From patchwork Thu Jun 1 17:01:54 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amir Goldstein X-Patchwork-Id: 9760551 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id B92ED60363 for ; Thu, 1 Jun 2017 17:01:55 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 929F9284C3 for ; Thu, 1 Jun 2017 17:01:55 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 877D6284F5; Thu, 1 Jun 2017 17:01:55 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1EEE3284DA for ; Thu, 1 Jun 2017 17:01:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751842AbdFARBx (ORCPT ); Thu, 1 Jun 2017 13:01:53 -0400 Received: from mail-wm0-f66.google.com ([74.125.82.66]:35128 "EHLO mail-wm0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751770AbdFARBs (ORCPT ); Thu, 1 Jun 2017 13:01:48 -0400 Received: by mail-wm0-f66.google.com with SMTP id g15so12826028wmc.2; Thu, 01 Jun 2017 10:01:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=GMw9PWOapdCxutXzQDf6R8kYIrRJyz5BrpkTD+hEbCs=; b=mshfb7dqrF/cZL7RzTY/pcNlrFdlngBg27sEMjcabxL5nCU5m6VqvIx/zzbGocCY/n Os5KL5J8Cfnvc+k51GOcwNeoZOEkzTGKBIKb/smHtePKdw0KPR/m8EY725f7HGjAknD+ d/zjKqH2kpp/h3sRe6prOhYG2FOrE+ZNQisEcARw60pLqP3WOFYUI2F+6UbMlkqvdRlm +DGKq+E4NZjYNg7kqiYc+ad8KpjAHwq5wzuVcKtx/uvoPKZPZUSJUtUDQ62c8oo96uH+ FMW20HbqVN/OkmFGD2QTy6RuY+by5bPaOzsSLkkzDRkIwzJSTNG0dvlKQ1ovpPvIELz9 sj+A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=GMw9PWOapdCxutXzQDf6R8kYIrRJyz5BrpkTD+hEbCs=; b=LcllS4kSjStGKN22gQpgxLsKh3SY1RPyIx8k+uudrrlbVZiawFFy4nhok0C89kDWsX mBWMlH9kf6XWxbgIR6e/jsqSdoMKXk/7HtrWRHo/PI4XLFeZ4yxAh3KhezgCbXud9tRB rfUQ4Zk+DAPv93zQo5wG7qP6vDwRRyNGhBB6/IHKM4Kc2o5A1BeU+LQpAQGgLVQf71Cx 1wUgkNU4894fGbXPQlEUwkEcbBZM91RoKHKV8f6WUpVTBn0vZTRuSkmly8IocJHUGqHm vmUxpT4L+ORGNmLDUVdA4VuMGI7BxGT3iJ+mdc6hDG6oP78VJjjRBzfmahZy1+TdKszw h5JA== X-Gm-Message-State: AODbwcBq+1kMbg8C7fxb1SRNNCRDW6EJDJjQ+a67Pbtm4YT4c6s2/kux qAs9knSfjMzsGwlf X-Received: by 10.223.160.219 with SMTP id n27mr2417859wrn.198.1496336505728; Thu, 01 Jun 2017 10:01:45 -0700 (PDT) Received: from amir-VirtualBox.ctera.local (bzq-166-168-31-246.red.bezeqint.net. [31.168.166.246]) by smtp.gmail.com with ESMTPSA id v45sm25964354wrb.68.2017.06.01.10.01.44 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 01 Jun 2017 10:01:45 -0700 (PDT) From: Amir Goldstein To: Miklos Szeredi Cc: Al Viro , linux-unionfs@vger.kernel.org, linux-fsdevel@vger.kernel.org Subject: [PATCH v2 5/5] ovl: document the 'verify_lower' feature Date: Thu, 1 Jun 2017 20:01:54 +0300 Message-Id: <1496336514-11000-6-git-send-email-amir73il@gmail.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1496336514-11000-1-git-send-email-amir73il@gmail.com> References: <1496336514-11000-1-git-send-email-amir73il@gmail.com> Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The 'verify_lower' feature provides the following: 1. Verify on mount that upper root origin matches lower root 2. Verify on lookup that upper dir origin matches lower dir The feature is needed for upcoming overlayfs features: - Prevent breaking hardlinks on copy up - NFS export support - Overlayfs snapshots Signed-off-by: Amir Goldstein --- Documentation/filesystems/overlayfs.txt | 48 +++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/Documentation/filesystems/overlayfs.txt b/Documentation/filesystems/overlayfs.txt index c9e884b52698..e82c4fb4871d 100644 --- a/Documentation/filesystems/overlayfs.txt +++ b/Documentation/filesystems/overlayfs.txt @@ -201,6 +201,40 @@ rightmost one and going left. In the above example lower1 will be the top, lower2 the middle and lower3 the bottom layer. +Sharing and copying layers +-------------------------- + +Lower layers may be shared among several overlay mounts and that is indeed +a very common practice. An overlay mounts may use the same lower layer +path as another overlay mount and it may use a lower layer path that is +beneath or above the path of another overlay lower layer path. + +Using an upper layer path and/or a workdir path that are already used by +another overlay mount is not allowed and will fail with EBUSY. Using +partially overlapping paths is not allowed but will not fail with EBUSY. + +Mounting an overlay using an upper layer path, where the upper layer path +was previously used by another mounted overlay in combination with a +different lower layer path, is allowed, unless the "verify_lower" mount +option is used. + +With the "verify_lower" feature, on the first time mount, an NFS file +handle of the lower layer root directory, along with the UUID of the lower +filesystem, are encoded and stored in the "trusted.overlay.origin" extended +attribute on the upper layer root directory. On subsequent mount attempts, +the lower root directory file handle and lower filesystem UUID are compared +to the stored origin in upper root directory. On failure to verify the +lower root origin, mount will fail with ESTALE. A "verify_lower" mount +will fail with EOPNOTSUPP if the lower filesystem does not support NFS +export, lower filesystem does not have a valid UUID or if the upper +filesystem does not support extended attributes. + +It is quite a common practice to copy overlay layers to a different +directory tree on the same or different underlying filesystem, and even +to a different machine. With the "verify_lower" feature, trying to mount +the copied layers will fail the verification of the lower root file handle. + + Non-standard behavior --------------------- @@ -228,6 +262,20 @@ filesystem are not allowed. If the underlying filesystem is changed, the behavior of the overlay is undefined, though it will not result in a crash or deadlock. +When the lower filesystem supports NFS export, overlay mount can be made +more resilient to offline and online changes of the underlying lower layer. +On every copy_up, an NFS file handle of the lower inode, along with the +UUID of the lower filesystem, are encoded and stored in an extended +attribute "trusted.overlay.origin" on the upper inode. + +With the "verify_lower" feature, a lookup of a merged directory, that found +a lower directory at the lookup path or at the path pointed to by the +"trusted.overlay.redirect" extended attribute, will verify that the found +lower directory file handle and lower filesystem UUID match the origin +that was stored at copy_up time. If a found lower directory does not match +the stored origin, that directory will be not be merged with the upper +directory. + Testsuite ---------