2008-11-20 20:01:55 +00:00
|
|
|
/*
|
|
|
|
* CDDL HEADER START
|
|
|
|
*
|
|
|
|
* The contents of this file are subject to the terms of the
|
|
|
|
* Common Development and Distribution License (the "License").
|
|
|
|
* You may not use this file except in compliance with the License.
|
|
|
|
*
|
|
|
|
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
|
|
|
|
* or http://www.opensolaris.org/os/licensing.
|
|
|
|
* See the License for the specific language governing permissions
|
|
|
|
* and limitations under the License.
|
|
|
|
*
|
|
|
|
* When distributing Covered Code, include this CDDL HEADER in each
|
|
|
|
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
|
|
|
|
* If applicable, add the following below this CDDL HEADER, with the
|
|
|
|
* fields enclosed by brackets "[]" replaced with your own identifying
|
|
|
|
* information: Portions Copyright [yyyy] [name of copyright owner]
|
|
|
|
*
|
|
|
|
* CDDL HEADER END
|
|
|
|
*/
|
|
|
|
/*
|
2010-05-28 20:45:14 +00:00
|
|
|
* Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
|
2016-12-16 22:11:29 +00:00
|
|
|
* Copyright (c) 2012, 2017 by Delphix. All rights reserved.
|
2015-04-01 13:07:48 +00:00
|
|
|
* Copyright (c) 2014, Joyent, Inc. All rights reserved.
|
2015-04-02 03:44:32 +00:00
|
|
|
* Copyright (c) 2014 Spectra Logic Corporation, All rights reserved.
|
2008-11-20 20:01:55 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef _SYS_DSL_DIR_H
|
|
|
|
#define _SYS_DSL_DIR_H
|
|
|
|
|
|
|
|
#include <sys/dmu.h>
|
|
|
|
#include <sys/dsl_pool.h>
|
|
|
|
#include <sys/dsl_synctask.h>
|
|
|
|
#include <sys/refcount.h>
|
|
|
|
#include <sys/zfs_context.h>
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
#include <sys/dsl_crypt.h>
|
2008-11-20 20:01:55 +00:00
|
|
|
|
|
|
|
#ifdef __cplusplus
|
|
|
|
extern "C" {
|
|
|
|
#endif
|
|
|
|
|
|
|
|
struct dsl_dataset;
|
|
|
|
|
2015-04-01 13:07:48 +00:00
|
|
|
/*
|
|
|
|
* DD_FIELD_* are strings that are used in the "extensified" dsl_dir zap object.
|
|
|
|
* They should be of the format <reverse-dns>:<field>.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#define DD_FIELD_FILESYSTEM_COUNT "com.joyent:filesystem_count"
|
|
|
|
#define DD_FIELD_SNAPSHOT_COUNT "com.joyent:snapshot_count"
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
#define DD_FIELD_CRYPTO_KEY_OBJ "com.datto:crypto_key_obj"
|
2015-04-01 13:07:48 +00:00
|
|
|
|
2008-12-03 20:09:06 +00:00
|
|
|
typedef enum dd_used {
|
|
|
|
DD_USED_HEAD,
|
|
|
|
DD_USED_SNAP,
|
|
|
|
DD_USED_CHILD,
|
|
|
|
DD_USED_CHILD_RSRV,
|
|
|
|
DD_USED_REFRSRV,
|
|
|
|
DD_USED_NUM
|
|
|
|
} dd_used_t;
|
|
|
|
|
|
|
|
#define DD_FLAG_USED_BREAKDOWN (1<<0)
|
|
|
|
|
2008-11-20 20:01:55 +00:00
|
|
|
typedef struct dsl_dir_phys {
|
|
|
|
uint64_t dd_creation_time; /* not actually used */
|
|
|
|
uint64_t dd_head_dataset_obj;
|
|
|
|
uint64_t dd_parent_obj;
|
|
|
|
uint64_t dd_origin_obj;
|
|
|
|
uint64_t dd_child_dir_zapobj;
|
|
|
|
/*
|
|
|
|
* how much space our children are accounting for; for leaf
|
|
|
|
* datasets, == physical space used by fs + snaps
|
|
|
|
*/
|
|
|
|
uint64_t dd_used_bytes;
|
|
|
|
uint64_t dd_compressed_bytes;
|
|
|
|
uint64_t dd_uncompressed_bytes;
|
|
|
|
/* Administrative quota setting */
|
|
|
|
uint64_t dd_quota;
|
|
|
|
/* Administrative reservation setting */
|
|
|
|
uint64_t dd_reserved;
|
|
|
|
uint64_t dd_props_zapobj;
|
|
|
|
uint64_t dd_deleg_zapobj; /* dataset delegation permissions */
|
2008-12-03 20:09:06 +00:00
|
|
|
uint64_t dd_flags;
|
|
|
|
uint64_t dd_used_breakdown[DD_USED_NUM];
|
2010-05-28 20:45:14 +00:00
|
|
|
uint64_t dd_clones; /* dsl_dir objects */
|
|
|
|
uint64_t dd_pad[13]; /* pad out to 256 bytes for good measure */
|
2008-11-20 20:01:55 +00:00
|
|
|
} dsl_dir_phys_t;
|
|
|
|
|
|
|
|
struct dsl_dir {
|
2015-04-02 03:44:32 +00:00
|
|
|
dmu_buf_user_t dd_dbu;
|
|
|
|
|
2008-11-20 20:01:55 +00:00
|
|
|
/* These are immutable; no lock needed: */
|
|
|
|
uint64_t dd_object;
|
Native Encryption for ZFS on Linux
This change incorporates three major pieces:
The first change is a keystore that manages wrapping
and encryption keys for encrypted datasets. These
commands mostly involve manipulating the new
DSL Crypto Key ZAP Objects that live in the MOS. Each
encrypted dataset has its own DSL Crypto Key that is
protected with a user's key. This level of indirection
allows users to change their keys without re-encrypting
their entire datasets. The change implements the new
subcommands "zfs load-key", "zfs unload-key" and
"zfs change-key" which allow the user to manage their
encryption keys and settings. In addition, several new
flags and properties have been added to allow dataset
creation and to make mounting and unmounting more
convenient.
The second piece of this patch provides the ability to
encrypt, decyrpt, and authenticate protected datasets.
Each object set maintains a Merkel tree of Message
Authentication Codes that protect the lower layers,
similarly to how checksums are maintained. This part
impacts the zio layer, which handles the actual
encryption and generation of MACs, as well as the ARC
and DMU, which need to be able to handle encrypted
buffers and protected data.
The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being
compromised.
Reviewed by: Matthew Ahrens <mahrens@delphix.com>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Jorgen Lundman <lundman@lundman.net>
Signed-off-by: Tom Caputi <tcaputi@datto.com>
Closes #494
Closes #5769
2017-08-14 17:36:48 +00:00
|
|
|
uint64_t dd_crypto_obj;
|
2008-11-20 20:01:55 +00:00
|
|
|
dsl_pool_t *dd_pool;
|
|
|
|
|
2015-04-01 15:14:34 +00:00
|
|
|
/* Stable until user eviction; no lock needed: */
|
|
|
|
dmu_buf_t *dd_dbuf;
|
|
|
|
|
2008-11-20 20:01:55 +00:00
|
|
|
/* protected by lock on pool's dp_dirty_dirs list */
|
|
|
|
txg_node_t dd_dirty_link;
|
|
|
|
|
|
|
|
/* protected by dp_config_rwlock */
|
|
|
|
dsl_dir_t *dd_parent;
|
|
|
|
|
|
|
|
/* Protected by dd_lock */
|
|
|
|
kmutex_t dd_lock;
|
2015-11-04 23:00:58 +00:00
|
|
|
list_t dd_props; /* list of dsl_prop_record_t's */
|
2018-06-20 04:51:18 +00:00
|
|
|
inode_timespec_t dd_snap_cmtime; /* last snapshot namespace change */
|
2010-05-28 20:45:14 +00:00
|
|
|
uint64_t dd_origin_txg;
|
2008-11-20 20:01:55 +00:00
|
|
|
|
|
|
|
/* gross estimate of space used by in-flight tx's */
|
|
|
|
uint64_t dd_tempreserved[TXG_SIZE];
|
|
|
|
/* amount of space we expect to write; == amount of dirty data */
|
|
|
|
int64_t dd_space_towrite[TXG_SIZE];
|
|
|
|
|
|
|
|
/* protected by dd_lock; keep at end of struct for better locality */
|
2016-06-15 21:28:36 +00:00
|
|
|
char dd_myname[ZFS_MAX_DATASET_NAME_LEN];
|
2008-11-20 20:01:55 +00:00
|
|
|
};
|
|
|
|
|
2015-04-01 15:14:34 +00:00
|
|
|
static inline dsl_dir_phys_t *
|
|
|
|
dsl_dir_phys(dsl_dir_t *dd)
|
|
|
|
{
|
|
|
|
return (dd->dd_dbuf->db_data);
|
|
|
|
}
|
|
|
|
|
2013-09-04 12:00:57 +00:00
|
|
|
void dsl_dir_rele(dsl_dir_t *dd, void *tag);
|
2015-04-02 03:44:32 +00:00
|
|
|
void dsl_dir_async_rele(dsl_dir_t *dd, void *tag);
|
2013-09-04 12:00:57 +00:00
|
|
|
int dsl_dir_hold(dsl_pool_t *dp, const char *name, void *tag,
|
|
|
|
dsl_dir_t **, const char **tail);
|
|
|
|
int dsl_dir_hold_obj(dsl_pool_t *dp, uint64_t ddobj,
|
2008-11-20 20:01:55 +00:00
|
|
|
const char *tail, void *tag, dsl_dir_t **);
|
|
|
|
void dsl_dir_name(dsl_dir_t *dd, char *buf);
|
|
|
|
int dsl_dir_namelen(dsl_dir_t *dd);
|
2008-12-03 20:09:06 +00:00
|
|
|
uint64_t dsl_dir_create_sync(dsl_pool_t *dp, dsl_dir_t *pds,
|
|
|
|
const char *name, dmu_tx_t *tx);
|
2018-02-08 16:16:23 +00:00
|
|
|
|
|
|
|
uint64_t dsl_dir_get_used(dsl_dir_t *dd);
|
2016-12-16 22:11:29 +00:00
|
|
|
uint64_t dsl_dir_get_compressed(dsl_dir_t *dd);
|
2018-02-08 16:16:23 +00:00
|
|
|
uint64_t dsl_dir_get_quota(dsl_dir_t *dd);
|
|
|
|
uint64_t dsl_dir_get_reservation(dsl_dir_t *dd);
|
|
|
|
uint64_t dsl_dir_get_compressratio(dsl_dir_t *dd);
|
|
|
|
uint64_t dsl_dir_get_logicalused(dsl_dir_t *dd);
|
|
|
|
uint64_t dsl_dir_get_usedsnap(dsl_dir_t *dd);
|
|
|
|
uint64_t dsl_dir_get_usedds(dsl_dir_t *dd);
|
|
|
|
uint64_t dsl_dir_get_usedrefreserv(dsl_dir_t *dd);
|
|
|
|
uint64_t dsl_dir_get_usedchild(dsl_dir_t *dd);
|
|
|
|
void dsl_dir_get_origin(dsl_dir_t *dd, char *buf);
|
|
|
|
int dsl_dir_get_filesystem_count(dsl_dir_t *dd, uint64_t *count);
|
|
|
|
int dsl_dir_get_snapshot_count(dsl_dir_t *dd, uint64_t *count);
|
|
|
|
|
2008-11-20 20:01:55 +00:00
|
|
|
void dsl_dir_stats(dsl_dir_t *dd, nvlist_t *nv);
|
|
|
|
uint64_t dsl_dir_space_available(dsl_dir_t *dd,
|
|
|
|
dsl_dir_t *ancestor, int64_t delta, int ondiskonly);
|
|
|
|
void dsl_dir_dirty(dsl_dir_t *dd, dmu_tx_t *tx);
|
|
|
|
void dsl_dir_sync(dsl_dir_t *dd, dmu_tx_t *tx);
|
|
|
|
int dsl_dir_tempreserve_space(dsl_dir_t *dd, uint64_t mem,
|
OpenZFS 7793 - ztest fails assertion in dmu_tx_willuse_space
Reviewed by: Steve Gonczi <steve.gonczi@delphix.com>
Reviewed by: George Wilson <george.wilson@delphix.com>
Reviewed by: Pavel Zakharov <pavel.zakharov@delphix.com>
Ported-by: Brian Behlendorf <behlendorf1@llnl.gov>
Background information: This assertion about tx_space_* verifies that we
are not dirtying more stuff than we thought we would. We “need” to know
how much we will dirty so that we can check if we should fail this
transaction with ENOSPC/EDQUOT, in dmu_tx_assign(). While the
transaction is open (i.e. between dmu_tx_assign() and dmu_tx_commit() —
typically less than a millisecond), we call dbuf_dirty() on the exact
blocks that will be modified. Once this happens, the temporary
accounting in tx_space_* is unnecessary, because we know exactly what
blocks are newly dirtied; we call dnode_willuse_space() to track this
more exact accounting.
The fundamental problem causing this bug is that dmu_tx_hold_*() relies
on the current state in the DMU (e.g. dn_nlevels) to predict how much
will be dirtied by this transaction, but this state can change before we
actually perform the transaction (i.e. call dbuf_dirty()).
This bug will be fixed by removing the assertion that the tx_space_*
accounting is perfectly accurate (i.e. we never dirty more than was
predicted by dmu_tx_hold_*()). By removing the requirement that this
accounting be perfectly accurate, we can also vastly simplify it, e.g.
removing most of the logic in dmu_tx_count_*().
The new tx space accounting will be very approximate, and may be more or
less than what is actually dirtied. It will still be used to determine
if this transaction will put us over quota. Transactions that are marked
by dmu_tx_mark_netfree() will be excepted from this check. We won’t make
an attempt to determine how much space will be freed by the transaction
— this was rarely accurate enough to determine if a transaction should
be permitted when we are over quota, which is why dmu_tx_mark_netfree()
was introduced in 2014.
We also won’t attempt to give “credit” when overwriting existing blocks,
if those blocks may be freed. This allows us to remove the
do_free_accounting logic in dbuf_dirty(), and associated routines. This
logic attempted to predict what will be on disk when this txg syncs, to
know if the overwritten block will be freed (i.e. exists, and has no
snapshots).
OpenZFS-issue: https://www.illumos.org/issues/7793
OpenZFS-commit: https://github.com/openzfs/openzfs/commit/3704e0a
Upstream bugs: DLPX-32883a
Closes #5804
Porting notes:
- DNODE_SIZE replaced with DNODE_MIN_SIZE in dmu_tx_count_dnode(),
Using the default dnode size would be slightly better.
- DEBUG_DMU_TX wrappers and configure option removed.
- Resolved _by_dnode() conflicts these changes have not yet been
applied to OpenZFS.
2017-03-07 17:51:59 +00:00
|
|
|
uint64_t asize, boolean_t netfree, void **tr_cookiep, dmu_tx_t *tx);
|
2008-11-20 20:01:55 +00:00
|
|
|
void dsl_dir_tempreserve_clear(void *tr_cookie, dmu_tx_t *tx);
|
|
|
|
void dsl_dir_willuse_space(dsl_dir_t *dd, int64_t space, dmu_tx_t *tx);
|
2008-12-03 20:09:06 +00:00
|
|
|
void dsl_dir_diduse_space(dsl_dir_t *dd, dd_used_t type,
|
2008-11-20 20:01:55 +00:00
|
|
|
int64_t used, int64_t compressed, int64_t uncompressed, dmu_tx_t *tx);
|
2008-12-03 20:09:06 +00:00
|
|
|
void dsl_dir_transfer_space(dsl_dir_t *dd, int64_t delta,
|
|
|
|
dd_used_t oldtype, dd_used_t newtype, dmu_tx_t *tx);
|
2010-05-28 20:45:14 +00:00
|
|
|
int dsl_dir_set_quota(const char *ddname, zprop_source_t source,
|
|
|
|
uint64_t quota);
|
|
|
|
int dsl_dir_set_reservation(const char *ddname, zprop_source_t source,
|
|
|
|
uint64_t reservation);
|
2015-04-01 13:07:48 +00:00
|
|
|
int dsl_dir_activate_fs_ss_limit(const char *);
|
|
|
|
int dsl_fs_ss_limit_check(dsl_dir_t *, uint64_t, zfs_prop_t, dsl_dir_t *,
|
|
|
|
cred_t *);
|
|
|
|
void dsl_fs_ss_count_adjust(dsl_dir_t *, int64_t, const char *, dmu_tx_t *);
|
2013-09-04 12:00:57 +00:00
|
|
|
int dsl_dir_rename(const char *oldname, const char *newname);
|
2015-04-01 13:07:48 +00:00
|
|
|
int dsl_dir_transfer_possible(dsl_dir_t *sdd, dsl_dir_t *tdd,
|
|
|
|
uint64_t fs_cnt, uint64_t ss_cnt, uint64_t space, cred_t *);
|
2008-12-03 20:09:06 +00:00
|
|
|
boolean_t dsl_dir_is_clone(dsl_dir_t *dd);
|
|
|
|
void dsl_dir_new_refreservation(dsl_dir_t *dd, struct dsl_dataset *ds,
|
|
|
|
uint64_t reservation, cred_t *cr, dmu_tx_t *tx);
|
2010-05-28 20:45:14 +00:00
|
|
|
void dsl_dir_snap_cmtime_update(dsl_dir_t *dd);
|
2018-06-20 04:51:18 +00:00
|
|
|
inode_timespec_t dsl_dir_snap_cmtime(dsl_dir_t *dd);
|
2013-09-04 12:00:57 +00:00
|
|
|
void dsl_dir_set_reservation_sync_impl(dsl_dir_t *dd, uint64_t value,
|
|
|
|
dmu_tx_t *tx);
|
2015-04-01 13:07:48 +00:00
|
|
|
void dsl_dir_zapify(dsl_dir_t *dd, dmu_tx_t *tx);
|
|
|
|
boolean_t dsl_dir_is_zapified(dsl_dir_t *dd);
|
2008-11-20 20:01:55 +00:00
|
|
|
|
|
|
|
/* internal reserved dir name */
|
|
|
|
#define MOS_DIR_NAME "$MOS"
|
2008-12-03 20:09:06 +00:00
|
|
|
#define ORIGIN_DIR_NAME "$ORIGIN"
|
2010-05-28 20:45:14 +00:00
|
|
|
#define FREE_DIR_NAME "$FREE"
|
2014-06-05 21:20:08 +00:00
|
|
|
#define LEAK_DIR_NAME "$LEAK"
|
2008-11-20 20:01:55 +00:00
|
|
|
|
|
|
|
#ifdef ZFS_DEBUG
|
|
|
|
#define dprintf_dd(dd, fmt, ...) do { \
|
|
|
|
if (zfs_flags & ZFS_DEBUG_DPRINTF) { \
|
2016-06-15 21:28:36 +00:00
|
|
|
char *__ds_name = kmem_alloc(ZFS_MAX_DATASET_NAME_LEN, KM_SLEEP); \
|
2008-11-20 20:01:55 +00:00
|
|
|
dsl_dir_name(dd, __ds_name); \
|
|
|
|
dprintf("dd=%s " fmt, __ds_name, __VA_ARGS__); \
|
2016-06-15 21:28:36 +00:00
|
|
|
kmem_free(__ds_name, ZFS_MAX_DATASET_NAME_LEN); \
|
2008-11-20 20:01:55 +00:00
|
|
|
} \
|
|
|
|
_NOTE(CONSTCOND) } while (0)
|
|
|
|
#else
|
|
|
|
#define dprintf_dd(dd, fmt, ...)
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifdef __cplusplus
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#endif /* _SYS_DSL_DIR_H */
|