implement corruption correcting recv

[alek-p]

This patch implements a new type of zfs receive: corrective receive (-c). This type of recv is used to heal corrupted data when a replica of the data already exists (in the form of a sendfile for example).
Metadata can not be healed using a corrective receive.

This patch enables us to receive a send stream into an existing snapshot for the purpose of correcting data corruption.

This is the updated version of the patch in #9323

Motivation and Context

In the past in the rare cases where ZFS has experienced permanent data corruption, full recovery of the dataset(s) has not always been possible even if replicas existed.
This patch makes recovery from permanent data corruption possible.

Description

For every write record in the send stream, we read the corresponding block from disk and if that read fails with a checksum error we overwrite that block with data from the send stream.
After the data is healed we reread the block to make sure it's healed and remove the healed blocks form the corruption lists seen in zpool status.

To makes sure will have correctly matched the data in the send stream to the right dataset to heal there is a restriction that the GUID for the snapshot being received into must match the GUID in the send stream. There are likely several snapshots referring to the same potentially corrupted data so there may be many snapshots with the above condition holding that are able to heal a single block.

The other thing to point out is that we can only correct data. Specifically, we are only able to heal records of type DRR_WRITE.

To help with the review you can see my OpenZFS dev summit 2019 talk for more context on this work:
video: https://www.youtube.com/watch?v=JldbtDATrOo
slides: https://drive.google.com/file/d/1Ysc_3bJWmsJCETFNTRCzyvpseDpzjjf2/view

How Has This Been Tested?

I've been running unit testing very similar to the test that I've added to the zfs-tests

Future Work

Since DRR_SPILL record also (like DRR_WRITE) contains all of the data needed to recreate the damaged block - a future project could add support for healing of DRR_SPILL records.
The next logical extension for part two of this work is to provide a way for a corrupted pool to tell a backup system to generate a minimal send stream in such a way as to enable the corrupted pool to be healed with this generated send stream.
The interface could be something like the following, but maybe there are better suggestions?

# dumps spa err list that are part of this snapshot and the snapshot guid
zfs send -C data/fs@snap > /tmp/errlist 

# on replica system generates healing sendfile based on the errors list
zfs send -cc /tmp/errlist backup_data > /tmp/healing_sendfile

# heal our data with the minimal healing sendfile
zfs recv -c data/fs@snap < /tmp/healing_sendfile

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Performance enhancement (non-breaking change which improves efficiency)
• Code cleanup (non-breaking change which makes code smaller or more readable)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation (a change to man pages or other documentation)

Checklist:

• My code follows the ZFS on Linux code style requirements.
• I have updated the documentation accordingly.
• I have read the contributing document.
• I have added tests to cover my changes.
• All new and existing tests passed.
• All commit messages are properly formatted and contain Signed-off-by.

[megari]

This feature is indeed really nice to have. However, I am curious about whether it would - even theoretically - be possible to heal metadata using a corrective receive. Support for that would definitely be a killer feature.

[alek-p]

This feature is indeed really nice to have. However, I am curious about whether it would - even theoretically - be possible to heal metadata using a corrective receive. Support for that would definitely be a killer feature.

I agree that it would be great to be able to heal metadata but as far as I know, there isn't enough information in the send file to do that.
We are only able to heal records of type DRR_WRITE and DRR_SPILL since those are the only ones (again afaik) that contain all of the data needed to recreate damaged blocks.

[alek-p]

I've fixed the re-encryption code so this is ready for review now.

[codecov]

Codecov Report

Merging #9372 into master will decrease coverage by <1%.
The diff coverage is 70%.

@@           Coverage Diff            @@
##           master    #9372    +/-   ##
========================================
- Coverage      80%      79%   -<1%     
========================================
  Files         384      384            
  Lines      121788   122069   +281     
========================================
- Hits        96900    96897     -3     
- Misses      24888    25172   +284

Flag	Coverage Δ
#kernel	80% <72%> (ø)	⬇️
#user	67% <15%> (ø)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a340316...d3ec54e. Read the comment docs.

[ahrens]

For human readability of the source code, I'd recommend line-breaking the string after a space.

[ahrens]

For human readability of the source code, I'd recommend line-breaking the string after a space.

[ahrens]

I'm not entirely convinced of the utility of this, because (AIUI) we only remove errors that were reported against the snapshot that we are doing the healing receive into. A block with a checksum error will often be referenced by multiple datasets (due to snapshots), and an error will be reported on any datasets via which we access the bad block. Typical cases are:

• running a scrub, in which case the error will be reported against the first snapshot that references it
• reading from a filesystem, in which case the error will be reported against the filesystem.

In either case, the dataset that we are receiving into may be a different dataset then the one that the error was reported against, in which case the "remove healed errors" logic accomplishes nothing.

Running a scrub after the healing receive (as recommended in the manpage additions) is really the only way to get an updated list of errors.

That said, with the addition of #9175, we could potentially remove all relevant error reports.

[alek-p]

I can remove the error clean up easily if we think that's cleaner.
I figured a relatively common use case for healing recv would be trying to heal using the snapshot that a scrub has IDed as corrupted. We then take this snapshot from the remote side and use it for healing. In this scenario, I figured it would make sense to then remove the errlog entry associated with the fixed blocks.

[ahrens]

I see, that does seem like a realistic use case.

[ahrens]

When would drr_logical_size be less than 32? I think it couldn't since the minimum block size is 512. Why are we reading 32 bytes? Why do we need to kmem_alloc 32 bytes, vs allocating on the stack? Why not just one byte? Do we want to check that drr_logical_size is the same as the object's block size (which I think it might not be if we are toggling the --large-block flag).

[ahrens]

This explains what is happening, which the code also makes fairly obvious. It would be helpful for the comment to explain why we want to do this. For example, EIO indicates that the device is not present/accessible, so writing to it will likely fail. And if the block is healthy, we don't want the added i/o cost, and/or we don't want to overwrite stuff unnecessarily.

[ahrens]

[nit] there's an extra space (2 spaces) after the first comma:

,  &

[ahrens]

it might simplify the error handling in do_corrective_recv() if we expected it to never consume the abuf, in which case we would do if (err == 0) dmu_return_arcbuf(abuf); here

[ahrens]

if err == 0 but no_crypt != 0, I think that we are expected to consume arc_buf (per our caller's requirements). However, in practice I don't think that we can get no_crypt !=0 since we are not dealing with DMU_OT_[INTENT_LOG,DNODE]. I think we could instead ASSERT0(no_crypt), and simply return (err) below.

[ahrens]

I'm pretty sure that compression happens before encryption. Compressing the encrypted data will rarely yield any savings. Assuming I'm right, it seems that these code paths have not been tested. It would be good to add some tests to the test suite to exercise them. e.g.:

• uncompressed stream heals compressed block
• unencrypted stream heals encrypted block
• stream w/different compression heals differently-compressed block
• uncompressed (& unencrypted) stream heals compressed & encrypted block

[alek-p]

fixed

[ahrens]

this might be simplified by using zio_checksum_error_impl(), in which case you could verify the checksum before creation the zio, and not have to save the bp_cksum.

[alek-p]

I'm not sure that using this rather complicated function is simpler than stashing the BP and using the macro

[alek-p]

Thanks for the review Matt! I'll start working through these comments this weekend.

[ghost]

We're already destroying the pool, this isn't necessary.

[ghost]

Why not just rm -f $ibackup $raw_backup $backup.

[ghost]

Can you use a different pool name and leave $TESTPOOL, so you don't have to worry about destroying and recreating it? Otherwise, this should be a bit more tolerant, with poolexists $TESTPOOL && destroy_pool $TESTPOOL here and in cleanup, and cleanup should recreate the pool more like it is set up in setup.ksh to keep surprises to a minimum for the next test (when added).

[alek-p]

Thanks for the review Ryan, I need to expand the the testing to include spill block healing and will try to incorporate your feedback then.

[alek-p]

I've rebased this code, it's close to ready but it still needs more work with regards to how abd/zio is handled. There are some leaks present in the current version...

[codecov-commenter]

Codecov Report

Merging #9372 (54451af) into master (161ed82) will increase coverage by 4.41%.
The diff coverage is 69.27%.

❗ Current head 54451af differs from pull request most recent head b9fce85. Consider uploading reports for the commit b9fce85 to get more accurate results

@@            Coverage Diff             @@
##           master    #9372      +/-   ##
==========================================
+ Coverage   75.17%   79.59%   +4.41%     
==========================================
  Files         402      395       -7     
  Lines      128071   125378    -2693     
==========================================
+ Hits        96283    99789    +3506     
+ Misses      31788    25589    -6199     

Flag	Coverage Δ
kernel	80.39% <69.14%> (+1.63%)	⬆️
user	64.92% <15.54%> (+17.49%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
module/zfs/zio.c	88.77% <ø> (+3.17%)	⬆️
module/zfs/dmu.c	86.49% <50.00%> (+2.76%)	⬆️
module/zfs/dmu_recv.c	74.01% <60.88%> (+5.34%)	⬆️
lib/libzfs/libzfs_sendrecv.c	76.66% <87.80%> (+12.33%)	⬆️
module/zfs/spa_errlog.c	91.27% <92.68%> (-2.62%)	⬇️
cmd/zfs/zfs_main.c	82.82% <100.00%> (+1.21%)	⬆️
lib/libzfs_core/libzfs_core.c	84.86% <100.00%> (+1.66%)	⬆️
module/zfs/spa.c	87.34% <100.00%> (+2.86%)	⬆️
module/zfs/zfs_ioctl.c	86.39% <100.00%> (+1.06%)	⬆️
include/os/linux/zfs/sys/trace_acl.h	33.33% <0.00%> (-33.34%)	⬇️
... and 263 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 34aa0f0...b9fce85. Read the comment docs.

[tony-zfs]

Hi @alek-p - in regards to the memory leaks, the receive_process_write_record (with rwa->heal set) is returning EAGAIN, but it does not add the receive_record_arg structure to the rwa->write_batch listhead. The kmem_free was also removed when it doesn't hit the EAGAIN cases for non corrective use cases.

I modified the writer thread to circumvent this situation in a local branch:

diff --git a/module/zfs/dmu_recv.c b/module/zfs/dmu_recv.c
index 7d29547..816632d 100644
--- a/module/zfs/dmu_recv.c
+++ b/module/zfs/dmu_recv.c
@@ -2955,9 +2955,12 @@ receive_writer_thread(void *arg)
                 * raw->write_batch), and will be used again, so we don't
                 * free it.
                 */
-               if (err != EAGAIN) {
+               if (rwa->heal) {
+                       kmem_free(rrd, sizeof (*rrd));
+               } else if (err != EAGAIN) {
                        if (rwa->err == 0)
                                rwa->err = err;
+                       kmem_free(rrd, sizeof (*rrd));
                }
        }
        kmem_free(rrd, sizeof (*rrd));

[alek-p]

Hi @alek-p - in regards to the memory leaks, the receive_process_write_record (with rwa->heal set) is returning EAGAIN, but it does not add the receive_record_arg structure to the rwa->write_batch listhead. The kmem_free was also removed when it doesn't hit the EAGAIN cases for non corrective use cases.

I modified the writer thread to circumvent this situation in a local branch:

diff --git a/module/zfs/dmu_recv.c b/module/zfs/dmu_recv.c
index 7d29547..816632d 100644
--- a/module/zfs/dmu_recv.c
+++ b/module/zfs/dmu_recv.c
@@ -2955,9 +2955,12 @@ receive_writer_thread(void *arg)
                 * raw->write_batch), and will be used again, so we don't
                 * free it.
                 */
-               if (err != EAGAIN) {
+               if (rwa->heal) {
+                       kmem_free(rrd, sizeof (*rrd));
+               } else if (err != EAGAIN) {
                        if (rwa->err == 0)
                                rwa->err = err;
+                       kmem_free(rrd, sizeof (*rrd));
                }
        }
        kmem_free(rrd, sizeof (*rrd));

thanks for looking into this Tony! Afaik the only thing left now is making sure the testing is robust enough and included spill records healing.

[alek-p]

I've hard a hard time trying to get spill block generated so I did a manual test by running the added corrective recv test with the following patch applied:

diff --git a/module/zfs/sa.c b/module/zfs/sa.c
index 977e729fe..8e4a8c388 100644
--- a/module/zfs/sa.c
+++ b/module/zfs/sa.c
@@ -1016,6 +1016,7 @@ sa_setup(objset_t *os, uint64_t sa_obj, sa_attr_reg_t *reg_attrs, int count,
        sa = kmem_zalloc(sizeof (sa_os_t), KM_SLEEP);
        mutex_init(&sa->sa_lock, NULL, MUTEX_NOLOCKDEP, NULL);
        sa->sa_master_obj = sa_obj;
+       sa->sa_force_spill = B_TRUE;

        os->os_sa = sa;
        mutex_enter(&sa->sa_lock);

I think this is ready for the next round of reviews.

[pepsinio]

Would this fix make it to release soon?

[GregorKopka]

Would this fix make it to release soon?

@behlendorf ?

[behlendorf]

This feature will make it in to the OpenZFS 2.2 release.

[pepsinio]

This is a huge improvement. The last missing piece for my use case with offsite backup, no RaidZ and having low throughput link which makes it difficult to recreate datasets with ease in case of errors. Quite certain i am not the only one on this boat.

[FlorianHeigl]

@pepsinio you're not the only one on that boat. I follow this topic since before the PR was opened. no WAN use case but the generally understanding that this is a major resilience feature that stabilizes many related bits and bytes.