chucklever
commented
7 months ago [NeilBrown 2022-06-21 04:20:21 UTC] Extra note: An alternate approach for squashing the three levels of identification that btrfs uses down to the two levels that POSIX and NFS use is to merge the subvol identifier into the filesystem identifier. Doing this would still risk false sharing (two different subvols of different filesystems could get the same fsid) but as we have 128 bits, that is substantially less likely.
One awkwardness with doing this is NFSv4 needs to report a mounted-on fileid for any mount point, and the root of a btrfs subvol would look like a mount point. But there is no mounted-on file in the btrfs filesystem to provide a mounted-on fileid. A reasonable solution is to provide a "fake" file-id which is otherwise unused by btrfs, such as 255. All mountpoints would have to same mounted-on fileid, but these are almost invisible in practice and I don't think it would actually matter.
A more significant problem is that the subvols would pollute the the mount table in the client. For a local btrfs filesystem, the subvols do NOT appear in the mount table (unless they are explicitly mounted). This is intentional and I received push-back when I suggested it. Partly this is because there can be a large number of subvols. Partly it was because path names to subvols may be private and placing them in the mount table makes them public. There might be other reasons.
subvols exported from btrfs would only appear in the mount table on the client while they are actually being accessed, and for a few minutes afterwards. This suggests that the large number of subvols might not end up being excessive on the client because most of them would not be active/visible. But there might be use-cases where lots of subvols could appear on the client. If a private subvol were accessed over NFS, the name would be publicly visible while it was being accessed. It is hard to know if this is actually a problem in practice, but it might be.
So the problems of exposing subvols to NFS as separate filesystems are different sorts of problems that than the problems associated with keeping all subvols in a single filesystem. There is much smaller risk of a correctness problem, but an unknowable risk for exposing private data or overwhelming the mount table.
This was bugzilla.linux-nfs.org 389
[NeilBrown 2022-06-18 01:56:42 UTC] In POSIX a inode is identified by identifying a filesystem, and then an inode within that filesystem using a 64bit inode number. These two pieces of information can be used to determine if two inodes are the same (though not for looking up an inode). The filesystem is identified by a major/minor number pair. This same pair can be used on Linux as an index into /proc/self/mountinfo and other places to find extra information about the filesystem.
btrfs subverts this. Possibly other filesystems such as bcachefs do too. btrfs uses three levels for identification: filesystem, subvolume, inode. This is useful for creating snapshots - only the subvolume number needs to be changed.
In order for POSIX applications to be able to see that files in different snapshots are different, btrfs allocates a new major/minor number for each active subvolume and reports this major/minor to stat() family syscalls. This pretense (that the file is in a different filesystem) is problematic in various ways. For example, the temporary major/minor cannot be found in /proc/self/mountinfo
This all affects NFS export because nfsd does not "see" the fake major/minor and so clients can see multiple different inodes in a filesystem having the same inode number. In particular the root of a subvolume always has inode 256. So if an exported btrfs filesystem has several subvolumes, all will report the same dev/ino to stat(). If one is a parent of another (likely) "find" will detect a loop and refuse to descend.
The only credible fix is to mix the subvolume identifier (64 bits) with the inode number (64 bits) to produce the inode number that nfsd presents to clients (64 bits). Obviously there is no perfect solution. btrfs never reuses inode numbers or subvolume numbers, so while there are likely to be fewer than 64 interesting bits in total, this becomes less likely as filesystems age. It does not appear to be possible to decide to use, for example, 40 bit for inode number, 24 bits for subvol number.
Probably the best solution is to use a strong hash to mix the 128 bits into 64. Collisions are clearly still possible, but extremely unlikely. That contrasts with the current situation where collisions can trivially be demonstrated in ways that have detrimental effects. Note that most collisions would go unnoticed. Comparing inode number is rare. A collision of a parent with a child is particularly problematic and easy to reproduce.
Simply changing nfsd to report a different inode number (a hash) could cause confusion for any client that already had the filesystem mounted. This would be best avoided. To avoid this we could encode in the filehandle (the 4th byte is unused) whether a mixed inode number should be used. Thus established filehandles would not see the inode number suddenly change.
To fix, we need: 1/ an agreement on how to mix the subvol+inode number into 64 bits 2/ a filehandle extension to decide when to use the raw inode number and when to use the mix one.
See also [https://lwn.net/Articles/866582/ and https://lwn.net/Articles/866709/](https://lwn.net/Articles/866582/ and https://lwn.net/Articles/866709/)