Lai

Could you please look into this?

Thanks

Peter

We have had some trouble in this area before. When we do something like this on Lustre:

$ mkdir x
$ cp -rp x y

you wind up with the following xattr set:

$ getfattr -d -m. y
# file: y
system.posix_acl_default=0sAgAAAA==

Now, if we create a file under that directory with our Lustre 2.4.0-28chaos and older version of ZFS, the newly created file has...nothing unusual.

But if we create a file in that directory under Lustre 2.4.0-28chaos with the latest ZFS, we see that it winds up with this acl:

system.posix_acl_access = \002\000\000\000

We needed to use ZDB to get that through the posix mount of the MDT, because both 2.4.0 and 2.4.2 clients crash when trying to access that xattr.

In mdc_unpack_acl(), we have this code:

        acl = posix_acl_from_xattr(buf, body->aclsize);
        if (IS_ERR(acl)) {
                rc = PTR_ERR(acl);
                CERROR("convert xattr to acl: %d\n", rc);
                RETURN(rc);
        }

        rc = posix_acl_valid(acl);
        if (rc) {
                CERROR("validate acl: %d\n", rc);
                posix_acl_release(acl);
                RETURN(rc);
        }

My belief is that bufsize is nonzero, but posix_acl_from_xattr() is returning NULL. We don't check for NULL, only if the returned pointer has an error code set. We then pass the NULL pointer to posix_acl_valid(), which in turn crashes.

I have a patch to handle a NULL pointer that I am about to test, and will push to gerrit if it fixes the client.

However, this still leaves the question of what has changed to allow that almost-empty xattr to be created in the first place, and what we should do about it.

Also, upgrading our clients is going to be tough, and this particular problem isn't easy to fix with systemtap on the clients. Is there an easy way to filter out this xattr on the MDS side when the value is bad, so that the client never sees it? A server side patch would get us up an working again quickly.

Yes, the client side fix works:

http://review.whamcloud.com/10620

Note that in the patch I added an extra check for NULL rather than just changing IS_ERR to IS_ERR_OR_NULL because I don't want to see those CERROR messages constantly in the NULL case.

This is not to say that the ticket is done. We still would love to have a server fix ASAP. Even a server-side workaround to hide the problem xattr would be good until we decide on the longer term server fix.

Hi Chris,

Under the urgent case, there are two temporary solutions may be helpful for your system:

1) I am not sure how much your system depends on the ACL for permission. If it is not too much, you can mount the MDT device with "-o noacl", then as expected, all ACL related code should be disabled automatically.

2) If option 1) is not suitable for you, and if we cannot figure out why the bad ACL is generated in a short time, then we can filter out the bad ACL on the MDS before it returned to the client via checking the ACL size and the ACL entries count (0 case will also cause client side to interpret it as NULL ACL). There are only two entries for such checking: mdt_finish_open() and mdt_getattr_internal(), or we can add the filter inside the mdd_xattr_get(). Anyway, it is relative easy to make the patch.

I'll ask if they are OK with disabling acl, and test if that works.

Option 2 is probably our more preferable one. What do you mean about the "0 case"?

"0" case means that there is only ACL header, then the ACL size is not zero, but the ACL entries count in the header in zero. Such case should be an invalid ACL.

Mounting the MDT device with "-o noacl" does not seem to help. Clients still crash.

Would you please to check what the connect_flags (/proc/fs/lustre/mdc/xxx/connect_flags) are on the crashed client? Most of users will enable "cal" by default, so I want to make sure whether the switch "-o acl/noacl" really works or not. Thanks!

BTW, the new mounted client also will crash after the MDT mounted with "-o noacl" ?

Oh, I didn't newly mount the client. That is not a useful approach if that is needed.

Most of users will enable "cal" by default, so I want to make sure whether the switch "-o acl/noacl" really works or not.

"acl" is in the list of mdc connect_flags, yes.

BTW, the new mounted client also will crash after the MDT mounted with "-o noacl" ?

If we have to remount the client, we might as well just install my client fix. That isn't going to be useful.

I do not want you to remount all the old clients, I just want to make sure whether the "-o noacl" options takes effect or not. As expected, after the MDS remount with "-o noacl", the old client should reconnect and should detect that the MDS claims "noacl", then the MDC connect_flags should NOT show "acl" again. But according to your feedback, the "acl" is still there, that means either the old client is not aware of the "noacl" or the MDS does not handle "noacl" correctly which can be verified via new mounted client.

If it is the former case, we need to consider the option 2); if it is the later case, we can fix the MDS to make the "noacl" works as expected.

But according to your feedback

I wouldn't read anything into my feedback except that setting "-o noacl" on the MDT mount line did not fix the problem. I didn't check the mdc flags while it was in that reconnected state, I had already moved on and set the filesystem back to normal mode.

The details there aren't important. It didn't work. Time for option 2.

But actually, we are about ready to call it a night. The sysadmin decided he would selectively reboot some clients that are talking to a filesystem (lets call it A) that we know has problem xattrs now set. Those clients with get the patch that I shared.

Another filesystem (call it B) never finished the upgrade process, partly because they were waiting to see what happened with A. We don't need to reboot B's clients.

So I think we're in a state to make it through the night. We are going to head home.

It would be nice to have "option 2" to install some time tomorrow.

Since Lai is on vacation, I will work on the patch temporary. Here it is: http://review.whamcloud.com/10623

Thanks! That patch should be a good work-around for us. I'll give it a try.

As I mentioned, the the xattr posix_acl_access has the contents

system.posix_acl_access = \002\000\000\000

which is, in octal, just the little-endian form of:

 #define POSIX_ACL_XATTR_VERSION	0x0002

The version is the first, and only, contents of the acl xattr's header. So we know that this is a case of a xattr being written out for an empty acl list.

Why did the Lustre server start doing that? If at all possible, we don't want to to happen because it is going to have negative performance implications.

I have the feeling (though nothing to support it yet) that the presence of posix_acl_access on all of the files may be a side-effect of how the clients or user tools are behaving. I recall seeing elsewhere that "cp" will set the ACL for every file, even if there is no ACL on the source file, and even if the ACL is exactly the same as the UGO mode bits.

I don't know if that is because the kernel is providing a synthetic xattr with just the UGO mode bits when asked for one by userspace, or if userspace is always setting one even when one does not exist. Running an strace cp -a /etc/hosts /myth/tmp/hosts on my somewhat older test system (FC12 userspace and 2.6.32-175.fc12 kernel) I see:

stat("/myth/tmp/hosts", {st_mode=S_IFREG|0644, st_size=2940, ...}) = 0
lstat("/etc/hosts", {st_mode=S_IFREG|0644, st_size=2940, ...}) = 0
stat("/myth/tmp/hosts", {st_mode=S_IFREG|0644, st_size=2940, ...}) = 0
open("/etc/hosts", O_RDONLY|O_NOFOLLOW) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2940, ...}) = 0
open("/myth/tmp/hosts", O_WRONLY|O_TRUNC) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
mmap(NULL, 4202496, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe5b58c8000
read(3, "##\n# Host Database\n#\n# Do not re"..., 4194304) = 2940
write(4, "##\n# Host Database\n#\n# Do not re"..., 2940) = 2940
read(3, "", 4194304)                    = 0
utimensat(4, NULL, {{1393396068, 346810283}, {1393396068, 347809548}}, 0) = 0
flistxattr(3, (nil), 0)                 = 0
flistxattr(3, 0x7fffb3618eb0, 0)        = 0
fsetxattr(4, "system.posix_acl_access", "\x02\x00\x00\x00\x01\x00\x06\x00\xff\xff\xff\xff\x04\x00\x00\x00\xff\xff\xff\xff \x00\x00\x00\xff\xff\xff\xff", 28, 0) = 0
fchown(4, 0, 0)                         = -1 EPERM (Operation not permitted)
fchown(4, 4294967295, 0)                = -1 EPERM (Operation not permitted)
fgetxattr(3, "system.posix_acl_access", 0x7fffb3618da0, 132) = -1 ENODATA (No data available)
fstat(3, {st_mode=S_IFREG|0644, st_size=2940, ...}) = 0
fsetxattr(4, "system.posix_acl_access", "\x02\x00\x00\x00\x01\x00\x06\x00\xff\xff\xff\xff\x04\x00\x04\x00\xff\xff\xff\xff \x00\x04\x00\xff\xff\xff\xff", 28, 0) = 0

So it is definitely setting an ACL on the target file even though none exists on the source file. However, checking with getfattr -d -m.* /myth/tmp/hosts shows no ACL was actually created in this case, though I'm not sure where that xattr is filtered out. It might be different on newer kernels.

The "empty" posix_acl_access above "\x02\x00\x00\x00\x01\x00\x06\x00\xff\xff\xff\xff\x04\x00\x04\x00\xff\xff\xff\xff \x00\x04\x00\xff\xff\xff\xff" (note space in there is hex 0x20) decodes to be:

typedef struct {                
        __le16                  e_tag;
        __le16                  e_perm;
        __le32                  e_id;
} posix_acl_xattr_entry; 

typedef struct {
        __le32                  a_version;
        posix_acl_xattr_entry   a_entries[3];
} posix_acl_xattr_header = {
        .a_version = 0x00000002 = POSIX_ACL_XATTR_VERSION;
        .a_entries[0] = { .e_tag = 0x0001 = ACL_USER_OBJ, .e_perm = 0x0006 = 06, .e_id = 0xffffffff = -1 },
        .a_entries[1] = { .e_tag = 0x0004 = ACL_GROUP_OBJ, .e_perm = 0x0004 = 04, .e_id = 0xffffffff = -1 },
        .a_entries[2] = { .e_tag = 0x0020 = ACL_OTHER, .e_perm = 0x0004 = 04, .e_id = 0xffffffff = -1 }
}

so it seems this is kind of a no-op ACL with the e_id = -1?

I also straced getfacl /myth/tmp/hosts on a file that does have an ACL, and it appears that getfacl is also using getxattr("system.posix_acl_access") internally:

getxattr("/myth/tmp/foo2", "system.posix_acl_access", "\x02\x00\x00\x00\x01\x00\x06\x00\xff\xff\xff\xff\x02\x00\x06\x00\xe8\x03\x00\x00\x04\x00\x04\x00\xff\xff\xff\xff\x10\x00\x06\x00\xff\xff\xff\xff \x00\x04\x00\xff\xff\xff\xff", 132) = 44
open("/usr/share/locale/locale.alias", O_RDONLY) = 3

to fetch the ACL from the file, instead of some ACL-specific syscall, so it isn't just a case of cp blindly copying xattrs around that it shouldn't be.

I have the feeling (though nothing to support it yet) that the presence of posix_acl_access on all of the files may be a side-effect of how the clients or user tools are behaving.

Note quite correct in this case. I gave the example of how this is happening now.

You are correct that "cp -a" or "cp -pr" is going to make empty ACL xattrs under some situations. We have found (due to other Lustre bugs in the past) that when you do such a copy of a directory from a filesystem that is ACL-enabled, but has no acls set on the file, the newly created directory will have the xattr named "posix_acl_default" set.

That happened with us in the past, and we probably have directories with posix_acl_default set sprinkled all over our filesystems.

Now, any newly created file in one of those directories will automatically get a posix_acl_access xattr. It will be just a header, and contain no actual ACLs.

Granted, the "cp -a" may also result in the same situation, but that is not the creation path at the moment.

We rather suspect that they are getting suppressed elsewhere at the ext4/ldiskfs layer. These posix acl xattrs have no special meaning to ZFS. The POSIX ZFS ACL support is done through ZFS System Attributes instead. So ZFS is just happily storing and recalling whatever Lustre gives it.

I am having the same problem with LUSTRE 2.5.1+ZFS servers. When asking the user how the affected directory was produced, he remembered copying files from remote filesistem back to LUSTRE. I tried also 2.6 clients and they crash too. Crash debug gives the same output as initially reported by LLNL.

2.5.1 client crash debug output

crash /boot/vmlinux-2.6.32.431.17.1.el6_lustre.2.5.1.el6.bz2 /var/crash /127.0.0.1-2014-05-31-18:49:50/vmcore
crash>  gdb list *(posix_acl_valid+9)
0xffffffff811e8ea9 is in posix_acl_valid (fs/posix_acl.c:88).
83              const struct posix_acl_entry *pa, *pe;
84              int state = ACL_USER_OBJ;
85              unsigned int id = 0;  /* keep gcc happy */
86              int needs_mask = 0;
87
88              FOREACH_ACL_ENTRY(pa, acl, pe) {
89                      if (pa->e_perm & ~(ACL_READ|ACL_WRITE|ACL_EXECUTE))
90                              return -EINVAL;
91                      switch (pa->e_tag) {
92                              case ACL_USER_OBJ:

Temporary patch http://review.whamcloud.com/#/c/10623/ resolved my issue on 2.5.1

A related issue exists in LU-4680.

There is patch http://review.whamcloud.com/#/c/10850/ for LU-4680, which should handle this issue with mounting MDS with "noacl".

I'll continue looking into the empty default acl created in `cp`.

The 10850 should be for LU-3660.

`man acl_get_file` shows:

If type is ACL_TYPE_DEFAULT and no default ACL is associated with the directory path_p, then an ACL containing zero ACL entries is returned.

so `cp -rp ...` will set this empty ACL on target, and ldiskfs_xattr_set_acl() will verify this ACL with posix_acl_from_xattr(), which will convert this empty ACL to NULL, and finally ->setxattr(name, NULL) will try to remove the specified ACL if existed. I'll commit a patch for osd-zfs to follow this semantic too.

Lai

How does http://review.whamcloud.com/#/c/10895/ relate to this ticket?

Peter

Yes, Peter, that's the fix for this issue.

Chris,

Now, if we create a file under that directory with our Lustre 2.4.0-28chaos and older version of ZFS, the newly created file has...nothing unusual.
But if we create a file in that directory under Lustre 2.4.0-28chaos with the latest ZFS, we see that it winds up with this acl:

Are you sure it was the "2.4.0-28chaos", but not "2.4.2-11chaos", that wound up with the problematic access ACL? Also, majority (if not all) of the problematic files were created after the server upgrade, weren't they?

I think the crashes started to happen only after the 2.4.2 upgrade is because of b181565, which landed in 2.4.1. Without the patch, when creating a file in a directory with an empty default ACL, mdd would skip setting the access ACL for the file, because the ACL would not provide any additional information then the mode bits. See "reset_acl" in mdd_create(). With the patch, the access ACL is set unconditionally in this case. This explains why 2.4.0 did not wind up with the empty system.posix_acl_access while 2.4.2 did. The patch also adds an assertion in mdd_acl_init() on the default size that essentially comes from the disk.

I've experienced the same bug on 2.4.2 and 2.5.2 (null pointer client crash in posix_acl_valid). It only happens with zfs backfstype, while I haven't seen it with ldisk. I found it by moving an empty dir from an outside fs. I.e.:

mkdir /tmp/foo
mv /tmp/foo /lustrefs
touch /lustrefs/foo/bar

Are you sure it was the "2.4.0-28chaos", but not "2.4.2-11chaos", that wound up with the problematic access ACL? Also, majority (if not all) of the problematic files were created after the server upgrade, weren't they?

You are correct, sorry for the confusion.

Patch http://review.whamcloud.com/11158 landed for 2.7.0

Here is the back-ported patch for Lustre b2_5 branch: http://review.whamcloud.com/11989

This issue is a duplicate of LU-4787. Strange that I added a patch for that, nobody noticed the issue and then a duplicate was created here. Don't you think, it's worthwhile to know about such null pointer occurences and hence use the patch of LU-4787?
In the situations I saw, where the bug occurred, it pointed to data corruption, so I think it's worthwhile to see this in the logs.

Roland

I'm sorry that your patch was missed but patches have to be submitted via gerrit. Details are in https://wiki.hpdd.intel.com/display/PUB/Submitting+Changes

Peter

Thanks, will follow that next time. Anyway, what do you think about my question? At least on the installations
we manage, we want to know when this happens. In a case that just happened yesterday, the logs were related to an application problem a guy had on the cluster. While I didn't have time to really dig into it deeper, it helped to know
that something strange must have had happened with the directory he was working on.

well, the LU-5150 patch has landed on both master and b2_5. If you have concerns about this work then I think that the clearest thing is to open a new ticket outlining your concerns.

Well LU-4787 is still open. Doesn't it make sense to work from there?

It is just easier for our triage process to notice new incoming tickets than new comments added to older open comments.

OK will add new one.