  1. Lustre
  2. LU-18844

mark Lustre volatile files with I_LINKABLE to allow linkat()

Details

    • Improvement
    • Resolution: Unresolved
    • Minor
    • None
    • Lustre 2.14.0, Lustre 2.16.1

    Description

      Tools doing data migration/restore often create a temporary "dot file" (with a leading ".", the "actual filename", and 6 or 10 random trailing alphanumeric characters for uniqueness) as a holding space while writing the file, then change file ownership, permissions, and timestamps before renaming it to the final "actual filename". The leading "dot" by convention partially hides the filename from tools like "ls" (without the -a option), but does not actually prevent it from being seen or accessed by users and applications. In addition to being visible and accessible, the "dot file" is a proper file in the filesystem that may be left behind if the process that created it crashes.

      A newer kernel API open(O_TMPFILE) allows creating an "invisible" file that is only accessible by the returned "open-unlinked" file descriptor, and allows the file to be created and modified while actually hidden from the world. One of the important features of O_TMPFILE is that it still allows hard-linking the file descriptor into the filesystem namespace by using linkat(fd, "actual filename") so the file can spring fully-formed into the namespace.

      The vfs_tmpfile() function that open(O_TMPFILE) uses internally will mark these open-unlinked inodes with inode->i_state |= I_LINKABLE. A security restriction in the Linux VFS is that linkat()->vfs_link()->inc_count() prevents hard linking to an open-unlinked file (inode->i_nlink == 0) unless its inode is marked with inode->i_state & I_LINKABLE. This prevents malicious users from "reviving" a file that was deleted by the owner, but is held open by another process (possibly via file descriptor passing to another security domain).

      It would be very useful if the Lustre Volatile File creation mechanism (llapi_create_volatile*()) would also mark inodes with I_LINKABLE when they are created, so that they can also be linked into the namespace via linkat(). This would allow the flexibility of the volatile file creation together with the "normal/new" linkat() behavior for use by applications. This can be done independently of the Lustre O_TMPFILE implementation (LU-9512).
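
The two cases the description contrasts, as an added C example (not code from Lustre or from this ticket): an O_TMPFILE inode is populated, given its final mode, and linked into the namespace, while an ordinary file that was unlinked while still open cannot be linked back. File names are constructed; it assumes a Linux filesystem that supports O_TMPFILE and a mounted /proc.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Name an open fd via /proc/self/fd (unprivileged method from open(2)). */
static int link_fd(int fd, const char *newpath)
{
    char proc[64];
    snprintf(proc, sizeof(proc), "/proc/self/fd/%d", fd);
    return linkat(AT_FDCWD, proc, AT_FDCWD, newpath, AT_SYMLINK_FOLLOW) ? errno : 0;
}

/* Fill an unnamed O_TMPFILE inode in dir, set its mode, then link it in as
 * path. O_EXCL is deliberately absent: with O_TMPFILE it forbids linking. */
int publish_tmpfile(const char *dir, const char *path, const char *data, mode_t mode)
{
    int fd = open(dir, O_TMPFILE | O_WRONLY, 0600);
    if (fd < 0) return errno;
    size_t len = strlen(data);
    errno = 0;
    int rc = (write(fd, data, len) != (ssize_t)len || fchmod(fd, mode) < 0)
                 ? (errno ? errno : EIO) : link_fd(fd, path);
    close(fd);
    return rc;
}

/* Create scratch normally, unlink it while the fd stays open (i_nlink == 0,
 * no I_LINKABLE), then try to link it back as path. The VFS check described
 * above rejects this with ENOENT. Returns the errno from linkat(). */
int relink_unlinked(const char *scratch, const char *path)
{
    int fd = open(scratch, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0) return errno;
    unlink(scratch);
    int rc = link_fd(fd, path);
    close(fd);
    return rc;
}

int main(void)
{
    /* Constructed file names, created in the current directory. */
    printf("O_TMPFILE: %s\n", strerror(publish_tmpfile(".", "restored.dat", "payload\n", 0644)));
    printf("unlinked:  %s\n", strerror(relink_unlinked(".scratch.dat", "revived.dat")));
    return 0;
}
```

If the process dies before linkat(), the O_TMPFILE inode is freed when its descriptor closes, so no stray "dot file" is left behind.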

            People

              wc-triage WC Triage
              adilger Andreas Dilger