Changes since v5: In cachefiles_daemon_poll(), replace xa_for_each_marked with xas_for_each_marked. [Background] ============ In the on-demand read mode, if user daemon unexpectedly closes an on-demand fd (for example, due to daemon crashing), subsequent read operations and inflight requests relying on these fd will result in a return value of -EIO, indicating an I/O error. While this situation might be tolerable for individual personal users, it becomes a significant concern when it occurs in a real public cloud service production environment (like us). Such I/O errors will be propagated to cloud service users, potentially impacting the execution of their jobs and compromising the overall stability of the cloud service. Besides, we have no way to recover this. [Design] ======== The main concept behind daemon failover is to reopen the inflight request-related objects so that the newly started daemon can process the requests as usual. To achieve this, certain requirements need to be met: 1. Storing inflight requests during a daemon crash: It is necessary to have a mechanism in place to store the inflight requests while the daemon is offline or during a crash. This ensures that the requests are not lost and can be processed once the daemon is up and running again. 2. Holding the handle of /dev/cachefiles: The handle of /dev/cachefiles should be retained, either by the container snapshotter or systemd, to facilitate the failover process. This allows the newly started daemon to access the necessary resources and continue processing the requests seamlessly. It's important to note that if the user chooses not to keep the /dev/cachefiles fd, the failover feature will not be enabled. In this case, inflight requests will return error, which will be passed on to the container, maintaining the same behavior as the current setup. By implementing these mechanisms, the failover system ensures that inflight requests are not lost during a daemon crash and that the newly started daemon can resume its operations smoothly, providing a more robust and reliable service for users. [Flow Path] =========== This patchset introduce three states for ondemand object: CLOSE: This state represents an object that has either just been allocated or closed by the user daemon. OPEN: This state indicates that the object is open and ready for processing. It signifies that the related OPEN request has been successfully handled and the object is available for read operations or other interactions. REOPENING: This state is assigned to an object that has been previously closed but is now being driven to reopen due to a read request. The REOPENING state indicates that the object is in the process of being reopened, preparing for subsequent read operations. 1. The daemon utilizes Unix Domain Sockets (UDS) to send and receive fd in order to maintain and pass the reference to "/dev/cachefiles". 2. In the event of a user daemon crash, the daemon is restarted and the reference to the file descriptor for "/dev/cachefiles" is recovered. 3. The user daemon writes "restore" to the device, triggering the following actions: 3.1. The object's state is reset from CLOSE to REOPENING, indicating that it is in the process of reopening. 3.2. A work unit is initialized, which reinitializes the object and adds it to the work queue. This allows the daemon to handle the open request, transitioning from kernel space to user space. 4. As a result of these recovery mechanisms, the user of the upper filesystem remains unaware of the daemon crash. The inflight I/O operations are restored and correctly handled, ensuring that the system operates seamlessly without any noticeable disruptions. By implementing these steps, the system achieves fault tolerance by recovering and restoring the necessary references and states, ensuring the smooth functioning of the user daemon and providing a seamless experience to the users of the upper filesystem. [GitWeb] ======== https://github.com/userzj/linux/tree/fscache-failover-v6 RFC: https://lore.kernel.org/all/20220818135204.49878-1-zhujia.zj@xxxxxxxxxxxxx/ V1: https://lore.kernel.org/all/20221011131552.23833-1-zhujia.zj@xxxxxxxxxxxxx/ V2: https://lore.kernel.org/all/20221014030745.25748-1-zhujia.zj@xxxxxxxxxxxxx/ V3: https://lore.kernel.org/all/20221014080559.42108-1-zhujia.zj@xxxxxxxxxxxxx/ V4: https://lore.kernel.org/all/20230111052515.53941-1-zhujia.zj@xxxxxxxxxxxxx/ V5: https://lore.kernel.org/all/20230329140155.53272-1-zhujia.zj@xxxxxxxxxxxxx/ [Test] ====== There are testcases for above mentioned scenario. A user process read the file by fscache on-demand reading. At the same time, we kill the daemon constantly. The expected result is that the file read by user is consistent with original, and the user doesn't notice that daemon has ever been killed. https://github.com/userzj/demand-read-cachefilesd/commits/failover-test In addition, this patchset has also been merged in our downstream kernel for almost one year as out-of-tree patches for real production use. Therefore, we hope it could be landed upstream too. Jia Zhu (5): cachefiles: introduce object ondemand state cachefiles: extract ondemand info field from cachefiles_object cachefiles: resend an open request if the read request's object is closed cachefiles: narrow the scope of triggering EPOLLIN events in ondemand mode cachefiles: add restore command to recover inflight ondemand read requests fs/cachefiles/daemon.c | 15 +++- fs/cachefiles/interface.c | 7 +- fs/cachefiles/internal.h | 59 +++++++++++++- fs/cachefiles/ondemand.c | 166 ++++++++++++++++++++++++++++---------- 4 files changed, 201 insertions(+), 46 deletions(-) -- 2.20.1 -- You received this message because you are subscribed to the Google Groups "linux-cachefs@xxxxxxxxxx" group. To unsubscribe from this group and stop receiving emails from it, send an email to linux-cachefs+unsubscribe@xxxxxxxxxx.