From: Valerie Aurora <vaurora@redhat.com>
To: Jeff Layton <jlayton@redhat.com>
Cc: linux-fsdevel@vger.kernel.org,
Trond Myklebust <Trond.Myklebust@netapp.com>,
"J. Bruce Fields" <bfields@fieldses.org>
Subject: Re: NFS hard read-only mount option - again
Date: Wed, 28 Apr 2010 16:07:46 -0400 [thread overview]
Message-ID: <20100428200746.GB16691@shell> (raw)
In-Reply-To: <20100427075159.0fd267e4@tlielax.poochiereds.net>
On Tue, Apr 27, 2010 at 07:51:59AM -0400, Jeff Layton wrote:
> On Mon, 26 Apr 2010 19:58:33 -0400
> Valerie Aurora <vaurora@redhat.com> wrote:
>
> > I want to restart the discussion we had last July (!) about an NFS
> > hard read-only mount option. A common use case of union mounts is a
> > cluster with NFS mounted read-only root file systems, with a local fs
> > union mounted on top. Here's the last discussion we had:
> >
> > http://kerneltrap.org/mailarchive/linux-fsdevel/2009/7/16/6211043/thread
> >
> > We can assume a local mechanism that lets the server enforce the
> > read-only-ness of the file system on the local machine (the server can
> > increment sb->s_hard_readonly_users on the local fs and the VFS will
> > take care of the rest).
> >
> > The main question is what to do on the client side when the server
> > changes its mind and wants to write to that file system. On the
> > server side, there's a clear synchronization point:
> > sb->s_hard_readonly_users needs to be decremented, and so we don't
> > have to worry about a hard readonly exported file system going
> > read-write willy-nilly.
> >
> > But the client has to cope with the sudden withdrawal of the read-only
> > guarantee. A lowest common denominator starting point is to treat it
> > as though the mount went away entirely, and force the client to
> > remount and/or reboot. I also have vague ideas about doing something
> > smart with stale file handles and generation numbers to avoid a
> > remount. This looks a little bit like the forced umount patches too,
> > where we could EIO any open file descriptors on the old file system.
> >
> > How long would it take to implement the dumb "NFS server not
> > responding" version?
> >
> > -VAL
>
> Ok, so the problem is this:
>
> You have a client with the aforementioned union mount (r/o NFS layer
> with a local r/w layer on top). "Something" changes on the server and
> you need a way to cope with the change?
>
> What happens if you do nothing here and just expect the client to deal
> with it? Obviously you have the potential for inconsistent data on the
> clients until they remount along with problems like -ESTALE errors, etc.
>
> For the use case you describe however, an admin would have to be insane
> to think that they could safely change the filesystem while it was
> online and serving out data to clients. If I had a cluster like you
> describe, my upgrade plan would look like this:
>
> 1) update a copy of the master r/o filesytem offline
> 2) test it, test it, test it
> 3) shut down the clients
> 4) unexport the old filesystem, export the new one
> 5) bring the clients back up
>
> ...anything else would be playing with fire.
Yes, you are totally correct, that's the only scenario that would
actually work. This feature is just detecting when someone tries to
do this without step 3).
> Unfortunately I haven't been keeping up with your patchset as well as I
> probably should. What happens to the r/w layer when the r/o layer
> changes? Does it become completely invalid and you have to rebuild it?
> Or can it cope with a situation where the r/o filesystem is changed
> while the r/w layer isn't mounted on top of it?
The short version is that we can't cope with the r/o file system being
changed while it's mounted as the bottom layer of a union mount on a
client. This assumption is what makes a non-panicking union mount
implementation possible.
What I need can be summarized in the distinction between the following
scenarios:
Scenario A: The NFS server reboots while a client has the file system
mounted as the r/o layer of a union mount. The server does not change
the exported file system at all and re-exports it as hard read-only.
This should work.
Scenario B: The NFS server reboots as in the above scenario, but
performs "touch /exports/client_root/a_file" before re-exporting the
file system as hard read-only. This is _not_ okay and in some form
will cause a panic on the client if the client doesn't detect it and
stop accessing the mount.
How to tell the difference between scenarios A and B?
Thanks,
-VAL
next prev parent reply other threads:[~2010-04-28 20:07 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-04-26 23:58 NFS hard read-only mount option - again Valerie Aurora
2010-04-27 11:51 ` Jeff Layton
2010-04-28 20:07 ` Valerie Aurora [this message]
2010-04-28 20:34 ` Jeff Layton
2010-04-28 20:56 ` J. Bruce Fields
2010-05-04 22:51 ` Valerie Aurora
2010-05-05 7:22 ` Jeff Layton
2010-05-06 15:01 ` Valerie Aurora
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100428200746.GB16691@shell \
--to=vaurora@redhat.com \
--cc=Trond.Myklebust@netapp.com \
--cc=bfields@fieldses.org \
--cc=jlayton@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).