dirty_data_max and zfs_dirty_data_sync to control this.
* zio_taskq_batch_pct = 75 -- Only use 75% of all CPUs for compression,
checksum, etc. This improves latency by not allowing these CPU-intensive tasks
to consume all CPU (on machines with at least 4 CPU's; the percentage is
rounded up).
--matt
APPENDIX: problems with the current i/o scheduler
The current ZFS i/o scheduler (vdev_queue.c) is deadline based. The problem
with this is that if there are always i/os pending, then certain classes of
i/os can see very long delays.
For example, if there are always synchronous reads outstanding, then no async
writes will be serviced until they become "past due". One symptom of this
situation is that each pass of the txg sync takes at least several seconds
(typically 3 seconds).
If many i/os become "past due" (their deadline is in the past), then we must
service all of these overdue i/os before any new i/os. This happens when we
enqueue a batch of async writes for the txg sync, with deadlines 2.5 seconds in
the future. If we can't complete all the i/os in 2.5 seconds (e.g. because
there were always reads pending), then these i/os will become past due. Now we
must service all the "async" writes (which could be hundreds of megabytes)
before we service any reads, introducing considerable latency to synchronous
i/os (reads or ZIL writes).
Notes on porting to ZFS on Linux:
- zio_t gained new members io_physdone and io_phys_children. Because
object caches in the Linux port call the constructor only once at
allocation time, objects may contain residual data when retrieved
from the cache. Therefore zio_create() was updated to zero out the two
new fields.
- vdev_mirror_pending() relied on the depth of the per-vdev pending queue
(vq->vq_pending_tree) to select the least-busy leaf vdev to read from.
This tree has been replaced by vq->vq_active_tree which is now used
for the same purpose.
- vdev_queue_init() used the value of zfs_vdev_max_pending to determine
the number of vdev I/O buffers to pre-allocate. That global no longer
exists, so we instead use the sum of the *_max_active values for each of
the five I/O classes described above.
- The Illumos implementation of dmu_tx_delay() delays a transaction by
sleeping in condition variable embedded in the thread
(curthread->t_delay_cv). We do not have an equivalent CV to use in
Linux, so this change replaced the delay logic with a wrapper called
zfs_sleep_until(). This wrapper could be adopted upstream and in other
downstream ports to abstract away operating system-specific delay logic.
- These tunables are added as module parameters, and descriptions added
to the zfs-module-parameters.5 man page.
spa_asize_inflation
zfs_deadman_synctime_ms
zfs_vdev_max_active
zfs_vdev_async_write_active_min_dirty_percent
zfs_vdev_async_write_active_max_dirty_percent
zfs_vdev_async_read_max_active
zfs_vdev_async_read_min_active
zfs_vdev_async_write_max_active
zfs_vdev_async_write_min_active
zfs_vdev_scrub_max_active
zfs_vdev_scrub_min_active
zfs_vdev_sync_read_max_active
zfs_vdev_sync_read_min_active
zfs_vdev_sync_write_max_active
zfs_vdev_sync_write_min_active
zfs_dirty_data_max_percent
zfs_delay_min_dirty_percent
zfs_dirty_data_max_max_percent
zfs_dirty_data_max
zfs_dirty_data_max_max
zfs_dirty_data_sync
zfs_delay_scale
The latter four have type unsigned long, whereas they are uint64_t in
Illumos. This accommodates Linux's module_param() supported types, but
means they may overflow on 32-bit architectures.
The values zfs_dirty_data_max and zfs_dirty_data_max_max are the most
likely to overflow on 32-bit systems, since they express physical RAM
sizes in bytes. In fact, Illumos initializes zfs_dirty_data_max_max to
2^32 which does overflow. To resolve that, this port instead initializes
it in arc_init() to 25% of physical RAM, and adds the tunable
zfs_dirty_data_max_max_percent to override that percentage. While this
solution doesn't completely avoid the overflow issue, it should be a
reasonable default for most systems, and the minority of affected
systems can work around the issue by overriding the defaults.
- Fixed reversed logic in comment above zfs_delay_scale declaration.
- Clarified comments in vdev_queue.c regarding when per-queue minimums take
effect.
- Replaced dmu_tx_write_limit in the dmu_tx kstat file
with dmu_tx_dirty_delay and dmu_tx_dirty_over_max. The first counts
how many times a transaction has been delayed because the pool dirty
data has exceeded zfs_delay_min_dirty_percent. The latter counts how
many times the pool dirty data has exceeded zfs_dirty_data_max (which
we expect to never happen).
- The original patch would have regressed the bug fixed in
zfsonlinux/zfs@c418410, which prevented users from setting the
zfs_vdev_aggregation_limit tuning larger than SPA_MAXBLOCKSIZE.
A similar fix is added to vdev_queue_aggregate().
- In vdev_queue_io_to_issue(), dynamically allocate 'zio_t search' on the
heap instead of the stack. In Linux we can't afford such large
structures on the stack.
Reviewed by: George Wilson <george.wilson@delphix.com>
Reviewed by: Adam Leventhal <ahl@delphix.com>
Reviewed by: Christopher Siden <christopher.siden@delphix.com>
Reviewed by: Ned Bass <bass6@llnl.gov>
Reviewed by: Brendan Gregg <brendan.gregg@joyent.com>
Approved by: Robert Mustacchi <rm@joyent.com>
References:
http://www.illumos.org/issues/4045
illumos/illumos-gate@69962b5647e4a8b9b14998733b765925381b727e
Ported-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #1913
2013-08-28 20:01:20 -07:00
|
|
|
*/
|
2008-11-20 12:01:55 -08:00
|
|
|
void
|
2015-12-22 02:31:57 +01:00
|
|
|
dmu_prefetch(objset_t *os, uint64_t object, int64_t level, uint64_t offset,
|
|
|
|
uint64_t len, zio_priority_t pri)
|
2008-11-20 12:01:55 -08:00
|
|
|
{
|
|
|
|
dnode_t *dn;
|
|
|
|
uint64_t blkid;
|
Illumos #4045 write throttle & i/o scheduler performance work
4045 zfs write throttle & i/o scheduler performance work
1. The ZFS i/o scheduler (vdev_queue.c) now divides i/os into 5 classes: sync
read, sync write, async read, async write, and scrub/resilver. The scheduler
issues a number of concurrent i/os from each class to the device. Once a class
has been selected, an i/o is selected from this class using either an elevator
algorithem (async, scrub classes) or FIFO (sync classes). The number of
concurrent async write i/os is tuned dynamically based on i/o load, to achieve
good sync i/o latency when there is not a high load of writes, and good write
throughput when there is. See the block comment in vdev_queue.c (reproduced
below) for more details.
2. The write throttle (dsl_pool_tempreserve_space() and
txg_constrain_throughput()) is rewritten to produce much more consistent delays
when under constant load. The new write throttle is based on the amount of
dirty data, rather than guesses about future performance of the system. When
there is a lot of dirty data, each transaction (e.g. write() syscall) will be
delayed by the same small amount. This eliminates the "brick wall of wait"
that the old write throttle could hit, causing all transactions to wait several
seconds until the next txg opens. One of the keys to the new write throttle is
decrementing the amount of dirty data as i/o completes, rather than at the end
of spa_sync(). Note that the write throttle is only applied once the i/o
scheduler is issuing the maximum number of outstanding async writes. See the
block comments in dsl_pool.c and above dmu_tx_delay() (reproduced below) for
more details.
This diff has several other effects, including:
* the commonly-tuned global variable zfs_vdev_max_pending has been removed;
use per-class zfs_vdev_*_max_active values or zfs_vdev_max_active instead.
* the size of each txg (meaning the amount of dirty data written, and thus the
time it takes to write out) is now controlled differently. There is no longer
an explicit time goal; the primary determinant is amount of dirty data.
Systems that are under light or medium load will now often see that a txg is
always syncing, but the impact to performance (e.g. read latency) is minimal.
Tune zfs_dirty_data_max and zfs_dirty_data_sync to control this.
* zio_taskq_batch_pct = 75 -- Only use 75% of all CPUs for compression,
checksum, etc. This improves latency by not allowing these CPU-intensive tasks
to consume all CPU (on machines with at least 4 CPU's; the percentage is
rounded up).
--matt
APPENDIX: problems with the current i/o scheduler
The current ZFS i/o scheduler (vdev_queue.c) is deadline based. The problem
with this is that if there are always i/os pending, then certain classes of
i/os can see very long delays.
For example, if there are always synchronous reads outstanding, then no async
writes will be serviced until they become "past due". One symptom of this
situation is that each pass of the txg sync takes at least several seconds
(typically 3 seconds).
If many i/os become "past due" (their deadline is in the past), then we must
service all of these overdue i/os before any new i/os. This happens when we
enqueue a batch of async writes for the txg sync, with deadlines 2.5 seconds in
the future. If we can't complete all the i/os in 2.5 seconds (e.g. because
there were always reads pending), then these i/os will become past due. Now we
must service all the "async" writes (which could be hundreds of megabytes)
before we service any reads, introducing considerable latency to synchronous
i/os (reads or ZIL writes).
Notes on porting to ZFS on Linux:
- zio_t gained new members io_physdone and io_phys_children. Because
object caches in the Linux port call the constructor only once at
allocation time, objects may contain residual data when retrieved
from the cache. Therefore zio_create() was updated to zero out the two
new fields.
- vdev_mirror_pending() relied on the depth of the per-vdev pending queue
(vq->vq_pending_tree) to select the least-busy leaf vdev to read from.
This tree has been replaced by vq->vq_active_tree which is now used
for the same purpose.
- vdev_queue_init() used the value of zfs_vdev_max_pending to determine
the number of vdev I/O buffers to pre-allocate. That global no longer
exists, so we instead use the sum of the *_max_active values for each of
the five I/O classes described above.
- The Illumos implementation of dmu_tx_delay() delays a transaction by
sleeping in condition variable embedded in the thread
(curthread->t_delay_cv). We do not have an equivalent CV to use in
Linux, so this change replaced the delay logic with a wrapper called
zfs_sleep_until(). This wrapper could be adopted upstream and in other
downstream ports to abstract away operating system-specific delay logic.
- These tunables are added as module parameters, and descriptions added
to the zfs-module-parameters.5 man page.
spa_asize_inflation
zfs_deadman_synctime_ms
zfs_vdev_max_active
zfs_vdev_async_write_active_min_dirty_percent
zfs_vdev_async_write_active_max_dirty_percent
zfs_vdev_async_read_max_active
zfs_vdev_async_read_min_active
zfs_vdev_async_write_max_active
zfs_vdev_async_write_min_active
zfs_vdev_scrub_max_active
zfs_vdev_scrub_min_active
zfs_vdev_sync_read_max_active
zfs_vdev_sync_read_min_active
zfs_vdev_sync_write_max_active
zfs_vdev_sync_write_min_active
zfs_dirty_data_max_percent
zfs_delay_min_dirty_percent
zfs_dirty_data_max_max_percent
zfs_dirty_data_max
zfs_dirty_data_max_max
zfs_dirty_data_sync
zfs_delay_scale
The latter four have type unsigned long, whereas they are uint64_t in
Illumos. This accommodates Linux's module_param() supported types, but
means they may overflow on 32-bit architectures.
The values zfs_dirty_data_max and zfs_dirty_data_max_max are the most
likely to overflow on 32-bit systems, since they express physical RAM
sizes in bytes. In fact, Illumos initializes zfs_dirty_data_max_max to
2^32 which does overflow. To resolve that, this port instead initializes
it in arc_init() to 25% of physical RAM, and adds the tunable
zfs_dirty_data_max_max_percent to override that percentage. While this
solution doesn't completely avoid the overflow issue, it should be a
reasonable default for most systems, and the minority of affected
systems can work around the issue by overriding the defaults.
- Fixed reversed logic in comment above zfs_delay_scale declaration.
- Clarified comments in vdev_queue.c regarding when per-queue minimums take
effect.
- Replaced dmu_tx_write_limit in the dmu_tx kstat file
with dmu_tx_dirty_delay and dmu_tx_dirty_over_max. The first counts
how many times a transaction has been delayed because the pool dirty
data has exceeded zfs_delay_min_dirty_percent. The latter counts how
many times the pool dirty data has exceeded zfs_dirty_data_max (which
we expect to never happen).
- The original patch would have regressed the bug fixed in
zfsonlinux/zfs@c418410, which prevented users from setting the
zfs_vdev_aggregation_limit tuning larger than SPA_MAXBLOCKSIZE.
A similar fix is added to vdev_queue_aggregate().
- In vdev_queue_io_to_issue(), dynamically allocate 'zio_t search' on the
heap instead of the stack. In Linux we can't afford such large
structures on the stack.
Reviewed by: George Wilson <george.wilson@delphix.com>
Reviewed by: Adam Leventhal <ahl@delphix.com>
Reviewed by: Christopher Siden <christopher.siden@delphix.com>
Reviewed by: Ned Bass <bass6@llnl.gov>
Reviewed by: Brendan Gregg <brendan.gregg@joyent.com>
Approved by: Robert Mustacchi <rm@joyent.com>
References:
http://www.illumos.org/issues/4045
illumos/illumos-gate@69962b5647e4a8b9b14998733b765925381b727e
Ported-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #1913
2013-08-28 20:01:20 -07:00
|
|
|
int nblks, err;
|
2008-11-20 12:01:55 -08:00
|
|
|
|
|
|
|
if (len == 0) { /* they're interested in the bonus buffer */
|
2010-08-26 14:24:34 -07:00
|
|
|
dn = DMU_META_DNODE(os);
|
2008-11-20 12:01:55 -08:00
|
|
|
|
|
|
|
if (object == 0 || object >= DN_MAX_OBJECT)
|
|
|
|
return;
|
|
|
|
|
|
|
|
rw_enter(&dn->dn_struct_rwlock, RW_READER);
|
2015-12-22 02:31:57 +01:00
|
|
|
blkid = dbuf_whichblock(dn, level,
|
|
|
|
object * sizeof (dnode_phys_t));
|
|
|
|
dbuf_prefetch(dn, level, blkid, pri, 0);
|
2008-11-20 12:01:55 -08:00
|
|
|
rw_exit(&dn->dn_struct_rwlock);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2019-06-12 13:13:09 -07:00
|
|
|
/*
|
|
|
|
* See comment before the definition of dmu_prefetch_max.
|
|
|
|
*/
|
|
|
|
len = MIN(len, dmu_prefetch_max);
|
|
|
|
|
2008-11-20 12:01:55 -08:00
|
|
|
/*
|
|
|
|
* XXX - Note, if the dnode for the requested object is not
|
|
|
|
* already cached, we will do a *synchronous* read in the
|
|
|
|
* dnode_hold() call. The same is true for any indirects.
|
|
|
|
*/
|
2010-05-28 13:45:14 -07:00
|
|
|
err = dnode_hold(os, object, FTAG, &dn);
|
2008-11-20 12:01:55 -08:00
|
|
|
if (err != 0)
|
|
|
|
return;
|
|
|
|
|
2015-12-22 02:31:57 +01:00
|
|
|
/*
|
|
|
|
* offset + len - 1 is the last byte we want to prefetch for, and offset
|
|
|
|
* is the first. Then dbuf_whichblk(dn, level, off + len - 1) is the
|
|
|
|
* last block we want to prefetch, and dbuf_whichblock(dn, level,
|
|
|
|
* offset) is the first. Then the number we need to prefetch is the
|
|
|
|
* last - first + 1.
|
|
|
|
*/
|
2019-07-08 13:18:50 -07:00
|
|
|
rw_enter(&dn->dn_struct_rwlock, RW_READER);
|
2015-12-22 02:31:57 +01:00
|
|
|
if (level > 0 || dn->dn_datablkshift != 0) {
|
|
|
|
nblks = dbuf_whichblock(dn, level, offset + len - 1) -
|
|
|
|
dbuf_whichblock(dn, level, offset) + 1;
|
2008-11-20 12:01:55 -08:00
|
|
|
} else {
|
|
|
|
nblks = (offset < dn->dn_datablksz);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (nblks != 0) {
|
2015-12-22 02:31:57 +01:00
|
|
|
blkid = dbuf_whichblock(dn, level, offset);
|
2017-11-04 14:25:13 -06:00
|
|
|
for (int i = 0; i < nblks; i++)
|
2015-12-22 02:31:57 +01:00
|
|
|
dbuf_prefetch(dn, level, blkid + i, pri, 0);
|
2008-11-20 12:01:55 -08:00
|
|
|
}
|
|
|
|
rw_exit(&dn->dn_struct_rwlock);
|
|
|
|
|
|
|
|
dnode_rele(dn, FTAG);
|
|
|
|
}
|
|
|
|
|
2009-08-18 11:43:27 -07:00
|
|
|
/*
|
|
|
|
* Get the next "chunk" of file data to free. We traverse the file from
|
|
|
|
* the end so that the file gets shorter over time (if we crashes in the
|
|
|
|
* middle, this will leave us in a better state). We find allocated file
|
|
|
|
* data by simply searching the allocated level 1 indirects.
|
2013-08-20 20:11:52 -08:00
|
|
|
*
|
|
|
|
* On input, *start should be the first offset that does not need to be
|
|
|
|
* freed (e.g. "offset + length"). On return, *start will be the first
|
2019-02-12 12:01:08 -08:00
|
|
|
* offset that should be freed and l1blks is set to the number of level 1
|
|
|
|
* indirect blocks found within the chunk.
|
2009-08-18 11:43:27 -07:00
|
|
|
*/
|
2008-12-03 12:09:06 -08:00
|
|
|
static int
|
2019-02-12 12:01:08 -08:00
|
|
|
get_next_chunk(dnode_t *dn, uint64_t *start, uint64_t minimum, uint64_t *l1blks)
|
2008-12-03 12:09:06 -08:00
|
|
|
{
|
2019-02-12 12:01:08 -08:00
|
|
|
uint64_t blks;
|
2013-08-20 20:11:52 -08:00
|
|
|
uint64_t maxblks = DMU_MAX_ACCESS >> (dn->dn_indblkshift + 1);
|
|
|
|
/* bytes of data covered by a level-1 indirect block */
|
2019-05-29 19:17:25 +02:00
|
|
|
uint64_t iblkrange = (uint64_t)dn->dn_datablksz *
|
|
|
|
EPB(dn->dn_indblkshift, SPA_BLKPTRSHIFT);
|
2008-12-03 12:09:06 -08:00
|
|
|
|
2013-08-20 20:11:52 -08:00
|
|
|
ASSERT3U(minimum, <=, *start);
|
2008-12-03 12:09:06 -08:00
|
|
|
|
2019-04-25 13:16:24 -04:00
|
|
|
/*
|
|
|
|
* Check if we can free the entire range assuming that all of the
|
|
|
|
* L1 blocks in this range have data. If we can, we use this
|
|
|
|
* worst case value as an estimate so we can avoid having to look
|
|
|
|
* at the object's actual data.
|
|
|
|
*/
|
|
|
|
uint64_t total_l1blks =
|
|
|
|
(roundup(*start, iblkrange) - (minimum / iblkrange * iblkrange)) /
|
|
|
|
iblkrange;
|
|
|
|
if (total_l1blks <= maxblks) {
|
|
|
|
*l1blks = total_l1blks;
|
2013-08-20 20:11:52 -08:00
|
|
|
*start = minimum;
|
2008-12-03 12:09:06 -08:00
|
|
|
return (0);
|
|
|
|
}
|
2009-08-18 11:43:27 -07:00
|
|
|
ASSERT(ISP2(iblkrange));
|
2008-12-03 12:09:06 -08:00
|
|
|
|
2019-02-12 12:01:08 -08:00
|
|
|
for (blks = 0; *start > minimum && blks < maxblks; blks++) {
|
2008-12-03 12:09:06 -08:00
|
|
|
int err;
|
|
|
|
|
2013-08-20 20:11:52 -08:00
|
|
|
/*
|
|
|
|
* dnode_next_offset(BACKWARDS) will find an allocated L1
|
|
|
|
* indirect block at or before the input offset. We must
|
|
|
|
* decrement *start so that it is at the end of the region
|
|
|
|
* to search.
|
|
|
|
*/
|
|
|
|
(*start)--;
|
2019-04-25 13:16:24 -04:00
|
|
|
|
2008-12-03 12:09:06 -08:00
|
|
|
err = dnode_next_offset(dn,
|
2009-08-18 11:43:27 -07:00
|
|
|
DNODE_FIND_BACKWARDS, start, 2, 1, 0);
|
2008-12-03 12:09:06 -08:00
|
|
|
|
2013-08-20 20:11:52 -08:00
|
|
|
/* if there are no indirect blocks before start, we are done */
|
2009-08-18 11:43:27 -07:00
|
|
|
if (err == ESRCH) {
|
2013-08-20 20:11:52 -08:00
|
|
|
*start = minimum;
|
|
|
|
break;
|
|
|
|
} else if (err != 0) {
|
2019-02-12 12:01:08 -08:00
|
|
|
*l1blks = blks;
|
2008-12-03 12:09:06 -08:00
|
|
|
return (err);
|
2009-08-18 11:43:27 -07:00
|
|
|
}
|
2008-12-03 12:09:06 -08:00
|
|
|
|
2013-08-20 20:11:52 -08:00
|
|
|
/* set start to the beginning of this L1 indirect */
|
2009-08-18 11:43:27 -07:00
|
|
|
*start = P2ALIGN(*start, iblkrange);
|
2008-12-03 12:09:06 -08:00
|
|
|
}
|
2013-08-20 20:11:52 -08:00
|
|
|
if (*start < minimum)
|
|
|
|
*start = minimum;
|
2019-02-12 12:01:08 -08:00
|
|
|
*l1blks = blks;
|
2019-04-25 13:16:24 -04:00
|
|
|
|
2008-12-03 12:09:06 -08:00
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
2017-01-27 22:46:39 +03:00
|
|
|
/*
|
|
|
|
* If this objset is of type OST_ZFS return true if vfs's unmounted flag is set,
|
|
|
|
* otherwise return false.
|
|
|
|
* Used below in dmu_free_long_range_impl() to enable abort when unmounting
|
|
|
|
*/
|
|
|
|
/*ARGSUSED*/
|
|
|
|
static boolean_t
|
|
|
|
dmu_objset_zfs_unmounting(objset_t *os)
|
|
|
|
{
|
|
|
|
#ifdef _KERNEL
|
|
|
|
if (dmu_objset_type(os) == DMU_OST_ZFS)
|
|
|
|
return (zfs_get_vfs_flag_unmounted(os));
|
|
|
|
#endif
|
|
|
|
return (B_FALSE);
|
|
|
|
}
|
|
|
|
|
2008-12-03 12:09:06 -08:00
|
|
|
static int
|
|
|
|
dmu_free_long_range_impl(objset_t *os, dnode_t *dn, uint64_t offset,
|
2018-04-17 11:06:54 -07:00
|
|
|
uint64_t length)
|
2008-12-03 12:09:06 -08:00
|
|
|
{
|
2015-07-24 12:08:53 -07:00
|
|
|
uint64_t object_size;
|
2013-08-20 20:11:52 -08:00
|
|
|
int err;
|
2017-02-01 01:44:03 +03:00
|
|
|
uint64_t dirty_frees_threshold;
|
|
|
|
dsl_pool_t *dp = dmu_objset_pool(os);
|
2013-08-20 20:11:52 -08:00
|
|
|
|
2015-07-24 12:08:53 -07:00
|
|
|
if (dn == NULL)
|
|
|
|
return (SET_ERROR(EINVAL));
|
|
|
|
|
|
|
|
object_size = (dn->dn_maxblkid + 1) * dn->dn_datablksz;
|
2013-08-20 20:11:52 -08:00
|
|
|
if (offset >= object_size)
|
2008-12-03 12:09:06 -08:00
|
|
|
return (0);
|
|
|
|
|
2017-02-01 01:44:03 +03:00
|
|
|
if (zfs_per_txg_dirty_frees_percent <= 100)
|
|
|
|
dirty_frees_threshold =
|
|
|
|
zfs_per_txg_dirty_frees_percent * zfs_dirty_data_max / 100;
|
|
|
|
else
|
2019-02-12 12:01:08 -08:00
|
|
|
dirty_frees_threshold = zfs_dirty_data_max / 20;
|
2017-02-01 01:44:03 +03:00
|
|
|
|
2013-08-20 20:11:52 -08:00
|
|
|
if (length == DMU_OBJECT_END || offset + length > object_size)
|
|
|
|
length = object_size - offset;
|
|
|
|
|
|
|
|
while (length != 0) {
|
2017-02-01 01:44:03 +03:00
|
|
|
uint64_t chunk_end, chunk_begin, chunk_len;
|
2019-02-12 12:01:08 -08:00
|
|
|
uint64_t l1blks;
|
2013-08-20 20:11:52 -08:00
|
|
|
dmu_tx_t *tx;
|
|
|
|
|
2017-01-27 22:46:39 +03:00
|
|
|
if (dmu_objset_zfs_unmounting(dn->dn_objset))
|
|
|
|
return (SET_ERROR(EINTR));
|
|
|
|
|
2013-08-20 20:11:52 -08:00
|
|
|
chunk_end = chunk_begin = offset + length;
|
|
|
|
|
|
|
|
/* move chunk_begin backwards to the beginning of this chunk */
|
2019-02-12 12:01:08 -08:00
|
|
|
err = get_next_chunk(dn, &chunk_begin, offset, &l1blks);
|
2008-12-03 12:09:06 -08:00
|
|
|
if (err)
|
|
|
|
return (err);
|
2013-08-20 20:11:52 -08:00
|
|
|
ASSERT3U(chunk_begin, >=, offset);
|
|
|
|
ASSERT3U(chunk_begin, <=, chunk_end);
|
2008-12-03 12:09:06 -08:00
|
|
|
|
2017-02-01 01:44:03 +03:00
|
|
|
chunk_len = chunk_end - chunk_begin;
|
|
|
|
|
2008-12-03 12:09:06 -08:00
|
|
|
tx = dmu_tx_create(os);
|
2017-02-01 01:44:03 +03:00
|
|
|
dmu_tx_hold_free(tx, dn->dn_object, chunk_begin, chunk_len);
|
2014-07-07 11:49:36 -08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Mark this transaction as typically resulting in a net
|
|
|
|
* reduction in space used.
|
|
|
|
*/
|
|
|
|
dmu_tx_mark_netfree(tx);
|
2008-12-03 12:09:06 -08:00
|
|
|
err = dmu_tx_assign(tx, TXG_WAIT);
|
|
|
|
if (err) {
|
|
|
|
dmu_tx_abort(tx);
|
|
|
|
return (err);
|
|
|
|
}
|
2017-02-01 01:44:03 +03:00
|
|
|
|
2019-04-25 13:16:24 -04:00
|
|
|
uint64_t txg = dmu_tx_get_txg(tx);
|
|
|
|
|
|
|
|
mutex_enter(&dp->dp_lock);
|
|
|
|
uint64_t long_free_dirty =
|
|
|
|
dp->dp_long_free_dirty_pertxg[txg & TXG_MASK];
|
|
|
|
mutex_exit(&dp->dp_lock);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* To avoid filling up a TXG with just frees, wait for
|
|
|
|
* the next TXG to open before freeing more chunks if
|
|
|
|
* we have reached the threshold of frees.
|
|
|
|
*/
|
|
|
|
if (dirty_frees_threshold != 0 &&
|
|
|
|
long_free_dirty >= dirty_frees_threshold) {
|
|
|
|
DMU_TX_STAT_BUMP(dmu_tx_dirty_frees_delay);
|
|
|
|
dmu_tx_commit(tx);
|
|
|
|
txg_wait_open(dp, 0, B_TRUE);
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2019-02-12 12:01:08 -08:00
|
|
|
/*
|
|
|
|
* In order to prevent unnecessary write throttling, for each
|
|
|
|
* TXG, we track the cumulative size of L1 blocks being dirtied
|
|
|
|
* in dnode_free_range() below. We compare this number to a
|
|
|
|
* tunable threshold, past which we prevent new L1 dirty freeing
|
|
|
|
* blocks from being added into the open TXG. See
|
|
|
|
* dmu_free_long_range_impl() for details. The threshold
|
|
|
|
* prevents write throttle activation due to dirty freeing L1
|
|
|
|
* blocks taking up a large percentage of zfs_dirty_data_max.
|
|
|
|
*/
|
2017-02-01 01:44:03 +03:00
|
|
|
mutex_enter(&dp->dp_lock);
|
2019-04-25 13:16:24 -04:00
|
|
|
dp->dp_long_free_dirty_pertxg[txg & TXG_MASK] +=
|
2019-02-12 12:01:08 -08:00
|
|
|
l1blks << dn->dn_indblkshift;
|
2017-02-01 01:44:03 +03:00
|
|
|
mutex_exit(&dp->dp_lock);
|
|
|
|
DTRACE_PROBE3(free__long__range,
|
2019-04-25 13:16:24 -04:00
|
|
|
uint64_t, long_free_dirty, uint64_t, chunk_len,
|
|
|
|
uint64_t, txg);
|
2017-02-01 01:44:03 +03:00
|
|
|
dnode_free_range(dn, chunk_begin, chunk_len, tx);
|
2017-09-28 11:49:13 -04:00
|
|
|
|
2008-12-03 12:09:06 -08:00
|
|
|
dmu_tx_commit(tx);
|
2013-08-20 20:11:52 -08:00
|
|
|
|
2017-02-01 01:44:03 +03:00
|
|
|
length -= chunk_len;
|
2008-12-03 12:09:06 -08:00
|
|
|
}
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
dmu_free_long_range(objset_t *os, uint64_t object,
|
|
|
|
uint64_t offset, uint64_t length)
|
|
|
|
{
|
|
|
|
dnode_t *dn;
|
|
|
|
int err;
|
|
|
|
|
2010-05-28 13:45:14 -07:00
|
|
|
err = dnode_hold(os, object, FTAG, &dn);
|
2008-12-03 12:09:06 -08:00
|
|
|
if (err != 0)
|
|
|
|
return (err);
|
2018-04-17 11:06:54 -07:00
|
|
|
err = dmu_free_long_range_impl(os, dn, offset, length);
|
2013-08-30 01:19:35 -08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* It is important to zero out the maxblkid when freeing the entire
|
|
|
|
* file, so that (a) subsequent calls to dmu_free_long_range_impl()
|
|
|
|
* will take the fast path, and (b) dnode_reallocate() can verify
|
|
|
|
* that the entire file has been freed.
|
|
|
|
*/
|
2013-12-09 10:37:51 -08:00
|
|
|
if (err == 0 && offset == 0 && length == DMU_OBJECT_END)
|
2013-08-30 01:19:35 -08:00
|
|
|
dn->dn_maxblkid = 0;
|
|
|
|
|
2008-12-03 12:09:06 -08:00
|
|
|
dnode_rele(dn, FTAG);
|
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
2018-04-17 11:06:54 -07:00
|
|
|
dmu_free_long_object(objset_t *os, uint64_t object)
|
2008-12-03 12:09:06 -08:00
|
|
|
{
|
|
|
|
dmu_tx_t *tx;
|
|
|
|
int err;
|
|
|
|
|
2013-08-20 20:11:52 -08:00
|
|
|
err = dmu_free_long_range(os, object, 0, DMU_OBJECT_END);
|
2008-12-03 12:09:06 -08:00
|
|
|
if (err != 0)
|
|
|
|
return (err);
|
2013-08-20 20:11:52 -08:00
|
|
|
|
|
|
|
tx = dmu_tx_create(os);
|
|
|
|
dmu_tx_hold_bonus(tx, object);
|
|
|
|
dmu_tx_hold_free(tx, object, 0, DMU_OBJECT_END);
|
2014-07-07 11:49:36 -08:00
|
|
|
dmu_tx_mark_netfree(tx);
|
2013-08-20 20:11:52 -08:00
|
|
|
err = dmu_tx_assign(tx, TXG_WAIT);
|
|
|
|
if (err == 0) {
|
2017-10-18 13:08:36 -04:00
|
|
|
if (err == 0)
|
|
|
|
err = dmu_object_free(os, object, tx);
|
2017-09-28 11:49:13 -04:00
|
|
|
|
2013-08-20 20:11:52 -08:00
|
|
|
dmu_tx_commit(tx);
|
2008-12-03 12:09:06 -08:00
|
|
|
} else {
|
2013-08-20 20:11:52 -08:00
|
|
|
dmu_tx_abort(tx);
|
2008-12-03 12:09:06 -08:00
|
|
|
}
|
2013-08-20 20:11:52 -08:00
|
|
|
|
2008-12-03 12:09:06 -08:00
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
2008-11-20 12:01:55 -08:00
|
|
|
int
|
|
|
|
dmu_free_range(objset_t *os, uint64_t object, uint64_t offset,
|
|
|
|
uint64_t size, dmu_tx_t *tx)
|
|
|
|
{
|
|
|
|
dnode_t *dn;
|
2010-05-28 13:45:14 -07:00
|
|
|
int err = dnode_hold(os, object, FTAG, &dn);
|
2008-11-20 12:01:55 -08:00
|
|
|
if (err)
|
|
|
|
return (err);
|
|
|
|
ASSERT(offset < UINT64_MAX);
|
2017-10-27 01:58:38 +02:00
|
|
|
ASSERT(size == DMU_OBJECT_END || size <= UINT64_MAX - offset);
|
2008-11-20 12:01:55 -08:00
|
|
|
dnode_free_range(dn, offset, size, tx);
|
|
|
|
dnode_rele(dn, FTAG);
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
2017-01-14 01:58:41 +03:00
|
|
|
static int
|
|
|
|
dmu_read_impl(dnode_t *dn, uint64_t offset, uint64_t size,
|
2009-07-02 15:44:48 -07:00
|
|
|
void *buf, uint32_t flags)
|
2008-11-20 12:01:55 -08:00
|
|
|
{
|
|
|
|
dmu_buf_t **dbp;
|
2017-01-14 01:58:41 +03:00
|
|
|
int numbufs, err = 0;
|
2008-11-20 12:01:55 -08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Deal with odd block sizes, where there can't be data past the first
|
|
|
|
* block. If we ever do the tail block optimization, we will need to
|
|
|
|
* handle that here as well.
|
|
|
|
*/
|
2009-08-18 11:43:27 -07:00
|
|
|
if (dn->dn_maxblkid == 0) {
|
2015-04-30 16:20:38 +04:00
|
|
|
uint64_t newsz = offset > dn->dn_datablksz ? 0 :
|
2008-11-20 12:01:55 -08:00
|
|
|
MIN(size, dn->dn_datablksz - offset);
|
|
|
|
bzero((char *)buf + newsz, size - newsz);
|
|
|
|
size = newsz;
|
|
|
|
}
|
|
|
|
|
|
|
|
while (size > 0) {
|
|
|
|
uint64_t mylen = MIN(size, DMU_MAX_ACCESS / 2);
|
2009-08-18 11:43:27 -07:00
|
|
|
int i;
|
2008-11-20 12:01:55 -08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* NB: we could do this block-at-a-time, but it's nice
|
|
|
|
* to be reading in parallel.
|
|
|
|
*/
|
|
|
|
err = dmu_buf_hold_array_by_dnode(dn, offset, mylen,
|
2009-07-02 15:44:48 -07:00
|
|
|
TRUE, FTAG, &numbufs, &dbp, flags);
|
2008-11-20 12:01:55 -08:00
|
|
|
if (err)
|
|
|
|
break;
|
|
|
|
|
|
|
|
for (i = 0; i < numbufs; i++) {
|
2015-04-30 16:20:38 +04:00
|
|
|
uint64_t tocpy;
|
|
|
|
int64_t bufoff;
|
2008-11-20 12:01:55 -08:00
|
|
|
dmu_buf_t *db = dbp[i];
|
|
|
|
|
|
|
|
ASSERT(size > 0);
|
|
|
|
|
|
|
|
bufoff = offset - db->db_offset;
|
2015-04-30 16:20:38 +04:00
|
|
|
tocpy = MIN(db->db_size - bufoff, size);
|
2008-11-20 12:01:55 -08:00
|
|
|
|
2015-04-30 16:20:38 +04:00
|
|
|
(void) memcpy(buf, (char *)db->db_data + bufoff, tocpy);
|
2008-11-20 12:01:55 -08:00
|
|
|
|
|
|
|
offset += tocpy;
|
|
|
|
size -= tocpy;
|
|
|
|
buf = (char *)buf + tocpy;
|
|
|
|
}
|
|
|
|
dmu_buf_rele_array(dbp, numbufs, FTAG);
|
|
|
|
}
|
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
2017-01-14 01:58:41 +03:00
|
|
|
int
|
|
|
|
dmu_read(objset_t *os, uint64_t object, uint64_t offset, uint64_t size,
|
|
|
|
void *buf, uint32_t flags)
|
2008-11-20 12:01:55 -08:00
|
|
|
{
|
2017-01-14 01:58:41 +03:00
|
|
|
dnode_t *dn;
|
|
|
|
int err;
|
2008-11-20 12:01:55 -08:00
|
|
|
|
2017-01-14 01:58:41 +03:00
|
|
|
err = dnode_hold(os, object, FTAG, &dn);
|
|
|
|
if (err != 0)
|
|
|
|
return (err);
|
2008-11-20 12:01:55 -08:00
|
|
|
|
2017-01-14 01:58:41 +03:00
|
|
|
err = dmu_read_impl(dn, offset, size, buf, flags);
|
|
|
|
dnode_rele(dn, FTAG);
|
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
dmu_read_by_dnode(dnode_t *dn, uint64_t offset, uint64_t size, void *buf,
|
|
|
|
uint32_t flags)
|
|
|
|
{
|
|
|
|
return (dmu_read_impl(dn, offset, size, buf, flags));
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
dmu_write_impl(dmu_buf_t **dbp, int numbufs, uint64_t offset, uint64_t size,
|
|
|
|
const void *buf, dmu_tx_t *tx)
|
|
|
|
{
|
|
|
|
int i;
|
2008-11-20 12:01:55 -08:00
|
|
|
|
|
|
|
for (i = 0; i < numbufs; i++) {
|
2015-04-30 16:20:38 +04:00
|
|
|
uint64_t tocpy;
|
|
|
|
int64_t bufoff;
|
2008-11-20 12:01:55 -08:00
|
|
|
dmu_buf_t *db = dbp[i];
|
|
|
|
|
|
|
|
ASSERT(size > 0);
|
|
|
|
|
|
|
|
bufoff = offset - db->db_offset;
|
2015-04-30 16:20:38 +04:00
|
|
|
tocpy = MIN(db->db_size - bufoff, size);
|
2008-11-20 12:01:55 -08:00
|
|
|
|
|
|
|
ASSERT(i == 0 || i == numbufs-1 || tocpy == db->db_size);
|
|
|
|
|
|
|
|
if (tocpy == db->db_size)
|
|
|
|
dmu_buf_will_fill(db, tx);
|
|
|
|
else
|
|
|
|
dmu_buf_will_dirty(db, tx);
|
|
|
|
|
2010-08-26 11:45:02 -07:00
|
|
|
(void) memcpy((char *)db->db_data + bufoff, buf, tocpy);
|
2008-11-20 12:01:55 -08:00
|
|
|
|
|
|
|
if (tocpy == db->db_size)
|
|
|
|
dmu_buf_fill_done(db, tx);
|
|
|
|
|
|
|
|
offset += tocpy;
|
|
|
|
size -= tocpy;
|
|
|
|
buf = (char *)buf + tocpy;
|
|
|
|
}
|
2017-01-14 01:58:41 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
dmu_write(objset_t *os, uint64_t object, uint64_t offset, uint64_t size,
|
|
|
|
const void *buf, dmu_tx_t *tx)
|
|
|
|
{
|
|
|
|
dmu_buf_t **dbp;
|
|
|
|
int numbufs;
|
|
|
|
|
|
|
|
if (size == 0)
|
|
|
|
return;
|
|
|
|
|
|
|
|
VERIFY0(dmu_buf_hold_array(os, object, offset, size,
|
|
|
|
FALSE, FTAG, &numbufs, &dbp));
|
|
|
|
dmu_write_impl(dbp, numbufs, offset, size, buf, tx);
|
|
|
|
dmu_buf_rele_array(dbp, numbufs, FTAG);
|
|
|
|
}
|
|
|
|
|
dmu_tx_wait() hang likely due to cv_signal() in dsl_pool_dirty_delta()
Even though the bug's writeup (Github issue #9136) is very detailed,
we still don't know exactly how we got to that state, thus I wasn't
able to reproduce the bug. That said, we can make an educated guess
combining the information on filled issue with the code.
From the fact that `dp_dirty_total` was 0 (which is less than
`zfs_dirty_data_max`) we know that there was one thread that set it to
0 and then signaled one of the waiters of `dp_spaceavail_cv` [see
`dsl_pool_dirty_delta()` which is also the only place that
`dp_dirty_total` is changed]. Thus, the only logical explaination
then for the bug being hit is that the waiter that just got awaken
didn't go through `dsl_pool_dirty_data()`. Given that this function
is only called by `dsl_pool_dirty_space()` or `dsl_pool_undirty_space()`
I can only think of two possible ways of the above scenario happening:
[1] The waiter didn't call into any of the two functions - which I
find highly unlikely (i.e. why wait on `dp_spaceavail_cv` to begin
with?).
[2] The waiter did call in one of the above function but it passed 0 as
the space/delta to be dirtied (or undirtied) and then the callee
returned immediately (e.g both `dsl_pool_dirty_space()` and
`dsl_pool_undirty_space()` return immediately when space is 0).
In any case and no matter how we got there, the easy fix would be to
just broadcast to all waiters whenever `dp_dirty_total` hits 0. That
said and given that we've never hit this before, it would make sense
to think more on why the above situation occured.
Attempting to mimic what Prakash was doing in the issue filed, I
created a dataset with `sync=always` and started doing contiguous
writes in a file within that dataset. I observed with DTrace that even
though we update the pool's dirty data accounting when we would dirty
stuff, the accounting wouldn't be decremented incrementally as we were
done with the ZIOs of those writes (the reason being that
`dbuf_write_physdone()` isn't be called as we go through the override
code paths, and thus `dsl_pool_undirty_space()` is never called). As a
result we'd have to wait until we get to `dsl_pool_sync()` where we
zero out all dirty data accounting for the pool and the current TXG's
metadata.
In addition, as Matt noted and I later verified, the same issue would
arise when using dedup.
In both cases (sync & dedup) we shouldn't have to wait until
`dsl_pool_sync()` zeros out the accounting data. According to the
comment in that part of the code, the reasons why we do the zeroing,
have nothing to do with what we observe:
````
/*
* We have written all of the accounted dirty data, so our
* dp_space_towrite should now be zero. However, some seldom-used
* code paths do not adhere to this (e.g. dbuf_undirty(), also
* rounding error in dbuf_write_physdone).
* Shore up the accounting of any dirtied space now.
*/
dsl_pool_undirty_space(dp, dp->dp_dirty_pertxg[txg & TXG_MASK], txg);
````
Ideally what we want to do is to undirty in the accounting exactly what
we dirty (I use the word ideally as we can still have rounding errors).
This would make the behavior of the system more clear and predictable.
Another interesting issue that I observed with DTrace was that we
wouldn't update any of the pool's dirty data accounting whenever we
would dirty and/or undirty MOS data. In addition, every time we would
change the size of a dbuf through `dbuf_new_size()` we wouldn't update
the accounted space dirtied in the appropriate dirty record, so when
ZIOs are done we would undirty less that we dirtied from the pool's
accounting point of view.
For the first two issues observed (sync & dedup) this patch ensures
that we still update the pool's accounting when we undirty data,
regardless of the write being physical or not.
For changes in the MOS, we first ensure to zero out the pool's dirty
data accounting in `dsl_pool_sync()` after we synced the MOS. Then we
can go ahead and enable the update of the pool's dirty data accounting
wheneve we change MOS data.
Another fix is that we now update the accounting explicitly for
counting errors in `dbuf_write_done()`.
Finally, `dbuf_new_size()` updates the accounted space of the
appropriate dirty record correctly now.
The problem is that we still don't know how the bug came up in the
issue filled. That said the issues fixed seem to be very relevant, so
instead of going with the broadcasting solution right away,
I decided to leave this patch as is.
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Prakash Surya <prakash.surya@delphix.com>
Signed-off-by: Serapheim Dimitropoulos <serapheim@delphix.com>
External-issue: DLPX-47285
Closes #9137
2019-08-15 16:53:53 -07:00
|
|
|
/*
|
|
|
|
* Note: Lustre is an external consumer of this interface.
|
|
|
|
*/
|
2017-01-14 01:58:41 +03:00
|
|
|
void
|
|
|
|
dmu_write_by_dnode(dnode_t *dn, uint64_t offset, uint64_t size,
|
|
|
|
const void *buf, dmu_tx_t *tx)
|
|
|
|
{
|
|
|
|
dmu_buf_t **dbp;
|
|
|
|
int numbufs;
|
|
|
|
|
|
|
|
if (size == 0)
|
|
|
|
return;
|
|
|
|
|
|
|
|
VERIFY0(dmu_buf_hold_array_by_dnode(dn, offset, size,
|
|
|
|
FALSE, FTAG, &numbufs, &dbp, DMU_READ_PREFETCH));
|
|
|
|
dmu_write_impl(dbp, numbufs, offset, size, buf, tx);
|
2008-11-20 12:01:55 -08:00
|
|
|
dmu_buf_rele_array(dbp, numbufs, FTAG);
|
|
|
|
}
|
|
|
|
|
2008-12-03 12:09:06 -08:00
|
|
|
void
|
|
|
|
dmu_prealloc(objset_t *os, uint64_t object, uint64_t offset, uint64_t size,
|
|
|
|
dmu_tx_t *tx)
|
|
|
|
{
|
|
|
|
dmu_buf_t **dbp;
|
|
|
|
int numbufs, i;
|
|
|
|
|
|
|
|
if (size == 0)
|
|
|
|
return;
|
|
|
|
|
|
|
|
VERIFY(0 == dmu_buf_hold_array(os, object, offset, size,
|
|
|
|
FALSE, FTAG, &numbufs, &dbp));
|
|
|
|
|
|
|
|
for (i = 0; i < numbufs; i++) {
|
|
|
|
dmu_buf_t *db = dbp[i];
|
|
|
|
|
|
|
|
dmu_buf_will_not_fill(db, tx);
|
|
|
|
}
|
|
|
|
dmu_buf_rele_array(dbp, numbufs, FTAG);
|
|
|
|
}
|
|
|
|
|
2014-06-05 13:19:08 -08:00
|
|
|
void
|
|
|
|
dmu_write_embedded(objset_t *os, uint64_t object, uint64_t offset,
|
|
|
|
void *data, uint8_t etype, uint8_t comp, int uncompressed_size,
|
|
|
|
int compressed_size, int byteorder, dmu_tx_t *tx)
|
|
|
|
{
|
|
|
|
dmu_buf_t *db;
|
|
|
|
|
|
|
|
ASSERT3U(etype, <, NUM_BP_EMBEDDED_TYPES);
|
|
|
|
ASSERT3U(comp, <, ZIO_COMPRESS_FUNCTIONS);
|
|
|
|
VERIFY0(dmu_buf_hold_noread(os, object, offset,
|
|
|
|
FTAG, &db));
|
|
|
|
|
|
|
|
dmu_buf_write_embedded(db,
|
|
|
|
data, (bp_embedded_type_t)etype, (enum zio_compress)comp,
|
|
|
|
uncompressed_size, compressed_size, byteorder, tx);
|
|
|
|
|
|
|
|
dmu_buf_rele(db, FTAG);
|
|
|
|
}
|
|
|
|
|
Implement Redacted Send/Receive
Redacted send/receive allows users to send subsets of their data to
a target system. One possible use case for this feature is to not
transmit sensitive information to a data warehousing, test/dev, or
analytics environment. Another is to save space by not replicating
unimportant data within a given dataset, for example in backup tools
like zrepl.
Redacted send/receive is a three-stage process. First, a clone (or
clones) is made of the snapshot to be sent to the target. In this
clone (or clones), all unnecessary or unwanted data is removed or
modified. This clone is then snapshotted to create the "redaction
snapshot" (or snapshots). Second, the new zfs redact command is used
to create a redaction bookmark. The redaction bookmark stores the
list of blocks in a snapshot that were modified by the redaction
snapshot(s). Finally, the redaction bookmark is passed as a parameter
to zfs send. When sending to the snapshot that was redacted, the
redaction bookmark is used to filter out blocks that contain sensitive
or unwanted information, and those blocks are not included in the send
stream. When sending from the redaction bookmark, the blocks it
contains are considered as candidate blocks in addition to those
blocks in the destination snapshot that were modified since the
creation_txg of the redaction bookmark. This step is necessary to
allow the target to rehydrate data in the case where some blocks are
accidentally or unnecessarily modified in the redaction snapshot.
The changes to bookmarks to enable fast space estimation involve
adding deadlists to bookmarks. There is also logic to manage the
life cycles of these deadlists.
The new size estimation process operates in cases where previously
an accurate estimate could not be provided. In those cases, a send
is performed where no data blocks are read, reducing the runtime
significantly and providing a byte-accurate size estimate.
Reviewed-by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed-by: Matt Ahrens <mahrens@delphix.com>
Reviewed-by: Prashanth Sreenivasa <pks@delphix.com>
Reviewed-by: John Kennedy <john.kennedy@delphix.com>
Reviewed-by: George Wilson <george.wilson@delphix.com>
Reviewed-by: Chris Williamson <chris.williamson@delphix.com>
Reviewed-by: Pavel Zhakarov <pavel.zakharov@delphix.com>
Reviewed-by: Sebastien Roy <sebastien.roy@delphix.com>
Reviewed-by: Prakash Surya <prakash.surya@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Paul Dagnelie <pcd@delphix.com>
Closes #7958
2019-06-19 09:48:13 -07:00
|
|
|
void
|
|
|
|
dmu_redact(objset_t *os, uint64_t object, uint64_t offset, uint64_t size,
|
|
|
|
dmu_tx_t *tx)
|
|
|
|
{
|
|
|
|
int numbufs, i;
|
|
|
|
dmu_buf_t **dbp;
|
|
|
|
|
|
|
|
VERIFY0(dmu_buf_hold_array(os, object, offset, size, FALSE, FTAG,
|
|
|
|
&numbufs, &dbp));
|
|
|
|
for (i = 0; i < numbufs; i++)
|
|
|
|
dmu_buf_redact(dbp[i], tx);
|
|
|
|
dmu_buf_rele_array(dbp, numbufs, FTAG);
|
|
|
|
}
|
|
|
|
|
2010-05-28 13:45:14 -07:00
|
|
|
/*
|
|
|
|
* DMU support for xuio
|
|
|
|
*/
|
|
|
|
kstat_t *xuio_ksp = NULL;
|
|
|
|
|
2010-08-26 10:26:05 -07:00
|
|
|
typedef struct xuio_stats {
|
|
|
|
/* loaned yet not returned arc_buf */
|
|
|
|
kstat_named_t xuiostat_onloan_rbuf;
|
|
|
|
kstat_named_t xuiostat_onloan_wbuf;
|
|
|
|
/* whether a copy is made when loaning out a read buffer */
|
|
|
|
kstat_named_t xuiostat_rbuf_copied;
|
|
|
|
kstat_named_t xuiostat_rbuf_nocopy;
|
|
|
|
/* whether a copy is made when assigning a write buffer */
|
|
|
|
kstat_named_t xuiostat_wbuf_copied;
|
|
|
|
kstat_named_t xuiostat_wbuf_nocopy;
|
|
|
|
} xuio_stats_t;
|
|
|
|
|
|
|
|
static xuio_stats_t xuio_stats = {
|
|
|
|
{ "onloan_read_buf", KSTAT_DATA_UINT64 },
|
|
|
|
{ "onloan_write_buf", KSTAT_DATA_UINT64 },
|
|
|
|
{ "read_buf_copied", KSTAT_DATA_UINT64 },
|
|
|
|
{ "read_buf_nocopy", KSTAT_DATA_UINT64 },
|
|
|
|
{ "write_buf_copied", KSTAT_DATA_UINT64 },
|
|
|
|
{ "write_buf_nocopy", KSTAT_DATA_UINT64 }
|
|
|
|
};
|
|
|
|
|
2013-11-01 20:26:11 +01:00
|
|
|
#define XUIOSTAT_INCR(stat, val) \
|
|
|
|
atomic_add_64(&xuio_stats.stat.value.ui64, (val))
|
|
|
|
#define XUIOSTAT_BUMP(stat) XUIOSTAT_INCR(stat, 1)
|
2010-08-26 10:26:05 -07:00
|
|
|
|
2016-10-21 02:24:01 +08:00
|
|
|
#ifdef HAVE_UIO_ZEROCOPY
|
2010-05-28 13:45:14 -07:00
|
|
|
int
|
|
|
|
dmu_xuio_init(xuio_t *xuio, int nblk)
|
|
|
|
{
|
|
|
|
dmu_xuio_t *priv;
|
|
|
|
uio_t *uio = &xuio->xu_uio;
|
|
|
|
|
|
|
|
uio->uio_iovcnt = nblk;
|
2014-11-20 19:09:39 -05:00
|
|
|
uio->uio_iov = kmem_zalloc(nblk * sizeof (iovec_t), KM_SLEEP);
|
2010-05-28 13:45:14 -07:00
|
|
|
|
2014-11-20 19:09:39 -05:00
|
|
|
priv = kmem_zalloc(sizeof (dmu_xuio_t), KM_SLEEP);
|
2010-05-28 13:45:14 -07:00
|
|
|
priv->cnt = nblk;
|
2014-11-20 19:09:39 -05:00
|
|
|
priv->bufs = kmem_zalloc(nblk * sizeof (arc_buf_t *), KM_SLEEP);
|
2015-07-30 22:24:36 +08:00
|
|
|
priv->iovp = (iovec_t *)uio->uio_iov;
|
2010-05-28 13:45:14 -07:00
|
|
|
XUIO_XUZC_PRIV(xuio) = priv;
|
|
|
|
|
|
|
|
if (XUIO_XUZC_RW(xuio) == UIO_READ)
|
|
|
|
XUIOSTAT_INCR(xuiostat_onloan_rbuf, nblk);
|
|
|
|
else
|
|
|
|
XUIOSTAT_INCR(xuiostat_onloan_wbuf, nblk);
|
|
|
|
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
dmu_xuio_fini(xuio_t *xuio)
|
|
|
|
{
|
|
|
|
dmu_xuio_t *priv = XUIO_XUZC_PRIV(xuio);
|
|
|
|
int nblk = priv->cnt;
|
|
|
|
|
|
|
|
kmem_free(priv->iovp, nblk * sizeof (iovec_t));
|
|
|
|
kmem_free(priv->bufs, nblk * sizeof (arc_buf_t *));
|
|
|
|
kmem_free(priv, sizeof (dmu_xuio_t));
|
|
|
|
|
|
|
|
if (XUIO_XUZC_RW(xuio) == UIO_READ)
|
|
|
|
XUIOSTAT_INCR(xuiostat_onloan_rbuf, -nblk);
|
|
|
|
else
|
|
|
|
XUIOSTAT_INCR(xuiostat_onloan_wbuf, -nblk);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Initialize iov[priv->next] and priv->bufs[priv->next] with { off, n, abuf }
|
|
|
|
* and increase priv->next by 1.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
dmu_xuio_add(xuio_t *xuio, arc_buf_t *abuf, offset_t off, size_t n)
|
|
|
|
{
|
|
|
|
struct iovec *iov;
|
|
|
|
uio_t *uio = &xuio->xu_uio;
|
|
|
|
dmu_xuio_t *priv = XUIO_XUZC_PRIV(xuio);
|
|
|
|
int i = priv->next++;
|
|
|
|
|
|
|
|
ASSERT(i < priv->cnt);
|
2016-07-11 13:45:52 -04:00
|
|
|
ASSERT(off + n <= arc_buf_lsize(abuf));
|
2015-07-30 22:24:36 +08:00
|
|
|
iov = (iovec_t *)uio->uio_iov + i;
|
2010-05-28 13:45:14 -07:00
|
|
|
iov->iov_base = (char *)abuf->b_data + off;
|
|
|
|
iov->iov_len = n;
|
|
|
|
priv->bufs[i] = abuf;
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
dmu_xuio_cnt(xuio_t *xuio)
|
|
|
|
{
|
|
|
|
dmu_xuio_t *priv = XUIO_XUZC_PRIV(xuio);
|
|
|
|
return (priv->cnt);
|
|
|
|
}
|
|
|
|
|
|
|
|
arc_buf_t *
|
|
|
|
dmu_xuio_arcbuf(xuio_t *xuio, int i)
|
|
|
|
{
|
|
|
|
dmu_xuio_t *priv = XUIO_XUZC_PRIV(xuio);
|
|
|
|
|
|
|
|
ASSERT(i < priv->cnt);
|
|
|
|
return (priv->bufs[i]);
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
dmu_xuio_clear(xuio_t *xuio, int i)
|
|
|
|
{
|
|
|
|
dmu_xuio_t *priv = XUIO_XUZC_PRIV(xuio);
|
|
|
|
|
|
|
|
ASSERT(i < priv->cnt);
|
|
|
|
priv->bufs[i] = NULL;
|
|
|
|
}
|
2016-10-21 02:24:01 +08:00
|
|
|
#endif /* HAVE_UIO_ZEROCOPY */
|
2010-05-28 13:45:14 -07:00
|
|
|
|
|
|
|
static void
|
|
|
|
xuio_stat_init(void)
|
|
|
|
{
|
|
|
|
xuio_ksp = kstat_create("zfs", 0, "xuio_stats", "misc",
|
|
|
|
KSTAT_TYPE_NAMED, sizeof (xuio_stats) / sizeof (kstat_named_t),
|
|
|
|
KSTAT_FLAG_VIRTUAL);
|
|
|
|
if (xuio_ksp != NULL) {
|
|
|
|
xuio_ksp->ks_data = &xuio_stats;
|
|
|
|
kstat_install(xuio_ksp);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
xuio_stat_fini(void)
|
|
|
|
{
|
|
|
|
if (xuio_ksp != NULL) {
|
|
|
|
kstat_delete(xuio_ksp);
|
|
|
|
xuio_ksp = NULL;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
2017-01-13 15:33:14 -08:00
|
|
|
xuio_stat_wbuf_copied(void)
|
2010-05-28 13:45:14 -07:00
|
|
|
{
|
|
|
|
XUIOSTAT_BUMP(xuiostat_wbuf_copied);
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
2017-01-13 15:33:14 -08:00
|
|
|
xuio_stat_wbuf_nocopy(void)
|
2010-05-28 13:45:14 -07:00
|
|
|
{
|
|
|
|
XUIOSTAT_BUMP(xuiostat_wbuf_nocopy);
|
|
|
|
}
|
|
|
|
|
2008-11-20 12:01:55 -08:00
|
|
|
#ifdef _KERNEL
|
2017-06-13 12:18:08 -04:00
|
|
|
int
|
2015-06-16 23:06:27 +02:00
|
|
|
dmu_read_uio_dnode(dnode_t *dn, uio_t *uio, uint64_t size)
|
2010-12-17 09:14:38 -08:00
|
|
|
{
|
|
|
|
dmu_buf_t **dbp;
|
|
|
|
int numbufs, i, err;
|
2016-10-21 02:24:01 +08:00
|
|
|
#ifdef HAVE_UIO_ZEROCOPY
|
2010-12-17 09:14:38 -08:00
|
|
|
xuio_t *xuio = NULL;
|
2016-10-21 02:24:01 +08:00
|
|
|
#endif
|
2010-12-17 09:14:38 -08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* NB: we could do this block-at-a-time, but it's nice
|
|
|
|
* to be reading in parallel.
|
|
|
|
*/
|
2015-06-16 23:06:27 +02:00
|
|
|
err = dmu_buf_hold_array_by_dnode(dn, uio->uio_loffset, size,
|
|
|
|
TRUE, FTAG, &numbufs, &dbp, 0);
|
2010-12-17 09:14:38 -08:00
|
|
|
if (err)
|
|
|
|
return (err);
|
|
|
|
|
|
|
|
for (i = 0; i < numbufs; i++) {
|
2015-04-30 16:20:38 +04:00
|
|
|
uint64_t tocpy;
|
|
|
|
int64_t bufoff;
|
2010-12-17 09:14:38 -08:00
|
|
|
dmu_buf_t *db = dbp[i];
|
|
|
|
|
|
|
|
ASSERT(size > 0);
|
|
|
|
|
|
|
|
bufoff = uio->uio_loffset - db->db_offset;
|
2015-04-30 16:20:38 +04:00
|
|
|
tocpy = MIN(db->db_size - bufoff, size);
|
2010-12-17 09:14:38 -08:00
|
|
|
|
2016-10-21 02:24:01 +08:00
|
|
|
#ifdef HAVE_UIO_ZEROCOPY
|
2010-12-17 09:14:38 -08:00
|
|
|
if (xuio) {
|
|
|
|
dmu_buf_impl_t *dbi = (dmu_buf_impl_t *)db;
|
|
|
|
arc_buf_t *dbuf_abuf = dbi->db_buf;
|
|
|
|
arc_buf_t *abuf = dbuf_loan_arcbuf(dbi);
|
|
|
|
err = dmu_xuio_add(xuio, abuf, bufoff, tocpy);
|
|
|
|
if (!err) {
|
|
|
|
uio->uio_resid -= tocpy;
|
|
|
|
uio->uio_loffset += tocpy;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (abuf == dbuf_abuf)
|
|
|
|
XUIOSTAT_BUMP(xuiostat_rbuf_nocopy);
|
|
|
|
else
|
|
|
|
XUIOSTAT_BUMP(xuiostat_rbuf_copied);
|
2016-10-21 02:24:01 +08:00
|
|
|
} else
|
|
|
|
#endif
|
2010-12-17 09:14:38 -08:00
|
|
|
err = uiomove((char *)db->db_data + bufoff, tocpy,
|
|
|
|
UIO_READ, uio);
|
|
|
|
if (err)
|
|
|
|
break;
|
|
|
|
|
|
|
|
size -= tocpy;
|
|
|
|
}
|
|
|
|
dmu_buf_rele_array(dbp, numbufs, FTAG);
|
|
|
|
|
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
2015-06-16 23:06:27 +02:00
|
|
|
/*
|
|
|
|
* Read 'size' bytes into the uio buffer.
|
|
|
|
* From object zdb->db_object.
|
|
|
|
* Starting at offset uio->uio_loffset.
|
|
|
|
*
|
|
|
|
* If the caller already has a dbuf in the target object
|
|
|
|
* (e.g. its bonus buffer), this routine is faster than dmu_read_uio(),
|
|
|
|
* because we don't have to find the dnode_t for the object.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
dmu_read_uio_dbuf(dmu_buf_t *zdb, uio_t *uio, uint64_t size)
|
|
|
|
{
|
|
|
|
dmu_buf_impl_t *db = (dmu_buf_impl_t *)zdb;
|
|
|
|
dnode_t *dn;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
if (size == 0)
|
|
|
|
return (0);
|
|
|
|
|
|
|
|
DB_DNODE_ENTER(db);
|
|
|
|
dn = DB_DNODE(db);
|
|
|
|
err = dmu_read_uio_dnode(dn, uio, size);
|
|
|
|
DB_DNODE_EXIT(db);
|
|
|
|
|
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Read 'size' bytes into the uio buffer.
|
|
|
|
* From the specified object
|
|
|
|
* Starting at offset uio->uio_loffset.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
dmu_read_uio(objset_t *os, uint64_t object, uio_t *uio, uint64_t size)
|
|
|
|
{
|
|
|
|
dnode_t *dn;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
if (size == 0)
|
|
|
|
return (0);
|
|
|
|
|
|
|
|
err = dnode_hold(os, object, FTAG, &dn);
|
|
|
|
if (err)
|
|
|
|
return (err);
|
|
|
|
|
|
|
|
err = dmu_read_uio_dnode(dn, uio, size);
|
|
|
|
|
|
|
|
dnode_rele(dn, FTAG);
|
|
|
|
|
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
2017-06-13 12:18:08 -04:00
|
|
|
int
|
2010-12-17 09:14:38 -08:00
|
|
|
dmu_write_uio_dnode(dnode_t *dn, uio_t *uio, uint64_t size, dmu_tx_t *tx)
|
|
|
|
{
|
|
|
|
dmu_buf_t **dbp;
|
|
|
|
int numbufs;
|
|
|
|
int err = 0;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
err = dmu_buf_hold_array_by_dnode(dn, uio->uio_loffset, size,
|
|
|
|
FALSE, FTAG, &numbufs, &dbp, DMU_READ_PREFETCH);
|
|
|
|
if (err)
|
|
|
|
return (err);
|
|
|
|
|
|
|
|
for (i = 0; i < numbufs; i++) {
|
2015-04-30 16:20:38 +04:00
|
|
|
uint64_t tocpy;
|
|
|
|
int64_t bufoff;
|
2010-12-17 09:14:38 -08:00
|
|
|
dmu_buf_t *db = dbp[i];
|
|
|
|
|
|
|
|
ASSERT(size > 0);
|
|
|
|
|
|
|
|
bufoff = uio->uio_loffset - db->db_offset;
|
2015-04-30 16:20:38 +04:00
|
|
|
tocpy = MIN(db->db_size - bufoff, size);
|
2010-12-17 09:14:38 -08:00
|
|
|
|
|
|
|
ASSERT(i == 0 || i == numbufs-1 || tocpy == db->db_size);
|
|
|
|
|
|
|
|
if (tocpy == db->db_size)
|
|
|
|
dmu_buf_will_fill(db, tx);
|
|
|
|
else
|
|
|
|
dmu_buf_will_dirty(db, tx);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* XXX uiomove could block forever (eg.nfs-backed
|
|
|
|
* pages). There needs to be a uiolockdown() function
|
|
|
|
* to lock the pages in memory, so that uiomove won't
|
|
|
|
* block.
|
|
|
|
*/
|
|
|
|
err = uiomove((char *)db->db_data + bufoff, tocpy,
|
|
|
|
UIO_WRITE, uio);
|
|
|
|
|
|
|
|
if (tocpy == db->db_size)
|
|
|
|
dmu_buf_fill_done(db, tx);
|
|
|
|
|
|
|
|
if (err)
|
|
|
|
break;
|
|
|
|
|
|
|
|
size -= tocpy;
|
|
|
|
}
|
|
|
|
|
|
|
|
dmu_buf_rele_array(dbp, numbufs, FTAG);
|
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
2015-06-16 23:06:27 +02:00
|
|
|
/*
|
|
|
|
* Write 'size' bytes from the uio buffer.
|
|
|
|
* To object zdb->db_object.
|
|
|
|
* Starting at offset uio->uio_loffset.
|
|
|
|
*
|
|
|
|
* If the caller already has a dbuf in the target object
|
|
|
|
* (e.g. its bonus buffer), this routine is faster than dmu_write_uio(),
|
|
|
|
* because we don't have to find the dnode_t for the object.
|
|
|
|
*/
|
2010-05-28 13:45:14 -07:00
|
|
|
int
|
|
|
|
dmu_write_uio_dbuf(dmu_buf_t *zdb, uio_t *uio, uint64_t size,
|
|
|
|
dmu_tx_t *tx)
|
|
|
|
{
|
2010-08-26 14:24:34 -07:00
|
|
|
dmu_buf_impl_t *db = (dmu_buf_impl_t *)zdb;
|
|
|
|
dnode_t *dn;
|
|
|
|
int err;
|
|
|
|
|
2010-05-28 13:45:14 -07:00
|
|
|
if (size == 0)
|
|
|
|
return (0);
|
|
|
|
|
2010-08-26 14:24:34 -07:00
|
|
|
DB_DNODE_ENTER(db);
|
|
|
|
dn = DB_DNODE(db);
|
|
|
|
err = dmu_write_uio_dnode(dn, uio, size, tx);
|
|
|
|
DB_DNODE_EXIT(db);
|
|
|
|
|
|
|
|
return (err);
|
2010-05-28 13:45:14 -07:00
|
|
|
}
|
|
|
|
|
2015-06-16 23:06:27 +02:00
|
|
|
/*
|
|
|
|
* Write 'size' bytes from the uio buffer.
|
|
|
|
* To the specified object.
|
|
|
|
* Starting at offset uio->uio_loffset.
|
|
|
|
*/
|
2010-05-28 13:45:14 -07:00
|
|
|
int
|
|
|
|
dmu_write_uio(objset_t *os, uint64_t object, uio_t *uio, uint64_t size,
|
|
|
|
dmu_tx_t *tx)
|
|
|
|
{
|
|
|
|
dnode_t *dn;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
if (size == 0)
|
|
|
|
return (0);
|
|
|
|
|
|
|
|
err = dnode_hold(os, object, FTAG, &dn);
|
|
|
|
if (err)
|
|
|
|
return (err);
|
|
|
|
|
|
|
|
err = dmu_write_uio_dnode(dn, uio, size, tx);
|
|
|
|
|
|
|
|
dnode_rele(dn, FTAG);
|
|
|
|
|
|
|
|
return (err);
|
|
|
|
}
|
2010-12-17 09:14:38 -08:00
|
|
|
#endif /* _KERNEL */
|
2008-11-20 12:01:55 -08:00
|
|
|
|
2009-07-02 15:44:48 -07:00
|
|
|
/*
|
|
|
|
* Allocate a loaned anonymous arc buffer.
|
|
|
|
*/
|
|
|
|
arc_buf_t *
|
|
|
|
dmu_request_arcbuf(dmu_buf_t *handle, int size)
|
|
|
|
{
|
2010-08-26 14:24:34 -07:00
|
|
|
dmu_buf_impl_t *db = (dmu_buf_impl_t *)handle;
|
2009-07-02 15:44:48 -07:00
|
|
|
|
2016-07-11 13:45:52 -04:00
|
|
|
return (arc_loan_buf(db->db_objset->os_spa, B_FALSE, size));
|
2009-07-02 15:44:48 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Free a loaned arc buffer.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
dmu_return_arcbuf(arc_buf_t *buf)
|
|
|
|
{
|
|
|
|
arc_return_buf(buf, FTAG);
|
2016-06-02 00:04:53 -04:00
|
|
|
arc_buf_destroy(buf, FTAG);
|
2009-07-02 15:44:48 -07:00
|
|
|
}
|
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 13:36:48 -04:00
|
|
|
void
|
|
|
|
dmu_copy_from_buf(objset_t *os, uint64_t object, uint64_t offset,
|
|
|
|
dmu_buf_t *handle, dmu_tx_t *tx)
|
|
|
|
{
|
|
|
|
dmu_buf_t *dst_handle;
|
|
|
|
dmu_buf_impl_t *dstdb;
|
|
|
|
dmu_buf_impl_t *srcdb = (dmu_buf_impl_t *)handle;
|
2018-08-20 14:03:56 -04:00
|
|
|
dmu_object_type_t type;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 13:36:48 -04:00
|
|
|
arc_buf_t *abuf;
|
|
|
|
uint64_t datalen;
|
|
|
|
boolean_t byteorder;
|
|
|
|
uint8_t salt[ZIO_DATA_SALT_LEN];
|
|
|
|
uint8_t iv[ZIO_DATA_IV_LEN];
|
|
|
|
uint8_t mac[ZIO_DATA_MAC_LEN];
|
|
|
|
|
|
|
|
ASSERT3P(srcdb->db_buf, !=, NULL);
|
|
|
|
|
|
|
|
/* hold the db that we want to write to */
|
|
|
|
VERIFY0(dmu_buf_hold(os, object, offset, FTAG, &dst_handle,
|
|
|
|
DMU_READ_NO_DECRYPT));
|
|
|
|
dstdb = (dmu_buf_impl_t *)dst_handle;
|
|
|
|
datalen = arc_buf_size(srcdb->db_buf);
|
|
|
|
|
2018-08-20 14:03:56 -04:00
|
|
|
DB_DNODE_ENTER(dstdb);
|
|
|
|
type = DB_DNODE(dstdb)->dn_type;
|
|
|
|
DB_DNODE_EXIT(dstdb);
|
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 13:36:48 -04:00
|
|
|
/* allocated an arc buffer that matches the type of srcdb->db_buf */
|
|
|
|
if (arc_is_encrypted(srcdb->db_buf)) {
|
|
|
|
arc_get_raw_params(srcdb->db_buf, &byteorder, salt, iv, mac);
|
|
|
|
abuf = arc_loan_raw_buf(os->os_spa, dmu_objset_id(os),
|
2018-08-20 14:03:56 -04:00
|
|
|
byteorder, salt, iv, mac, type,
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 13:36:48 -04:00
|
|
|
datalen, arc_buf_lsize(srcdb->db_buf),
|
|
|
|
arc_get_compression(srcdb->db_buf));
|
|
|
|
} else {
|
|
|
|
/* we won't get a compressed db back from dmu_buf_hold() */
|
|
|
|
ASSERT3U(arc_get_compression(srcdb->db_buf),
|
|
|
|
==, ZIO_COMPRESS_OFF);
|
|
|
|
abuf = arc_loan_buf(os->os_spa,
|
2018-08-20 14:03:56 -04:00
|
|
|
DMU_OT_IS_METADATA(type), datalen);
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 13:36:48 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
ASSERT3U(datalen, ==, arc_buf_size(abuf));
|
|
|
|
|
|
|
|
/* copy the data to the new buffer and assign it to the dstdb */
|
|
|
|
bcopy(srcdb->db_buf->b_data, abuf->b_data, datalen);
|
|
|
|
dbuf_assign_arcbuf(dstdb, abuf, tx);
|
|
|
|
dmu_buf_rele(dst_handle, FTAG);
|
|
|
|
}
|
|
|
|
|
2009-07-02 15:44:48 -07:00
|
|
|
/*
|
|
|
|
* When possible directly assign passed loaned arc buffer to a dbuf.
|
|
|
|
* If this is not possible copy the contents of passed arc buf via
|
|
|
|
* dmu_write().
|
|
|
|
*/
|
2019-01-17 18:47:08 -05:00
|
|
|
int
|
2017-09-28 11:49:13 -04:00
|
|
|
dmu_assign_arcbuf_by_dnode(dnode_t *dn, uint64_t offset, arc_buf_t *buf,
|
2009-07-02 15:44:48 -07:00
|
|
|
dmu_tx_t *tx)
|
|
|
|
{
|
|
|
|
dmu_buf_impl_t *db;
|
2017-09-28 11:49:13 -04:00
|
|
|
objset_t *os = dn->dn_objset;
|
|
|
|
uint64_t object = dn->dn_object;
|
2016-07-11 13:45:52 -04:00
|
|
|
uint32_t blksz = (uint32_t)arc_buf_lsize(buf);
|
2009-07-02 15:44:48 -07:00
|
|
|
uint64_t blkid;
|
|
|
|
|
|
|
|
rw_enter(&dn->dn_struct_rwlock, RW_READER);
|
2015-12-22 02:31:57 +01:00
|
|
|
blkid = dbuf_whichblock(dn, 0, offset);
|
2019-01-17 18:47:08 -05:00
|
|
|
db = dbuf_hold(dn, blkid, FTAG);
|
|
|
|
if (db == NULL)
|
|
|
|
return (SET_ERROR(EIO));
|
2009-07-02 15:44:48 -07:00
|
|
|
rw_exit(&dn->dn_struct_rwlock);
|
|
|
|
|
2014-09-13 16:02:18 +02:00
|
|
|
/*
|
|
|
|
* We can only assign if the offset is aligned, the arc buf is the
|
2016-07-11 13:45:52 -04:00
|
|
|
* same size as the dbuf, and the dbuf is not metadata.
|
2014-09-13 16:02:18 +02:00
|
|
|
*/
|
2016-07-11 13:45:52 -04:00
|
|
|
if (offset == db->db.db_offset && blksz == db->db.db_size) {
|
2009-07-02 15:44:48 -07:00
|
|
|
dbuf_assign_arcbuf(db, buf, tx);
|
|
|
|
dbuf_rele(db, FTAG);
|
|
|
|
} else {
|
2016-07-11 13:45:52 -04:00
|
|
|
/* compressed bufs must always be assignable to their dbuf */
|
|
|
|
ASSERT3U(arc_get_compression(buf), ==, ZIO_COMPRESS_OFF);
|
2016-07-13 17:17:41 -04:00
|
|
|
ASSERT(!(buf->b_flags & ARC_BUF_FLAG_COMPRESSED));
|
2016-07-11 13:45:52 -04:00
|
|
|
|
2009-07-02 15:44:48 -07:00
|
|
|
dbuf_rele(db, FTAG);
|
2010-08-26 14:24:34 -07:00
|
|
|
dmu_write(os, object, offset, blksz, buf->b_data, tx);
|
2009-07-02 15:44:48 -07:00
|
|
|
dmu_return_arcbuf(buf);
|
2010-05-28 13:45:14 -07:00
|
|
|
XUIOSTAT_BUMP(xuiostat_wbuf_copied);
|
2009-07-02 15:44:48 -07:00
|
|
|
}
|
2019-01-17 18:47:08 -05:00
|
|
|
|
|
|
|
return (0);
|
2009-07-02 15:44:48 -07:00
|
|
|
}
|
|
|
|
|
2019-01-17 18:47:08 -05:00
|
|
|
int
|
2017-09-28 11:49:13 -04:00
|
|
|
dmu_assign_arcbuf_by_dbuf(dmu_buf_t *handle, uint64_t offset, arc_buf_t *buf,
|
|
|
|
dmu_tx_t *tx)
|
|
|
|
{
|
2019-01-17 18:47:08 -05:00
|
|
|
int err;
|
2017-09-28 11:49:13 -04:00
|
|
|
dmu_buf_impl_t *dbuf = (dmu_buf_impl_t *)handle;
|
|
|
|
|
|
|
|
DB_DNODE_ENTER(dbuf);
|
2019-01-17 18:47:08 -05:00
|
|
|
err = dmu_assign_arcbuf_by_dnode(DB_DNODE(dbuf), offset, buf, tx);
|
2017-09-28 11:49:13 -04:00
|
|
|
DB_DNODE_EXIT(dbuf);
|
2019-01-17 18:47:08 -05:00
|
|
|
|
|
|
|
return (err);
|
2017-09-28 11:49:13 -04:00
|
|
|
}
|
|
|
|
|
2008-11-20 12:01:55 -08:00
|
|
|
typedef struct {
|
2010-05-28 13:45:14 -07:00
|
|
|
dbuf_dirty_record_t *dsa_dr;
|
|
|
|
dmu_sync_cb_t *dsa_done;
|
|
|
|
zgd_t *dsa_zgd;
|
|
|
|
dmu_tx_t *dsa_tx;
|
2008-11-20 12:01:55 -08:00
|
|
|
} dmu_sync_arg_t;
|
|
|
|
|
2008-12-03 12:09:06 -08:00
|
|
|
/* ARGSUSED */
|
|
|
|
static void
|
|
|
|
dmu_sync_ready(zio_t *zio, arc_buf_t *buf, void *varg)
|
|
|
|
{
|
2010-05-28 13:45:14 -07:00
|
|
|
dmu_sync_arg_t *dsa = varg;
|
|
|
|
dmu_buf_t *db = dsa->dsa_zgd->zgd_db;
|
2008-12-03 12:09:06 -08:00
|
|
|
blkptr_t *bp = zio->io_bp;
|
|
|
|
|
2010-05-28 13:45:14 -07:00
|
|
|
if (zio->io_error == 0) {
|
|
|
|
if (BP_IS_HOLE(bp)) {
|
|
|
|
/*
|
|
|
|
* A block of zeros may compress to a hole, but the
|
|
|
|
* block size still needs to be known for replay.
|
|
|
|
*/
|
|
|
|
BP_SET_LSIZE(bp, db->db_size);
|
2014-06-05 13:19:08 -08:00
|
|
|
} else if (!BP_IS_EMBEDDED(bp)) {
|
2010-05-28 13:45:14 -07:00
|
|
|
ASSERT(BP_GET_LEVEL(bp) == 0);
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 13:36:48 -04:00
|
|
|
BP_SET_FILL(bp, 1);
|
2010-05-28 13:45:14 -07:00
|
|
|
}
|
2008-12-03 12:09:06 -08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2010-05-28 13:45:14 -07:00
|
|
|
static void
|
|
|
|
dmu_sync_late_arrival_ready(zio_t *zio)
|
|
|
|
{
|
|
|
|
dmu_sync_ready(zio, NULL, zio->io_private);
|
|
|
|
}
|
|
|
|
|
2008-11-20 12:01:55 -08:00
|
|
|
/* ARGSUSED */
|
|
|
|
static void
|
|
|
|
dmu_sync_done(zio_t *zio, arc_buf_t *buf, void *varg)
|
|
|
|
{
|
2010-05-28 13:45:14 -07:00
|
|
|
dmu_sync_arg_t *dsa = varg;
|
|
|
|
dbuf_dirty_record_t *dr = dsa->dsa_dr;
|
2008-11-20 12:01:55 -08:00
|
|
|
dmu_buf_impl_t *db = dr->dr_dbuf;
|
OpenZFS 9962 - zil_commit should omit cache thrash
As a result of the changes made in 8585, it's possible for an excessive
amount of vdev flush commands to be issued under some workloads.
Specifically, when the workload consists of mostly async write activity,
interspersed with some sync write and/or fsync activity, we can end up
issuing more flush commands to the underlying storage than is actually
necessary. As a result of these flush commands, the write latency and
overall throughput of the pool can be poorly impacted (latency
increases, throughput decreases).
Currently, any time an lwb completes, the vdev(s) written to as a result
of that lwb will be issued a flush command. The intenion is so the data
written to that vdev is on stable storage, prior to communicating to any
waiting threads that their data is safe on disk.
The problem with this scheme, is that sometimes an lwb will not have any
threads waiting for it to complete. This can occur when there's async
activity that gets "converted" to sync requests, as a result of calling
the zil_async_to_sync() function via zil_commit_impl(). When this
occurs, the current code may issue many lwbs that don't have waiters
associated with them, resulting in many flush commands, potentially to
the same vdev(s).
For example, given a pool with a single vdev, and a single fsync() call
that results in 10 lwbs being written out (e.g. due to other async
writes), that will result in 10 flush commands to that single vdev (a
flush issued after each lwb write completes). Ideally, we'd only issue a
single flush command to that vdev, after all 10 lwb writes completed.
Further, and most important as it pertains to this change, since the
flush commands are often very impactful to the performance of the pool's
underlying storage, unnecessarily issuing these flush commands can
poorly impact the performance of the lwb writes themselves. Thus, we
need to avoid issuing flush commands when possible, in order to acheive
the best possible performance out of the pool's underlying storage.
This change attempts to address this problem by changing the ZIL's logic
to only issue a vdev flush command when it detects an lwb that has a
thread waiting for it to complete. When an lwb does not have threads
waiting for it, the responsibility of issuing the flush command to the
vdevs involved with that lwb's write is passed on to the "next" lwb.
It's only once a write for an lwb with waiters completes, do we issue
the vdev flush command(s). As a result, now when we issue the flush(s),
we will issue them to the vdevs involved with that specific lwb's write,
but potentially also to vdevs involved with "previous" lwb writes (i.e.
if the previous lwbs did not have waiters associated with them).
Thus, in our prior example with 10 lwbs, it's only once the last lwb
completes (which will be the lwb containing the waiter for the thread
that called fsync) will we issue the vdev flush command; all of the
other lwbs will find they have no waiters, so they'll pass the
responsibility of the flush to the "next" lwb (until reaching the last
lwb that has the waiter).
Porting Notes:
* Reconciled conflicts with the fastwrite feature.
Authored by: Prakash Surya <prakash.surya@delphix.com>
Reviewed by: Matt Ahrens <matt@delphix.com>
Reviewed by: Brad Lewis <brad.lewis@delphix.com>
Reviewed by: Patrick Mooney <patrick.mooney@joyent.com>
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Approved by: Joshua M. Clulow <josh@sysmgr.org>
Ported-by: Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
OpenZFS-issue: https://www.illumos.org/issues/9962
OpenZFS-commit: https://github.com/openzfs/openzfs/commit/545190c6
Closes #8188
2018-10-23 14:14:27 -07:00
|
|
|
zgd_t *zgd = dsa->dsa_zgd;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Record the vdev(s) backing this blkptr so they can be flushed after
|
|
|
|
* the writes for the lwb have completed.
|
|
|
|
*/
|
|
|
|
if (zio->io_error == 0) {
|
|
|
|
zil_lwb_add_block(zgd->zgd_lwb, zgd->zgd_bp);
|
|
|
|
}
|
2008-11-20 12:01:55 -08:00
|
|
|
|
|
|
|
mutex_enter(&db->db_mtx);
|
|
|
|
ASSERT(dr->dt.dl.dr_override_state == DR_IN_DMU_SYNC);
|
2010-05-28 13:45:14 -07:00
|
|
|
if (zio->io_error == 0) {
|
2013-05-10 12:47:54 -07:00
|
|
|
dr->dt.dl.dr_nopwrite = !!(zio->io_flags & ZIO_FLAG_NOPWRITE);
|
|
|
|
if (dr->dt.dl.dr_nopwrite) {
|
2017-04-14 12:59:18 -07:00
|
|
|
blkptr_t *bp = zio->io_bp;
|
|
|
|
blkptr_t *bp_orig = &zio->io_bp_orig;
|
|
|
|
uint8_t chksum = BP_GET_CHECKSUM(bp_orig);
|
2013-05-10 12:47:54 -07:00
|
|
|
|
|
|
|
ASSERT(BP_EQUAL(bp, bp_orig));
|
2017-04-14 12:59:18 -07:00
|
|
|
VERIFY(BP_EQUAL(bp, db->db_blkptr));
|
2013-05-10 12:47:54 -07:00
|
|
|
ASSERT(zio->io_prop.zp_compress != ZIO_COMPRESS_OFF);
|
2017-04-14 12:59:18 -07:00
|
|
|
VERIFY(zio_checksum_table[chksum].ci_flags &
|
2016-06-15 15:47:05 -07:00
|
|
|
ZCHECKSUM_FLAG_NOPWRITE);
|
2013-05-10 12:47:54 -07:00
|
|
|
}
|
2010-05-28 13:45:14 -07:00
|
|
|
dr->dt.dl.dr_overridden_by = *zio->io_bp;
|
|
|
|
dr->dt.dl.dr_override_state = DR_OVERRIDDEN;
|
|
|
|
dr->dt.dl.dr_copies = zio->io_prop.zp_copies;
|
2015-03-27 13:03:22 +11:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Old style holes are filled with all zeros, whereas
|
|
|
|
* new-style holes maintain their lsize, type, level,
|
|
|
|
* and birth time (see zio_write_compress). While we
|
|
|
|
* need to reset the BP_SET_LSIZE() call that happened
|
|
|
|
* in dmu_sync_ready for old style holes, we do *not*
|
|
|
|
* want to wipe out the information contained in new
|
|
|
|
* style holes. Thus, only zero out the block pointer if
|
|
|
|
* it's an old style hole.
|
|
|
|
*/
|
|
|
|
if (BP_IS_HOLE(&dr->dt.dl.dr_overridden_by) &&
|
|
|
|
dr->dt.dl.dr_overridden_by.blk_birth == 0)
|
2010-05-28 13:45:14 -07:00
|
|
|
BP_ZERO(&dr->dt.dl.dr_overridden_by);
|
|
|
|
} else {
|
|
|
|
dr->dt.dl.dr_override_state = DR_NOT_OVERRIDDEN;
|
|
|
|
}
|
2008-11-20 12:01:55 -08:00
|
|
|
cv_broadcast(&db->db_changed);
|
|
|
|
mutex_exit(&db->db_mtx);
|
|
|
|
|
2010-05-28 13:45:14 -07:00
|
|
|
dsa->dsa_done(dsa->dsa_zgd, zio->io_error);
|
2008-11-20 12:01:55 -08:00
|
|
|
|
2010-05-28 13:45:14 -07:00
|
|
|
kmem_free(dsa, sizeof (*dsa));
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
dmu_sync_late_arrival_done(zio_t *zio)
|
|
|
|
{
|
|
|
|
blkptr_t *bp = zio->io_bp;
|
|
|
|
dmu_sync_arg_t *dsa = zio->io_private;
|
OpenZFS 9962 - zil_commit should omit cache thrash
As a result of the changes made in 8585, it's possible for an excessive
amount of vdev flush commands to be issued under some workloads.
Specifically, when the workload consists of mostly async write activity,
interspersed with some sync write and/or fsync activity, we can end up
issuing more flush commands to the underlying storage than is actually
necessary. As a result of these flush commands, the write latency and
overall throughput of the pool can be poorly impacted (latency
increases, throughput decreases).
Currently, any time an lwb completes, the vdev(s) written to as a result
of that lwb will be issued a flush command. The intenion is so the data
written to that vdev is on stable storage, prior to communicating to any
waiting threads that their data is safe on disk.
The problem with this scheme, is that sometimes an lwb will not have any
threads waiting for it to complete. This can occur when there's async
activity that gets "converted" to sync requests, as a result of calling
the zil_async_to_sync() function via zil_commit_impl(). When this
occurs, the current code may issue many lwbs that don't have waiters
associated with them, resulting in many flush commands, potentially to
the same vdev(s).
For example, given a pool with a single vdev, and a single fsync() call
that results in 10 lwbs being written out (e.g. due to other async
writes), that will result in 10 flush commands to that single vdev (a
flush issued after each lwb write completes). Ideally, we'd only issue a
single flush command to that vdev, after all 10 lwb writes completed.
Further, and most important as it pertains to this change, since the
flush commands are often very impactful to the performance of the pool's
underlying storage, unnecessarily issuing these flush commands can
poorly impact the performance of the lwb writes themselves. Thus, we
need to avoid issuing flush commands when possible, in order to acheive
the best possible performance out of the pool's underlying storage.
This change attempts to address this problem by changing the ZIL's logic
to only issue a vdev flush command when it detects an lwb that has a
thread waiting for it to complete. When an lwb does not have threads
waiting for it, the responsibility of issuing the flush command to the
vdevs involved with that lwb's write is passed on to the "next" lwb.
It's only once a write for an lwb with waiters completes, do we issue
the vdev flush command(s). As a result, now when we issue the flush(s),
we will issue them to the vdevs involved with that specific lwb's write,
but potentially also to vdevs involved with "previous" lwb writes (i.e.
if the previous lwbs did not have waiters associated with them).
Thus, in our prior example with 10 lwbs, it's only once the last lwb
completes (which will be the lwb containing the waiter for the thread
that called fsync) will we issue the vdev flush command; all of the
other lwbs will find they have no waiters, so they'll pass the
responsibility of the flush to the "next" lwb (until reaching the last
lwb that has the waiter).
Porting Notes:
* Reconciled conflicts with the fastwrite feature.
Authored by: Prakash Surya <prakash.surya@delphix.com>
Reviewed by: Matt Ahrens <matt@delphix.com>
Reviewed by: Brad Lewis <brad.lewis@delphix.com>
Reviewed by: Patrick Mooney <patrick.mooney@joyent.com>
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Approved by: Joshua M. Clulow <josh@sysmgr.org>
Ported-by: Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
OpenZFS-issue: https://www.illumos.org/issues/9962
OpenZFS-commit: https://github.com/openzfs/openzfs/commit/545190c6
Closes #8188
2018-10-23 14:14:27 -07:00
|
|
|
zgd_t *zgd = dsa->dsa_zgd;
|
|
|
|
|
|
|
|
if (zio->io_error == 0) {
|
|
|
|
/*
|
|
|
|
* Record the vdev(s) backing this blkptr so they can be
|
|
|
|
* flushed after the writes for the lwb have completed.
|
|
|
|
*/
|
|
|
|
zil_lwb_add_block(zgd->zgd_lwb, zgd->zgd_bp);
|
|
|
|
|
|
|
|
if (!BP_IS_HOLE(bp)) {
|
|
|
|
ASSERTV(blkptr_t *bp_orig = &zio->io_bp_orig);
|
|
|
|
ASSERT(!(zio->io_flags & ZIO_FLAG_NOPWRITE));
|
|
|
|
ASSERT(BP_IS_HOLE(bp_orig) || !BP_EQUAL(bp, bp_orig));
|
|
|
|
ASSERT(zio->io_bp->blk_birth == zio->io_txg);
|
|
|
|
ASSERT(zio->io_txg > spa_syncing_txg(zio->io_spa));
|
|
|
|
zio_free(zio->io_spa, zio->io_txg, zio->io_bp);
|
|
|
|
}
|
2010-05-28 13:45:14 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
dmu_tx_commit(dsa->dsa_tx);
|
|
|
|
|
|
|
|
dsa->dsa_done(dsa->dsa_zgd, zio->io_error);
|
|
|
|
|
2016-07-22 11:52:49 -04:00
|
|
|
abd_put(zio->io_abd);
|
2010-05-28 13:45:14 -07:00
|
|
|
kmem_free(dsa, sizeof (*dsa));
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
dmu_sync_late_arrival(zio_t *pio, objset_t *os, dmu_sync_cb_t *done, zgd_t *zgd,
|
2014-06-25 10:37:59 -08:00
|
|
|
zio_prop_t *zp, zbookmark_phys_t *zb)
|
2010-05-28 13:45:14 -07:00
|
|
|
{
|
|
|
|
dmu_sync_arg_t *dsa;
|
|
|
|
dmu_tx_t *tx;
|
|
|
|
|
|
|
|
tx = dmu_tx_create(os);
|
|
|
|
dmu_tx_hold_space(tx, zgd->zgd_db->db_size);
|
|
|
|
if (dmu_tx_assign(tx, TXG_WAIT) != 0) {
|
|
|
|
dmu_tx_abort(tx);
|
2013-03-08 10:41:28 -08:00
|
|
|
/* Make zl_get_data do txg_waited_synced() */
|
|
|
|
return (SET_ERROR(EIO));
|
2010-05-28 13:45:14 -07:00
|
|
|
}
|
|
|
|
|
OpenZFS 8585 - improve batching done in zil_commit()
Authored by: Prakash Surya <prakash.surya@delphix.com>
Reviewed by: Brad Lewis <brad.lewis@delphix.com>
Reviewed by: Matt Ahrens <mahrens@delphix.com>
Reviewed by: George Wilson <george.wilson@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Approved by: Dan McDonald <danmcd@joyent.com>
Ported-by: Prakash Surya <prakash.surya@delphix.com>
Problem
=======
The current implementation of zil_commit() can introduce significant
latency, beyond what is inherent due to the latency of the underlying
storage. The additional latency comes from two main problems:
1. When there's outstanding ZIL blocks being written (i.e. there's
already a "writer thread" in progress), then any new calls to
zil_commit() will block waiting for the currently oustanding ZIL
blocks to complete. The blocks written for each "writer thread" is
coined a "batch", and there can only ever be a single "batch" being
written at a time. When a batch is being written, any new ZIL
transactions will have to wait for the next batch to be written,
which won't occur until the current batch finishes.
As a result, the underlying storage may not be used as efficiently
as possible. While "new" threads enter zil_commit() and are blocked
waiting for the next batch, it's possible that the underlying
storage isn't fully utilized by the current batch of ZIL blocks. In
that case, it'd be better to allow these new threads to generate
(and issue) a new ZIL block, such that it could be serviced by the
underlying storage concurrently with the other ZIL blocks that are
being serviced.
2. Any call to zil_commit() must wait for all ZIL blocks in its "batch"
to complete, prior to zil_commit() returning. The size of any given
batch is proportional to the number of ZIL transaction in the queue
at the time that the batch starts processing the queue; which
doesn't occur until the previous batch completes. Thus, if there's a
lot of transactions in the queue, the batch could be composed of
many ZIL blocks, and each call to zil_commit() will have to wait for
all of these writes to complete (even if the thread calling
zil_commit() only cared about one of the transactions in the batch).
To further complicate the situation, these two issues result in the
following side effect:
3. If a given batch takes longer to complete than normal, this results
in larger batch sizes, which then take longer to complete and
further drive up the latency of zil_commit(). This can occur for a
number of reasons, including (but not limited to): transient changes
in the workload, and storage latency irregularites.
Solution
========
The solution attempted by this change has the following goals:
1. no on-disk changes; maintain current on-disk format.
2. modify the "batch size" to be equal to the "ZIL block size".
3. allow new batches to be generated and issued to disk, while there's
already batches being serviced by the disk.
4. allow zil_commit() to wait for as few ZIL blocks as possible.
5. use as few ZIL blocks as possible, for the same amount of ZIL
transactions, without introducing significant latency to any
individual ZIL transaction. i.e. use fewer, but larger, ZIL blocks.
In theory, with these goals met, the new allgorithm will allow the
following improvements:
1. new ZIL blocks can be generated and issued, while there's already
oustanding ZIL blocks being serviced by the storage.
2. the latency of zil_commit() should be proportional to the underlying
storage latency, rather than the incoming synchronous workload.
Porting Notes
=============
Due to the changes made in commit 119a394ab0, the lifetime of an itx
structure differs than in OpenZFS. Specifically, the itx structure is
kept around until the data associated with the itx is considered to be
safe on disk; this is so that the itx's callback can be called after the
data is committed to stable storage. Since OpenZFS doesn't have this itx
callback mechanism, it's able to destroy the itx structure immediately
after the itx is committed to an lwb (before the lwb is written to
disk).
To support this difference, and to ensure the itx's callbacks can still
be called after the itx's data is on disk, a few changes had to be made:
* A list of itxs was added to the lwb structure. This list contains
all of the itxs that have been committed to the lwb, such that the
callbacks for these itxs can be called from zil_lwb_flush_vdevs_done(),
after the data for the itxs is committed to disk.
* A list of itxs was added on the stack of the zil_process_commit_list()
function; the "nolwb_itxs" list. In some circumstances, an itx may
not be committed to an lwb (e.g. if allocating the "next" ZIL block
on disk fails), so this list is used to keep track of which itxs
fall into this state, such that their callbacks can be called after
the ZIL's writer pipeline is "stalled".
* The logic to actually call the itx's callback was moved into the
zil_itx_destroy() function. Since all consumers of zil_itx_destroy()
were effectively performing the same logic (i.e. if callback is
non-null, call the callback), it seemed like useful code cleanup to
consolidate this logic into a single function.
Additionally, the existing Linux tracepoint infrastructure dealing with
the ZIL's probes and structures had to be updated to reflect these code
changes. Specifically:
* The "zil__cw1" and "zil__cw2" probes were removed, so they had to be
removed from "trace_zil.h" as well.
* Some of the zilog structure's fields were removed, which affected
the tracepoint definitions of the structure.
* New tracepoints had to be added for the following 3 new probes:
* zil__process__commit__itx
* zil__process__normal__itx
* zil__commit__io__error
OpenZFS-issue: https://www.illumos.org/issues/8585
OpenZFS-commit: https://github.com/openzfs/openzfs/commit/5d95a3a
Closes #6566
2017-12-05 09:39:16 -08:00
|
|
|
/*
|
|
|
|
* In order to prevent the zgd's lwb from being free'd prior to
|
|
|
|
* dmu_sync_late_arrival_done() being called, we have to ensure
|
|
|
|
* the lwb's "max txg" takes this tx's txg into account.
|
|
|
|
*/
|
|
|
|
zil_lwb_add_txg(zgd->zgd_lwb, dmu_tx_get_txg(tx));
|
|
|
|
|
2014-11-20 19:09:39 -05:00
|
|
|
dsa = kmem_alloc(sizeof (dmu_sync_arg_t), KM_SLEEP);
|
2010-05-28 13:45:14 -07:00
|
|
|
dsa->dsa_dr = NULL;
|
|
|
|
dsa->dsa_done = done;
|
|
|
|
dsa->dsa_zgd = zgd;
|
|
|
|
dsa->dsa_tx = tx;
|
|
|
|
|
2017-04-14 12:59:18 -07:00
|
|
|
/*
|
|
|
|
* Since we are currently syncing this txg, it's nontrivial to
|
|
|
|
* determine what BP to nopwrite against, so we disable nopwrite.
|
|
|
|
*
|
|
|
|
* When syncing, the db_blkptr is initially the BP of the previous
|
|
|
|
* txg. We can not nopwrite against it because it will be changed
|
|
|
|
* (this is similar to the non-late-arrival case where the dbuf is
|
|
|
|
* dirty in a future txg).
|
|
|
|
*
|
|
|
|
* Then dbuf_write_ready() sets bp_blkptr to the location we will write.
|
|
|
|
* We can not nopwrite against it because although the BP will not
|
|
|
|
* (typically) be changed, the data has not yet been persisted to this
|
|
|
|
* location.
|
|
|
|
*
|
|
|
|
* Finally, when dbuf_write_done() is called, it is theoretically
|
|
|
|
* possible to always nopwrite, because the data that was written in
|
|
|
|
* this txg is the same data that we are trying to write. However we
|
|
|
|
* would need to check that this dbuf is not dirty in any future
|
|
|
|
* txg's (as we do in the normal dmu_sync() path). For simplicity, we
|
|
|
|
* don't nopwrite in this case.
|
|
|
|
*/
|
|
|
|
zp->zp_nopwrite = B_FALSE;
|
|
|
|
|
2016-07-22 11:52:49 -04:00
|
|
|
zio_nowait(zio_write(pio, os->os_spa, dmu_tx_get_txg(tx), zgd->zgd_bp,
|
|
|
|
abd_get_from_buf(zgd->zgd_db->db_data, zgd->zgd_db->db_size),
|
|
|
|
zgd->zgd_db->db_size, zgd->zgd_db->db_size, zp,
|
|
|
|
dmu_sync_late_arrival_ready, NULL, NULL, dmu_sync_late_arrival_done,
|
|
|
|
dsa, ZIO_PRIORITY_SYNC_WRITE, ZIO_FLAG_CANFAIL, zb));
|
2010-05-28 13:45:14 -07:00
|
|
|
|
|
|
|
return (0);
|
2008-11-20 12:01:55 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Intent log support: sync the block associated with db to disk.
|
|
|
|
* N.B. and XXX: the caller is responsible for making sure that the
|
|
|
|
* data isn't changing while dmu_sync() is writing it.
|
|
|
|
*
|
|
|
|
* Return values:
|
|
|
|
*
|
2013-05-10 12:47:54 -07:00
|
|
|
* EEXIST: this txg has already been synced, so there's nothing to do.
|
2008-11-20 12:01:55 -08:00
|
|
|
* The caller should not log the write.
|
|
|
|
*
|
|
|
|
* ENOENT: the block was dbuf_free_range()'d, so there's nothing to do.
|
|
|
|
* The caller should not log the write.
|
|
|
|
*
|
|
|
|
* EALREADY: this block is already in the process of being synced.
|
|
|
|
* The caller should track its progress (somehow).
|
|
|
|
*
|
2010-05-28 13:45:14 -07:00
|
|
|
* EIO: could not do the I/O.
|
|
|
|
* The caller should do a txg_wait_synced().
|
2008-11-20 12:01:55 -08:00
|
|
|
*
|
2010-05-28 13:45:14 -07:00
|
|
|
* 0: the I/O has been initiated.
|
|
|
|
* The caller should log this blkptr in the done callback.
|
|
|
|
* It is possible that the I/O will fail, in which case
|
|
|
|
* the error will be reported to the done callback and
|
|
|
|
* propagated to pio from zio_done().
|
2008-11-20 12:01:55 -08:00
|
|
|
*/
|
|
|
|
int
|
2010-05-28 13:45:14 -07:00
|
|
|
dmu_sync(zio_t *pio, uint64_t txg, dmu_sync_cb_t *done, zgd_t *zgd)
|
2008-11-20 12:01:55 -08:00
|
|
|
{
|
2010-05-28 13:45:14 -07:00
|
|
|
dmu_buf_impl_t *db = (dmu_buf_impl_t *)zgd->zgd_db;
|
|
|
|
objset_t *os = db->db_objset;
|
|
|
|
dsl_dataset_t *ds = os->os_dsl_dataset;
|
2008-11-20 12:01:55 -08:00
|
|
|
dbuf_dirty_record_t *dr;
|
2010-05-28 13:45:14 -07:00
|
|
|
dmu_sync_arg_t *dsa;
|
2014-06-25 10:37:59 -08:00
|
|
|
zbookmark_phys_t zb;
|
2010-05-28 13:45:14 -07:00
|
|
|
zio_prop_t zp;
|
2010-08-26 14:24:34 -07:00
|
|
|
dnode_t *dn;
|
2008-11-20 12:01:55 -08:00
|
|
|
|
2010-05-28 13:45:14 -07:00
|
|
|
ASSERT(pio != NULL);
|
2008-11-20 12:01:55 -08:00
|
|
|
ASSERT(txg != 0);
|
|
|
|
|
2010-05-28 13:45:14 -07:00
|
|
|
SET_BOOKMARK(&zb, ds->ds_object,
|
|
|
|
db->db.db_object, db->db_level, db->db_blkid);
|
|
|
|
|
2010-08-26 14:24:34 -07:00
|
|
|
DB_DNODE_ENTER(db);
|
|
|
|
dn = DB_DNODE(db);
|
2017-03-23 09:07:27 -07:00
|
|
|
dmu_write_policy(os, dn, db->db_level, WP_DMU_SYNC, &zp);
|
2010-08-26 14:24:34 -07:00
|
|
|
DB_DNODE_EXIT(db);
|
2008-11-20 12:01:55 -08:00
|
|
|
|
|
|
|
/*
|
2010-05-28 13:45:14 -07:00
|
|
|
* If we're frozen (running ziltest), we always need to generate a bp.
|
2008-11-20 12:01:55 -08:00
|
|
|
*/
|
2010-05-28 13:45:14 -07:00
|
|
|
if (txg > spa_freeze_txg(os->os_spa))
|
|
|
|
return (dmu_sync_late_arrival(pio, os, done, zgd, &zp, &zb));
|
2008-11-20 12:01:55 -08:00
|
|
|
|
|
|
|
/*
|
2010-05-28 13:45:14 -07:00
|
|
|
* Grabbing db_mtx now provides a barrier between dbuf_sync_leaf()
|
|
|
|
* and us. If we determine that this txg is not yet syncing,
|
|
|
|
* but it begins to sync a moment later, that's OK because the
|
|
|
|
* sync thread will block in dbuf_sync_leaf() until we drop db_mtx.
|
2008-11-20 12:01:55 -08:00
|
|
|
*/
|
2010-05-28 13:45:14 -07:00
|
|
|
mutex_enter(&db->db_mtx);
|
|
|
|
|
|
|
|
if (txg <= spa_last_synced_txg(os->os_spa)) {
|
2008-11-20 12:01:55 -08:00
|
|
|
/*
|
2010-05-28 13:45:14 -07:00
|
|
|
* This txg has already synced. There's nothing to do.
|
2008-11-20 12:01:55 -08:00
|
|
|
*/
|
2010-05-28 13:45:14 -07:00
|
|
|
mutex_exit(&db->db_mtx);
|
2013-03-08 10:41:28 -08:00
|
|
|
return (SET_ERROR(EEXIST));
|
2008-11-20 12:01:55 -08:00
|
|
|
}
|
|
|
|
|
2010-05-28 13:45:14 -07:00
|
|
|
if (txg <= spa_syncing_txg(os->os_spa)) {
|
|
|
|
/*
|
|
|
|
* This txg is currently syncing, so we can't mess with
|
|
|
|
* the dirty record anymore; just write a new log block.
|
|
|
|
*/
|
|
|
|
mutex_exit(&db->db_mtx);
|
|
|
|
return (dmu_sync_late_arrival(pio, os, done, zgd, &zp, &zb));
|
2008-11-20 12:01:55 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
dr = db->db_last_dirty;
|
2010-05-28 13:45:14 -07:00
|
|
|
while (dr && dr->dr_txg != txg)
|
2008-11-20 12:01:55 -08:00
|
|
|
dr = dr->dr_next;
|
2010-05-28 13:45:14 -07:00
|
|
|
|
|
|
|
if (dr == NULL) {
|
2008-11-20 12:01:55 -08:00
|
|
|
/*
|
2010-05-28 13:45:14 -07:00
|
|
|
* There's no dr for this dbuf, so it must have been freed.
|
2008-11-20 12:01:55 -08:00
|
|
|
* There's no need to log writes to freed blocks, so we're done.
|
|
|
|
*/
|
|
|
|
mutex_exit(&db->db_mtx);
|
2013-03-08 10:41:28 -08:00
|
|
|
return (SET_ERROR(ENOENT));
|
2008-11-20 12:01:55 -08:00
|
|
|
}
|
|
|
|
|
2013-05-10 12:47:54 -07:00
|
|
|
ASSERT(dr->dr_next == NULL || dr->dr_next->dr_txg < txg);
|
|
|
|
|
2017-04-14 12:59:18 -07:00
|
|
|
if (db->db_blkptr != NULL) {
|
|
|
|
/*
|
|
|
|
* We need to fill in zgd_bp with the current blkptr so that
|
|
|
|
* the nopwrite code can check if we're writing the same
|
|
|
|
* data that's already on disk. We can only nopwrite if we
|
|
|
|
* are sure that after making the copy, db_blkptr will not
|
|
|
|
* change until our i/o completes. We ensure this by
|
|
|
|
* holding the db_mtx, and only allowing nopwrite if the
|
|
|
|
* block is not already dirty (see below). This is verified
|
|
|
|
* by dmu_sync_done(), which VERIFYs that the db_blkptr has
|
|
|
|
* not changed.
|
|
|
|
*/
|
|
|
|
*zgd->zgd_bp = *db->db_blkptr;
|
|
|
|
}
|
|
|
|
|
2013-05-10 12:47:54 -07:00
|
|
|
/*
|
2015-04-11 11:35:03 -07:00
|
|
|
* Assume the on-disk data is X, the current syncing data (in
|
|
|
|
* txg - 1) is Y, and the current in-memory data is Z (currently
|
|
|
|
* in dmu_sync).
|
|
|
|
*
|
|
|
|
* We usually want to perform a nopwrite if X and Z are the
|
|
|
|
* same. However, if Y is different (i.e. the BP is going to
|
|
|
|
* change before this write takes effect), then a nopwrite will
|
|
|
|
* be incorrect - we would override with X, which could have
|
|
|
|
* been freed when Y was written.
|
|
|
|
*
|
|
|
|
* (Note that this is not a concern when we are nop-writing from
|
|
|
|
* syncing context, because X and Y must be identical, because
|
|
|
|
* all previous txgs have been synced.)
|
|
|
|
*
|
|
|
|
* Therefore, we disable nopwrite if the current BP could change
|
|
|
|
* before this TXG. There are two ways it could change: by
|
|
|
|
* being dirty (dr_next is non-NULL), or by being freed
|
|
|
|
* (dnode_block_freed()). This behavior is verified by
|
|
|
|
* zio_done(), which VERIFYs that the override BP is identical
|
|
|
|
* to the on-disk BP.
|
2013-05-10 12:47:54 -07:00
|
|
|
*/
|
2015-04-11 11:35:03 -07:00
|
|
|
DB_DNODE_ENTER(db);
|
|
|
|
dn = DB_DNODE(db);
|
|
|
|
if (dr->dr_next != NULL || dnode_block_freed(dn, db->db_blkid))
|
2013-05-10 12:47:54 -07:00
|
|
|
zp.zp_nopwrite = B_FALSE;
|
2015-04-11 11:35:03 -07:00
|
|
|
DB_DNODE_EXIT(db);
|
2013-05-10 12:47:54 -07:00
|
|
|
|
2008-11-20 12:01:55 -08:00
|
|
|
ASSERT(dr->dr_txg == txg);
|
2010-05-28 13:45:14 -07:00
|
|
|
if (dr->dt.dl.dr_override_state == DR_IN_DMU_SYNC ||
|
|
|
|
dr->dt.dl.dr_override_state == DR_OVERRIDDEN) {
|
2008-11-20 12:01:55 -08:00
|
|
|
/*
|
2010-05-28 13:45:14 -07:00
|
|
|
* We have already issued a sync write for this buffer,
|
|
|
|
* or this buffer has already been synced. It could not
|
2008-11-20 12:01:55 -08:00
|
|
|
* have been dirtied since, or we would have cleared the state.
|
|
|
|
*/
|
|
|
|
mutex_exit(&db->db_mtx);
|
2013-03-08 10:41:28 -08:00
|
|
|
return (SET_ERROR(EALREADY));
|
2008-11-20 12:01:55 -08:00
|
|
|
}
|
|
|
|
|
2010-05-28 13:45:14 -07:00
|
|
|
ASSERT(dr->dt.dl.dr_override_state == DR_NOT_OVERRIDDEN);
|
2008-11-20 12:01:55 -08:00
|
|
|
dr->dt.dl.dr_override_state = DR_IN_DMU_SYNC;
|
|
|
|
mutex_exit(&db->db_mtx);
|
|
|
|
|
2014-11-20 19:09:39 -05:00
|
|
|
dsa = kmem_alloc(sizeof (dmu_sync_arg_t), KM_SLEEP);
|
2010-05-28 13:45:14 -07:00
|
|
|
dsa->dsa_dr = dr;
|
|
|
|
dsa->dsa_done = done;
|
|
|
|
dsa->dsa_zgd = zgd;
|
|
|
|
dsa->dsa_tx = NULL;
|
2008-12-03 12:09:06 -08:00
|
|
|
|
2010-05-28 13:45:14 -07:00
|
|
|
zio_nowait(arc_write(pio, os->os_spa, txg,
|
2017-04-14 12:59:18 -07:00
|
|
|
zgd->zgd_bp, dr->dt.dl.dr_data, DBUF_IS_L2CACHEABLE(db),
|
2016-06-02 00:04:53 -04:00
|
|
|
&zp, dmu_sync_ready, NULL, NULL, dmu_sync_done, dsa,
|
2016-05-15 08:02:28 -07:00
|
|
|
ZIO_PRIORITY_SYNC_WRITE, ZIO_FLAG_CANFAIL, &zb));
|
2008-12-03 12:09:06 -08:00
|
|
|
|
2010-05-28 13:45:14 -07:00
|
|
|
return (0);
|
2008-11-20 12:01:55 -08:00
|
|
|
}
|
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 13:36:48 -04:00
|
|
|
int
|
|
|
|
dmu_object_set_nlevels(objset_t *os, uint64_t object, int nlevels, dmu_tx_t *tx)
|
|
|
|
{
|
|
|
|
dnode_t *dn;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
err = dnode_hold(os, object, FTAG, &dn);
|
|
|
|
if (err)
|
|
|
|
return (err);
|
|
|
|
err = dnode_set_nlevels(dn, nlevels, tx);
|
|
|
|
dnode_rele(dn, FTAG);
|
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
2008-11-20 12:01:55 -08:00
|
|
|
int
|
|
|
|
dmu_object_set_blocksize(objset_t *os, uint64_t object, uint64_t size, int ibs,
|
2017-01-21 00:17:55 +03:00
|
|
|
dmu_tx_t *tx)
|
2008-11-20 12:01:55 -08:00
|
|
|
{
|
|
|
|
dnode_t *dn;
|
|
|
|
int err;
|
|
|
|
|
2010-05-28 13:45:14 -07:00
|
|
|
err = dnode_hold(os, object, FTAG, &dn);
|
2008-11-20 12:01:55 -08:00
|
|
|
if (err)
|
|
|
|
return (err);
|
|
|
|
err = dnode_set_blksz(dn, size, ibs, tx);
|
|
|
|
dnode_rele(dn, FTAG);
|
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
2017-11-08 14:12:59 -05:00
|
|
|
int
|
|
|
|
dmu_object_set_maxblkid(objset_t *os, uint64_t object, uint64_t maxblkid,
|
|
|
|
dmu_tx_t *tx)
|
|
|
|
{
|
|
|
|
dnode_t *dn;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
err = dnode_hold(os, object, FTAG, &dn);
|
|
|
|
if (err)
|
|
|
|
return (err);
|
|
|
|
rw_enter(&dn->dn_struct_rwlock, RW_WRITER);
|
2019-03-13 13:52:01 -04:00
|
|
|
dnode_new_blkid(dn, maxblkid, tx, B_FALSE, B_TRUE);
|
2017-11-08 14:12:59 -05:00
|
|
|
rw_exit(&dn->dn_struct_rwlock);
|
|
|
|
dnode_rele(dn, FTAG);
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
2008-11-20 12:01:55 -08:00
|
|
|
void
|
|
|
|
dmu_object_set_checksum(objset_t *os, uint64_t object, uint8_t checksum,
|
2017-01-21 00:17:55 +03:00
|
|
|
dmu_tx_t *tx)
|
2008-11-20 12:01:55 -08:00
|
|
|
{
|
|
|
|
dnode_t *dn;
|
|
|
|
|
2014-06-05 13:19:08 -08:00
|
|
|
/*
|
|
|
|
* Send streams include each object's checksum function. This
|
|
|
|
* check ensures that the receiving system can understand the
|
|
|
|
* checksum function transmitted.
|
|
|
|
*/
|
|
|
|
ASSERT3U(checksum, <, ZIO_CHECKSUM_LEGACY_FUNCTIONS);
|
|
|
|
|
|
|
|
VERIFY0(dnode_hold(os, object, FTAG, &dn));
|
|
|
|
ASSERT3U(checksum, <, ZIO_CHECKSUM_FUNCTIONS);
|
2008-11-20 12:01:55 -08:00
|
|
|
dn->dn_checksum = checksum;
|
|
|
|
dnode_setdirty(dn, tx);
|
|
|
|
dnode_rele(dn, FTAG);
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
dmu_object_set_compress(objset_t *os, uint64_t object, uint8_t compress,
|
2017-01-21 00:17:55 +03:00
|
|
|
dmu_tx_t *tx)
|
2008-11-20 12:01:55 -08:00
|
|
|
{
|
|
|
|
dnode_t *dn;
|
|
|
|
|
2014-06-05 13:19:08 -08:00
|
|
|
/*
|
|
|
|
* Send streams include each object's compression function. This
|
|
|
|
* check ensures that the receiving system can understand the
|
|
|
|
* compression function transmitted.
|
|
|
|
*/
|
|
|
|
ASSERT3U(compress, <, ZIO_COMPRESS_LEGACY_FUNCTIONS);
|
|
|
|
|
|
|
|
VERIFY0(dnode_hold(os, object, FTAG, &dn));
|
2008-11-20 12:01:55 -08:00
|
|
|
dn->dn_compress = compress;
|
|
|
|
dnode_setdirty(dn, tx);
|
|
|
|
dnode_rele(dn, FTAG);
|
|
|
|
}
|
|
|
|
|
2014-05-23 08:21:07 -08:00
|
|
|
/*
|
|
|
|
* When the "redundant_metadata" property is set to "most", only indirect
|
|
|
|
* blocks of this level and higher will have an additional ditto block.
|
|
|
|
*/
|
|
|
|
int zfs_redundant_metadata_most_ditto_level = 2;
|
|
|
|
|
2010-05-28 13:45:14 -07:00
|
|
|
void
|
2017-03-23 09:07:27 -07:00
|
|
|
dmu_write_policy(objset_t *os, dnode_t *dn, int level, int wp, zio_prop_t *zp)
|
2010-05-28 13:45:14 -07:00
|
|
|
{
|
|
|
|
dmu_object_type_t type = dn ? dn->dn_type : DMU_OT_OBJSET;
|
2012-12-13 15:24:15 -08:00
|
|
|
boolean_t ismd = (level > 0 || DMU_OT_IS_METADATA(type) ||
|
2010-08-26 14:24:34 -07:00
|
|
|
(wp & WP_SPILL));
|
2010-05-28 13:45:14 -07:00
|
|
|
enum zio_checksum checksum = os->os_checksum;
|
|
|
|
enum zio_compress compress = os->os_compress;
|
|
|
|
enum zio_checksum dedup_checksum = os->os_dedup_checksum;
|
2013-05-10 12:47:54 -07:00
|
|
|
boolean_t dedup = B_FALSE;
|
|
|
|
boolean_t nopwrite = B_FALSE;
|
2010-05-28 13:45:14 -07:00
|
|
|
boolean_t dedup_verify = os->os_dedup_verify;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 13:36:48 -04:00
|
|
|
boolean_t encrypt = B_FALSE;
|
2010-05-28 13:45:14 -07:00
|
|
|
int copies = os->os_copies;
|
2017-04-11 21:56:54 +00:00
|
|
|
|
2010-05-28 13:45:14 -07:00
|
|
|
/*
|
2013-05-10 12:47:54 -07:00
|
|
|
* We maintain different write policies for each of the following
|
|
|
|
* types of data:
|
|
|
|
* 1. metadata
|
|
|
|
* 2. preallocated blocks (i.e. level-0 blocks of a dump device)
|
|
|
|
* 3. all other level 0 blocks
|
2010-05-28 13:45:14 -07:00
|
|
|
*/
|
|
|
|
if (ismd) {
|
2018-02-21 15:28:52 -05:00
|
|
|
/*
|
|
|
|
* XXX -- we should design a compression algorithm
|
|
|
|
* that specializes in arrays of bps.
|
|
|
|
*/
|
|
|
|
compress = zio_compress_select(os->os_spa,
|
|
|
|
ZIO_COMPRESS_ON, ZIO_COMPRESS_ON);
|
2013-05-10 12:47:54 -07:00
|
|
|
|
2010-05-28 13:45:14 -07:00
|
|
|
/*
|
|
|
|
* Metadata always gets checksummed. If the data
|
|
|
|
* checksum is multi-bit correctable, and it's not a
|
|
|
|
* ZBT-style checksum, then it's suitable for metadata
|
|
|
|
* as well. Otherwise, the metadata checksum defaults
|
|
|
|
* to fletcher4.
|
|
|
|
*/
|
2016-06-15 15:47:05 -07:00
|
|
|
if (!(zio_checksum_table[checksum].ci_flags &
|
|
|
|
ZCHECKSUM_FLAG_METADATA) ||
|
|
|
|
(zio_checksum_table[checksum].ci_flags &
|
|
|
|
ZCHECKSUM_FLAG_EMBEDDED))
|
2010-05-28 13:45:14 -07:00
|
|
|
checksum = ZIO_CHECKSUM_FLETCHER_4;
|
2014-05-23 08:21:07 -08:00
|
|
|
|
|
|
|
if (os->os_redundant_metadata == ZFS_REDUNDANT_METADATA_ALL ||
|
|
|
|
(os->os_redundant_metadata ==
|
|
|
|
ZFS_REDUNDANT_METADATA_MOST &&
|
|
|
|
(level >= zfs_redundant_metadata_most_ditto_level ||
|
|
|
|
DMU_OT_IS_METADATA(type) || (wp & WP_SPILL))))
|
|
|
|
copies++;
|
2013-05-10 12:47:54 -07:00
|
|
|
} else if (wp & WP_NOFILL) {
|
|
|
|
ASSERT(level == 0);
|
2010-05-28 13:45:14 -07:00
|
|
|
|
|
|
|
/*
|
2013-05-10 12:47:54 -07:00
|
|
|
* If we're writing preallocated blocks, we aren't actually
|
|
|
|
* writing them so don't set any policy properties. These
|
|
|
|
* blocks are currently only used by an external subsystem
|
|
|
|
* outside of zfs (i.e. dump) and not written by the zio
|
|
|
|
* pipeline.
|
2010-05-28 13:45:14 -07:00
|
|
|
*/
|
2013-05-10 12:47:54 -07:00
|
|
|
compress = ZIO_COMPRESS_OFF;
|
|
|
|
checksum = ZIO_CHECKSUM_OFF;
|
2010-05-28 13:45:14 -07:00
|
|
|
} else {
|
2015-07-06 03:55:32 +02:00
|
|
|
compress = zio_compress_select(os->os_spa, dn->dn_compress,
|
|
|
|
compress);
|
2010-05-28 13:45:14 -07:00
|
|
|
|
2013-05-10 12:47:54 -07:00
|
|
|
checksum = (dedup_checksum == ZIO_CHECKSUM_OFF) ?
|
|
|
|
zio_checksum_select(dn->dn_checksum, checksum) :
|
|
|
|
dedup_checksum;
|
2010-05-28 13:45:14 -07:00
|
|
|
|
2013-05-10 12:47:54 -07:00
|
|
|
/*
|
|
|
|
* Determine dedup setting. If we are in dmu_sync(),
|
|
|
|
* we won't actually dedup now because that's all
|
|
|
|
* done in syncing context; but we do want to use the
|
2019-09-03 02:56:41 +02:00
|
|
|
* dedup checksum. If the checksum is not strong
|
2013-05-10 12:47:54 -07:00
|
|
|
* enough to ensure unique signatures, force
|
|
|
|
* dedup_verify.
|
|
|
|
*/
|
|
|
|
if (dedup_checksum != ZIO_CHECKSUM_OFF) {
|
|
|
|
dedup = (wp & WP_DMU_SYNC) ? B_FALSE : B_TRUE;
|
2016-06-15 15:47:05 -07:00
|
|
|
if (!(zio_checksum_table[checksum].ci_flags &
|
|
|
|
ZCHECKSUM_FLAG_DEDUP))
|
2013-05-10 12:47:54 -07:00
|
|
|
dedup_verify = B_TRUE;
|
|
|
|
}
|
2010-05-28 13:45:14 -07:00
|
|
|
|
2013-05-10 12:47:54 -07:00
|
|
|
/*
|
2016-06-15 15:47:05 -07:00
|
|
|
* Enable nopwrite if we have secure enough checksum
|
|
|
|
* algorithm (see comment in zio_nop_write) and
|
|
|
|
* compression is enabled. We don't enable nopwrite if
|
|
|
|
* dedup is enabled as the two features are mutually
|
|
|
|
* exclusive.
|
2013-05-10 12:47:54 -07:00
|
|
|
*/
|
2016-06-15 15:47:05 -07:00
|
|
|
nopwrite = (!dedup && (zio_checksum_table[checksum].ci_flags &
|
|
|
|
ZCHECKSUM_FLAG_NOPWRITE) &&
|
2013-05-10 12:47:54 -07:00
|
|
|
compress != ZIO_COMPRESS_OFF && zfs_nopwrite_enabled);
|
2010-05-28 13:45:14 -07:00
|
|
|
}
|
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 13:36:48 -04:00
|
|
|
/*
|
|
|
|
* All objects in an encrypted objset are protected from modification
|
|
|
|
* via a MAC. Encrypted objects store their IV and salt in the last DVA
|
|
|
|
* in the bp, so we cannot use all copies. Encrypted objects are also
|
|
|
|
* not subject to nopwrite since writing the same data will still
|
|
|
|
* result in a new ciphertext. Only encrypted blocks can be dedup'd
|
|
|
|
* to avoid ambiguity in the dedup code since the DDT does not store
|
|
|
|
* object types.
|
|
|
|
*/
|
|
|
|
if (os->os_encrypted && (wp & WP_NOFILL) == 0) {
|
|
|
|
encrypt = B_TRUE;
|
|
|
|
|
|
|
|
if (DMU_OT_IS_ENCRYPTED(type)) {
|
|
|
|
copies = MIN(copies, SPA_DVAS_PER_BP - 1);
|
|
|
|
nopwrite = B_FALSE;
|
|
|
|
} else {
|
|
|
|
dedup = B_FALSE;
|
|
|
|
}
|
|
|
|
|
2017-11-08 14:12:59 -05:00
|
|
|
if (level <= 0 &&
|
|
|
|
(type == DMU_OT_DNODE || type == DMU_OT_OBJSET)) {
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 13:36:48 -04:00
|
|
|
compress = ZIO_COMPRESS_EMPTY;
|
2017-11-08 14:12:59 -05:00
|
|
|
}
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 13:36:48 -04:00
|
|
|
}
|
2016-07-11 13:45:52 -04:00
|
|
|
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 13:36:48 -04:00
|
|
|
zp->zp_compress = compress;
|
|
|
|
zp->zp_checksum = checksum;
|
2010-05-28 13:45:14 -07:00
|
|
|
zp->zp_type = (wp & WP_SPILL) ? dn->dn_bonustype : type;
|
|
|
|
zp->zp_level = level;
|
2014-05-23 08:21:07 -08:00
|
|
|
zp->zp_copies = MIN(copies, spa_max_replication(os->os_spa));
|
2010-05-28 13:45:14 -07:00
|
|
|
zp->zp_dedup = dedup;
|
|
|
|
zp->zp_dedup_verify = dedup && dedup_verify;
|
2013-05-10 12:47:54 -07:00
|
|
|
zp->zp_nopwrite = nopwrite;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 13:36:48 -04:00
|
|
|
zp->zp_encrypt = encrypt;
|
|
|
|
zp->zp_byteorder = ZFS_HOST_BYTEORDER;
|
|
|
|
bzero(zp->zp_salt, ZIO_DATA_SALT_LEN);
|
|
|
|
bzero(zp->zp_iv, ZIO_DATA_IV_LEN);
|
|
|
|
bzero(zp->zp_mac, ZIO_DATA_MAC_LEN);
|
2018-09-05 19:33:36 -06:00
|
|
|
zp->zp_zpl_smallblk = DMU_OT_IS_FILE(zp->zp_type) ?
|
|
|
|
os->os_zpl_special_smallblock : 0;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 13:36:48 -04:00
|
|
|
|
|
|
|
ASSERT3U(zp->zp_compress, !=, ZIO_COMPRESS_INHERIT);
|
2010-05-28 13:45:14 -07:00
|
|
|
}
|
|
|
|
|
2017-03-24 17:28:38 -04:00
|
|
|
/*
|
|
|
|
* This function is only called from zfs_holey_common() for zpl_llseek()
|
|
|
|
* in order to determine the location of holes. In order to accurately
|
|
|
|
* report holes all dirty data must be synced to disk. This causes extremely
|
|
|
|
* poor performance when seeking for holes in a dirty file. As a compromise,
|
|
|
|
* only provide hole data when the dnode is clean. When a dnode is dirty
|
|
|
|
* report the dnode as having no holes which is always a safe thing to do.
|
|
|
|
*/
|
2008-11-20 12:01:55 -08:00
|
|
|
int
|
|
|
|
dmu_offset_next(objset_t *os, uint64_t object, boolean_t hole, uint64_t *off)
|
|
|
|
{
|
|
|
|
dnode_t *dn;
|
|
|
|
int i, err;
|
2017-03-24 17:28:38 -04:00
|
|
|
boolean_t clean = B_TRUE;
|
2008-11-20 12:01:55 -08:00
|
|
|
|
2010-05-28 13:45:14 -07:00
|
|
|
err = dnode_hold(os, object, FTAG, &dn);
|
2008-11-20 12:01:55 -08:00
|
|
|
if (err)
|
|
|
|
return (err);
|
2017-03-24 17:28:38 -04:00
|
|
|
|
2008-11-20 12:01:55 -08:00
|
|
|
/*
|
2019-05-30 17:13:18 -07:00
|
|
|
* Check if dnode is dirty
|
2008-11-20 12:01:55 -08:00
|
|
|
*/
|
2017-11-15 10:19:32 -08:00
|
|
|
for (i = 0; i < TXG_SIZE; i++) {
|
2018-04-10 14:15:05 -04:00
|
|
|
if (multilist_link_active(&dn->dn_dirty_link[i])) {
|
2019-05-30 17:13:18 -07:00
|
|
|
clean = B_FALSE;
|
2019-03-21 10:30:15 -07:00
|
|
|
break;
|
2019-05-30 17:13:18 -07:00
|
|
|
}
|
2008-11-20 12:01:55 -08:00
|
|
|
}
|
2017-03-24 17:28:38 -04:00
|
|
|
|
|
|
|
/*
|
|
|
|
* If compatibility option is on, sync any current changes before
|
|
|
|
* we go trundling through the block pointers.
|
|
|
|
*/
|
|
|
|
if (!clean && zfs_dmu_offset_next_sync) {
|
|
|
|
clean = B_TRUE;
|
2008-11-20 12:01:55 -08:00
|
|
|
dnode_rele(dn, FTAG);
|
|
|
|
txg_wait_synced(dmu_objset_pool(os), 0);
|
2010-05-28 13:45:14 -07:00
|
|
|
err = dnode_hold(os, object, FTAG, &dn);
|
2008-11-20 12:01:55 -08:00
|
|
|
if (err)
|
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
2017-03-24 17:28:38 -04:00
|
|
|
if (clean)
|
|
|
|
err = dnode_next_offset(dn,
|
|
|
|
(hole ? DNODE_FIND_HOLE : 0), off, 1, 1, 0);
|
|
|
|
else
|
|
|
|
err = SET_ERROR(EBUSY);
|
|
|
|
|
2008-11-20 12:01:55 -08:00
|
|
|
dnode_rele(dn, FTAG);
|
|
|
|
|
|
|
|
return (err);
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
2013-10-02 17:11:19 -07:00
|
|
|
__dmu_object_info_from_dnode(dnode_t *dn, dmu_object_info_t *doi)
|
2008-11-20 12:01:55 -08:00
|
|
|
{
|
2013-10-02 17:11:19 -07:00
|
|
|
dnode_phys_t *dnp = dn->dn_phys;
|
2010-05-28 13:45:14 -07:00
|
|
|
|
2008-11-20 12:01:55 -08:00
|
|
|
doi->doi_data_block_size = dn->dn_datablksz;
|
|
|
|
doi->doi_metadata_block_size = dn->dn_indblkshift ?
|
|
|
|
1ULL << dn->dn_indblkshift : 0;
|
2010-05-28 13:45:14 -07:00
|
|
|
doi->doi_type = dn->dn_type;
|
|
|
|
doi->doi_bonus_type = dn->dn_bonustype;
|
|
|
|
doi->doi_bonus_size = dn->dn_bonuslen;
|
Implement large_dnode pool feature
Justification
-------------
This feature adds support for variable length dnodes. Our motivation is
to eliminate the overhead associated with using spill blocks. Spill
blocks are used to store system attribute data (i.e. file metadata) that
does not fit in the dnode's bonus buffer. By allowing a larger bonus
buffer area the use of a spill block can be avoided. Spill blocks
potentially incur an additional read I/O for every dnode in a dnode
block. As a worst case example, reading 32 dnodes from a 16k dnode block
and all of the spill blocks could issue 33 separate reads. Now suppose
those dnodes have size 1024 and therefore don't need spill blocks. Then
the worst case number of blocks read is reduced to from 33 to two--one
per dnode block. In practice spill blocks may tend to be co-located on
disk with the dnode blocks so the reduction in I/O would not be this
drastic. In a badly fragmented pool, however, the improvement could be
significant.
ZFS-on-Linux systems that make heavy use of extended attributes would
benefit from this feature. In particular, ZFS-on-Linux supports the
xattr=sa dataset property which allows file extended attribute data
to be stored in the dnode bonus buffer as an alternative to the
traditional directory-based format. Workloads such as SELinux and the
Lustre distributed filesystem often store enough xattr data to force
spill bocks when xattr=sa is in effect. Large dnodes may therefore
provide a performance benefit to such systems.
Other use cases that may benefit from this feature include files with
large ACLs and symbolic links with long target names. Furthermore,
this feature may be desirable on other platforms in case future
applications or features are developed that could make use of a
larger bonus buffer area.
Implementation
--------------
The size of a dnode may be a multiple of 512 bytes up to the size of
a dnode block (currently 16384 bytes). A dn_extra_slots field was
added to the current on-disk dnode_phys_t structure to describe the
size of the physical dnode on disk. The 8 bits for this field were
taken from the zero filled dn_pad2 field. The field represents how
many "extra" dnode_phys_t slots a dnode consumes in its dnode block.
This convention results in a value of 0 for 512 byte dnodes which
preserves on-disk format compatibility with older software.
Similarly, the in-memory dnode_t structure has a new dn_num_slots field
to represent the total number of dnode_phys_t slots consumed on disk.
Thus dn->dn_num_slots is 1 greater than the corresponding
dnp->dn_extra_slots. This difference in convention was adopted
because, unlike on-disk structures, backward compatibility is not a
concern for in-memory objects, so we used a more natural way to
represent size for a dnode_t.
The default size for newly created dnodes is determined by the value of
a new "dnodesize" dataset property. By default the property is set to
"legacy" which is compatible with older software. Setting the property
to "auto" will allow the filesystem to choose the most suitable dnode
size. Currently this just sets the default dnode size to 1k, but future
code improvements could dynamically choose a size based on observed
workload patterns. Dnodes of varying sizes can coexist within the same
dataset and even within the same dnode block. For example, to enable
automatically-sized dnodes, run
# zfs set dnodesize=auto tank/fish
The user can also specify literal values for the dnodesize property.
These are currently limited to powers of two from 1k to 16k. The
power-of-2 limitation is only for simplicity of the user interface.
Internally the implementation can handle any multiple of 512 up to 16k,
and consumers of the DMU API can specify any legal dnode value.
The size of a new dnode is determined at object allocation time and
stored as a new field in the znode in-memory structure. New DMU
interfaces are added to allow the consumer to specify the dnode size
that a newly allocated object should use. Existing interfaces are
unchanged to avoid having to update every call site and to preserve
compatibility with external consumers such as Lustre. The new
interfaces names are given below. The versions of these functions that
don't take a dnodesize parameter now just call the _dnsize() versions
with a dnodesize of 0, which means use the legacy dnode size.
New DMU interfaces:
dmu_object_alloc_dnsize()
dmu_object_claim_dnsize()
dmu_object_reclaim_dnsize()
New ZAP interfaces:
zap_create_dnsize()
zap_create_norm_dnsize()
zap_create_flags_dnsize()
zap_create_claim_norm_dnsize()
zap_create_link_dnsize()
The constant DN_MAX_BONUSLEN is renamed to DN_OLD_MAX_BONUSLEN. The
spa_maxdnodesize() function should be used to determine the maximum
bonus length for a pool.
These are a few noteworthy changes to key functions:
* The prototype for dnode_hold_impl() now takes a "slots" parameter.
When the DNODE_MUST_BE_FREE flag is set, this parameter is used to
ensure the hole at the specified object offset is large enough to
hold the dnode being created. The slots parameter is also used
to ensure a dnode does not span multiple dnode blocks. In both of
these cases, if a failure occurs, ENOSPC is returned. Keep in mind,
these failure cases are only possible when using DNODE_MUST_BE_FREE.
If the DNODE_MUST_BE_ALLOCATED flag is set, "slots" must be 0.
dnode_hold_impl() will check if the requested dnode is already
consumed as an extra dnode slot by an large dnode, in which case
it returns ENOENT.
* The function dmu_object_alloc() advances to the next dnode block
if dnode_hold_impl() returns an error for a requested object.
This is because the beginning of the next dnode block is the only
location it can safely assume to either be a hole or a valid
starting point for a dnode.
* dnode_next_offset_level() and other functions that iterate
through dnode blocks may no longer use a simple array indexing
scheme. These now use the current dnode's dn_num_slots field to
advance to the next dnode in the block. This is to ensure we
properly skip the current dnode's bonus area and don't interpret it
as a valid dnode.
zdb
---
The zdb command was updated to display a dnode's size under the
"dnsize" column when the object is dumped.
For ZIL create log records, zdb will now display the slot count for
the object.
ztest
-----
Ztest chooses a random dnodesize for every newly created object. The
random distribution is more heavily weighted toward small dnodes to
better simulate real-world datasets.
Unused bonus buffer space is filled with non-zero values computed from
the object number, dataset id, offset, and generation number. This
helps ensure that the dnode traversal code properly skips the interior
regions of large dnodes, and that these interior regions are not
overwritten by data belonging to other dnodes. A new test visits each
object in a dataset. It verifies that the actual dnode size matches what
was stored in the ztest block tag when it was created. It also verifies
that the unused bonus buffer space is filled with the expected data
patterns.
ZFS Test Suite
--------------
Added six new large dnode-specific tests, and integrated the dnodesize
property into existing tests for zfs allow and send/recv.
Send/Receive
------------
ZFS send streams for datasets containing large dnodes cannot be received
on pools that don't support the large_dnode feature. A send stream with
large dnodes sets a DMU_BACKUP_FEATURE_LARGE_DNODE flag which will be
unrecognized by an incompatible receiving pool so that the zfs receive
will fail gracefully.
While not implemented here, it may be possible to generate a
backward-compatible send stream from a dataset containing large
dnodes. The implementation may be tricky, however, because the send
object record for a large dnode would need to be resized to a 512
byte dnode, possibly kicking in a spill block in the process. This
means we would need to construct a new SA layout and possibly
register it in the SA layout object. The SA layout is normally just
sent as an ordinary object record. But if we are constructing new
layouts while generating the send stream we'd have to build the SA
layout object dynamically and send it at the end of the stream.
For sending and receiving between pools that do support large dnodes,
the drr_object send record type is extended with a new field to store
the dnode slot count. This field was repurposed from unused padding
in the structure.
ZIL Replay
----------
The dnode slot count is stored in the uppermost 8 bits of the lr_foid
field. The bits were unused as the object id is currently capped at
48 bits.
Resizing Dnodes
---------------
It should be possible to resize a dnode when it is dirtied if the
current dnodesize dataset property differs from the dnode's size, but
this functionality is not currently implemented. Clearly a dnode can
only grow if there are sufficient contiguous unused slots in the
dnode block, but it should always be possible to shrink a dnode.
Growing dnodes may be useful to reduce fragmentation in a pool with
many spill blocks in use. Shrinking dnodes may be useful to allow
sending a dataset to a pool that doesn't support the large_dnode
feature.
Feature Reference Counting
--------------------------
The reference count for the large_dnode pool feature tracks the
number of datasets that have ever contained a dnode of size larger
than 512 bytes. The first time a large dnode is created in a dataset
the dataset is converted to an extensible dataset. This is a one-way
operation and the only way to decrement the feature count is to
destroy the dataset, even if the dataset no longer contains any large
dnodes. The complexity of reference counting on a per-dnode basis was
too high, so we chose to track it on a per-dataset basis similarly to
the large_block feature.
Signed-off-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #3542
2016-03-16 18:25:34 -07:00
|
|
|
doi->doi_dnodesize = dn->dn_num_slots << DNODE_SHIFT;
|
2008-11-20 12:01:55 -08:00
|
|
|
doi->doi_indirection = dn->dn_nlevels;
|
|
|
|
doi->doi_checksum = dn->dn_checksum;
|
|
|
|
doi->doi_compress = dn->dn_compress;
|
2014-09-12 05:28:35 +02:00
|
|
|
doi->doi_nblkptr = dn->dn_nblkptr;
|
2010-05-28 13:45:14 -07:00
|
|
|
doi->doi_physical_blocks_512 = (DN_USED_BYTES(dnp) + 256) >> 9;
|
2013-07-05 15:37:16 -04:00
|
|
|
doi->doi_max_offset = (dn->dn_maxblkid + 1) * dn->dn_datablksz;
|
2010-05-28 13:45:14 -07:00
|
|
|
doi->doi_fill_count = 0;
|
2017-11-04 14:25:13 -06:00
|
|
|
for (int i = 0; i < dnp->dn_nblkptr; i++)
|
2014-06-05 13:19:08 -08:00
|
|
|
doi->doi_fill_count += BP_GET_FILL(&dnp->dn_blkptr[i]);
|
2013-10-02 17:11:19 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
dmu_object_info_from_dnode(dnode_t *dn, dmu_object_info_t *doi)
|
|
|
|
{
|
|
|
|
rw_enter(&dn->dn_struct_rwlock, RW_READER);
|
|
|
|
mutex_enter(&dn->dn_mtx);
|
|
|
|
|
|
|
|
__dmu_object_info_from_dnode(dn, doi);
|
2008-11-20 12:01:55 -08:00
|
|
|
|
|
|
|
mutex_exit(&dn->dn_mtx);
|
|
|
|
rw_exit(&dn->dn_struct_rwlock);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Get information on a DMU object.
|
|
|
|
* If doi is NULL, just indicates whether the object exists.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
dmu_object_info(objset_t *os, uint64_t object, dmu_object_info_t *doi)
|
|
|
|
{
|
|
|
|
dnode_t *dn;
|
2010-05-28 13:45:14 -07:00
|
|
|
int err = dnode_hold(os, object, FTAG, &dn);
|
2008-11-20 12:01:55 -08:00
|
|
|
|
|
|
|
if (err)
|
|
|
|
return (err);
|
|
|
|
|
|
|
|
if (doi != NULL)
|
|
|
|
dmu_object_info_from_dnode(dn, doi);
|
|
|
|
|
|
|
|
dnode_rele(dn, FTAG);
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* As above, but faster; can be used when you have a held dbuf in hand.
|
|
|
|
*/
|
|
|
|
void
|
2010-08-26 14:24:34 -07:00
|
|
|
dmu_object_info_from_db(dmu_buf_t *db_fake, dmu_object_info_t *doi)
|
2008-11-20 12:01:55 -08:00
|
|
|
{
|
2010-08-26 14:24:34 -07:00
|
|
|
dmu_buf_impl_t *db = (dmu_buf_impl_t *)db_fake;
|
|
|
|
|
|
|
|
DB_DNODE_ENTER(db);
|
|
|
|
dmu_object_info_from_dnode(DB_DNODE(db), doi);
|
|
|
|
DB_DNODE_EXIT(db);
|
2008-11-20 12:01:55 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Faster still when you only care about the size.
|
|
|
|
* This is specifically optimized for zfs_getattr().
|
|
|
|
*/
|
|
|
|
void
|
2010-08-26 14:24:34 -07:00
|
|
|
dmu_object_size_from_db(dmu_buf_t *db_fake, uint32_t *blksize,
|
|
|
|
u_longlong_t *nblk512)
|
2008-11-20 12:01:55 -08:00
|
|
|
{
|
2010-08-26 14:24:34 -07:00
|
|
|
dmu_buf_impl_t *db = (dmu_buf_impl_t *)db_fake;
|
|
|
|
dnode_t *dn;
|
|
|
|
|
|
|
|
DB_DNODE_ENTER(db);
|
|
|
|
dn = DB_DNODE(db);
|
2008-11-20 12:01:55 -08:00
|
|
|
|
|
|
|
*blksize = dn->dn_datablksz;
|
Implement large_dnode pool feature
Justification
-------------
This feature adds support for variable length dnodes. Our motivation is
to eliminate the overhead associated with using spill blocks. Spill
blocks are used to store system attribute data (i.e. file metadata) that
does not fit in the dnode's bonus buffer. By allowing a larger bonus
buffer area the use of a spill block can be avoided. Spill blocks
potentially incur an additional read I/O for every dnode in a dnode
block. As a worst case example, reading 32 dnodes from a 16k dnode block
and all of the spill blocks could issue 33 separate reads. Now suppose
those dnodes have size 1024 and therefore don't need spill blocks. Then
the worst case number of blocks read is reduced to from 33 to two--one
per dnode block. In practice spill blocks may tend to be co-located on
disk with the dnode blocks so the reduction in I/O would not be this
drastic. In a badly fragmented pool, however, the improvement could be
significant.
ZFS-on-Linux systems that make heavy use of extended attributes would
benefit from this feature. In particular, ZFS-on-Linux supports the
xattr=sa dataset property which allows file extended attribute data
to be stored in the dnode bonus buffer as an alternative to the
traditional directory-based format. Workloads such as SELinux and the
Lustre distributed filesystem often store enough xattr data to force
spill bocks when xattr=sa is in effect. Large dnodes may therefore
provide a performance benefit to such systems.
Other use cases that may benefit from this feature include files with
large ACLs and symbolic links with long target names. Furthermore,
this feature may be desirable on other platforms in case future
applications or features are developed that could make use of a
larger bonus buffer area.
Implementation
--------------
The size of a dnode may be a multiple of 512 bytes up to the size of
a dnode block (currently 16384 bytes). A dn_extra_slots field was
added to the current on-disk dnode_phys_t structure to describe the
size of the physical dnode on disk. The 8 bits for this field were
taken from the zero filled dn_pad2 field. The field represents how
many "extra" dnode_phys_t slots a dnode consumes in its dnode block.
This convention results in a value of 0 for 512 byte dnodes which
preserves on-disk format compatibility with older software.
Similarly, the in-memory dnode_t structure has a new dn_num_slots field
to represent the total number of dnode_phys_t slots consumed on disk.
Thus dn->dn_num_slots is 1 greater than the corresponding
dnp->dn_extra_slots. This difference in convention was adopted
because, unlike on-disk structures, backward compatibility is not a
concern for in-memory objects, so we used a more natural way to
represent size for a dnode_t.
The default size for newly created dnodes is determined by the value of
a new "dnodesize" dataset property. By default the property is set to
"legacy" which is compatible with older software. Setting the property
to "auto" will allow the filesystem to choose the most suitable dnode
size. Currently this just sets the default dnode size to 1k, but future
code improvements could dynamically choose a size based on observed
workload patterns. Dnodes of varying sizes can coexist within the same
dataset and even within the same dnode block. For example, to enable
automatically-sized dnodes, run
# zfs set dnodesize=auto tank/fish
The user can also specify literal values for the dnodesize property.
These are currently limited to powers of two from 1k to 16k. The
power-of-2 limitation is only for simplicity of the user interface.
Internally the implementation can handle any multiple of 512 up to 16k,
and consumers of the DMU API can specify any legal dnode value.
The size of a new dnode is determined at object allocation time and
stored as a new field in the znode in-memory structure. New DMU
interfaces are added to allow the consumer to specify the dnode size
that a newly allocated object should use. Existing interfaces are
unchanged to avoid having to update every call site and to preserve
compatibility with external consumers such as Lustre. The new
interfaces names are given below. The versions of these functions that
don't take a dnodesize parameter now just call the _dnsize() versions
with a dnodesize of 0, which means use the legacy dnode size.
New DMU interfaces:
dmu_object_alloc_dnsize()
dmu_object_claim_dnsize()
dmu_object_reclaim_dnsize()
New ZAP interfaces:
zap_create_dnsize()
zap_create_norm_dnsize()
zap_create_flags_dnsize()
zap_create_claim_norm_dnsize()
zap_create_link_dnsize()
The constant DN_MAX_BONUSLEN is renamed to DN_OLD_MAX_BONUSLEN. The
spa_maxdnodesize() function should be used to determine the maximum
bonus length for a pool.
These are a few noteworthy changes to key functions:
* The prototype for dnode_hold_impl() now takes a "slots" parameter.
When the DNODE_MUST_BE_FREE flag is set, this parameter is used to
ensure the hole at the specified object offset is large enough to
hold the dnode being created. The slots parameter is also used
to ensure a dnode does not span multiple dnode blocks. In both of
these cases, if a failure occurs, ENOSPC is returned. Keep in mind,
these failure cases are only possible when using DNODE_MUST_BE_FREE.
If the DNODE_MUST_BE_ALLOCATED flag is set, "slots" must be 0.
dnode_hold_impl() will check if the requested dnode is already
consumed as an extra dnode slot by an large dnode, in which case
it returns ENOENT.
* The function dmu_object_alloc() advances to the next dnode block
if dnode_hold_impl() returns an error for a requested object.
This is because the beginning of the next dnode block is the only
location it can safely assume to either be a hole or a valid
starting point for a dnode.
* dnode_next_offset_level() and other functions that iterate
through dnode blocks may no longer use a simple array indexing
scheme. These now use the current dnode's dn_num_slots field to
advance to the next dnode in the block. This is to ensure we
properly skip the current dnode's bonus area and don't interpret it
as a valid dnode.
zdb
---
The zdb command was updated to display a dnode's size under the
"dnsize" column when the object is dumped.
For ZIL create log records, zdb will now display the slot count for
the object.
ztest
-----
Ztest chooses a random dnodesize for every newly created object. The
random distribution is more heavily weighted toward small dnodes to
better simulate real-world datasets.
Unused bonus buffer space is filled with non-zero values computed from
the object number, dataset id, offset, and generation number. This
helps ensure that the dnode traversal code properly skips the interior
regions of large dnodes, and that these interior regions are not
overwritten by data belonging to other dnodes. A new test visits each
object in a dataset. It verifies that the actual dnode size matches what
was stored in the ztest block tag when it was created. It also verifies
that the unused bonus buffer space is filled with the expected data
patterns.
ZFS Test Suite
--------------
Added six new large dnode-specific tests, and integrated the dnodesize
property into existing tests for zfs allow and send/recv.
Send/Receive
------------
ZFS send streams for datasets containing large dnodes cannot be received
on pools that don't support the large_dnode feature. A send stream with
large dnodes sets a DMU_BACKUP_FEATURE_LARGE_DNODE flag which will be
unrecognized by an incompatible receiving pool so that the zfs receive
will fail gracefully.
While not implemented here, it may be possible to generate a
backward-compatible send stream from a dataset containing large
dnodes. The implementation may be tricky, however, because the send
object record for a large dnode would need to be resized to a 512
byte dnode, possibly kicking in a spill block in the process. This
means we would need to construct a new SA layout and possibly
register it in the SA layout object. The SA layout is normally just
sent as an ordinary object record. But if we are constructing new
layouts while generating the send stream we'd have to build the SA
layout object dynamically and send it at the end of the stream.
For sending and receiving between pools that do support large dnodes,
the drr_object send record type is extended with a new field to store
the dnode slot count. This field was repurposed from unused padding
in the structure.
ZIL Replay
----------
The dnode slot count is stored in the uppermost 8 bits of the lr_foid
field. The bits were unused as the object id is currently capped at
48 bits.
Resizing Dnodes
---------------
It should be possible to resize a dnode when it is dirtied if the
current dnodesize dataset property differs from the dnode's size, but
this functionality is not currently implemented. Clearly a dnode can
only grow if there are sufficient contiguous unused slots in the
dnode block, but it should always be possible to shrink a dnode.
Growing dnodes may be useful to reduce fragmentation in a pool with
many spill blocks in use. Shrinking dnodes may be useful to allow
sending a dataset to a pool that doesn't support the large_dnode
feature.
Feature Reference Counting
--------------------------
The reference count for the large_dnode pool feature tracks the
number of datasets that have ever contained a dnode of size larger
than 512 bytes. The first time a large dnode is created in a dataset
the dataset is converted to an extensible dataset. This is a one-way
operation and the only way to decrement the feature count is to
destroy the dataset, even if the dataset no longer contains any large
dnodes. The complexity of reference counting on a per-dnode basis was
too high, so we chose to track it on a per-dataset basis similarly to
the large_block feature.
Signed-off-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #3542
2016-03-16 18:25:34 -07:00
|
|
|
/* add in number of slots used for the dnode itself */
|
2008-11-20 12:01:55 -08:00
|
|
|
*nblk512 = ((DN_USED_BYTES(dn->dn_phys) + SPA_MINBLOCKSIZE/2) >>
|
Implement large_dnode pool feature
Justification
-------------
This feature adds support for variable length dnodes. Our motivation is
to eliminate the overhead associated with using spill blocks. Spill
blocks are used to store system attribute data (i.e. file metadata) that
does not fit in the dnode's bonus buffer. By allowing a larger bonus
buffer area the use of a spill block can be avoided. Spill blocks
potentially incur an additional read I/O for every dnode in a dnode
block. As a worst case example, reading 32 dnodes from a 16k dnode block
and all of the spill blocks could issue 33 separate reads. Now suppose
those dnodes have size 1024 and therefore don't need spill blocks. Then
the worst case number of blocks read is reduced to from 33 to two--one
per dnode block. In practice spill blocks may tend to be co-located on
disk with the dnode blocks so the reduction in I/O would not be this
drastic. In a badly fragmented pool, however, the improvement could be
significant.
ZFS-on-Linux systems that make heavy use of extended attributes would
benefit from this feature. In particular, ZFS-on-Linux supports the
xattr=sa dataset property which allows file extended attribute data
to be stored in the dnode bonus buffer as an alternative to the
traditional directory-based format. Workloads such as SELinux and the
Lustre distributed filesystem often store enough xattr data to force
spill bocks when xattr=sa is in effect. Large dnodes may therefore
provide a performance benefit to such systems.
Other use cases that may benefit from this feature include files with
large ACLs and symbolic links with long target names. Furthermore,
this feature may be desirable on other platforms in case future
applications or features are developed that could make use of a
larger bonus buffer area.
Implementation
--------------
The size of a dnode may be a multiple of 512 bytes up to the size of
a dnode block (currently 16384 bytes). A dn_extra_slots field was
added to the current on-disk dnode_phys_t structure to describe the
size of the physical dnode on disk. The 8 bits for this field were
taken from the zero filled dn_pad2 field. The field represents how
many "extra" dnode_phys_t slots a dnode consumes in its dnode block.
This convention results in a value of 0 for 512 byte dnodes which
preserves on-disk format compatibility with older software.
Similarly, the in-memory dnode_t structure has a new dn_num_slots field
to represent the total number of dnode_phys_t slots consumed on disk.
Thus dn->dn_num_slots is 1 greater than the corresponding
dnp->dn_extra_slots. This difference in convention was adopted
because, unlike on-disk structures, backward compatibility is not a
concern for in-memory objects, so we used a more natural way to
represent size for a dnode_t.
The default size for newly created dnodes is determined by the value of
a new "dnodesize" dataset property. By default the property is set to
"legacy" which is compatible with older software. Setting the property
to "auto" will allow the filesystem to choose the most suitable dnode
size. Currently this just sets the default dnode size to 1k, but future
code improvements could dynamically choose a size based on observed
workload patterns. Dnodes of varying sizes can coexist within the same
dataset and even within the same dnode block. For example, to enable
automatically-sized dnodes, run
# zfs set dnodesize=auto tank/fish
The user can also specify literal values for the dnodesize property.
These are currently limited to powers of two from 1k to 16k. The
power-of-2 limitation is only for simplicity of the user interface.
Internally the implementation can handle any multiple of 512 up to 16k,
and consumers of the DMU API can specify any legal dnode value.
The size of a new dnode is determined at object allocation time and
stored as a new field in the znode in-memory structure. New DMU
interfaces are added to allow the consumer to specify the dnode size
that a newly allocated object should use. Existing interfaces are
unchanged to avoid having to update every call site and to preserve
compatibility with external consumers such as Lustre. The new
interfaces names are given below. The versions of these functions that
don't take a dnodesize parameter now just call the _dnsize() versions
with a dnodesize of 0, which means use the legacy dnode size.
New DMU interfaces:
dmu_object_alloc_dnsize()
dmu_object_claim_dnsize()
dmu_object_reclaim_dnsize()
New ZAP interfaces:
zap_create_dnsize()
zap_create_norm_dnsize()
zap_create_flags_dnsize()
zap_create_claim_norm_dnsize()
zap_create_link_dnsize()
The constant DN_MAX_BONUSLEN is renamed to DN_OLD_MAX_BONUSLEN. The
spa_maxdnodesize() function should be used to determine the maximum
bonus length for a pool.
These are a few noteworthy changes to key functions:
* The prototype for dnode_hold_impl() now takes a "slots" parameter.
When the DNODE_MUST_BE_FREE flag is set, this parameter is used to
ensure the hole at the specified object offset is large enough to
hold the dnode being created. The slots parameter is also used
to ensure a dnode does not span multiple dnode blocks. In both of
these cases, if a failure occurs, ENOSPC is returned. Keep in mind,
these failure cases are only possible when using DNODE_MUST_BE_FREE.
If the DNODE_MUST_BE_ALLOCATED flag is set, "slots" must be 0.
dnode_hold_impl() will check if the requested dnode is already
consumed as an extra dnode slot by an large dnode, in which case
it returns ENOENT.
* The function dmu_object_alloc() advances to the next dnode block
if dnode_hold_impl() returns an error for a requested object.
This is because the beginning of the next dnode block is the only
location it can safely assume to either be a hole or a valid
starting point for a dnode.
* dnode_next_offset_level() and other functions that iterate
through dnode blocks may no longer use a simple array indexing
scheme. These now use the current dnode's dn_num_slots field to
advance to the next dnode in the block. This is to ensure we
properly skip the current dnode's bonus area and don't interpret it
as a valid dnode.
zdb
---
The zdb command was updated to display a dnode's size under the
"dnsize" column when the object is dumped.
For ZIL create log records, zdb will now display the slot count for
the object.
ztest
-----
Ztest chooses a random dnodesize for every newly created object. The
random distribution is more heavily weighted toward small dnodes to
better simulate real-world datasets.
Unused bonus buffer space is filled with non-zero values computed from
the object number, dataset id, offset, and generation number. This
helps ensure that the dnode traversal code properly skips the interior
regions of large dnodes, and that these interior regions are not
overwritten by data belonging to other dnodes. A new test visits each
object in a dataset. It verifies that the actual dnode size matches what
was stored in the ztest block tag when it was created. It also verifies
that the unused bonus buffer space is filled with the expected data
patterns.
ZFS Test Suite
--------------
Added six new large dnode-specific tests, and integrated the dnodesize
property into existing tests for zfs allow and send/recv.
Send/Receive
------------
ZFS send streams for datasets containing large dnodes cannot be received
on pools that don't support the large_dnode feature. A send stream with
large dnodes sets a DMU_BACKUP_FEATURE_LARGE_DNODE flag which will be
unrecognized by an incompatible receiving pool so that the zfs receive
will fail gracefully.
While not implemented here, it may be possible to generate a
backward-compatible send stream from a dataset containing large
dnodes. The implementation may be tricky, however, because the send
object record for a large dnode would need to be resized to a 512
byte dnode, possibly kicking in a spill block in the process. This
means we would need to construct a new SA layout and possibly
register it in the SA layout object. The SA layout is normally just
sent as an ordinary object record. But if we are constructing new
layouts while generating the send stream we'd have to build the SA
layout object dynamically and send it at the end of the stream.
For sending and receiving between pools that do support large dnodes,
the drr_object send record type is extended with a new field to store
the dnode slot count. This field was repurposed from unused padding
in the structure.
ZIL Replay
----------
The dnode slot count is stored in the uppermost 8 bits of the lr_foid
field. The bits were unused as the object id is currently capped at
48 bits.
Resizing Dnodes
---------------
It should be possible to resize a dnode when it is dirtied if the
current dnodesize dataset property differs from the dnode's size, but
this functionality is not currently implemented. Clearly a dnode can
only grow if there are sufficient contiguous unused slots in the
dnode block, but it should always be possible to shrink a dnode.
Growing dnodes may be useful to reduce fragmentation in a pool with
many spill blocks in use. Shrinking dnodes may be useful to allow
sending a dataset to a pool that doesn't support the large_dnode
feature.
Feature Reference Counting
--------------------------
The reference count for the large_dnode pool feature tracks the
number of datasets that have ever contained a dnode of size larger
than 512 bytes. The first time a large dnode is created in a dataset
the dataset is converted to an extensible dataset. This is a one-way
operation and the only way to decrement the feature count is to
destroy the dataset, even if the dataset no longer contains any large
dnodes. The complexity of reference counting on a per-dnode basis was
too high, so we chose to track it on a per-dataset basis similarly to
the large_block feature.
Signed-off-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #3542
2016-03-16 18:25:34 -07:00
|
|
|
SPA_MINBLOCKSHIFT) + dn->dn_num_slots;
|
|
|
|
DB_DNODE_EXIT(db);
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
dmu_object_dnsize_from_db(dmu_buf_t *db_fake, int *dnsize)
|
|
|
|
{
|
|
|
|
dmu_buf_impl_t *db = (dmu_buf_impl_t *)db_fake;
|
|
|
|
dnode_t *dn;
|
|
|
|
|
|
|
|
DB_DNODE_ENTER(db);
|
|
|
|
dn = DB_DNODE(db);
|
|
|
|
*dnsize = dn->dn_num_slots << DNODE_SHIFT;
|
2010-08-26 14:24:34 -07:00
|
|
|
DB_DNODE_EXIT(db);
|
2008-11-20 12:01:55 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
byteswap_uint64_array(void *vbuf, size_t size)
|
|
|
|
{
|
|
|
|
uint64_t *buf = vbuf;
|
|
|
|
size_t count = size >> 3;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
ASSERT((size & 7) == 0);
|
|
|
|
|
|
|
|
for (i = 0; i < count; i++)
|
|
|
|
buf[i] = BSWAP_64(buf[i]);
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
byteswap_uint32_array(void *vbuf, size_t size)
|
|
|
|
{
|
|
|
|
uint32_t *buf = vbuf;
|
|
|
|
size_t count = size >> 2;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
ASSERT((size & 3) == 0);
|
|
|
|
|
|
|
|
for (i = 0; i < count; i++)
|
|
|
|
buf[i] = BSWAP_32(buf[i]);
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
byteswap_uint16_array(void *vbuf, size_t size)
|
|
|
|
{
|
|
|
|
uint16_t *buf = vbuf;
|
|
|
|
size_t count = size >> 1;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
ASSERT((size & 1) == 0);
|
|
|
|
|
|
|
|
for (i = 0; i < count; i++)
|
|
|
|
buf[i] = BSWAP_16(buf[i]);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* ARGSUSED */
|
|
|
|
void
|
|
|
|
byteswap_uint8_array(void *vbuf, size_t size)
|
|
|
|
{
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
dmu_init(void)
|
|
|
|
{
|
2016-07-22 11:52:49 -04:00
|
|
|
abd_init();
|
2010-05-28 13:45:14 -07:00
|
|
|
zfs_dbgmsg_init();
|
2010-08-26 14:24:34 -07:00
|
|
|
sa_cache_init();
|
|
|
|
xuio_stat_init();
|
|
|
|
dmu_objset_init();
|
2008-11-20 12:01:55 -08:00
|
|
|
dnode_init();
|
2010-05-28 13:45:14 -07:00
|
|
|
zfetch_init();
|
2012-01-20 10:58:57 -08:00
|
|
|
dmu_tx_init();
|
2008-11-20 12:01:55 -08:00
|
|
|
l2arc_init();
|
2012-12-14 16:13:40 -08:00
|
|
|
arc_init();
|
2016-06-02 00:04:53 -04:00
|
|
|
dbuf_init();
|
2008-11-20 12:01:55 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
dmu_fini(void)
|
|
|
|
{
|
2013-06-11 09:12:34 -08:00
|
|
|
arc_fini(); /* arc depends on l2arc, so arc must go first */
|
2012-12-14 16:13:40 -08:00
|
|
|
l2arc_fini();
|
2012-01-20 10:58:57 -08:00
|
|
|
dmu_tx_fini();
|
2010-05-28 13:45:14 -07:00
|
|
|
zfetch_fini();
|
2008-11-20 12:01:55 -08:00
|
|
|
dbuf_fini();
|
2010-08-26 14:24:34 -07:00
|
|
|
dnode_fini();
|
|
|
|
dmu_objset_fini();
|
2010-05-28 13:45:14 -07:00
|
|
|
xuio_stat_fini();
|
|
|
|
sa_cache_fini();
|
|
|
|
zfs_dbgmsg_fini();
|
2016-07-22 11:52:49 -04:00
|
|
|
abd_fini();
|
2008-11-20 12:01:55 -08:00
|
|
|
}
|
2010-08-26 11:49:16 -07:00
|
|
|
|
|
|
|
EXPORT_SYMBOL(dmu_bonus_hold);
|
2019-01-10 14:37:43 -08:00
|
|
|
EXPORT_SYMBOL(dmu_bonus_hold_by_dnode);
|
2012-02-17 12:09:21 -08:00
|
|
|
EXPORT_SYMBOL(dmu_buf_hold_array_by_bonus);
|
|
|
|
EXPORT_SYMBOL(dmu_buf_rele_array);
|
2013-08-01 09:39:46 -07:00
|
|
|
EXPORT_SYMBOL(dmu_prefetch);
|
2010-08-26 11:49:16 -07:00
|
|
|
EXPORT_SYMBOL(dmu_free_range);
|
2013-08-01 09:39:46 -07:00
|
|
|
EXPORT_SYMBOL(dmu_free_long_range);
|
2013-08-20 20:11:52 -08:00
|
|
|
EXPORT_SYMBOL(dmu_free_long_object);
|
2010-08-26 11:49:16 -07:00
|
|
|
EXPORT_SYMBOL(dmu_read);
|
2017-01-14 01:58:41 +03:00
|
|
|
EXPORT_SYMBOL(dmu_read_by_dnode);
|
2010-08-26 11:49:16 -07:00
|
|
|
EXPORT_SYMBOL(dmu_write);
|
2017-01-14 01:58:41 +03:00
|
|
|
EXPORT_SYMBOL(dmu_write_by_dnode);
|
2013-08-01 09:39:46 -07:00
|
|
|
EXPORT_SYMBOL(dmu_prealloc);
|
2010-08-26 11:49:16 -07:00
|
|
|
EXPORT_SYMBOL(dmu_object_info);
|
|
|
|
EXPORT_SYMBOL(dmu_object_info_from_dnode);
|
|
|
|
EXPORT_SYMBOL(dmu_object_info_from_db);
|
|
|
|
EXPORT_SYMBOL(dmu_object_size_from_db);
|
Implement large_dnode pool feature
Justification
-------------
This feature adds support for variable length dnodes. Our motivation is
to eliminate the overhead associated with using spill blocks. Spill
blocks are used to store system attribute data (i.e. file metadata) that
does not fit in the dnode's bonus buffer. By allowing a larger bonus
buffer area the use of a spill block can be avoided. Spill blocks
potentially incur an additional read I/O for every dnode in a dnode
block. As a worst case example, reading 32 dnodes from a 16k dnode block
and all of the spill blocks could issue 33 separate reads. Now suppose
those dnodes have size 1024 and therefore don't need spill blocks. Then
the worst case number of blocks read is reduced to from 33 to two--one
per dnode block. In practice spill blocks may tend to be co-located on
disk with the dnode blocks so the reduction in I/O would not be this
drastic. In a badly fragmented pool, however, the improvement could be
significant.
ZFS-on-Linux systems that make heavy use of extended attributes would
benefit from this feature. In particular, ZFS-on-Linux supports the
xattr=sa dataset property which allows file extended attribute data
to be stored in the dnode bonus buffer as an alternative to the
traditional directory-based format. Workloads such as SELinux and the
Lustre distributed filesystem often store enough xattr data to force
spill bocks when xattr=sa is in effect. Large dnodes may therefore
provide a performance benefit to such systems.
Other use cases that may benefit from this feature include files with
large ACLs and symbolic links with long target names. Furthermore,
this feature may be desirable on other platforms in case future
applications or features are developed that could make use of a
larger bonus buffer area.
Implementation
--------------
The size of a dnode may be a multiple of 512 bytes up to the size of
a dnode block (currently 16384 bytes). A dn_extra_slots field was
added to the current on-disk dnode_phys_t structure to describe the
size of the physical dnode on disk. The 8 bits for this field were
taken from the zero filled dn_pad2 field. The field represents how
many "extra" dnode_phys_t slots a dnode consumes in its dnode block.
This convention results in a value of 0 for 512 byte dnodes which
preserves on-disk format compatibility with older software.
Similarly, the in-memory dnode_t structure has a new dn_num_slots field
to represent the total number of dnode_phys_t slots consumed on disk.
Thus dn->dn_num_slots is 1 greater than the corresponding
dnp->dn_extra_slots. This difference in convention was adopted
because, unlike on-disk structures, backward compatibility is not a
concern for in-memory objects, so we used a more natural way to
represent size for a dnode_t.
The default size for newly created dnodes is determined by the value of
a new "dnodesize" dataset property. By default the property is set to
"legacy" which is compatible with older software. Setting the property
to "auto" will allow the filesystem to choose the most suitable dnode
size. Currently this just sets the default dnode size to 1k, but future
code improvements could dynamically choose a size based on observed
workload patterns. Dnodes of varying sizes can coexist within the same
dataset and even within the same dnode block. For example, to enable
automatically-sized dnodes, run
# zfs set dnodesize=auto tank/fish
The user can also specify literal values for the dnodesize property.
These are currently limited to powers of two from 1k to 16k. The
power-of-2 limitation is only for simplicity of the user interface.
Internally the implementation can handle any multiple of 512 up to 16k,
and consumers of the DMU API can specify any legal dnode value.
The size of a new dnode is determined at object allocation time and
stored as a new field in the znode in-memory structure. New DMU
interfaces are added to allow the consumer to specify the dnode size
that a newly allocated object should use. Existing interfaces are
unchanged to avoid having to update every call site and to preserve
compatibility with external consumers such as Lustre. The new
interfaces names are given below. The versions of these functions that
don't take a dnodesize parameter now just call the _dnsize() versions
with a dnodesize of 0, which means use the legacy dnode size.
New DMU interfaces:
dmu_object_alloc_dnsize()
dmu_object_claim_dnsize()
dmu_object_reclaim_dnsize()
New ZAP interfaces:
zap_create_dnsize()
zap_create_norm_dnsize()
zap_create_flags_dnsize()
zap_create_claim_norm_dnsize()
zap_create_link_dnsize()
The constant DN_MAX_BONUSLEN is renamed to DN_OLD_MAX_BONUSLEN. The
spa_maxdnodesize() function should be used to determine the maximum
bonus length for a pool.
These are a few noteworthy changes to key functions:
* The prototype for dnode_hold_impl() now takes a "slots" parameter.
When the DNODE_MUST_BE_FREE flag is set, this parameter is used to
ensure the hole at the specified object offset is large enough to
hold the dnode being created. The slots parameter is also used
to ensure a dnode does not span multiple dnode blocks. In both of
these cases, if a failure occurs, ENOSPC is returned. Keep in mind,
these failure cases are only possible when using DNODE_MUST_BE_FREE.
If the DNODE_MUST_BE_ALLOCATED flag is set, "slots" must be 0.
dnode_hold_impl() will check if the requested dnode is already
consumed as an extra dnode slot by an large dnode, in which case
it returns ENOENT.
* The function dmu_object_alloc() advances to the next dnode block
if dnode_hold_impl() returns an error for a requested object.
This is because the beginning of the next dnode block is the only
location it can safely assume to either be a hole or a valid
starting point for a dnode.
* dnode_next_offset_level() and other functions that iterate
through dnode blocks may no longer use a simple array indexing
scheme. These now use the current dnode's dn_num_slots field to
advance to the next dnode in the block. This is to ensure we
properly skip the current dnode's bonus area and don't interpret it
as a valid dnode.
zdb
---
The zdb command was updated to display a dnode's size under the
"dnsize" column when the object is dumped.
For ZIL create log records, zdb will now display the slot count for
the object.
ztest
-----
Ztest chooses a random dnodesize for every newly created object. The
random distribution is more heavily weighted toward small dnodes to
better simulate real-world datasets.
Unused bonus buffer space is filled with non-zero values computed from
the object number, dataset id, offset, and generation number. This
helps ensure that the dnode traversal code properly skips the interior
regions of large dnodes, and that these interior regions are not
overwritten by data belonging to other dnodes. A new test visits each
object in a dataset. It verifies that the actual dnode size matches what
was stored in the ztest block tag when it was created. It also verifies
that the unused bonus buffer space is filled with the expected data
patterns.
ZFS Test Suite
--------------
Added six new large dnode-specific tests, and integrated the dnodesize
property into existing tests for zfs allow and send/recv.
Send/Receive
------------
ZFS send streams for datasets containing large dnodes cannot be received
on pools that don't support the large_dnode feature. A send stream with
large dnodes sets a DMU_BACKUP_FEATURE_LARGE_DNODE flag which will be
unrecognized by an incompatible receiving pool so that the zfs receive
will fail gracefully.
While not implemented here, it may be possible to generate a
backward-compatible send stream from a dataset containing large
dnodes. The implementation may be tricky, however, because the send
object record for a large dnode would need to be resized to a 512
byte dnode, possibly kicking in a spill block in the process. This
means we would need to construct a new SA layout and possibly
register it in the SA layout object. The SA layout is normally just
sent as an ordinary object record. But if we are constructing new
layouts while generating the send stream we'd have to build the SA
layout object dynamically and send it at the end of the stream.
For sending and receiving between pools that do support large dnodes,
the drr_object send record type is extended with a new field to store
the dnode slot count. This field was repurposed from unused padding
in the structure.
ZIL Replay
----------
The dnode slot count is stored in the uppermost 8 bits of the lr_foid
field. The bits were unused as the object id is currently capped at
48 bits.
Resizing Dnodes
---------------
It should be possible to resize a dnode when it is dirtied if the
current dnodesize dataset property differs from the dnode's size, but
this functionality is not currently implemented. Clearly a dnode can
only grow if there are sufficient contiguous unused slots in the
dnode block, but it should always be possible to shrink a dnode.
Growing dnodes may be useful to reduce fragmentation in a pool with
many spill blocks in use. Shrinking dnodes may be useful to allow
sending a dataset to a pool that doesn't support the large_dnode
feature.
Feature Reference Counting
--------------------------
The reference count for the large_dnode pool feature tracks the
number of datasets that have ever contained a dnode of size larger
than 512 bytes. The first time a large dnode is created in a dataset
the dataset is converted to an extensible dataset. This is a one-way
operation and the only way to decrement the feature count is to
destroy the dataset, even if the dataset no longer contains any large
dnodes. The complexity of reference counting on a per-dnode basis was
too high, so we chose to track it on a per-dataset basis similarly to
the large_block feature.
Signed-off-by: Ned Bass <bass6@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #3542
2016-03-16 18:25:34 -07:00
|
|
|
EXPORT_SYMBOL(dmu_object_dnsize_from_db);
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 13:36:48 -04:00
|
|
|
EXPORT_SYMBOL(dmu_object_set_nlevels);
|
2010-08-26 11:49:16 -07:00
|
|
|
EXPORT_SYMBOL(dmu_object_set_blocksize);
|
2017-11-08 14:12:59 -05:00
|
|
|
EXPORT_SYMBOL(dmu_object_set_maxblkid);
|
2010-08-26 11:49:16 -07:00
|
|
|
EXPORT_SYMBOL(dmu_object_set_checksum);
|
|
|
|
EXPORT_SYMBOL(dmu_object_set_compress);
|
2013-08-01 09:39:46 -07:00
|
|
|
EXPORT_SYMBOL(dmu_write_policy);
|
|
|
|
EXPORT_SYMBOL(dmu_sync);
|
2012-02-10 11:53:09 -08:00
|
|
|
EXPORT_SYMBOL(dmu_request_arcbuf);
|
|
|
|
EXPORT_SYMBOL(dmu_return_arcbuf);
|
2017-09-28 11:49:13 -04:00
|
|
|
EXPORT_SYMBOL(dmu_assign_arcbuf_by_dnode);
|
|
|
|
EXPORT_SYMBOL(dmu_assign_arcbuf_by_dbuf);
|
2012-02-10 11:53:09 -08:00
|
|
|
EXPORT_SYMBOL(dmu_buf_hold);
|
2010-08-26 11:49:16 -07:00
|
|
|
EXPORT_SYMBOL(dmu_ot);
|
2012-04-27 16:20:31 -07:00
|
|
|
|
2017-02-07 10:44:03 -07:00
|
|
|
/* BEGIN CSTYLED */
|
2019-09-05 14:49:49 -07:00
|
|
|
ZFS_MODULE_PARAM(zfs, zfs_, nopwrite_enabled, INT, ZMOD_RW,
|
|
|
|
"Enable NOP writes");
|
2013-05-10 12:47:54 -07:00
|
|
|
|
2019-09-05 14:49:49 -07:00
|
|
|
ZFS_MODULE_PARAM(zfs, zfs_, per_txg_dirty_frees_percent, ULONG, ZMOD_RW,
|
|
|
|
"Percentage of dirtied blocks from frees in one TXG");
|
2017-03-24 17:28:38 -04:00
|
|
|
|
2019-09-05 14:49:49 -07:00
|
|
|
ZFS_MODULE_PARAM(zfs, zfs_, dmu_offset_next_sync, INT, ZMOD_RW,
|
2017-03-24 17:28:38 -04:00
|
|
|
"Enable forcing txg sync to find holes");
|
|
|
|
|
2019-09-05 14:49:49 -07:00
|
|
|
ZFS_MODULE_PARAM(zfs, , dmu_prefetch_max, INT, ZMOD_RW,
|
2019-06-12 13:13:09 -07:00
|
|
|
"Limit one prefetch call to this size");
|
2017-02-07 10:44:03 -07:00
|
|
|
/* END CSTYLED */
|