Re: Incremental receive completes succesfully despite missing files

From: Dennis Katsonis <dennisk@netspace.net.au>
To: unlisted-recipients:; (no To-header on input)
Cc: Btrfs BTRFS <linux-btrfs@vger.kernel.org>
Subject: Re: Incremental receive completes succesfully despite missing files
Date: Wed, 23 Jan 2019 21:44:24 +1100	[thread overview]
Message-ID: <3cfb98e1-92d4-150c-445c-9357cec9adca@netspace.net.au> (raw)
In-Reply-To: <CAJCQCtSOBcK=MXLUFVZk6YCrFx60UEH7PgOtPYbcRkfjG0XDyQ@mail.gmail.com>

On 1/22/19 9:23 AM, Chris Murphy wrote:
> On Sun, Jan 20, 2019 at 3:34 AM Dennis K <dennisk@netspace.net.au> wrote:
>>
>> Apologies in advance, if the issue I put forward is actually the
>> intended behavior of BTRFS.
>>
>> I have noted while playing with sub-volumes, and trying to determine
>> what exactly are the requirements for a subvolume to act as a legitimate
>> parent during a receive operation, that modification of one subvolume,
>> can affect children subvolumes that are received.
>>
>> It's possible I have noted this before when directories which I though
>> should have existed in the destination volume, where not present,
>> despite being present in the snapshot at the sending end.  (ie, a
>> subvolume is sent incrementally, but the received subvolume is missing
>> files that exist on the sent side).
>>
>> I can replicate this as follows
>>
>> Create the subvolumes and put some files in them.
>> # btrfs sub create 1
>> # btrfs sub create 2
>> # cd 1
>> # dd if=/dev/urandom bs=1M count=10 of=test
>> # cd ..
>> # btrfs sub snap 1 2
>> # dd if=/dev/urandom bs=1M count=1 of=test2
>> # cd ..
>>
>> Now set as read-only to send.  Subvolume 1 has the file "test, and
>> subvolume 2 has the files "test" and "test2".
>> # btrfs prop set 1 ro true
>> # btrfs prop set 2 ro true
>>
>> Send, snapshot 2 is an incremental send.  The files created are the
>> expected sizes.
>> # btrfs send 1 -f /tmp/1
>> # btrfs send -p 1 2 -f /tmp 2
>>
>> Now we make subvolume one read-write
>> # btrfs prop set 1 ro false
>> # rm 1/test
>>
>> Delete subvolume 2 and then recreate it be receiving it.
>> # btrfs sub del 2
>> # btrfs receive -f /tmp/2 .
> 
> This is an unworkable workflow, for multiple reasons. Your 1 and 2
> subvolumes are not related to each other, and incremental send should
> fail. So I think you might have stumbled on a bug.
> 
> (from man page)
>        btrfs send [-ve] [-p <parent>] [-c <clone-src>] [-f <outfile>]
> <subvol> [<subvol>...]
> 
> (simplifed)
> 
>        btrfs send [-p <parent>] [<subvol>...
> 
> 
> If <parent> has a UUID of 54321, I expect that <subvol> must have
> Parent UUID of 54321, or the send command should fail.
> 
> Setting aside the possibility for a bug, let's describe the proper
> workflow. Your subvolumes 1 and 2 are separate file trees, they're not
> related and shouldn't ever appear together in a send/receive. If you
> want to do incremental send, to send only changes that happen in 1 and
> 2 the workflow looks like this.
> 
> btrfs sub snap -r 1 1.20190120
> btrfs sub snap -r 2 2.20190120
> btrfs send 1.20190120 | btrfs receive /destination/
> btrfs send 2.20190120 | btrfs recieve /destination/
> 
> First the snapshots are from the outset read only. And these are the
> snapshots that you will send to the destination file systems, without
> p, to initially populate the destination. Second, you will make
> changes to original subvolumes 1 and 2, which are still rw subvolumes.
> And then and some later time you snapshot them again, thus:
> 
> btrfs sub snap -r 1 1.20190121
> btrfs sub snap -r 2 2.20190121
> 
> And then send the difference or increment with the command:
> 
> btrfs send -p 1.20190120 1.20190121 | btrfs receive /destination/
> btrfs send -p 2.20190120 2.20190121 | btrfs receive /destination/
> 
> And if the original volume dies and you need to restore these
> subvolumes to their most recent state:
> 
> btrfs send 1.20190121 | btrfs receive /newdestination/
> btrfs send 2.20190121 | btrfs receive /newdestination/
> btrfs sub snap 1.20190121 1
> btrfs sub snap 2.20190121 2
> 
> You do not need to do incremental restore, because the subvolume that
> appears as a result of an incremental send is *fully* populated, not
> merely with just the incremental data. And in this case I take a
> default rw snapshot.
> 
> I literally never use the 'property set' feature to set ro and unset
> ro because I think it's dangerous.

I think my previous e-mail did not go through.  Basically, if it is
assumed that a btrfs-receive operation will result in a subvolume which
matches the source file for file, then this assumption or expectation
won't be met if one deletes files from the subvolume at the receiving
end which is going to be referred to as the parent.

This can happen inadvertently, or even through filesystem corruption
(which I experienced).

> 
> 
>>
>> I understand that during send/receive, a snapshot is taken of the parent
>> subvolume, then it is modified.  The problem is that if that snapshot is
>> modified, then these modifications will affect the received subvolumes,
>> including, in this case, silent data loss.
> 
> 
> I think this is user error. And the bug is actually a feature request
> for better error handling to account for the user inadvertently trying
> to do an incremental send with a subvolume that does not have a
> matching parent UUID to the -p specified parent subvolume's UUID. I
> thought there was a check for this but I'm virtually certain I've run
> into this problem myself with no warning and yes it's an unworkable
> result at destination.
> 

I do note that btrfs-send man page states "You must not specify clone
sources unless you guarantee that these snapshots are exactly in the
same state on both sides—both for the sender and the receiver.".
Perhaps this could be changed to state "clone or parent", as it could be
interpreted as not being applicable if you specify a parent only.