Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp6252992iob; Tue, 10 May 2022 14:03:17 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz06iGinunoLCErIluzIW5kMOtHZ0iaaG8eNAbjkBLZxtHkN4Gfcbit9MUHNlzD3n/WBm+1 X-Received: by 2002:a50:9511:0:b0:428:7acf:99b9 with SMTP id u17-20020a509511000000b004287acf99b9mr19540166eda.338.1652216596927; Tue, 10 May 2022 14:03:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652216596; cv=none; d=google.com; s=arc-20160816; b=Il036M+EaZ42jHVCQuv/aZjJABBqM9UBfIv3ZKrJmS3SQbeyh+vsAkfHzX9hWNZWoY tL4BLEb5fm7WAVBm24JtAIR/FXs32UA0jL+XmPU+sHqZfxZqShhQT4TeXd1UeEODegV6 R8WLvqGrrbzdNAQG9jvrSzcE2AZsOMny2SWQrh0AA0PfJ3/2DrTzSwLW6BFgExuG/Hh4 EEIfb5FJjCt3S3ajKyCoiUHXbEtn3/l3Chg6BBjdFH0HMY81/8ezE0noh6LcNz4ethJv CuEQjzoU822R6em+/pVG+QWcEOl5QqgDsr9HaUKLxt87OWS+bMIxFQ/l6bmiR/6wOSYC eC7A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=Nl4fUlScdaUZ1PTg23801B2HTu1gdRJCCUpFW9GKZf8=; b=Q8qXXdRCX5BM1ozEXk5eZ5KtMazyPnvWXnNEwAEHMZjCdJcDzCN7tSjIW5j8xtJgsz Y48hMDOtAB4nshcSsxcF+sw1PvzrCgvMC4zN8FcwkEL1mELfW/0S5gH7mu/hg9LtWluT ZPFwRvz/68Qc3BoSphLEmWoAQlRWcq+hHck1I+CEOjgfeHagXmgFPN6lqzithqEpEIzf cePchNUbZPQVO+Uq9AJjDlqusXPB6/Czp6WRk4ZwM303nIGdizYEpyf1bt8sLbUo3ZCq dvRaVdIp9VjWKh/XX+hTkLhDPqrdptwAUAZ5okUeFsNOJB5GWzVd14/m4hzr6uh4XauC rUYw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=syghnmj5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id gz12-20020a170906f2cc00b006efef30bd26si373560ejb.47.2022.05.10.14.02.53; Tue, 10 May 2022 14:03:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=syghnmj5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241288AbiEJL50 (ORCPT + 99 others); Tue, 10 May 2022 07:57:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52322 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230463AbiEJL5Y (ORCPT ); Tue, 10 May 2022 07:57:24 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 938E327F111; Tue, 10 May 2022 04:53:26 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 47908B81A0A; Tue, 10 May 2022 11:53:25 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3D9E7C385A6; Tue, 10 May 2022 11:53:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1652183604; bh=X1QVwFClp9JxInrjSYxI0mlCNQbr24dNo7/S+95efN8=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=syghnmj5lzHfIY+E5v4jJE0hutUfRYSXUe1UD9qXPiNu62ZV8BYEt7Ia1EkeeLDCx pq7Uflq901Qrs9jnDOhQlWOjY3FAeP4SlQHwiWDs7D0gBnt35Xsmpl4WY8TZcLvOEf xZqguXt1m8t14Y94scKtgonMzmagKqsm0crte2di4LsGzos3h2SsRYZewWCrfIElYl NhUVaQDq6soEaHe40x80rNFogPlV4Se5aEFRSCPOP1NLvCeHXqJpMD4XkSKhttQpn7 AXOQyBkcQij/Kt/rbopkC+0AN5i36i6tMlDxCY7V6doaXUpNfZK8Rhz86L9ONXhfYu 9UqXGFdNjabzA== Date: Tue, 10 May 2022 13:53:16 +0200 From: Christian Brauner To: Miklos Szeredi Cc: linux-fsdevel@vger.kernel.org, Dave Chinner , Theodore Ts'o , Karel Zak , Greg KH , linux-kernel@vger.kernel.org, Linux API , linux-man , LSM , Ian Kent , David Howells , Linus Torvalds , Al Viro , Christian Brauner , Amir Goldstein , James Bottomley Subject: Re: [RFC PATCH] getting misc stats/attributes via xattr API Message-ID: <20220510115316.acr6gl5ayqszada6@wittgenstein> References: <20220509124815.vb7d2xj5idhb2wq6@wittgenstein> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-7.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, May 10, 2022 at 05:49:04AM +0200, Miklos Szeredi wrote: > On Mon, 9 May 2022 at 14:48, Christian Brauner wrote: > > > One comment about this. We really need to have this interface support > > giving us mount options like "relatime" back in numeric form (I assume > > this will be possible.). It is royally annoying having to maintain a > > mapping table in userspace just to do: > > > > relatime -> MS_RELATIME/MOUNT_ATTR_RELATIME > > ro -> MS_RDONLY/MOUNT_ATTR_RDONLY > > > > A library shouldn't be required to use this interface. Conservative > > low-level software that keeps its shared library dependencies minimal > > will need to be able to use that interface without having to go to an > > external library that transforms text-based output to binary form (Which > > I'm very sure will need to happen if we go with a text-based > > interface.). > > Agreed. > > > This pattern of requesting the size first by passing empty arguments, > > then allocating the buffer and then passing down that buffer to > > retrieve that value is really annoying to use and error prone (I do > > of course understand why it exists.). > > > > For real xattrs it's not that bad because we can assume that these > > values don't change often and so the race window between > > getxattr(GET_SIZE) and getxattr(GET_VALUES) often doesn't matter. But > > fwiw, the post > pre check doesn't exist for no reason; we do indeed > > hit that race. > > That code is wrong. Changing xattr size is explicitly documented in When recursively changing the ownership of a filesystem tree for a container some xattrs will need to be updated as well. For example, if I have files with POSIX ACLs set which store {g,u}ids then the ACL needs to be updated to store the {g,u}id mapped to the container so the container can interpret them when started. That is a rather sensitive operation with loads of potentials for bugs. So if a POSIX ACL changes beneath the chowning daemon they must be conservative because it means that there's concurrent modfication or possibly an attack going on. In general, I feel it's a bit easy to judge the code is wrong without looking at the concrete scenario. I'm also unsure how the manpage implies it's not an error condition. Afaict, it only implies that the caller needs to handle the case where the xattr changes. Whether or not that's an error is up to the caller to decide. If the caller expects to be the sole user of a specific filesystems then a changing xattr in between should probably be an error condition. But I think we're starting to go on a detour. > the man page as a non-error condition: > > If size is specified as zero, these calls return the current size of > the named extended attribute (and leave value unchanged). This can be > used to determine the size of the buffer that should be supplied in a > subsequent call. (But, bear in mind that there is a possibility that > the attribute value may change between the two calls, so that it is > still necessary to check the return status from the second call.) > > > > > In addition, it is costly having to call getxattr() twice. Again, for > > retrieving xattrs it often doesn't matter because it's not a super > > common operation but for mount and other info it might matter. > > You don't *have* to retrieve the size, it's perfectly valid to e.g. > start with a fixed buffer size and double the size until the result > fits. Yes, I understand and accept that. I'm just not fond of such APIs. > > > * Would it be possible to support binary output with this interface? > > I really think users would love to have an interfact where they can > > get a struct with binary info back. > > I think that's bad taste. fsinfo(2) had the same issue. As well as > mount(2) which still interprets the last argument as a binary blob in > certain cases (nfs is one I know of). In the same vein I could argue it's bad taste that everything gets returned as a string. But I do agree that binary blobs through void pointers aren't elegant. I just worry that if we have an interface and there's a legitimate subset of users that would be well served by a simple struct for e.g., mount properties any attempt to get something like this in the form of a separate system call will be shut down with the argument that we already have an interface for this. So I'd compromise if we have your/any other interface return binary blobs. But of course I'd be equally happy if we'd at least expose basic mount information in the form of a separate system call. > > > Especially for some information at least. I'd really love to have a > > way go get a struct mount_info or whatever back that gives me all the > > details about a mount encompassed in a single struct. > > If we want that, then can do a new syscall with that specific struct > as an argument. Ok, that sounds good to me. > > > Callers like systemd will have to parse text and will end up > > converting everything from text into binary anyway; especially for > > mount information. So giving them an option for this out of the box > > would be quite good. > > What exactly are the attributes that systemd requires? We keep a repo with ideas for (kernel) extensions - we should probably publish that somewhere - but the list we used for a prototype roughly contains: * mount flags MOUNT_ATTR_RDONLY etc. * time flags MOUNT_ATTR_RELATIME etc. (could probably be combined with mount flags. We missed the opportunity to make them proper enums separate from other mount flags imho.) * propagation "flags" (MS_SHARED) * peer group * mnt_id of the mount * mnt_id of the mount's parent * owning userns There's a bit more advanced stuff systemd would really want but which I think is misplaced in a mountinfo system call including: * list of primary and auxiliary block device major/minor * diskseq value of those device nodes (This is a new block device feature we added that allows preventing device recycling issues when e.g. removing usb devices very quickly and is needed for udev.) * uuid/fsid * feature flags (O_TMPFILE, RENAME_EXCHANGE supported etc.) > > > Interfaces like statx aim to be as fast as possible because we exptect > > them to be called quite often. Retrieving mount info is quite costly > > and is done quite often as well. Maybe not for all software but for a > > lot of low-level software. Especially when starting services in > > systemd a lot of mount parsing happens similar when starting > > containers in runtimes. > > Was there ever a test patch for systemd using fsinfo(2)? I think not. > > Until systemd people start to reengineer the mount handing to allow > for retrieving a single mount instead of the complete mount table we > will never know where the performance bottleneck lies. I defer to Ian and Karel to answer that. Both did work to prove that point triggered by one of your objections to fsinfo() iirc. Karel's commits at least are here: https://github.com/util-linux/util-linux/tree/topic/fsinfo > > > > > * If we decide to go forward with this interface - and I think I > > mentioned this in the lsfmm session - could we please at least add a > > new system call? It really feels wrong to retrieve mount and other > > information through the xattr interfaces. They aren't really xattrs. > > I'd argue with that statement. These are most definitely attributes. > As for being extended, we'd just extended the xattr interface... I just have a really hard time understanding how this belongs into the (f)getxattr() system call family and why it would be a big deal to just make this a separate system call. I saw that Dave has a long mail on the history of all this so maybe that'll help me. I hope I get around to reading it in detail today. > > Naming aside... imagine that read(2) has always been used to retrieve > disk data, would you say that reading data from proc feels wrong? > And in hindsight, would a new syscall for the purpose make any sense? I think past interface decisions don't need to always inform future interface decisions. And fwiw, yes. Imho, there's stuff in proc that should indeed have been covered by a dedicated system call instead of a read-like interface.