On Fri, 2019-02-08 at 13:20 +0200, Amir Goldstein wrote: > Hi Bruce, > > I have been following you discussion with Volker Lendecke > on the samba technical mailing list [1] and have had discussed > this issue with Volker myself as well. > > I decided to start this new thread to bring some kernel developers > in the loop and to propose an idea that takes a somewhat > different approach to the "interop" approaches I have seen > so far. "interop" in this context often means consistency of file > lock states between samba and nfs server, but I am referring > to the stronger sense of interop with local filesystem on the server. > > You pointed to Pavel Shilovsky's O_DENY* patches [2] as a possible > solution to interop of NFS Share Reservation and SMB Share Mode > with local filesystems. > Some of the complaints on this approach were (rightfully) concerned > about DoS and the prospect of plaguing Linux with Windows server > "files left open" issues. > > My idea comes from the observation that Windows server > administrators can release locked files that were left open by clients. > I suppose that an NFS server admin can do the same? The Linux kernel has no mechanism for this (aside from sending a SIGKILL to lockd, which makes it drop all locks). Solaris did have a tool for this at one point (and probably still does). It's a little less of a problem now than it used to be with NFS, given the move to NFSv4 (which has lease-based locking). If you have misbehaving clients, you just kick them out and their locks eventually go away. v3 locks can stick around in perpetuity however, so people have long wanted such a tool on Linux as well. > That realization makes "share access" locks (a.k.a. MAND_LOCK) > not so very different from oplocks (leases/delegations). > As long as samba and nfsd cooperate nicely with MAND_LOCK > semantics, we don't really have to force local filesystems > to obay MAND_LOCK semantics. If the file servers take leases > on local filesystems, they will not get exclusive write access for > files already open for write on local filesytem and same for read. > I think this last statement isn't correct (if I'm parsing it correctly). If a file is already open for write, then you just don't get a lease when you try to request one. Ditto for write leases if it's already open for read. > On local file access on the server that violates the share mode, > the file server acts as a grumpy washed out administrator that > automatically grants any lock revoke ticket after timeout. > Devil's advocate: Is this situation any better than just teaching the NFS/SMB servers to track these locks out of band? Both samba and most NFS servers respect share/deny mode locks, but only internally -- they aren't aware of the others'. We could (in principle) come up with a mechanism to track these that doesn't involve plumbing them into the kernel. That said, coherent locking is best done in the kernel, IMO... > This model may not fit use cases where "real" interop with > local filesystem is needed, but compared to the existing > solution (no interop at all) it is quite an improvement. > > Furthermore, short of SMB DENY_DELETE, we may not even > need to change any kernel APIs. > The addition of O_DENY* open flags can make programming > easier, but taking a lease on an open file is still safe enough > to implement share reservation (no?). > > Satisfying DENY_DELETE could be more tricky, but perhaps > the existing SILLYRENAME interface of==between knfsd and vfs > could be somehow utilized for this purpose? > > I though of bringing this up as a TOPIC for LSF/MM, but wanted > to consult with you first. I am sure that you or Jeff can do a better > job than me in enumerating the "interop" file lock issues that > could be discussed in filesystems track forum. > > Thoughts? Explanation why this idea is idiotic? I think it's not a single idea. There are really two different aspects to this given that we're really talking about two different types of locks in SMB. I think you have to consider solving these problems separately: 1) the ability to set a (typically whole-file) share/deny lock atomically when you open a file. This is necessary for coherent share/deny lock semantics. Note that these are only enforced open() time. 2) mandatory locking (forbidding reads and writes on a byte range when there is a conflicting lock set). The first could (probably) be solved with something like what Pavel proposed a few years ago...or maybe we just wire up O_EXLOCK and O_SHLOCK: https://www.gnu.org/software/libc/manual/html_node/Open_002dtime-Flags.html This seems like a fine idea (in principle) but it needs someone to drive the work forward. You'll also likely be consuming a couple of O_* flags, which could be tough sell (unless you come up with another way to do it). The second problem is much more difficult to fix correctly, and involves interjecting locking checks into (hot) file read/write codepaths. This is non-trivial and could have performance impacts even when no lock is set on a file. -- Jeff Layton <jlayton@xxxxxxxxxx>