Based on kernel version 4.16.1. Page generated on 2018-04-09 11:53 EST.
1 2 Miscellaneous Device control operations for the autofs4 kernel module 3 ==================================================================== 4 5 The problem 6 =========== 7 8 There is a problem with active restarts in autofs (that is to say 9 restarting autofs when there are busy mounts). 10 11 During normal operation autofs uses a file descriptor opened on the 12 directory that is being managed in order to be able to issue control 13 operations. Using a file descriptor gives ioctl operations access to 14 autofs specific information stored in the super block. The operations 15 are things such as setting an autofs mount catatonic, setting the 16 expire timeout and requesting expire checks. As is explained below, 17 certain types of autofs triggered mounts can end up covering an autofs 18 mount itself which prevents us being able to use open(2) to obtain a 19 file descriptor for these operations if we don't already have one open. 20 21 Currently autofs uses "umount -l" (lazy umount) to clear active mounts 22 at restart. While using lazy umount works for most cases, anything that 23 needs to walk back up the mount tree to construct a path, such as 24 getcwd(2) and the proc file system /proc/<pid>/cwd, no longer works 25 because the point from which the path is constructed has been detached 26 from the mount tree. 27 28 The actual problem with autofs is that it can't reconnect to existing 29 mounts. Immediately one thinks of just adding the ability to remount 30 autofs file systems would solve it, but alas, that can't work. This is 31 because autofs direct mounts and the implementation of "on demand mount 32 and expire" of nested mount trees have the file system mounted directly 33 on top of the mount trigger directory dentry. 34 35 For example, there are two types of automount maps, direct (in the kernel 36 module source you will see a third type called an offset, which is just 37 a direct mount in disguise) and indirect. 38 39 Here is a master map with direct and indirect map entries: 40 41 /- /etc/auto.direct 42 /test /etc/auto.indirect 43 44 and the corresponding map files: 45 46 /etc/auto.direct: 47 48 /automount/dparse/g6 budgie:/autofs/export1 49 /automount/dparse/g1 shark:/autofs/export1 50 and so on. 51 52 /etc/auto.indirect: 53 54 g1 shark:/autofs/export1 55 g6 budgie:/autofs/export1 56 and so on. 57 58 For the above indirect map an autofs file system is mounted on /test and 59 mounts are triggered for each sub-directory key by the inode lookup 60 operation. So we see a mount of shark:/autofs/export1 on /test/g1, for 61 example. 62 63 The way that direct mounts are handled is by making an autofs mount on 64 each full path, such as /automount/dparse/g1, and using it as a mount 65 trigger. So when we walk on the path we mount shark:/autofs/export1 "on 66 top of this mount point". Since these are always directories we can 67 use the follow_link inode operation to trigger the mount. 68 69 But, each entry in direct and indirect maps can have offsets (making 70 them multi-mount map entries). 71 72 For example, an indirect mount map entry could also be: 73 74 g1 \ 75 / shark:/autofs/export5/testing/test \ 76 /s1 shark:/autofs/export/testing/test/s1 \ 77 /s2 shark:/autofs/export5/testing/test/s2 \ 78 /s1/ss1 shark:/autofs/export1 \ 79 /s2/ss2 shark:/autofs/export2 80 81 and a similarly a direct mount map entry could also be: 82 83 /automount/dparse/g1 \ 84 / shark:/autofs/export5/testing/test \ 85 /s1 shark:/autofs/export/testing/test/s1 \ 86 /s2 shark:/autofs/export5/testing/test/s2 \ 87 /s1/ss1 shark:/autofs/export2 \ 88 /s2/ss2 shark:/autofs/export2 89 90 One of the issues with version 4 of autofs was that, when mounting an 91 entry with a large number of offsets, possibly with nesting, we needed 92 to mount and umount all of the offsets as a single unit. Not really a 93 problem, except for people with a large number of offsets in map entries. 94 This mechanism is used for the well known "hosts" map and we have seen 95 cases (in 2.4) where the available number of mounts are exhausted or 96 where the number of privileged ports available is exhausted. 97 98 In version 5 we mount only as we go down the tree of offsets and 99 similarly for expiring them which resolves the above problem. There is 100 somewhat more detail to the implementation but it isn't needed for the 101 sake of the problem explanation. The one important detail is that these 102 offsets are implemented using the same mechanism as the direct mounts 103 above and so the mount points can be covered by a mount. 104 105 The current autofs implementation uses an ioctl file descriptor opened 106 on the mount point for control operations. The references held by the 107 descriptor are accounted for in checks made to determine if a mount is 108 in use and is also used to access autofs file system information held 109 in the mount super block. So the use of a file handle needs to be 110 retained. 111 112 113 The Solution 114 ============ 115 116 To be able to restart autofs leaving existing direct, indirect and 117 offset mounts in place we need to be able to obtain a file handle 118 for these potentially covered autofs mount points. Rather than just 119 implement an isolated operation it was decided to re-implement the 120 existing ioctl interface and add new operations to provide this 121 functionality. 122 123 In addition, to be able to reconstruct a mount tree that has busy mounts, 124 the uid and gid of the last user that triggered the mount needs to be 125 available because these can be used as macro substitution variables in 126 autofs maps. They are recorded at mount request time and an operation 127 has been added to retrieve them. 128 129 Since we're re-implementing the control interface, a couple of other 130 problems with the existing interface have been addressed. First, when 131 a mount or expire operation completes a status is returned to the 132 kernel by either a "send ready" or a "send fail" operation. The 133 "send fail" operation of the ioctl interface could only ever send 134 ENOENT so the re-implementation allows user space to send an actual 135 status. Another expensive operation in user space, for those using 136 very large maps, is discovering if a mount is present. Usually this 137 involves scanning /proc/mounts and since it needs to be done quite 138 often it can introduce significant overhead when there are many entries 139 in the mount table. An operation to lookup the mount status of a mount 140 point dentry (covered or not) has also been added. 141 142 Current kernel development policy recommends avoiding the use of the 143 ioctl mechanism in favor of systems such as Netlink. An implementation 144 using this system was attempted to evaluate its suitability and it was 145 found to be inadequate, in this case. The Generic Netlink system was 146 used for this as raw Netlink would lead to a significant increase in 147 complexity. There's no question that the Generic Netlink system is an 148 elegant solution for common case ioctl functions but it's not a complete 149 replacement probably because its primary purpose in life is to be a 150 message bus implementation rather than specifically an ioctl replacement. 151 While it would be possible to work around this there is one concern 152 that lead to the decision to not use it. This is that the autofs 153 expire in the daemon has become far to complex because umount 154 candidates are enumerated, almost for no other reason than to "count" 155 the number of times to call the expire ioctl. This involves scanning 156 the mount table which has proved to be a big overhead for users with 157 large maps. The best way to improve this is try and get back to the 158 way the expire was done long ago. That is, when an expire request is 159 issued for a mount (file handle) we should continually call back to 160 the daemon until we can't umount any more mounts, then return the 161 appropriate status to the daemon. At the moment we just expire one 162 mount at a time. A Generic Netlink implementation would exclude this 163 possibility for future development due to the requirements of the 164 message bus architecture. 165 166 167 autofs4 Miscellaneous Device mount control interface 168 ==================================================== 169 170 The control interface is opening a device node, typically /dev/autofs. 171 172 All the ioctls use a common structure to pass the needed parameter 173 information and return operation results: 174 175 struct autofs_dev_ioctl { 176 __u32 ver_major; 177 __u32 ver_minor; 178 __u32 size; /* total size of data passed in 179 * including this struct */ 180 __s32 ioctlfd; /* automount command fd */ 181 182 /* Command parameters */ 183 union { 184 struct args_protover protover; 185 struct args_protosubver protosubver; 186 struct args_openmount openmount; 187 struct args_ready ready; 188 struct args_fail fail; 189 struct args_setpipefd setpipefd; 190 struct args_timeout timeout; 191 struct args_requester requester; 192 struct args_expire expire; 193 struct args_askumount askumount; 194 struct args_ismountpoint ismountpoint; 195 }; 196 197 char path[0]; 198 }; 199 200 The ioctlfd field is a mount point file descriptor of an autofs mount 201 point. It is returned by the open call and is used by all calls except 202 the check for whether a given path is a mount point, where it may 203 optionally be used to check a specific mount corresponding to a given 204 mount point file descriptor, and when requesting the uid and gid of the 205 last successful mount on a directory within the autofs file system. 206 207 The union is used to communicate parameters and results of calls made 208 as described below. 209 210 The path field is used to pass a path where it is needed and the size field 211 is used account for the increased structure length when translating the 212 structure sent from user space. 213 214 This structure can be initialized before setting specific fields by using 215 the void function call init_autofs_dev_ioctl(struct autofs_dev_ioctl *). 216 217 All of the ioctls perform a copy of this structure from user space to 218 kernel space and return -EINVAL if the size parameter is smaller than 219 the structure size itself, -ENOMEM if the kernel memory allocation fails 220 or -EFAULT if the copy itself fails. Other checks include a version check 221 of the compiled in user space version against the module version and a 222 mismatch results in a -EINVAL return. If the size field is greater than 223 the structure size then a path is assumed to be present and is checked to 224 ensure it begins with a "/" and is NULL terminated, otherwise -EINVAL is 225 returned. Following these checks, for all ioctl commands except 226 AUTOFS_DEV_IOCTL_VERSION_CMD, AUTOFS_DEV_IOCTL_OPENMOUNT_CMD and 227 AUTOFS_DEV_IOCTL_CLOSEMOUNT_CMD the ioctlfd is validated and if it is 228 not a valid descriptor or doesn't correspond to an autofs mount point 229 an error of -EBADF, -ENOTTY or -EINVAL (not an autofs descriptor) is 230 returned. 231 232 233 The ioctls 234 ========== 235 236 An example of an implementation which uses this interface can be seen 237 in autofs version 5.0.4 and later in file lib/dev-ioctl-lib.c of the 238 distribution tar available for download from kernel.org in directory 239 /pub/linux/daemons/autofs/v5. 240 241 The device node ioctl operations implemented by this interface are: 242 243 244 AUTOFS_DEV_IOCTL_VERSION 245 ------------------------ 246 247 Get the major and minor version of the autofs4 device ioctl kernel module 248 implementation. It requires an initialized struct autofs_dev_ioctl as an 249 input parameter and sets the version information in the passed in structure. 250 It returns 0 on success or the error -EINVAL if a version mismatch is 251 detected. 252 253 254 AUTOFS_DEV_IOCTL_PROTOVER_CMD and AUTOFS_DEV_IOCTL_PROTOSUBVER_CMD 255 ------------------------------------------------------------------ 256 257 Get the major and minor version of the autofs4 protocol version understood 258 by loaded module. This call requires an initialized struct autofs_dev_ioctl 259 with the ioctlfd field set to a valid autofs mount point descriptor 260 and sets the requested version number in version field of struct args_protover 261 or sub_version field of struct args_protosubver. These commands return 262 0 on success or one of the negative error codes if validation fails. 263 264 265 AUTOFS_DEV_IOCTL_OPENMOUNT and AUTOFS_DEV_IOCTL_CLOSEMOUNT 266 ---------------------------------------------------------- 267 268 Obtain and release a file descriptor for an autofs managed mount point 269 path. The open call requires an initialized struct autofs_dev_ioctl with 270 the path field set and the size field adjusted appropriately as well 271 as the devid field of struct args_openmount set to the device number of 272 the autofs mount. The device number can be obtained from the mount options 273 shown in /proc/mounts. The close call requires an initialized struct 274 autofs_dev_ioct with the ioctlfd field set to the descriptor obtained 275 from the open call. The release of the file descriptor can also be done 276 with close(2) so any open descriptors will also be closed at process exit. 277 The close call is included in the implemented operations largely for 278 completeness and to provide for a consistent user space implementation. 279 280 281 AUTOFS_DEV_IOCTL_READY_CMD and AUTOFS_DEV_IOCTL_FAIL_CMD 282 -------------------------------------------------------- 283 284 Return mount and expire result status from user space to the kernel. 285 Both of these calls require an initialized struct autofs_dev_ioctl 286 with the ioctlfd field set to the descriptor obtained from the open 287 call and the token field of struct args_ready or struct args_fail set 288 to the wait queue token number, received by user space in the foregoing 289 mount or expire request. The status field of struct args_fail is set to 290 the errno of the operation. It is set to 0 on success. 291 292 293 AUTOFS_DEV_IOCTL_SETPIPEFD_CMD 294 ------------------------------ 295 296 Set the pipe file descriptor used for kernel communication to the daemon. 297 Normally this is set at mount time using an option but when reconnecting 298 to a existing mount we need to use this to tell the autofs mount about 299 the new kernel pipe descriptor. In order to protect mounts against 300 incorrectly setting the pipe descriptor we also require that the autofs 301 mount be catatonic (see next call). 302 303 The call requires an initialized struct autofs_dev_ioctl with the 304 ioctlfd field set to the descriptor obtained from the open call and 305 the pipefd field of struct args_setpipefd set to descriptor of the pipe. 306 On success the call also sets the process group id used to identify the 307 controlling process (eg. the owning automount(8) daemon) to the process 308 group of the caller. 309 310 311 AUTOFS_DEV_IOCTL_CATATONIC_CMD 312 ------------------------------ 313 314 Make the autofs mount point catatonic. The autofs mount will no longer 315 issue mount requests, the kernel communication pipe descriptor is released 316 and any remaining waits in the queue released. 317 318 The call requires an initialized struct autofs_dev_ioctl with the 319 ioctlfd field set to the descriptor obtained from the open call. 320 321 322 AUTOFS_DEV_IOCTL_TIMEOUT_CMD 323 ---------------------------- 324 325 Set the expire timeout for mounts within an autofs mount point. 326 327 The call requires an initialized struct autofs_dev_ioctl with the 328 ioctlfd field set to the descriptor obtained from the open call. 329 330 331 AUTOFS_DEV_IOCTL_REQUESTER_CMD 332 ------------------------------ 333 334 Return the uid and gid of the last process to successfully trigger a the 335 mount on the given path dentry. 336 337 The call requires an initialized struct autofs_dev_ioctl with the path 338 field set to the mount point in question and the size field adjusted 339 appropriately. Upon return the uid field of struct args_requester contains 340 the uid and gid field the gid. 341 342 When reconstructing an autofs mount tree with active mounts we need to 343 re-connect to mounts that may have used the original process uid and 344 gid (or string variations of them) for mount lookups within the map entry. 345 This call provides the ability to obtain this uid and gid so they may be 346 used by user space for the mount map lookups. 347 348 349 AUTOFS_DEV_IOCTL_EXPIRE_CMD 350 --------------------------- 351 352 Issue an expire request to the kernel for an autofs mount. Typically 353 this ioctl is called until no further expire candidates are found. 354 355 The call requires an initialized struct autofs_dev_ioctl with the 356 ioctlfd field set to the descriptor obtained from the open call. In 357 addition an immediate expire, independent of the mount timeout, can be 358 requested by setting the how field of struct args_expire to 1. If no 359 expire candidates can be found the ioctl returns -1 with errno set to 360 EAGAIN. 361 362 This call causes the kernel module to check the mount corresponding 363 to the given ioctlfd for mounts that can be expired, issues an expire 364 request back to the daemon and waits for completion. 365 366 AUTOFS_DEV_IOCTL_ASKUMOUNT_CMD 367 ------------------------------ 368 369 Checks if an autofs mount point is in use. 370 371 The call requires an initialized struct autofs_dev_ioctl with the 372 ioctlfd field set to the descriptor obtained from the open call and 373 it returns the result in the may_umount field of struct args_askumount, 374 1 for busy and 0 otherwise. 375 376 377 AUTOFS_DEV_IOCTL_ISMOUNTPOINT_CMD 378 --------------------------------- 379 380 Check if the given path is a mountpoint. 381 382 The call requires an initialized struct autofs_dev_ioctl. There are two 383 possible variations. Both use the path field set to the path of the mount 384 point to check and the size field adjusted appropriately. One uses the 385 ioctlfd field to identify a specific mount point to check while the other 386 variation uses the path and optionally in.type field of struct args_ismountpoint 387 set to an autofs mount type. The call returns 1 if this is a mount point 388 and sets out.devid field to the device number of the mount and out.magic 389 field to the relevant super block magic number (described below) or 0 if 390 it isn't a mountpoint. In both cases the the device number (as returned 391 by new_encode_dev()) is returned in out.devid field. 392 393 If supplied with a file descriptor we're looking for a specific mount, 394 not necessarily at the top of the mounted stack. In this case the path 395 the descriptor corresponds to is considered a mountpoint if it is itself 396 a mountpoint or contains a mount, such as a multi-mount without a root 397 mount. In this case we return 1 if the descriptor corresponds to a mount 398 point and and also returns the super magic of the covering mount if there 399 is one or 0 if it isn't a mountpoint. 400 401 If a path is supplied (and the ioctlfd field is set to -1) then the path 402 is looked up and is checked to see if it is the root of a mount. If a 403 type is also given we are looking for a particular autofs mount and if 404 a match isn't found a fail is returned. If the the located path is the 405 root of a mount 1 is returned along with the super magic of the mount 406 or 0 otherwise.