From: Christian Ebner <c.ebner@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH v3 proxmox-backup 4/9] fix #5982: garbage collection: check atime updates are honored
Date: Tue,  4 Mar 2025 19:35:41 +0100
Message-ID: <20250304183546.461918-5-c.ebner@proxmox.com>
In-Reply-To: <20250304183546.461918-1-c.ebner@proxmox.com>

Check if the filesystem backing the chunk store actually updates the
atime to avoid potential data loss in phase 2 of garbage collection,
in case the atime update is not honored.

Perform the check before phase 1 of garbage collection, as well as
on datastore creation. The latter is to detect early and disallow
datastore creation on filesystem configurations which would otherwise
most likely lead to data loss.

Enable the atime update check by default, but allow opting out by
setting a datastore tuning parameter flag for backwards compatibility.
This is honored by both garbage collection and datastore creation.

The check uses a 4 MiB fixed-size, unencrypted and compressed chunk
as test marker, inserted if not present. This all-zero chunk is very
likely present anyway for unencrypted backup contents with large
all-zero regions using fixed-size chunking (e.g. VMs).

To avoid cases where the timestamp will not be updated because of the
Linux kernel's timestamp granularity, sleep for 1 second in between
the stat and the utimensat call.

Fixes: https://bugzilla.proxmox.com/show_bug.cgi?id=5982
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
---
changes since version 2:
- Take Linux timestamp granularity into account by sleeping 1 second
  in between operations instead of setting the timestamp to the past.
- Check relatime behaviour if atime updates are not honored.
- Adapt datastore tuning variables to new names


 pbs-datastore/src/chunk_store.rs | 128 +++++++++++++++++++++++++++++--
 pbs-datastore/src/datastore.rs   |  10 +++
 src/api2/config/datastore.rs     |   1 +
 3 files changed, 134 insertions(+), 5 deletions(-)

diff --git a/pbs-datastore/src/chunk_store.rs b/pbs-datastore/src/chunk_store.rs
index 5e02909a1..e529dcc9c 100644
--- a/pbs-datastore/src/chunk_store.rs
+++ b/pbs-datastore/src/chunk_store.rs
@@ -1,6 +1,8 @@
+use std::cmp::Ordering;
 use std::os::unix::io::AsRawFd;
 use std::path::{Path, PathBuf};
 use std::sync::{Arc, Mutex};
+use std::time::Duration;
 
 use anyhow::{bail, format_err, Error};
 use tracing::info;
@@ -13,6 +15,7 @@ use proxmox_sys::process_locker::{
 };
 use proxmox_worker_task::WorkerTaskContext;
 
+use crate::data_blob::DataChunkBuilder;
 use crate::file_formats::{
     COMPRESSED_BLOB_MAGIC_1_0, ENCRYPTED_BLOB_MAGIC_1_0, UNCOMPRESSED_BLOB_MAGIC_1_0,
 };
@@ -93,6 +96,7 @@ impl ChunkStore {
         uid: nix::unistd::Uid,
         gid: nix::unistd::Gid,
         sync_level: DatastoreFSyncLevel,
+        atime_safety_check: bool,
     ) -> Result<Self, Error>
     where
         P: Into<PathBuf>,
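Review bot: the new positional `atime_safety_check: bool` parameter makes call sites such as `ChunkStore::create(..., DatastoreFSyncLevel::None, true)` hard to read; consider describing it in the doc comment of `create` (what `true` enables, and that the check sleeps) or wrapping it in a small named type so the meaning is visible at the call.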
@@ -147,7 +151,20 @@ impl ChunkStore {
             }
         }
 
-        Self::open(name, base, sync_level)
+        let chunk_store = Self::open(name, base, sync_level)?;
+        if atime_safety_check {
+            chunk_store
+                .atime_safety_check()
+                .map(|atime_updated| if atime_updated {
+                    info!("atime safety check successful.")
+                } else {
+                    info!("atime safety check successful with relatime behaviour.")
+                })?;
+        } else {
+            info!("atime safety check skipped.");
+        }
+
+        Ok(chunk_store)
     }
 
     fn lockfile_path<P: Into<PathBuf>>(base: P) -> PathBuf {
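Review bot: `.map(|atime_updated| if atime_updated { info!(..) } else { info!(..) })?` is an awkward shape for a side effect and rustfmt will reflow it; `if chunk_store.atime_safety_check()? { info!(...) } else { info!(...) }` says the same thing directly. Also worth confirming what happens to the directory tree set up earlier in `create` when the check fails: the function now returns the error after `Self::open` succeeded, and nothing in this hunk removes what was created, so a failed creation may leave a partially initialised chunk store behind.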
@@ -442,6 +459,94 @@ impl ChunkStore {
         Ok(())
     }
 
+    /// Check if atime updates are honored by the filesystem backing the chunk store.
+    ///
+    /// Checks if the atime is either update immediately by utimensat or in a relatime manner by
+    /// first setting atime and mtime to now, followed by trying to update the atime.
+    /// If the atime update is honored, return with true, if the relatime update has been honored,
+    /// return with false. Return with error otherwise.
+    /// Uses a 4 MiB fixed size, compressed but unencrypted chunk to test. The chunk is inserted in
+    /// the chunk store if not yet present.
+    pub fn atime_safety_check(&self) -> Result<bool, Error> {
+        let (zero_chunk, digest) = DataChunkBuilder::build_zero_chunk(None, 4096 * 1024, true)?;
+        self.insert_chunk(&zero_chunk, &digest)?;
+        let (path, _digest) = self.chunk_path(&digest);
+
+        let metadata_before = std::fs::metadata(&path).map_err(Error::from)?;
+        let atime_before = metadata_before.accessed()?;
+
+        // Take into account timestamp update granularity in the kernel
+        std::thread::sleep(Duration::from_secs(1));
+        self.cond_touch_path(&path, true)?;
+
+        let metadata_now = std::fs::metadata(&path).map_err(Error::from)?;
+        let atime_now = metadata_now.accessed()?;
+
+        match atime_before.cmp(&atime_now) {
+            Ordering::Less => Ok(true),
+            Ordering::Equal => {
+                // Use the previous mtime here, as that is the one the atime
+                // before update check will been compared to
+                let mtime_before = metadata_before.modified()?;
+                if atime_now < mtime_before {
+                    Err(format_err!(
+                        "atime safety check failed, is atime support enabled on datastore backing \
+                        filesystem?"
+                    ))
+                } else {
+                    self.relatime_safety_check(&path)?;
+                    Ok(false)
+                }
+            }
+            Ordering::Greater => Err(format_err!(
+                "atime safety check failed, unexpected time shift"
+            )),
+        }
+    }
+
+    fn relatime_safety_check(&self, path: &Path) -> Result<(), Error> {
+        // unwrap: only `None` in unit tests
+        assert!(self.locker.is_some());
+
+        // Update atime and mtime to now
+        let times: [libc::timespec; 2] = [
+            libc::timespec {
+                tv_sec: 0,
+                tv_nsec: libc::UTIME_NOW,
+            },
+            libc::timespec {
+                tv_sec: 0,
+                tv_nsec: libc::UTIME_NOW,
+            },
+        ];
+
+        use nix::NixPath;
+        if let Err(err) = path.with_nix_path(|cstr| unsafe {
+            let tmp = libc::utimensat(-1, cstr.as_ptr(), &times[0], libc::AT_SYMLINK_NOFOLLOW);
+            nix::errno::Errno::result(tmp)
+        })? {
+            bail!("update atime failed for chunk/file {path:?} - {err}");
+        }
+
+        // Take into account timestamp update granularity in the kernel
+        std::thread::sleep(Duration::from_secs(1));
+        // Try updating the chunks atime, which should be performed for filesystems
+        // mounted with relatime since mtime is equal
+        self.cond_touch_path(&path, true)?;
+
+        let metadata_now = std::fs::metadata(&path).map_err(Error::from)?;
+        let atime_now = metadata_now.accessed()?;
+        let mtime_now = metadata_now.modified()?;
+        if atime_now <= mtime_now {
+            bail!(
+                "atime safety check failed and relatime update failed, is atime support enabled on \
+                datastore backing filesystem?"
+            )
+        }
+
+        Ok(())
+    }
+
     pub fn insert_chunk(&self, chunk: &DataBlob, digest: &[u8; 32]) -> Result<(bool, u64), Error> {
         // unwrap: only `None` in unit tests
         assert!(self.locker.is_some());
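Review bot: `libc::utimensat(-1, cstr.as_ptr(), &times[0], libc::AT_SYMLINK_NOFOLLOW)` passes -1 as dirfd; the sentinel for "resolve relative to the current directory" is `libc::AT_FDCWD`, and although dirfd is ignored for an absolute path, `AT_FDCWD` is the documented value and keeps the call correct should `chunk_path` ever return a relative path. Smaller points in the same hunk: the doc comment should read "either updated immediately by utimensat"; the comment "as that is the one the atime before update check will been compared to" needs rewording (e.g. "the mtime the kernel compared against when deciding whether to update the atime"); the error paths mix `Err(format_err!(..))` and `bail!(..)`; and since both probes sleep for one second, a datastore create call now takes at least one second longer (two with relatime), which deserves a mention in the docs patch of this series.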
@@ -628,8 +733,15 @@ fn test_chunk_store1() {
     let user = nix::unistd::User::from_uid(nix::unistd::Uid::current())
         .unwrap()
         .unwrap();
-    let chunk_store =
-        ChunkStore::create("test", &path, user.uid, user.gid, DatastoreFSyncLevel::None).unwrap();
+    let chunk_store = ChunkStore::create(
+        "test",
+        &path,
+        user.uid,
+        user.gid,
+        DatastoreFSyncLevel::None,
+        true,
+    )
+    .unwrap();
 
     let (chunk, digest) = crate::data_blob::DataChunkBuilder::new(&[0u8, 1u8])
         .build()
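Review bot: passing `true` here means `test_chunk_store1` now depends on the build host's filesystem honouring atime updates and sleeps at least one second per `ChunkStore::create`; on a `noatime` build mount this existing test fails for reasons unrelated to what it covers. Consider passing `false` in the existing test and exercising the probe in a dedicated test that is skipped or gated when the filesystem does not support it.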
@@ -641,8 +753,14 @@ fn test_chunk_store1() {
     let (exists, _) = chunk_store.insert_chunk(&chunk, &digest).unwrap();
     assert!(exists);
 
-    let chunk_store =
-        ChunkStore::create("test", &path, user.uid, user.gid, DatastoreFSyncLevel::None);
+    let chunk_store = ChunkStore::create(
+        "test",
+        &path,
+        user.uid,
+        user.gid,
+        DatastoreFSyncLevel::None,
+        true,
+    );
     assert!(chunk_store.is_err());
 
     if let Err(_e) = std::fs::remove_dir_all(".testdir") { /* ignore */ }
diff --git a/pbs-datastore/src/datastore.rs b/pbs-datastore/src/datastore.rs
index 75c0c16ab..ef932b47b 100644
--- a/pbs-datastore/src/datastore.rs
+++ b/pbs-datastore/src/datastore.rs
@@ -1170,6 +1170,16 @@ impl DataStore {
                 upid: Some(upid.to_string()),
                 ..Default::default()
             };
+            let tuning: DatastoreTuning = serde_json::from_value(
+                DatastoreTuning::API_SCHEMA
+                    .parse_property_string(gc_store_config.tuning.as_deref().unwrap_or(""))?,
+            )?;
+            if tuning.gc_atime_safety_check.unwrap_or(true) {
+                self.inner.chunk_store.atime_safety_check()?;
+                info!("Filesystem atime safety check successful.");
+            } else {
+                info!("Filesystem atime safety check disabled by datastore tuning options.");
+            }
 
             info!("Start GC phase1 (mark used chunks)");
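Review bot: the `bool` returned by `self.inner.chunk_store.atime_safety_check()?` is discarded, so the relatime case logs "Filesystem atime safety check successful." here, whereas `ChunkStore::create` logs a distinct "successful with relatime behaviour" message; match on the result so both paths report the same outcome to the task log.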
 
diff --git a/src/api2/config/datastore.rs b/src/api2/config/datastore.rs
index fe3260f6d..35847fc45 100644
--- a/src/api2/config/datastore.rs
+++ b/src/api2/config/datastore.rs
@@ -119,6 +119,7 @@ pub(crate) fn do_create_datastore(
                 backup_user.uid,
                 backup_user.gid,
                 tuning.sync_level.unwrap_or_default(),
+                tuning.gc_atime_safety_check.unwrap_or(true),
             )
             .map(|_| ())
         } else {
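Review bot: the `unwrap_or(true)` default for `gc_atime_safety_check` is now spelled out both here and in the GC path in `datastore.rs`; a single named default (a constant or the schema default on `DatastoreTuning`) would keep the two from drifting apart.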
-- 
2.39.5
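A stand-alone probe of the same idea, added here as an example and not code from the patch or the proxmox-backup project: it stats a marker file, sleeps out the kernel's timestamp granularity, sets only the atime through `File::set_times` (an explicit time with mtime omitted, rather than the patch's `utimensat` with `UTIME_NOW`), and classifies the result the way `atime_safety_check` does; the relatime follow-up probe is left out. The marker file name is made up and the code assumes Rust 1.75 or newer.

```rust
use std::cmp::Ordering;
use std::fs::{self, File, FileTimes};
use std::io;
use std::path::Path;
use std::thread::sleep;
use std::time::{Duration, SystemTime};
/// Outcome of the probe, mirroring the cases the patch's `atime_safety_check` distinguishes.
#[derive(Debug, PartialEq, Eq)]
pub enum AtimeOutcome {
    /// atime moved forward after an explicit update: atime-based GC marking is safe here.
    Honored,
    /// atime unchanged but not older than mtime: a relatime follow-up probe is needed.
    NeedsRelatimeProbe,
    /// atime unchanged and older than mtime: the filesystem ignores atime updates.
    NotHonored,
    /// atime went backwards: clock or filesystem misbehaviour, treat as a failure.
    TimeShift,
}

/// Pure decision over the two stat results, kept separate so it can be tested without sleeping.
pub fn classify(atime_before: SystemTime, atime_after: SystemTime, mtime_before: SystemTime) -> AtimeOutcome {
    match atime_before.cmp(&atime_after) {
        Ordering::Less => AtimeOutcome::Honored,
        Ordering::Greater => AtimeOutcome::TimeShift,
        Ordering::Equal if atime_after < mtime_before => AtimeOutcome::NotHonored,
        Ordering::Equal => AtimeOutcome::NeedsRelatimeProbe,
    }
}

/// Stat the marker, wait out the kernel's timestamp granularity, update only its atime, stat again.
pub fn probe_atime(path: &Path) -> io::Result<AtimeOutcome> {
    let before = fs::metadata(path)?;
    let (atime_before, mtime_before) = (before.accessed()?, before.modified()?);
    sleep(Duration::from_secs(1));
    // Only `accessed` is set, so mtime is passed as UTIME_OMIT and stays untouched.
    let file = File::options().write(true).open(path)?;
    file.set_times(FileTimes::new().set_accessed(SystemTime::now()))?;
    let atime_after = fs::metadata(path)?.accessed()?;
    Ok(classify(atime_before, atime_after, mtime_before))
}

fn main() -> io::Result<()> {
    // Constructed marker file in the temp dir; point this at the datastore path to test real storage.
    let marker = std::env::temp_dir().join("atime-probe.marker");
    fs::write(&marker, [0u8; 4096])?;
    let outcome = probe_atime(&marker)?;
    println!("atime probe: {outcome:?}");
    fs::remove_file(&marker)
}
```

Setting an explicit atime requires owning the file (or CAP_FOWNER), so run the probe as the user that owns the datastore directory.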
