zfs_rename: support RENAME_* flags

[cyphar]

Motivation and Context

In order to allow overlayfs-on-ZFS (#8648), we need to support the renameat(2)
flags (most importantly, RENAME_WHITEOUT and RENAME_EXCHANGE). This
requires quite a few changes to the ordering of link operations during
rename (and the related error paths).

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

How Has This Been Tested?

I conducted a variety of smoke-tests to check that all of the renameat(2) flags (and ordinary rename) all operated correctly. After all the runs, I checked that there were no leaks with zdb -bbb. However, I have not tested the error path at all (and I have a feeling this is almost certainly where I've made mistakes).

• TODO: Run the rename-related xfstests.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Performance enhancement (non-breaking change which improves efficiency)
• Code cleanup (non-breaking change which makes code smaller or more readable)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation (a change to man pages or other documentation)

Checklist:

• My code follows the ZFS on Linux code style requirements.
• I have updated the documentation accordingly.
• I have read the contributing document.
• I have added tests to cover my changes.
• All new and existing tests passed.
• All commit messages are properly formatted and contain Signed-off-by.

[cyphar]

I think this is ready for review (this is my first ZFS patch, so I'm sure I've made quite a few bad mistakes but I've smoke-tested that the functionality works).

/cc @behlendorf

[rlaager]

I'm not well-versed in the ZFS kernel code, so perhaps this is obvious, but... what does the whiteout inode look like "on disk"? More specifically, is there a backwards compatibility issue here? In other words, what happens if I create a whiteout inode and then import my pool and mount the filesystem on a version of ZFS that predates your commits?

[cyphar]

@rlaager The whiteout inode in overlayfs is just a character device with major and minor numbers 0 (this is distinct from BSD's own whiteout concept which is a whole different kettle of fish). There is no special treatment in ZFS of such character devices, the only reason we have to treat it specially in zfs_rename is because the creation of the whiteout inode during the rename has to be done atomically.

So importing old pools or new pools on old machines won't change anything since the inode is just a bog-standard character device. You could make one with mknod foo c 0 0.

[rlaager]

@rlaager The whiteout inode in overlayfs is just a character device with major and minor numbers 0 (this is distinct from BSD's own whiteout concept which is a whole different kettle of fish). There is no special treatment in ZFS of such character devices, the only reason we have to treat it specially in zfs_rename is because the creation of the whiteout inode during the rename has to be done atomically.

Thanks. For other filesystems, do whiteout nodes work when the filesystem is mounted nodev? With your changes, is ZFS following that behavior with nodev/devices=off?

If the answer to the first question is "no", then that's an argument against devices=off in the Root-on-ZFS HOWTOs that I maintain, and I'd want to remove it.

[cyphar]

@rlaager MS_NODEV only disallows access to device inodes, it doesn't affect their creation. So RENAME_WHITEOUT does work (as does mknod) on a nodev-mounted filesystem. Since the purpose of a whiteout is to represent a tombstone for a file (which then overlayfs or other filesystems can use for internal representation), there's no need to ever access them.

It is my understanding that devices=off is supposed to operate in the same way, and from my testing it does.

[rlaager]

@cyphar Thanks!

[behlendorf]

@cyphar sorry about the delay in getting this reviewed. I should be able to take a proper look in the next week or so. Thank you in advance for implementing this needed functionality.

[cyphar]

No problem, totally understandable. :D

I haven't worked on ZFS code before so hopefully I didn't make too many mistakes with regards to the error path and how txgs actually operate (as far as I can tell, there's isn't a rollback-on-failure mechanism?). It's also possible that zfs_drop_nlink is completely un-necessary because re-linking should always succeed.

[cyphar]

/ping now that 0.8.1 is out.

[behlendorf]

@cyphar sorry for the delay, thanks for your patience. The broad stokes of the patch look reasonable to me. From my perspective, what's needed is to resolve the accidental on-disk format change and to add some test coverage. Additional comments inline.

[cyphar]

Alright @behlendorf, I've made the discussed changes. The only one that isn't yet possible to do is:

Since the target use case is overlayfs-on-ZFS let's make sure to add a test case for it.

Because we still need to solve the d_revalidate issue in #8774.

[cyphar]

@behlendorf When you take a look at this next can you please let me know whether zfs_drop_nlink() is actually needed and/or safe? My understanding of the link-related errors is that you shouldn't get one from zfs_link_create given that we just removed the link in this function (so zfs_drop_nlink() might be completely unnecessary).

I also don't like that this will basically BUG_ON if we happen to hit this error with a non-empty directory...

[behlendorf]

You should be able to use zfs_dirent_lock to lock the specific names to protect them. Then you wouldn't need to call zfs_drop_nlink here, since it shouldn't be possible for these operations to fail.

[codecov]

Codecov Report

Merging #8667 into master will decrease coverage by 1.24%.
The diff coverage is 42.85%.

@@            Coverage Diff             @@
##           master    #8667      +/-   ##
==========================================
- Coverage   78.71%   77.46%   -1.25%     
==========================================
  Files         388      377      -11     
  Lines      120071   119677     -394     
==========================================
- Hits        94512    92706    -1806     
- Misses      25559    26971    +1412

Flag	Coverage Δ
#kernel	77.54% <42.85%> (-1.97%)	⬇️
#user	65.86% <ø> (-0.65%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 186898b...4ea6f30. Read the comment docs.

[behlendorf]

nit: can you rename this zfs_replay_rename_impl which is the convention used by the rest of the code base.

[behlendorf]

Until now I didn't realize that glibc doesn't provide a wrapper for renameat2. I'd mention that here, or in the comment above, so it clear why this is needed.

[behlendorf]

nit: For new tests we've been moving away from the 00x prefix so let's remove it, and simply go with renameat2_noreplace.ksh, renameat2_exchange.ksh, renameat2_whiteout.ksh.

You're also going to need to add the following block to the tests/runfiles/linux.run file. This file controls which test cases get run, and defines some groups to make it easy to select tests.

index b73528e43..fec8cff5c 100644
--- a/tests/runfiles/linux.run
+++ b/tests/runfiles/linux.run
@@ -778,6 +778,10 @@ tests = ['removal_all_vdev', 'removal_check_space',
     'remove_mirror', 'remove_mirror_sanity', 'remove_raidz']
 tags = ['functional', 'removal']
 
+[tests/functional/renameat2]
+tests = ['renameat2_noreplace', 'renameat2_exchange', 'renameat2_whiteout']
+tags = ['functional', 'renameat2']
+
 [tests/functional/rename_dirs]
 tests = ['rename_dirs_001_pos']
 tags = ['functional', 'rename_dirs']

$ ./scripts/zfs-tests.sh -T renameat2
Test: /home/fedora/src/git/zfs/tests/zfs-tests/tests/functional/renameat2/setup (run as root) [00:00] [PASS]
...

[behlendorf]

Additionally, this new test command needs to be added to the command.cfg file. This allows the test suite to locate the command when running in the source tree.

index f8ad02246..e69c4c216 100644
--- a/tests/zfs-tests/include/commands.cfg
+++ b/tests/zfs-tests/include/commands.cfg
@@ -178,6 +178,7 @@ export ZFSTEST_FILES='chg_usr_exec
     randfree_file
     randwritecomp
     readmmap
+    renameat2
     rename_dir
     rm_lnkcnt_zero_file
     threadsappend

[behlendorf]

The tests/test-runner/bin/zts-report.py script is used by the test suite to try and summarize the overall test results. When a test might be legitimately skipped, it should be added to the maybe section of the script along with a brief reason. This prevents it from being marked as an unexpected failure.

I'd suggest modeling this after the functional/user_namespace tests which may also be skipped. By moving this check in to the setup.sh the entire test group can be skipped.

[behlendorf]

You've probably noticed when looking at some of the other code that we do allow declaring the variable closer to where they're first used. I'd suggest doing that with some of these to make their scope as clear as possible since this is a large function.

[behlendorf]

nit: what do you think about moving this check in to an else block to remove the redundant tzp check?

        /*
         * Does target exist?
         */
        if (tzp) {
                ...
        } else {
                /* Target must exist for RENAME_EXCHANGE. */
                if (txtype == TX_EXCHANGE) {
                        error = SET_ERROR(ENOENT);
                        goto out;
                }
        }

[behlendorf]

Rather than modify this existing complicated function so extensively, what if instead you added a new zfs_renameat2 which is solely responsible for handling RENAME_EXCHANGE and TX_WHITEOUT. That would potentially allow it to be simpler and remove the risk of accidentally breaking zfs_rename in some subtle way. (Or even a zfs_renameat2_exchange() and zfs_renameat2_whiteout if that falls out more cleanly).

[cyphar]

I could give this a shot, though there is a fair amount of shared code -- the main difference is right at the end in zfs_rename.

[behlendorf]

thee

[behlendorf]

You should be able to use zfs_dirent_lock to lock the specific names to protect them. Then you wouldn't need to call zfs_drop_nlink here, since it shouldn't be possible for these operations to fail.

[snajpa]

Well I gave it a shot and we can't rely on the dirent locks, the zfs_link_create is still allowed fail in one "edge" case. This test lays it out nicely (that's pretty much the only case this is allowed to fail and has to still return a nice error and not panic) ->

https://github.com/zfsonlinux/zfs/blob/master/tests/zfs-tests/tests/functional/casenorm/mixed_create_failure.ksh#L19

I've also considered separate functions for whiteout/exchange and still @cyphar's solution clearly wins to me (the functions would come out really similar, so it'd even make it harder to understand what the subtle differences are).

So I'll revert to using these patches in full and then just tend to the intent log part - at least if nobody has no better ideas...

[cyphar]

@snajpa I can't think of any other workarounds -- my only concern is whether zfs_drop_nlinks is subtly broken somehow (and the fact that it completely borks if you are doing a RENAME_EXCHANGE of a non-empty directory). Personally I find the way errors are handled within ZFS to be really strange (given ZFS is transactional in nature, I was surprised that error handling couldn't be done with "simple" rollbacks to the state before the transaction started).

[cyphar]

This is being carried by #9414.