lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <200803050129.43172.phillips@phunq.net>
Date:	Wed, 5 Mar 2008 01:29:42 -0800
From:	Daniel Phillips <phillips@...nq.net>
To:	linux-kernel@...r.kernel.org
Cc:	dm-devel@...hat.com
Subject: [RFC] An alternative interface to device mapper

Q: If you have an axe with a rusty head and a rotten handle, how do you 
repair it?

A: It is a two step process.  First you replace the handle, then you 
replace the head.

At one time, volume management on Linux was new and shiny.  Today it has 
fallen well behind Sun, FreeBSD, NetApp and even Microsoft.  In order 
to avoid losing even more of the storage "market" than we have already 
lost, we must make a concerted effort to catch up with the state of the 
art, or ideally take the lead as has proved possible with so many other 
aspects of Linux.

This RFC is about replacing the handle of our not-so-shiny LVM axe.  
Design goals for this alternative "ddsetup" interface are:

  * Convenient to embed in a C program
  * Make it simple enough that a library is unnecessary
  * Support for creating detailed, accurate error messages
  * Error messages delivered to caller rather than logged
  * Naturally extensible as new requirements emerge
  * 32 bit ABI works on 64 bit kernel without translation
  * Avoid bad API practices identified by [ARND 07]
  * Do not break the existing ioctl interface

The patch below includes a new kernel interface generator called ddlink.  
The ddsetup device mapper interface is an instance of a ddlink 
interface, instantiated by supplying domain-specific methods for read, 
write, ioctl and poll.

In more detail: ddlink is a generic pipe-like interface for controlling 
device drivers.  It was inspired by Trond's venerable and successful 
rpc-pipefs, which he invented to control various aspects of NFS server 
and client operation.  ddlink takes the form of a virtual filesystem 
with no namespace.  It provides application programs with fd objects 
that can be read, written, ioctled and polled, suitable for efficient 
binary communication with kernel components.  Read, write and poll 
operations act similarly to a pipe.  Unlike a pipe, there is no write 
buffering.  Each write to a ddlink directly triggers some kernel 
handler.  Reads are buffered via an output queue of ddlink "items", each 
of which is an unrestricted blob.  Ioctls on ddlinks are unrestricted 
and the ioctl command space is unpolluted.

There are no partial reads on ddlinks.  A read call either provides 
enough space to hold the next outbound kernel item or EIO is triggered, 
meaning "make your buffer bigger and try again".  In practice this 
arrangement takes the onus off the userspace program to buffer partial 
reads in order to reassemble input that would otherwise be brutally 
dismembered.  As a bonus, the kernel code for ddlink is considerably 
simplified versus Trond's rpc-pipefs precursor.

Unlike a pipe, there is no waiting for input on a ddlink: if there is 
nothing to read then the read returns immediately with zero length.  If 
some other behavior is desired it can be obtained using poll.

There is a simple framework to provide for generalized allocation and 
destruction of dditems, the internal transaction unit for a ddlink.  
Finally, there is a small library of helper funcations that are useful 
for creating domain-specific ddlink interfaces.  The core code for 
ddlink is about 150 lines of lindented C, plus 100 lines of library 
functions and a header file that has already ballooned to the 
intimidating size of 50 lines.  In other words, ddlink is about as 
light and tight as an interface gets.  It is also highly efficient, 
flexible and extensible, and requires very little boilerplate code.

I do not know whether the lack of a ddlink namespace is a bug or a 
feature.  In current usage, a ddlink fd is delivered to an application 
program by some out of band means.  For example, to get a ddsetup ddlink 
to control device mapper, you ioctl /dev/mapper/control.  Makes sense? 
One can imagine many other methods of obtaining a ddlink, for example, 
by reading a fd number in ascii from a sysfs file (gah).  In practice, 
lacking a namespace feels more like a feature than a bug.

A quick tour of the ddlink library:

int ddlink(struct file_operations *fops,
	void *(*create)(struct ddinode *dd, void *info), void *info)

   Create a new ddlink fd that will use the supplied file operations.
   An optional create method may be supplied and arbitrary state 
   information supplied via "info".  (I am not sure why I set up the
   create as a callback, but I do recall that when I tried to do it
   otherwise, conciseness of usage was degraded.  I might revisit this
   detail.)

void ddlink_queue(struct ddinode *dd, struct dditem *item)

   Queue an output data item onto the tail of the output queue.

void ddlink_push(struct ddinode *dd, struct dditem *item)

   Push an output data item onto the head of the output queue.  Useful
   for error messages or transaction-type calls that can return data
   without disturbing any preexisting queue contents

struct dditem *ddlink_pop(struct ddinode *dd)

   Remove a data item from the front of the queue

struct dditem *dditem_new(struct ddinode *dd, size_t size)

   Create a new dditem with the indicated data size, whose char data
   area is available as item->data

void ddlink_clear(struct ddinode *dd)

   Destroy all queued data items

int ddlink_ready(struct ddinode *dd)

   Returns true if the ddlink queue is nonempty

unsigned ddlink_poll(struct file *file, poll_table *table)

   A simple poll method that only supports polling for input,
   nearly always just what is needed

int ddlink_error(struct ddinode *dd, int err, const char *fmt, ...)

   Format and push an error item onto the queue so that the error
   text will be retrieved by the next read from the ddlink

So that is ddlink, short and sweet.  Only a couple of trivial glue 
functions were omitted.  The remainder of this note is about ddsetup, 
which is the single extant example of a ddlink interface.

Device Mapper is actually a lot more capable than most people know.  
Each device mapper device consists of two layers: the virtual device 
exposed to applications, and an underlying table of "target devices", 
each of which is effectively a virtual block device in itself.

The "map" part of device mapper is about translating each bio directed 
at the virtual device into one or more bio transfers to some contiguous 
subset of the underlying device table.  In addition, device mapper 
implements stacking, whereby additional layers of virtual devices can 
be inserted into an existing top level virtual device while that device 
remains open and in use.  Details of how this is accomplished are 
surprisingly simple, but outside the scope of today's note.  The 
important thing here is to get a sense of just how rich the device 
mapper interface needs to be in order to expose the full range of 
device mapper capabilities to application programs.

Device mapper is currently exposed to userland via a stupifyingly 
complex interface, in which 16 different device mapper subfunctions are 
multiplexed via ioctls through one grand unified parameter structure.  
This interface has proved so unwieldy that exactly one userspace program 
uses it, namely libdevmapper.  Unfortunately, libdevmapper brings its 
own oddly structured interface to the party, in which a series of ioctl 
calls is recast as a "task", a thoroughly unsuccessful abstraction.  As 
far as I know, the libdevmapper interface is only used by three 
userspace programs: dmsetup, lvm2 and cryptsetup.  There may be others, 
but the point is, if this interface were well suited to its task then 
there would be lots of programs using it by now.  Instead nearly all 
device mapper usage continues to be scripted via dmsetup or (less 
commonly) lvm2 commands, or carried out manually using the lvm2 
interactive interface.

This many years into the effort we ought to be slicing and dicing 
volumes as second nature, changing configuration on the fly, 
transparently expanding, shrinking and migrating filesystems, and many 
other things that ZFS and GEOM are already doing and we are not.  It is 
not so much that device mapper is incapable of such fancy tricks, but 
that we have taken a very powerful kernel subsystem and hobbled it with 
a nearly unusable application interface.  Think about a jet turbine 
racecar with a two inch air intake.

So here I have attempted to create a granular interface to expose the 
same functionality as the existing device mapper ioctl interface does, 
but in a transparent and easy enough way that no library is required, 
and concise enough that when you need to, you can realistically embed
your lvm operations inline in a C program.

The ddsetup design does not abandon ioctls entirely.  Though ddlink is 
perfectly capable of implementing the entire interface via rpc-like 
write and read calls with function codes included in-line, this style 
does not map well onto the expressive capabilities of C.  A mix of 
writes and ioctls ended up looking better on the page and is easier to 
write.

In general, ddsetup uses write calls for variable length data and ioctls 
for fixed length structures.  One could also say: writes for data and 
ioctl commands for, ahem, commands.

There is a little state machine inside a ddsetup fd that keeps track of 
where you are in midst of a complex call sequence, particularly the 
device create sequence.  Using ddsetup, you push strings onto a stack 
with write calls and turn the strings into more complex objects using 
ioctls.  If you make a mistake and get a -1 error return from any
of the calls, you can then read from the ddlink to get a text 
description of what went wrong, complete with message formatting 
courtesy of the ddlink_error convenience function.

For example, given a ddsetup fd named dd:

   ioctl(dd, DMTABLE, &(struct ddtable){ .targets = 1 });
   write(dd, "linear", 6);
   write(dd, "/dev/hda5", 9);
   write(dd, "1234", 4);
   ioctl(dd, DMTARGET, &(struct ddtarget){ .sectors = 10000 });
   write(dd, "foo", 3);
   ioctl(dd, DMCREATE);
   read(dd, &result, sizeof(result));

Leaving out error handling for clarity, this creates a 10,000 sector 
virtual device named "foo" which is a linear mapping of hda5 starting 
at sector offset 1234, equivalent to the shell command:

   echo 0 10000 linear /dev/ubdb 1234 | dmsetup create foo

Except that we did not use the shell, or a library, just a header file 
to name the ioctl commands and provide some simple interface structs.
(Actually, the example above is more complex than necessary. I do not 
think the .targets field serves any useful purpose, and I will make it 
go away soon.)

Reflecting device mapper's table structured arrangement, the sequence 
from the "linear" write to the DMTARGET ioctl may be repeated 
arbitrarily many times to build up a complex mapping.  In fact, this is 
how device mapper maps extents from an lvm partition to your 
lvm "partitions".  Easy, no?  Well it is when written as above.

Such mappings are not restricted to linear targets.  Some fancy mappings 
have linear targets at each end and a temporary mirror of two devices 
in the middle.  This is how lvm2 implements pvmove, its clever ability 
to relocate physical targets of a virtual device while the device is 
running.  Powerful, and practically unknown to most Linux users.  
According to me, that is because it is hard to write programs to drive 
such functionality.  As a result, when Linux users do it, they do it by 
hand.  Solaris users are having a party with this kind of thing, and 
laughing at us.  Really.

There is not a lot more to say about ddsetup, which is actually the 
point.  It is pretty obvious how to use it, and how it is implemented.  
I did have to do some pretty serious spelunking in dm-ioctl.c to ferret 
out the bits of device mapper that do the actual work, in some cases 
having to go pretty deep to work past dependencies on the monolithic 
ioctl interface struct.  Some header files needed to be rearranged, 
arguably into the form they should have taken in the first place.  
There are some needlessly strange object lifetime rules to deal with 
internally, but otherwise this was a pretty straightforward romp.

An early version of this code was shown to Eric Biederman and Alasdair 
Kergon at OLS last year.  After taking all the C99 bits out, I managed 
to convince Eric and others to actually read the examples.  Let us now 
see if the (positive) reaction I observed at that time survives wider 
scrutiny.

A diffstat for ddlink and ddsetup together:

 Documentation/ioctl-number.txt |    1
 block/ll_rw_blk.c              |    2
 drivers/Makefile               |    1
 drivers/ddlink.c               |  294 ++++++++++++++++++++
 drivers/md/Makefile            |    1
 drivers/md/dm-ioctl.c          |  593 ++++++++++++++++++++++++++++++++++++++---
 drivers/md/dm-table.c          |   52 ---
 drivers/md/dm.c                |   53 ---
 drivers/md/dm.h                |   78 +++++
 include/linux/ddlink.h         |   41 ++
 include/linux/ddsetup.h        |   36 ++
 include/linux/device-mapper.h  |   37 ++
 12 files changed, 1056 insertions(+), 133 deletions(-)

Currently, this implements a majority of the device mapper interface 
calls, but not all of them, so expect another hundred or two lines 
before completion.  This is still significantly less code than the 
original ioctl interface (which is still in there) and much clearer.

I have written two example programs, ddsetup.c and ddcreate.c.  The 
former aims to be a drop-in replacement for dmsetup.c and the latter 
implements a (useful) demonstration command that creates a virtual 
device consisting of a single device mapper target, with all target 
parameters supplied on the command line.

For example:

   ddcreate foo 10000 linear /dev/ubdb 1234

ddcreate is 71 lines long including plenty of whitespace, while being 
quite general.  My message is about the 71 lines.

So who uses this ddsetup today?  Answer: nobody.  Better answer: the 
ddsnap cluster snapshot driver has a usability problem because of its 
reliance on PF_LOCAL sockets to glue components together.  Filesystem 
based sockets were adopted for the component glue because it is hard to 
do anything more elegant working with the command line device mapper 
setup utility.  We looked at hacking the device mapper ioctl interface 
to do what we needed, but then if we were willing to go that far then 
why not just drop the other shoe and improve the userspace interface to 
the point where it is actually pleasant to use, and maintainable too?  
This is how ddsetup was born.

The next thing we need to do with this interface is demonstrate a solid 
use case by adopting it on an experimental branch of zumastor.  I 
expect both ddsnap and zumastor systems to shrink as a result, 
including significantly shrinking the documentation.  This has not yet 
been done yet, and until it is, this effort deserves to be firmly 
relegated to the "nice but so what" category.  So, profound thanks to 
you, dear reader, for having had the stamina to read all the way to 
here, and we will see you here again after having eaten this delicious 
new dogfood ourselves.

http://code.google.com/p/zumastor/source/browse/www/ddsetup/ddsetup-2.6.23.12
http://code.google.com/p/zumastor/source/browse/www/ddsetup/ddsetup.c
http://code.google.com/p/zumastor/source/browse/www/ddsetup/ddcreate.c

[ARND 07] How to not invent kernel interfaces, Arnd Bergmann, 
   arnd@...db.de, July 31, 2007
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ