Re: Incremental receive completes succesfully despite missing files

[Andrei Borzenkov <arvidjaar@gmail.com>]

20.01.2019 13:25, Dennis K пишет:
> Apologies in advance, if the issue I put forward is actually the
> intended behavior of BTRFS.
> 
> I have noted while playing with sub-volumes, and trying to determine
> what exactly are the requirements for a subvolume to act as a legitimate
> parent during a receive operation, that modification of one subvolume,
> can affect children subvolumes that are received.
> 
> It's possible I have noted this before when directories which I though
> should have existed in the destination volume, where not present,
> despite being present in the snapshot at the sending end.  (ie, a
> subvolume is sent incrementally, but the received subvolume is missing
> files that exist on the sent side).
> 
> I can replicate this as follows
> 
> Create the subvolumes and put some files in them.
> # btrfs sub create 1
> # btrfs sub create 2
> # cd 1
> # dd if=/dev/urandom bs=1M count=10 of=test
> # cd ..
> # btrfs sub snap 1 2

Apparently some command is missing here.

> # dd if=/dev/urandom bs=1M count=1 of=test2

This creates test2 outside of subvolumes 1 or 2.

> # cd ..
> 

And this goes one level up so that next commands are invalid (they
assume you are still in direct parent of 1 and 2).

Also I do not see what purpose your "btrfs sub snap" serves. It creates
snapshot 2/1, but it snapshot is not part of replication anyway.

> Now set as read-only to send.  Subvolume 1 has the file "test, and
> subvolume 2 has the files "test" and "test2".
> # btrfs prop set 1 ro true
> # btrfs prop set 2 ro true
> 
> Send, snapshot 2 is an incremental send.  The files created are the
> expected sizes.
> # btrfs send 1 -f /tmp/1
> # btrfs send -p 1 2 -f /tmp 2
> 

That must be a typo, from the following text /tmp/2 is implied. Never
manually type in commands; always copy and paste them (or record using
script or similar and attach exact recording). Otherwise nothing in your
report can be trusted.

> Now we make subvolume one read-write
> # btrfs prop set 1 ro false

At this point all bets are off.

> # rm 1/test
> 

Now subvolume 1 no more matches state that was used to generate
incremental stream.

> Delete subvolume 2 and then recreate it be receiving it.
> # btrfs sub del 2
> # btrfs receive -f /tmp/2 .
> 
> What happens, is that subvolume 2 is created, but it is missing the file
> 'test' which was present in subvolume 1 at the time it was created as a
> snapshot and sent.  It now only contains the file "test2", which is NOT
> the state that it was sent.
> 

That is correct. /tmp/2 contains just the *incremental* replication
stream, which contains instructions to apply changes in subvolume 2
against base subvolume 1. It does *not* contain full content of (replica
of) subvolume 2 because on receiving side btrfs would first have cloned
replica of subvolume 1 and then applied changes in replication stream.

> 
> Note the same results are obtained, if you also delete subvolume 1 and
> then recreate it with btrfs-receive.
> 
> This may explain why previously I found a send operation resulted in the
> receiving end missing files previously.
> 
> I understand that during send/receive, a snapshot is taken of the parent
> subvolume, then it is modified.  The problem is that if that snapshot is
> modified, then these modifications will affect the received subvolumes,
> including, in this case, silent data loss.
> 

Not sure I parse this part correctly, but in your case you intentionally
modified base subvolume and made btrfs apply changes to wrong initial
state. This is classical case of "doctor, it hurts when I stab myself in
the eye".

> 
> It would be better for the receive operation to fail, or at least put
> out a warning if the parent subvolume it is using has changed or is
> different from the reference subvolume used during send. 

I was honestly surprised that btrfs receive did not refuse to apply
changes to read-write subvolume. Otherwise replication stream normally
is applied in receiving side which simply does not have enough
information to check that *source* was not changed. Destination only
knows UUID of parent snapshot and assumes it was not changed.

Personally I consider ability to flip read-only bit major usability
issue which leads to problems you observed.

> I'm not sure
> whether BTRFS can check this via generation number or some other data,
> orbut at the moment, there is no such check and this appears to be a bug.
> 
> Is this correct behaviour?  Does BTRFS rely on the user, and user-space
> tools, never changing any subvolume in order to avoid silent data loss?
> 

Yes.