From: Jeff Layton <jlayton@redhat.com>
To: Gregory Farnum <gfarnum@redhat.com>
Cc: Patrick Donnelly <pdonnell@redhat.com>, dev <dev@ceph.io>,
"open list:CEPH DISTRIBUTED..." <ceph-devel@vger.kernel.org>
Subject: Re: fscrypt and file truncation on cephfs
Date: Fri, 12 Mar 2021 15:24:24 -0500 [thread overview]
Message-ID: <ba57992848772901cd04d56ab0530360d2b9423c.camel@redhat.com> (raw)
In-Reply-To: <CAJ4mKGZ2vC7AcmR2BKR30ZuipLNC4GB-3gpS4K1zfeEHH4fwbQ@mail.gmail.com>
On Fri, 2021-03-12 at 11:45 -0800, Gregory Farnum wrote:
> On Fri, Mar 12, 2021 at 4:49 AM Jeff Layton <jlayton@redhat.com> wrote:
> >
> > On Fri, 2021-03-12 at 00:43 -0800, Gregory Farnum wrote:
>
> > > ...although in my current sleep-addled state, I'm actually not sure we
> > > need to add any permanent storage to the MDS to handle this case! We
> > > can probably just extend the front-end truncate op so that it can take
> > > a separate "real-truncate-size" and the logical file size, can't we?
> >
> > That would be one nice thing about the approach of #1. Truncating the
> > size downward is always done via an explicit SETATTR op (I think), so we
> > could just extend that with a new field for that tells the MDS where to
> > stop truncating.
> >
> > Note that regardless of the approach we choose, the client will still
> > need to do a read/modify/write on the edge block before we can really
> > treat the truncation as "done". I'm not yet sure whether that has any
> > bearing on the consistency/safety of the truncation process.
>
> Wait what? Let's talk more about that: I can't emphasize enough how
> much you really, *really* don't want to require clients to do a RMW to
> RADOS that is coordinated with MDS state changes that may modify the
> same objects.
>
> Isn't it enough for:
> 1) truncate op sets file size to new logical size, and truncate_size
> to end of crypto block
> 2) clients do rados reads until the end of the crypto block and throw
> away the data past the logical end-of-file when serving IO
> 3) clients can remove the old data on a write when they feel like it
> and then set truncate_size to the real file size
>
> The only tricky bit there is making sure the MDS respects the
> truncate_size everywhere it needs to, and doesn't inadvertently force
> it down to the file size when we don't want that happening.
>
That sounds like it would work. I'll probably take something like that
approach.
In principle, the MDS really should not care about the logical size of
the file at all. All it needs to know is how big the actual backing
objects are, and that will always be rounded up to the next crypto
block.
So, I'm sort of a fan of the idea of having a "private" size field that
only the clients with valid the crypto keys use. Everything else would
just report (and deal with) the rounded-up size. So, the clients would
always set the current inode size field to the rounded-up size, and then
maintain the actual logical file size in their private field.
This has the advantage that we don't need to tinker with the MDS
mechanics so much -- only extend the inode with the new field (which
sucks, but is a reasonably mechanical change).
This also dovetails nicely with having the client "lazily" zero-pad the
EOF block after resetting the size.
> I do foresee one leak, which is how we handle probing for file size
> when a client with write caps disappears[2], but that's going to be
> the case no matter what solution we come up with unless we're willing
> to tolerate a two-phase commit. Which would be *awful*[1].
> -Greg
>
> [1]: We're talking about needing to send a crypto-truncate to the MDS,
> have it withdraw all client caps, return a new "start your phase"
> message/state which grants read and write caps to the truncating
> client (which I have no idea how we'd do while a logical MDS write is
> happening), have the client do the RMW on the tail object and return
> its caps, commit the new file size, and then return the final op and
> re-issue caps — and handle cleaning up if the client fails at any
> point in that process. I guess if we did manage to jump through all
> those hoops, client failure recovery would be deterministic and
> accurate based on if the final object size was larger than or equal to
> the attempted new size...
How does this probing work today?
> [2]: And now that I think about the implications of crypto some more,
> we can even fix this. Since crypto clients can never do rados append
> ops (and I don't think we can in the FS *anyway*?) we can just have
> all crypto-client writes include setting a "logical size" xattr on the
> rados object that the MDS can use when probing. We maybe should do
> that for everything, actually...
>
That does sound like a good idea, and it wouldn't be too difficult to
implement since we're already going to be moving to doing more multi-op
OSD write calls anyway.
--
Jeff Layton <jlayton@redhat.com>
next prev parent reply other threads:[~2021-03-12 20:25 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-11 16:14 fscrypt and file truncation on cephfs Jeff Layton
2021-03-12 4:17 ` Patrick Donnelly
2021-03-12 8:43 ` Gregory Farnum
2021-03-12 12:48 ` Jeff Layton
2021-03-12 19:45 ` Gregory Farnum
2021-03-12 20:24 ` Jeff Layton [this message]
2021-03-12 23:36 ` Gregory Farnum
2021-03-18 19:20 ` Jeff Layton
2021-03-19 18:53 ` Gregory Farnum
2021-03-12 12:38 ` Jeff Layton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ba57992848772901cd04d56ab0530360d2b9423c.camel@redhat.com \
--to=jlayton@redhat.com \
--cc=ceph-devel@vger.kernel.org \
--cc=dev@ceph.io \
--cc=gfarnum@redhat.com \
--cc=pdonnell@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).