#390 new defect

'readonly_storage' and 'reserved_space' not honored for mutable-slot write requests

Reported by: warner Owned by:
Priority: major Milestone: eventually
Component: code-storage Version: 1.0.0
Keywords: reliability mutable backend availability anti-censorship Cc:
Launchpad Bug:

Description

The remote_allocate_buckets call correctly says "no" when the readonly_storage config flag is on, but the corresponding remote_slot_testv_and_readv_and_writev (for mutable files) does not. This means that a storage server which has been kicked into readonly mode (say, if the drive is starting to fail and it has been left online just to get the shares off of that drive and on to a new one) will continue to accumulate new mutable shares.
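
Roughly, the asymmetry looks like this (a minimal sketch only, not the actual storage-server code; the method and attribute names follow the ticket text, everything else is an assumption):

{{{
#!python
class StorageServer:
    def __init__(self, readonly_storage=False):
        self.readonly_storage = readonly_storage

    def remote_allocate_buckets(self, storage_index, sharenums, allocated_size):
        if self.readonly_storage:
            # immutable path already says "no": offer to accept zero new shares
            return set(), {}
        # ... normal immutable share allocation ...

    def remote_slot_testv_and_readv_and_writev(self, storage_index, secrets,
                                               testv_and_writev, readv):
        # This ticket: there is no corresponding guard here, so a read-only
        # server keeps accumulating mutable shares. A fix would refuse early:
        if self.readonly_storage:
            raise RuntimeError("this storage server is in read-only mode")
        # ... apply test vectors, then reads and writes, on the mutable slot ...
}}}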

Change History (25)

comment:1 Changed at 2008-05-30T04:14:07Z by zooko

Practically speaking, shouldn't read-only storage normally be implemented by remounting the storage partition read-only?

This implies that one should normally not keep anything else (like Tahoe log files) on the partition where one keeps Tahoe storage.

comment:2 Changed at 2008-05-30T04:16:02Z by zooko

Oh, but now I realize that making it read-only at that level might not propagate back to the client when the client calls remote_allocate_buckets or remote_slot_testv_and_readv_and_writev. Or, actually, it might! Because...

comment:3 Changed at 2008-05-30T04:19:53Z by zooko

... because {{{remote_allocate_buckets()}}} and {{{remote_slot_testv_and_readv_and_writev()}}} both try to write to the filesystem before they return, so if that filesystem is read-only, then a nice foolscap exception will be sent back to the client.
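
In other words (hypothetical illustration, not the real share-file code): the write attempt fails at the OS level, and because the exception escapes the remote_* method, foolscap ships it back to the caller:

{{{
#!python
def write_mutable_share(sharefile_path, offset, data):
    # On a partition mounted read-only this open() raises OSError (EROFS).
    # Since the exception propagates out of the remote_* method, foolscap
    # serializes it and the client sees a remote failure instead of a
    # silently ignored write.
    with open(sharefile_path, "r+b") as f:
        f.seek(offset)
        f.write(data)
}}}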

comment:5 Changed at 2008-05-30T04:24:20Z by zooko

  • Summary changed from 'readonly_storage' not honored for mutable-slot write requests to 'readonly_storage' not honored for mutable-slot write requests (or shall we stop offering read-only storage as a Tahoe configuration option)

So, I would like us to consider removing the "read only storage" feature from the Tahoe source code. People who can't make their whole partition read-only can use simple filesystem permissions to make the storage directory unwriteable to the account that runs the Tahoe node. This technique would be less buggy than the implementation of read-only in the Tahoe source code, and it would require less of our developer time to maintain.
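
For example (hypothetical path; just one way to express that OS-level policy, here via Python's os module):

{{{
#!python
import os, stat

# Take away write permission on the storage directory for the account that
# runs the Tahoe node (the path is hypothetical). Note that existing mutable
# share files would also need their write bits cleared to block in-place
# updates, not just the directory itself.
storage_dir = "/home/tahoe/.tahoe/storage"
mode = os.stat(storage_dir).st_mode
os.chmod(storage_dir, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
}}}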

comment:6 Changed at 2008-06-01T21:08:19Z by warner

  • Milestone changed from eventually to undecided

comment:7 Changed at 2008-06-02T20:44:58Z by zooko

Brian and I had a big conversation on the phone about this and came up with a good design -- efficient, robust, and not too complicated. Brian wrote it up:

http://allmydata.org/pipermail/tahoe-dev/2008-May/000630.html

comment:8 Changed at 2008-06-06T23:31:53Z by zooko

  • Milestone changed from undecided to 1.2.0
  • Summary changed from 'readonly_storage' not honored for mutable-slot write requests (or shall we stop offering read-only storage as a Tahoe configuration option) to 'readonly_storage' not honored for mutable-slot write requests

Hm... why did you put this one in "undecided"? How about v1.2.0...

comment:9 Changed at 2008-06-07T01:20:41Z by warner

because I figured that we'd replace it with something other than "readonly_storage", and that the accounting / dict-introducer changes might significantly change what we do with this. It's an issue that we really ought to address for 1.2.0, but I don't know how exactly we're going to do that.

1.2.0 sounds fine.

comment:10 Changed at 2009-06-30T12:39:50Z by zooko

  • Milestone changed from 1.5.0 to eventually

comment:11 Changed at 2010-01-15T20:21:43Z by davidsarah

  • Keywords reliability added

As long as we have the reserved_space setting, that should also be honoured for writes to mutable slots, so an explicit space check is needed just as in remote_allocate_buckets.
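
A sketch of what such a check might look like (names and placement are assumptions, not the actual Tahoe-LAFS code):

{{{
#!python
import os

def get_available_space(storedir, reserved_space):
    # Free space visible to the server process, minus the operator's reserve.
    st = os.statvfs(storedir)
    return max(0, st.f_bavail * st.f_frsize - reserved_space)

def check_mutable_write(storedir, reserved_space, bytes_to_write):
    # Mirror of the space check remote_allocate_buckets does for immutable
    # shares: refuse the mutable write if it would eat into reserved_space.
    if bytes_to_write > get_available_space(storedir, reserved_space):
        raise IOError("mutable write refused: would violate reserved_space")
}}}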

comment:12 Changed at 2010-01-16T00:47:35Z by davidsarah

  • Summary changed from 'readonly_storage' not honored for mutable-slot write requests to 'readonly_storage' and 'reserved_space' not honored for mutable-slot write requests

comment:13 Changed at 2010-01-16T00:48:49Z by davidsarah

Required for #871 (handle out-of-disk-space condition).

comment:14 Changed at 2010-02-01T20:01:38Z by davidsarah

  • Milestone changed from eventually to 1.7.0

comment:15 Changed at 2010-02-11T04:24:47Z by davidsarah

  • Keywords mutable added

comment:16 Changed at 2010-02-15T19:53:30Z by davidsarah

  • Milestone changed from 1.7.0 to 1.6.1

comment:17 follow-ups: Changed at 2010-02-16T05:15:44Z by zooko

  • Milestone changed from 1.6.1 to eventually

The problem is that if you run out of space in your storage server, and you refuse to overwrite a mutable share with a new version, then you are going to continue to serve the older version, which could cause inefficiency, confusion, and perhaps even "rollback" events. Kicking this one out of v1.6.1 on the grounds that it is Feb. 15 and I don't understand what we should do, so it is too late to do something about it for the planned Feb. 20 release of v1.6.1. (Also we have lots of other clearer issues in the v1.6.1 Milestone already.)

comment:18 Changed at 2010-03-31T16:41:54Z by davidsarah

  • Keywords backend added

comment:19 in reply to: ↑ 17 ; follow-up: Changed at 2010-12-30T22:28:07Z by davidsarah

Replying to zooko:

The problem is that if you run out of space in your storage server, and you refuse to overwrite a mutable share with a new version, then you are going to continue to serve the older version, which could cause inefficiency, confusion, and perhaps even "rollback" events.

OTOH, you can't in general avoid these bad things by not honouring reserved_space, because they will happen anyway if the filesystem runs out of space. Perhaps there is a case for starting to refuse storage of immutable shares at a higher reserved-space threshold than for mutable shares, though.
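
That suggestion might look something like this (sketch only; a two-threshold option does not exist, and the names and values are made up):

{{{
#!python
# Hypothetical two-threshold policy: stop accepting new immutable shares
# well before the reserve is reached, but keep honouring mutable updates
# down to a lower threshold, so existing mutable files can still converge.
IMMUTABLE_RESERVED_SPACE = 10 * 10**9   # refuse new immutable shares below 10 GB free
MUTABLE_RESERVED_SPACE   =  1 * 10**9   # refuse mutable writes below 1 GB free

def may_accept_write(free_bytes, is_mutable):
    reserved = MUTABLE_RESERVED_SPACE if is_mutable else IMMUTABLE_RESERVED_SPACE
    return free_bytes > reserved
}}}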

comment:20 Changed at 2010-12-30T22:28:17Z by davidsarah

  • Keywords availability anti-censorship added

comment:21 in reply to: ↑ 19 Changed at 2010-12-30T22:31:06Z by davidsarah

Replying to davidsarah:

OTOH, you can't in general avoid these bad things by not honouring reserved_space, because they will happen anyway if the filesystem runs out of space.

... which, as #871 points out, is currently not handled gracefully.

comment:22 in reply to: ↑ 17 Changed at 2010-12-31T14:51:24Z by gdt

Replying to zooko:

The problem is that if you run out of space in your storage server, and you refuse to overwrite a mutable share with a new version, then you are going to continue to serve the older version, which could cause inefficiency, confusion, and perhaps even "rollback" events. Kicking this one out of v1.6.1 on the grounds that it is Feb. 15 and I don't understand what we should do, so it is too late to do something about it for the planned Feb. 20 release of v1.6.1. (Also we have lots of other clearer issues in the v1.6.1 Milestone already.)

Probably I am failing to understand, but on the off chance that's useful: If the notion of taking a server read only and having shares migrate off it (which sounds useful) is going to work, then replacing a mutable file with a new version is going to have to find servers to store the new shares and place them and remove the old shares. So a server failing to accept the new share shouldn't have any direct bearing on the new upload succeeding and the old shares being removed. I would also expect (again, without knowing) that there would be a process of placing the new shares and then only when successful removing the old ones.

comment:23 Changed at 2011-10-22T03:42:24Z by davidsarah

See also #1568, for the S3 backend.

comment:24 Changed at 2011-10-24T15:28:32Z by zooko

From comment:5:ticket:1568:

For what it is worth, I increasingly think read-only storage should be deprecated for all backends, and people will have to learn how to use their operating system if they want readonliness of storage. When we invented the read-only storage option, I think partly we were thinking of users who could read our docs but didn't want to learn how to use their operating system to set policy. Nowadays I'm less interested in the idea of such users being server operators.

Also, the fact that we've never really finished implementing read-only storage (it still doesn't cover mutables), leaving weird failure modes that could hit people who rely on it, is evidence that we should not spend our precious engineering time on things that the operating system could do for us, and do better.

comment:25 Changed at 2011-10-24T17:55:46Z by gdt

Duplicated from http://tahoe-lafs.org/trac/tahoe-lafs/ticket/1568#comment:6

I don't really follow this. It seems reasonable for a server operator to decide to not accept new shares, and for this to be separate from whether the server process is able to write to the filesystem where the shares are kept. For example, it might be reasonable to allow lease renewal, or for other metadata to be updated. It might be that not accepting shares should be similar to zero space available, so increasing the size of a mutable share also might not be allowed. And, if the purpose really is decommissioning, then presumably the mechanism used for repair should somehow signal that the share is present but should be migrated, so that a deep-check --repair can put those shares on some other server.

There's a difference between people who don't understand enough to sysadmin a server, and the server having uniform configuration for server-level behavior. When tahoe is ported to ITS, it should still be possible to tell it to stop taking shares.
