Date: Sat, 18 Nov 2023 14:03:11 -0800 From: Rick Macklem <rick.macklem@gmail.com> To: Ronald Klop <ronald@freebsd.org> Cc: FreeBSD CURRENT <freebsd-current@freebsd.org>, Rick Macklem <rmacklem@freebsd.org> Subject: Re: NFS exports of ZFS snapshots broken Message-ID: <CAM5tNy7-meUPD-2kZ039E0N-Out9mNdbUZdYp=8sAP0RABkyzw@mail.gmail.com> In-Reply-To: <805acb16-ee6f-4d09-b01b-39d9ae3f8c86@FreeBSD.org> References: <25943.60056.880614.452966@hergotha.csail.mit.edu> <DDC3BBBB-561A-4779-B076-83EC054859C2@karels.net> <CAM5tNy6gcThf0nrcs4iC8r6J8cMFOHdUNcUjfJVDSpTW_tqXKQ@mail.gmail.com> <ACAFC3CD-0024-4076-8C69-CAA3B1550B41@karels.net> <AB4690A9-A8F4-490B-82AA-358CD8118DF0@karels.net> <CAM5tNy5LGWF424i9v_w2u%2B41wtzmW9kn6RZWwo6Pi0Y4wj92UA@mail.gmail.com> <805acb16-ee6f-4d09-b01b-39d9ae3f8c86@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Nov 18, 2023 at 10:47=E2=80=AFAM Ronald Klop <ronald@freebsd.org> w= rote: > > CAUTION: This email originated from outside of the University of Guelph. = Do not click links or open attachments unless you recognize the sender and = know the content is safe. If in doubt, forward suspicious emails to IThelp@= uoguelph.ca. > > > On 11/18/23 17:09, Rick Macklem wrote: > > On Fri, Nov 17, 2023 at 8:19=E2=80=AFPM Mike Karels <mike@karels.net> w= rote: > >> > >> On 17 Nov 2023, at 22:14, Mike Karels wrote: > >> > >>> On 17 Nov 2023, at 21:24, Rick Macklem wrote: > >>> > >>>> Most of the changes in stable/13 that are not in releng/13.2 > >>>> are the "make it work in a jail" stuff. Unfortunately, they are > >>>> a large # of changes (mostly trivial edits adding vnet macros), > >>>> but it also includes export check changes. > >>>> > >>>> I have attached a trivial patch that I think disables the export > >>>> checks for jails. If either of you can try it and see if it fixes > >>>> the problem, that would be great. > >>>> (Note that this is only for testing, although it probably does not > >>>> matter unless you are running nfsd(8) in vnet jails.) > >>> > >>> Yes, I can see snapshots with the patch. This system is just a test > >>> system that doesn't normally run ZFS or NFS, so no problem messing > >>> with permissions. It's a bhyve VM, so I just added a small disk and > >>> enabled ZFS for testing. > >> > >> btw, you might try to get mm@ or maybe mav@ to help out from the ZFS > >> side. It must be doing something differently inside a snapshot than > >> outside, maybe with file handles or something like that. > > Yes. I've added freebsd-current@ (although Garrett is not on it, he is > > cc'd) and these guys specifically... > > > > So, here's what appears to be the problem... > > Commit 88175af (in main and stable/13, but not 13.2) added checks for > > nfsd(8) running in jails by filling in mnt_exjail with a reference to t= he cred > > used when the file system is exported. > > When mnt_exjail is found NULL, the current nfsd code assumes that there > > is no access allowed for the mount. > > > > My vague understanding is that when a ZFS snapshot is accessed, it is > > "pseudo-mounted" by zfsctl_snapdir_lookup() and I am guessing that > > mnt_exjail is NULL as a result. > > Since I do not know the ZFS code and don't even have an easy way to > > test this (thankfully Mike can test easily), I do not know what to do f= rom > > here? > > > > Is there a "struct mount" constructed for this pseudo mount > > (or it actually appears to be the lookup of ".." that fails, so it > > might be the parent of the snapshot subdir?)? > > > > One thought is that I can check to see if the mount pointer is in the > > mountlist (I don't think the snapshot's mount is in the mountlist) and > > avoid the jail test for this case. This would assume that snapshots ar= e > > always within the file system(s) exported via that jail (which includes > > the case of prison0, of course), so that they do not need a separate > > jail check. > > > > If this doesn't work, there will need to be some sort of messing about > > in ZFS to set mnt_exjail for these. > > > > I will try and get a test setup going here, which leads me to.. > > how do I create a ZFS snapshot? (I do have a simple ZFS pool running > > on a test machine, but I've never done a snapshot.) > > # zfs list > ... > zroot/usr/local 4.59G 27.5G 2.76G /usr/loca= l > zroot/usr/ports 1.03G 27.5G 952M /usr/port= s > ... > > # zfs snapshot zroot/usr/local@myfirstsnapshot > -- to view them > # zfs list -t snapshot zroot/usr/local > -- and to remove it: > # zfs destroy zroot/usr/local@myfirstsnapshot > -- more info > # man zfs-snapshot > > If you get used to this you are going to love it. :-) Not likely. My test systems are old laptops and don't need fancy storage. However, I do have one very simple setup for testing. To give you a clue, it's called /example because the description I found to do it used "example" and I didn't even realize it would end up as the name of the mount. However, thanks to Mike and others, I do now have a snapshot on it. Now, as noted in my other post, comes the hard part. I hope I can identify that the "mount is special and refers to a snapshot" from the *mp, so I can avoid the mp->mnt_exjail =3D=3D NULL check for this case. I'd like to avoid having to get ZFS set mnt_exjail for the snapshots. Thanks, rick > > Regards and happy hacking, > Ronald. > > > > > > Although this problem is not in 13.2, it will have shipped in 14.0. > > > > Any help with be appreciated, rick > > > >> > >> Mike > >>> > >>>> rick > >>>> > >>>> On Fri, Nov 17, 2023 at 6:14=E2=80=AFPM Mike Karels <mike@karels.net= > wrote: > >>>>> > >>>>> CAUTION: This email originated from outside of the University of Gu= elph. Do not click links or open attachments unless you recognize the sende= r and know the content is safe. If in doubt, forward suspicious emails to I= Thelp@uoguelph.ca. > >>>>> > >>>>> > >>>>> Rick, have you been following this thread on freebsd-stable? I hav= e been able > >>>>> to reproduce this using a 13-stable server from Oct 7 and a 15-curr= ent system > >>>>> that is up to date using NFSv3. I did not reproduce with a 13.2 se= rver. The > >>>>> client was running 13.2. Any ideas? A full bisect seems fairly pa= inful, but > >>>>> maybe you have an idea of points to try. Fortunately, these are al= l test > >>>>> systems that I can reboot at will. > >>>>> > >>>>> Mike > >>>>> > >>>>> Forwarded message: > >>>>> > >>>>>> From: Garrett Wollman <wollman@bimajority.org> > >>>>>> To: Mike Karels <mike@karels.net> > >>>>>> Cc: freebsd-stable@freebsd.org > >>>>>> Subject: Re: NFS exports of ZFS snapshots broken > >>>>>> Date: Fri, 17 Nov 2023 17:35:04 -0500 > >>>>>> > >>>>>> <<On Fri, 17 Nov 2023 15:57:42 -0600, Mike Karels <mike@karels.net= > said: > >>>>>> > >>>>>>> I have not run into this, so I tried it just now. I had no probl= em. > >>>>>>> The server is 13.2, fully patched, the client is up-to-date -curr= ent, > >>>>>>> and the mount is v4. > >>>>>> > >>>>>> On my 13.2 client and 13-stable server, I see: > >>>>>> > >>>>>> 25034 ls CALL open(0x237d32f9a000,0x120004<O_RDONLY|O_NON= BLOCK|O_DIRECTORY|O_CLOEXEC>) > >>>>>> 25034 ls NAMI "/mnt/tools/.zfs/snapshot/weekly-2023-45" > >>>>>> 25034 ls RET open 4 > >>>>>> 25034 ls CALL fcntl(0x4,F_ISUNIONSTACK,0x0) > >>>>>> 25034 ls RET fcntl 0 > >>>>>> 25034 ls CALL getdirentries(0x4,0x237d32faa000,0x1000,0x2= 37d32fa7028) > >>>>>> 25034 ls RET getdirentries -1 errno 5 Input/output error > >>>>>> 25034 ls CALL close(0x4) > >>>>>> 25034 ls RET close 0 > >>>>>> 25034 ls CALL exit(0) > >>>>>> > >>>>>> Certainly a libc bug here that getdirentries(2) returning [EIO] > >>>>>> results in ls(1) returning EXIT_SUCCESS, but the [EIO] error is > >>>>>> consistent across both FreeBSD and Linux clients. > >>>>>> > >>>>>> Looking at this from the RPC side: > >>>>>> > >>>>>> (PUTFH, GETATTR, LOOKUP(snapshotname), GETFH, GETATTR) > >>>>>> [NFS4_OK for all ops] > >>>>>> (PUTFH, GETATTR) > >>>>>> [NFS4_OK, NFS4_OK] > >>>>>> (PUTFH, ACCESS(0x3f), GETATTR) > >>>>>> [NFS4_OK, NFS4_OK, rights =3D 0x03, NFS4_OK] > >>>>>> (PUTFH, GETATTR, LOOKUPP, GETFH, GETATTR) > >>>>>> [NFS4_OK, NFS4_OK, NFS4ERR_NOFILEHANDLE] > >>>>>> > >>>>>> and at this point the [EIO] is returned. > >>>>>> > >>>>>> It seems that clients always do a LOOKUPP before calling READDIR, = and > >>>>>> this is failing when the subject file handle is the snapshot. The > >>>>>> client is perfectly able to *traverse into* the snapshot: if I try= to > >>>>>> list a subdirectory I know exists in the snapshot, the client is a= ble to > >>>>>> LOOKUP(dirname) just fine, but LOOKUPP still fails with > >>>>>> NFS4ERR_NOFILEHANDLE *on the subndirectory*. > >>>>>> > >>>>>> -GAWollman > >>>>> > > >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAM5tNy7-meUPD-2kZ039E0N-Out9mNdbUZdYp=8sAP0RABkyzw>