idnits 2.17.1 draft-ietf-nfsv4-scsi-layout-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: PNFS_SCSI_INVALID_DATA means that se_storage_offset is valid, but points to invalid un-initialized data. This data MUST not be read from the disk until it has been initialized. A read request for a PNFS_SCSI_INVALID_DATA extent MUST fill the user buffer with zeros, unless the extent is covered by a PNFS_SCSI_READ_DATA extent of a copy-on-write file system. Write requests MUST write whole server-sized blocks to the disk; bytes not initialized by the user MUST be set to zero. Any write to storage in a PNFS_SCSI_INVALID_DATA extent changes the written portion of the extent to PNFS_SCSI_READ_WRITE_DATA; the pNFS client is responsible for reporting this change via LAYOUTCOMMIT. -- The document date (September 06, 2016) is 2782 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Possible downref: Non-RFC (?) normative reference: ref. 'LEGAL' ** Obsolete normative reference: RFC 5661 (Obsoleted by RFC 8881) -- Possible downref: Non-RFC (?) normative reference: ref. 'SAM-5' -- Possible downref: Non-RFC (?) normative reference: ref. 'SAS3' -- Possible downref: Non-RFC (?) normative reference: ref. 'SBC3' -- Possible downref: Non-RFC (?) normative reference: ref. 'SPC4' Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 NFSv4 C. Hellwig 3 Internet-Draft 4 Intended status: Standards Track September 06, 2016 5 Expires: March 10, 2017 7 Parallel NFS (pNFS) SCSI Layout 8 draft-ietf-nfsv4-scsi-layout-09.txt 10 Abstract 12 The Parallel Network File System (pNFS) allows a separation between 13 the metadata (onto a metadata server) and data (onto a storage 14 device) for a file. The SCSI Layout Type is defined in this document 15 as an extension to pNFS to allow the use SCSI based block storage 16 devices. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at http://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on March 10, 2017. 35 Copyright Notice 37 Copyright (c) 2016 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 53 1.1. Conventions Used in This Document . . . . . . . . . . . . 4 54 1.2. General Definitions . . . . . . . . . . . . . . . . . . . 4 55 1.3. Code Components Licensing Notice . . . . . . . . . . . . 4 56 1.4. XDR Description . . . . . . . . . . . . . . . . . . . . . 5 57 2. SCSI Layout Description . . . . . . . . . . . . . . . . . . . 6 58 2.1. Background and Architecture . . . . . . . . . . . . . . . 6 59 2.2. layouttype4 . . . . . . . . . . . . . . . . . . . . . . . 8 60 2.3. GETDEVICEINFO . . . . . . . . . . . . . . . . . . . . . . 8 61 2.3.1. Volume Identification . . . . . . . . . . . . . . . . 8 62 2.3.2. Volume Topology . . . . . . . . . . . . . . . . . . . 9 63 2.4. Data Structures: Extents and Extent Lists . . . . . . . . 12 64 2.4.1. Layout Requests and Extent Lists . . . . . . . . . . 14 65 2.4.2. Layout Commits . . . . . . . . . . . . . . . . . . . 15 66 2.4.3. Layout Returns . . . . . . . . . . . . . . . . . . . 16 67 2.4.4. Layout Revocation . . . . . . . . . . . . . . . . . . 16 68 2.4.5. Client Copy-on-Write Processing . . . . . . . . . . . 17 69 2.4.6. Extents are Permissions . . . . . . . . . . . . . . . 18 70 2.4.7. Partial-Block Updates . . . . . . . . . . . . . . . . 19 71 2.4.8. End-of-file Processing . . . . . . . . . . . . . . . 19 72 2.4.9. Layout Hints . . . . . . . . . . . . . . . . . . . . 20 73 2.4.10. Client Fencing . . . . . . . . . . . . . . . . . . . 20 74 2.5. Crash Recovery Issues . . . . . . . . . . . . . . . . . . 22 75 2.6. Recalling Resources: CB_RECALL_ANY . . . . . . . . . . . 22 76 2.7. Transient and Permanent Errors . . . . . . . . . . . . . 23 77 2.8. Volatile write caches . . . . . . . . . . . . . . . . . . 23 78 3. Enforcing NFSv4 Semantics . . . . . . . . . . . . . . . . . . 24 79 3.1. Use of Open Stateids . . . . . . . . . . . . . . . . . . 24 80 3.2. Enforcing Security Restrictions . . . . . . . . . . . . . 25 81 3.3. Enforcing Locking Restrictions . . . . . . . . . . . . . 25 82 4. Security Considerations . . . . . . . . . . . . . . . . . . . 26 83 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27 84 6. Normative References . . . . . . . . . . . . . . . . . . . . 27 85 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 28 86 Appendix B. RFC Editor Notes . . . . . . . . . . . . . . . . . . 28 87 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 28 89 1. Introduction 91 Figure 1 shows the overall architecture of a Parallel NFS (pNFS) 92 system: 94 +-----------+ 95 |+-----------+ +-----------+ 96 ||+-----------+ | | 97 ||| | NFSv4.1 + pNFS | | 98 +|| Clients |<------------------------------>| Server | 99 +| | | | 100 +-----------+ | | 101 ||| +-----------+ 102 ||| | 103 ||| | 104 ||| Storage +-----------+ | 105 ||| Protocol |+-----------+ | 106 ||+----------------||+-----------+ Control | 107 |+-----------------||| | Protocol| 108 +------------------+|| Storage |------------+ 109 +| Systems | 110 +-----------+ 112 Figure 1 114 The overall approach is that pNFS-enhanced clients obtain sufficient 115 information from the server to enable them to access the underlying 116 storage (on the storage systems) directly. See the Section 12 of 117 [RFC5661] for more details. This document is concerned with access 118 from pNFS clients to storage devices over block storage protocols 119 based on the the SCSI Architecture Model ([SAM-5]), e.g., Fibre 120 Channel Protocol (FCP) for Fibre Channel, Internet SCSI (iSCSI) or 121 Serial Attached SCSI (SAS). pNFS SCSI layout requires block based 122 SCSI command sets, for example SCSI Block Commands ([SBC3]). While 123 SCSI command set for non-block based access exist these are not 124 supported by the SCSI layout type, and all future references to SCSI 125 storage devices will imply a block based SCSI command set. 127 The Server to Storage System protocol, called the "Control Protocol", 128 is not of concern for interoperability, although it will typically be 129 the same SCSI based storage protocol. 131 This document is based on [RFC5663] and makes changes to the block 132 layout type to provide a better pNFS layout protocol for SCSI based 133 storage devices. Despite these changes, [RFC5663] remains the 134 defining document for the existing block layout type. pNFS Block Disk 135 Protection [RFC6688] is unnecessary in the context of the SCSI layout 136 type because the new layout type provides mandatory disk access 137 protection as part of the layout type definition. In contrast to 138 [RFC5663], this document uses SCSI protocol features to provide 139 reliable fencing by using SCSI Persistent Reservations, and it can 140 provide reliable and efficient device discovery by using SCSI device 141 identifiers instead of having to rely on probing all devices 142 potentially attached to a client. This new layout type also 143 optimizes the I/O path by reducing the size of the LAYOUTCOMMIT 144 payload. 146 The above two paragraphs summarize the major functional differences 147 from [RFC5663]. There are other minor differences, e.g., the "base" 148 volume type in this specification is used instead of the "simple" 149 volume type in [RFC5663], but there are no significant differences in 150 the data structures that describe the volume topology above this 151 level Section 2.3.2 or in the data structures that describe extents 152 Section 2.4. 154 1.1. Conventions Used in This Document 156 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 157 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 158 document are to be interpreted as described in [RFC2119]. 160 1.2. General Definitions 162 The following definitions are provided for the purpose of providing 163 an appropriate context for the reader. 165 Byte This document defines a byte as an octet, i.e., a datum exactly 166 8 bits in length. 168 Client The "client" is the entity that accesses the NFS server's 169 resources. The client may be an application that contains the 170 logic to access the NFS server directly. The client may also be 171 the traditional operating system client that provides remote file 172 system services for a set of applications. 174 Server The "server" is the entity responsible for coordinating 175 client access to a set of file systems and is identified by a 176 server owner. 178 metadata server (MDS) The metadata server is a pNFS server which 179 provides metadata information for a file system object. It also 180 is responsible for generating layouts for file system objects. 181 Note that the MDS is also responsible for directory-based 182 operations. 184 1.3. Code Components Licensing Notice 186 The external data representation (XDR) description and scripts for 187 extracting the XDR description are Code Components as described in 188 Section 4 of "Legal Provisions Relating to IETF Documents" [LEGAL]. 190 These Code Components are licensed according to the terms of 191 Section 4 of "Legal Provisions Relating to IETF Documents". 193 1.4. XDR Description 195 This document contains the XDR [RFC4506] description of the NFSv4.1 196 SCSI layout protocol. The XDR description is embedded in this 197 document in a way that makes it simple for the reader to extract into 198 a ready-to-compile form. The reader can feed this document into the 199 following shell script to produce the machine readable XDR 200 description of the NFSv4.1 SCSI layout: 202 #!/bin/sh 203 grep '^ *///' $* | sed 's?^ */// ??' | sed 's?^ *///$??' 205 That is, if the above script is stored in a file called "extract.sh", 206 and this document is in a file called "spec.txt", then the reader can 207 do: 209 sh extract.sh < spec.txt > scsi_prot.x 211 The effect of the script is to remove leading white space from each 212 line, plus a sentinel sequence of "///". 214 The embedded XDR file header follows. Subsequent XDR descriptions, 215 with the sentinel sequence are embedded throughout the document. 217 Note that the XDR code contained in this document depends on types 218 from the NFSv4.1 nfs4_prot.x file [RFC5662]. This includes both nfs 219 types that end with a 4, such as offset4, length4, etc., as well as 220 more generic types such as uint32_t and uint64_t. 222 /// /* 223 /// * This code was derived from RFCTBD10 224 /// * Please reproduce this note if possible. 225 /// */ 226 /// /* 227 /// * Copyright (c) 2010,2015 IETF Trust and the persons 228 /// * identified as the document authors. All rights reserved. 229 /// * 230 /// * Redistribution and use in source and binary forms, with 231 /// * or without modification, are permitted provided that the 232 /// * following conditions are met: 233 /// * 234 /// * - Redistributions of source code must retain the above 235 /// * copyright notice, this list of conditions and the 236 /// * following disclaimer. 237 /// * 238 /// * - Redistributions in binary form must reproduce the above 239 /// * copyright notice, this list of conditions and the 240 /// * following disclaimer in the documentation and/or other 241 /// * materials provided with the distribution. 242 /// * 243 /// * - Neither the name of Internet Society, IETF or IETF 244 /// * Trust, nor the names of specific contributors, may be 245 /// * used to endorse or promote products derived from this 246 /// * software without specific prior written permission. 247 /// * 248 /// * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS 249 /// * AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED 250 /// * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 251 /// * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 252 /// * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO 253 /// * EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 254 /// * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 255 /// * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 256 /// * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 257 /// * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 258 /// * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 259 /// * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 260 /// * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 261 /// * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 262 /// * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 263 /// */ 264 /// 265 /// /* 266 /// * nfs4_scsi_layout_prot.x 267 /// */ 268 /// 269 /// %#include "nfsv41.h" 270 /// 272 2. SCSI Layout Description 274 2.1. Background and Architecture 276 The fundamental storage model supported by SCSI storage devices is a 277 Logical Unit (LU) consisting of a sequential series of fixed-size 278 blocks. Logical units used as devices for NFS SCSI layouts, and the 279 SCSI initiators used for the pNFS Metadata Server and clients MUST 280 support SCSI persistent reservations as defined in [SPC4]. 282 A pNFS layout for this SCSI class of storage is responsible for 283 mapping from an NFS file (or portion of a file) to the blocks of 284 storage volumes that contain the file. The blocks are expressed as 285 extents with 64-bit offsets and lengths using the existing NFSv4 286 offset4 and length4 types. Clients MUST be able to perform I/O to 287 the block extents without affecting additional areas of storage 288 (especially important for writes); therefore, extents MUST be aligned 289 to logical block size boundaries of the underlying logical units 290 (typically 512 or 4096 bytes). For complex volume topologies the 291 serves MUST ensure extents are aligned to the logical block size 292 boundaries of the larges logical block size in the volume topology. 294 The pNFS operation for requesting a layout (LAYOUTGET) includes the 295 "layoutiomode4 loga_iomode" argument, which indicates whether the 296 requested layout is for read-only use or read-write use. A read-only 297 layout may contain holes that are read as zero, whereas a read-write 298 layout will contain allocated, but un-initialized storage in those 299 holes (read as zero, can be written by client). This document also 300 supports client participation in copy-on-write (e.g., for file 301 systems with snapshots) by providing both read-only and un- 302 initialized storage for the same range in a layout. Reads are 303 initially performed on the read-only storage, with writes going to 304 the un-initialized storage. After the first write that initializes 305 the un-initialized storage, all reads are performed to that now- 306 initialized writable storage, and the corresponding read-only storage 307 is no longer used. 309 The SCSI layout solution expands the security responsibilities of the 310 pNFS clients, and there are a number of environments where the 311 mandatory to implement security properties for NFS cannot be 312 satisfied. The additional security responsibilities of the client 313 follow, and a full discussion is present in Section 4, "Security 314 Considerations". 316 o Typically, SCSI storage devices provide access control mechanisms 317 (e.g., Logical Unit Number (LUN) mapping and/or masking), which 318 operate at the granularity of individual hosts, not individual 319 blocks. For this reason, block-based protection must be provided 320 by the client software. 322 o Similarly, SCSI storage devices typically are not able to validate 323 NFS locks that apply to file regions. For instance, if a file is 324 covered by a mandatory read-only lock, the server can ensure that 325 only readable layouts for the file are granted to pNFS clients. 326 However, it is up to each pNFS client to ensure that the readable 327 layout is used only to service read requests, and not to allow 328 writes to the existing parts of the file. 330 Since SCSI storage devices are generally not capable of enforcing 331 such file-based security, in environments where pNFS clients cannot 332 be trusted to enforce such policies, pNFS SCSI layouts MUST NOT be 333 used. 335 2.2. layouttype4 337 The layout4 type defined in [RFC5662] is extended with a new value as 338 follows: 340 enum layouttype4 { 341 LAYOUT4_NFSV4_1_FILES = 1, 342 LAYOUT4_OSD2_OBJECTS = 2, 343 LAYOUT4_BLOCK_VOLUME = 3, 344 LAYOUT4_SCSI = 0x80000005 345 [[RFC Editor: please modify the LAYOUT4_SCSI 346 to be the layouttype assigned by IANA]] 347 }; 349 This document defines structure associated with the layouttype4 value 350 LAYOUT4_SCSI. [RFC5661] specifies the loc_body structure as an XDR 351 type "opaque". The opaque layout is uninterpreted by the generic 352 pNFS client layers, but obviously must be interpreted by the Layout 353 Type implementation. 355 2.3. GETDEVICEINFO 357 2.3.1. Volume Identification 359 SCSI targets implementing [SPC4] export unique LU names for each LU 360 through the Device Identification VPD page (page code 0x83), which 361 can be obtained using the INQUIRY command with the EVPD bit set to 362 one. This document uses a subset of this information to identify LUs 363 backing pNFS SCSI layouts. Device Identification VPD page 364 descriptors used to identify LUs for use with pNFS SCSI layouts must 365 adhere to the following restrictions: 367 1. The "ASSOCIATION" MUST be set to 0 (The DESIGNATOR field is 368 associated with the addressed logical unit). 370 2. The "DESIGNATOR TYPE" MUST be set to one of four values that are 371 required for the mandatory logical unit name in section 7.7.3 of 372 [SPC4], as explicitly listed in the "pnfs_scsi_designator_type" 373 enumeration: 375 PS_DESIGNATOR_T10 T10 vendor ID based 377 PS_DESIGNATOR_EUI64 EUI-64-based 379 PS_DESIGNATOR_NAA NAA 381 PS_DESIGNATOR_NAME SCSI name string 382 Any other association or designator type MUST NOT be used. Use 383 of T10 vendor IDs is discouraged when one of the other types can 384 be used. 386 The "CODE SET" VPD page field is stored in the "sbv_code_set" field 387 of the "pnfs_scsi_base_volume_info4" structure, the "DESIGNATOR TYPE" 388 is stored in "sbv_designator_type", and the DESIGNATOR is stored in 389 "sbv_designator". Due to the use of a XDR array the "DESIGNATOR 390 LENGTH" field does not need to be set separately. Only certain 391 combinations of "sbv_code_set" and "sbv_designator_type" are valid, 392 please refer to [SPC4] for details, and note that ASCII MAY be used 393 as the code set for UTF-8 text that contains only printable ASCII 394 characters. Note that a Device Identification VPD page MAY contain 395 multiple descriptors with the same association, code set and 396 designator type. NFS clients thus MUST check all the descriptors for 397 a possible match to "sbv_code_set", "sbv_designator_type" and 398 "sbv_designator". 400 Storage devices such as storage arrays can have multiple physical 401 network ports that need not be connected to a common network, 402 resulting in a pNFS client having simultaneous multipath access to 403 the same storage volumes via different ports on different networks. 404 Selection of one or multiple ports to access the storage device is 405 left up to the client. 407 Additionally the server returns a Persistent Reservation key in the 408 "sbv_pr_key" field. See Section 2.4.10 for more details on the use 409 of Persistent Reservations. 411 2.3.2. Volume Topology 413 The pNFS SCSI layout volume topology is expressed in terms of the 414 volume types described below. The individual components of the 415 topology are contained in an array and components MAY refer to other 416 components by using array indices. 418 /// enum pnfs_scsi_volume_type4 { 419 /// PNFS_SCSI_VOLUME_SLICE = 1, /* volume is a slice of 420 /// another volume */ 421 /// PNFS_SCSI_VOLUME_CONCAT = 2, /* volume is a 422 /// concatenation of 423 /// multiple volumes */ 424 /// PNFS_SCSI_VOLUME_STRIPE = 3 /* volume is striped across 425 /// multiple volumes */ 426 /// PNFS_SCSI_VOLUME_BASE = 4, /* volume maps to a single 427 /// LU */ 428 /// }; 429 /// 430 /// /* 431 /// * Code sets from SPC-4. 432 /// */ 433 /// enum pnfs_scsi_code_set { 434 /// PS_CODE_SET_BINARY = 1, 435 /// PS_CODE_SET_ASCII = 2, 436 /// PS_CODE_SET_UTF8 = 3 437 /// }; 438 /// 439 /// /* 440 /// * Designator types from taken from SPC-4. 441 /// * 442 /// * Other values are allocated in SPC-4, but not mandatory to 443 /// * implement or aren't Logical Unit names. 444 /// */ 445 /// enum pnfs_scsi_designator_type { 446 /// PS_DESIGNATOR_T10 = 1, 447 /// PS_DESIGNATOR_EUI64 = 2, 448 /// PS_DESIGNATOR_NAA = 3, 449 /// PS_DESIGNATOR_NAME = 8 450 /// }; 451 /// 452 /// /* 453 /// * Logical Unit name + reservation key. 454 /// */ 455 /// struct pnfs_scsi_base_volume_info4 { 456 /// pnfs_scsi_code_set sbv_code_set; 457 /// pnfs_scsi_designator_type sbv_designator_type; 458 /// opaque sbv_designator<>; 459 /// uint64_t sbv_pr_key; 460 /// }; 461 /// 463 /// struct pnfs_scsi_slice_volume_info4 { 464 /// offset4 ssv_start; /* offset of the start of 465 /// the slice in bytes */ 466 /// length4 ssv_length; /* length of slice in 467 /// bytes */ 468 /// uint32_t ssv_volume; /* array index of sliced 469 /// volume */ 470 /// }; 471 /// 473 /// 474 /// struct pnfs_scsi_concat_volume_info4 { 475 /// uint32_t scv_volumes<>; /* array indices of volumes 476 /// which are concatenated */ 477 /// }; 478 /// 479 /// struct pnfs_scsi_stripe_volume_info4 { 480 /// length4 ssv_stripe_unit; /* size of stripe in bytes */ 481 /// uint32_t ssv_volumes<>; /* array indices of 482 /// volumes which are striped 483 /// across -- MUST be same 484 /// size */ 485 /// }; 487 /// 488 /// union pnfs_scsi_volume4 switch (pnfs_scsi_volume_type4 type) { 489 /// case PNFS_SCSI_VOLUME_BASE: 490 /// pnfs_scsi_base_volume_info4 sv_simple_info; 491 /// case PNFS_SCSI_VOLUME_SLICE: 492 /// pnfs_scsi_slice_volume_info4 sv_slice_info; 493 /// case PNFS_SCSI_VOLUME_CONCAT: 494 /// pnfs_scsi_concat_volume_info4 sv_concat_info; 495 /// case PNFS_SCSI_VOLUME_STRIPE: 496 /// pnfs_scsi_stripe_volume_info4 sv_stripe_info; 497 /// }; 498 /// 500 /// /* SCSI layout-specific type for da_addr_body */ 501 /// struct pnfs_scsi_deviceaddr4 { 502 /// pnfs_scsi_volume4 sda_volumes<>; /* array of volumes */ 503 /// }; 504 /// 506 The "pnfs_scsi_deviceaddr4" data structure is a structure that allows 507 arbitrarily complex nested volume structures to be encoded. The 508 types of aggregations that are allowed are stripes, concatenations, 509 and slices. Note that the volume topology expressed in the 510 pnfs_scsi_deviceaddr4 data structure will always resolve to a set of 511 pnfs_scsi_volume_type4 PNFS_SCSI_VOLUME_BASE. The array of volumes 512 is ordered such that the root of the volume hierarchy is the last 513 element of the array. Concat, slice, and stripe volumes MUST refer 514 to volumes defined by lower indexed elements of the array. 516 The "pnfs_scsi_device_addr4" data structure is returned by the server 517 as the storage-protocol-specific opaque field da_addr_body in the 518 "device_addr4" structure by a successful GETDEVICEINFO operation 519 [RFC5661]. 521 As noted above, all device_addr4 structures eventually resolve to a 522 set of volumes of type PNFS_SCSI_VOLUME_BASE. Complicated volume 523 hierarchies MAY be composed of dozens of volumes each with several 524 components; thus, the device address MAY require several kilobytes. 525 The client SHOULD be prepared to allocate a large buffer to contain 526 the result. In the case of the server returning NFS4ERR_TOOSMALL, 527 the client SHOULD allocate a buffer of at least gdir_mincount_bytes 528 to contain the expected result and retry the GETDEVICEINFO request. 530 2.4. Data Structures: Extents and Extent Lists 532 A pNFS SCSI layout is a list of extents within a flat array of data 533 blocks in a volume. The details of the volume topology can be 534 determined by using the GETDEVICEINFO operation. The SCSI layout 535 describes the individual block extents on the volume that make up the 536 file. The offsets and length contained in an extent are specified in 537 units of bytes. 539 /// enum pnfs_scsi_extent_state4 { 540 /// PNFS_SCSI_READ_WRITE_DATA = 0, /* the data located by 541 /// this extent is valid 542 /// for reading and 543 /// writing. */ 544 /// PNFS_SCSI_READ_DATA = 1, /* the data located by this 545 /// extent is valid for 546 /// reading only; it may not 547 /// be written. */ 548 /// PNFS_SCSI_INVALID_DATA = 2, /* the location is valid; the 549 /// data is invalid. It is a 550 /// newly (pre-) allocated 551 /// extent. The client MUST 552 /// not read from this 553 /// space */ 554 /// PNFS_SCSI_NONE_DATA = 3 /* the location is invalid. 555 /// It is a hole in the file. 556 /// The client MUST NOT read 557 /// from or write to this 558 /// space */ 559 /// }; 560 /// 561 /// struct pnfs_scsi_extent4 { 562 /// deviceid4 se_vol_id; /* id of the volume on 563 /// which extent of file is 564 /// stored. */ 565 /// offset4 se_file_offset; /* starting byte offset 566 /// in the file */ 567 /// length4 se_length; /* size in bytes of the 568 /// extent */ 569 /// offset4 se_storage_offset; /* starting byte offset 570 /// in the volume */ 571 /// pnfs_scsi_extent_state4 se_state; 572 /// /* state of this extent */ 573 /// }; 574 /// 576 /// /* SCSI layout-specific type for loc_body */ 577 /// struct pnfs_scsi_layout4 { 578 /// pnfs_scsi_extent4 sl_extents<>; 579 /// /* extents which make up this 580 /// layout. */ 581 /// }; 582 /// 584 The SCSI layout consists of a list of extents that map the regions of 585 the file to locations on a volume. The "se_storage_offset" field 586 within each extent identifies a location on the volume specified by 587 the "se_vol_id" field in the extent. The se_vol_id itself is 588 shorthand for the whole topology of the volume on which the file is 589 stored. The client is responsible for translating this volume- 590 relative offset into an offset on the appropriate underlying SCSI LU. 592 Each extent maps a region of the file onto a portion of the specified 593 LU. The se_file_offset, se_length, and se_state fields for an extent 594 returned from the server are valid for all extents. In contrast, the 595 interpretation of the se_storage_offset field depends on the value of 596 se_state as follows (in increasing order): 598 PNFS_SCSI_READ_WRITE_DATA means that se_storage_offset is valid, and 599 points to valid/initialized data that can be read and written. 601 PNFS_SCSI_READ_DATA means that se_storage_offset is valid and points 602 to valid/initialized data that can only be read. Write operations 603 are prohibited; the client MAY need to request a read-write 604 layout. 606 PNFS_SCSI_INVALID_DATA means that se_storage_offset is valid, but 607 points to invalid un-initialized data. This data MUST not be read 608 from the disk until it has been initialized. A read request for a 609 PNFS_SCSI_INVALID_DATA extent MUST fill the user buffer with 610 zeros, unless the extent is covered by a PNFS_SCSI_READ_DATA 611 extent of a copy-on-write file system. Write requests MUST write 612 whole server-sized blocks to the disk; bytes not initialized by 613 the user MUST be set to zero. Any write to storage in a 614 PNFS_SCSI_INVALID_DATA extent changes the written portion of the 615 extent to PNFS_SCSI_READ_WRITE_DATA; the pNFS client is 616 responsible for reporting this change via LAYOUTCOMMIT. 618 PNFS_SCSI_NONE_DATA means that se_storage_offset is not valid, and 619 this extent MAY not be used to satisfy write requests. Read 620 requests MAY be satisfied by zero-filling as for 621 PNFS_SCSI_INVALID_DATA. PNFS_SCSI_NONE_DATA extents MAY be 622 returned by requests for readable extents; they are never returned 623 if the request was for a writable extent. 625 An extent list contains all relevant extents in increasing order of 626 the se_file_offset of each extent; any ties are broken by increasing 627 order of the extent state (se_state). 629 2.4.1. Layout Requests and Extent Lists 631 Each request for a layout specifies at least three parameters: file 632 offset, desired size, and minimum size. If the status of a request 633 indicates success, the extent list returned MUST meet the following 634 criteria: 636 o A request for a readable (but not writable) layout MUST return 637 either PNFS_SCSI_READ_DATA or PNFS_SCSI_NONE_DATA extents. It 638 SHALL NOT return PNFS_SCSI_INVALID_DATA or 639 PNFS_SCSI_READ_WRITE_DATA extents. 641 o A request for a writable layout MUST return 642 PNFS_SCSI_READ_WRITE_DATA or PNFS_SCSI_INVALID_DATA extents, and 643 it MAY return addition PNFS_SCSI_READ_DATA extents for ranges 644 covered by PNFS_SCSI_INVALID_DATA extents to allow client side 645 copy-on-write operations. A request for a writable layout SHALL 646 NOT return PNFS_SCSI_NONE_DATA extents. 648 o The first extent in the list MUST contain the requested starting 649 offset. 651 o The total size of extents within the requested range MUST cover at 652 least the minimum size. One exception is allowed: the total size 653 MAY be smaller if only readable extents were requested and EOF is 654 encountered. 656 o Extents in the extent list MUST be logically contiguous for a 657 read-only layout. For a read-write layout, the set of writable 658 extents (i.e., excluding PNFS_SCSI_READ_DATA extents) MUST be 659 logically contiguous. Every PNFS_SCSI_READ_DATA extent in a read- 660 write layout MUST be covered by one or more PNFS_SCSI_INVALID_DATA 661 extents. This overlap of PNFS_SCSI_READ_DATA and 662 PNFS_SCSI_INVALID_DATA extents is the only permitted extent 663 overlap. 665 o Extents MUST be ordered in the list by starting offset, with 666 PNFS_SCSI_READ_DATA extents preceding PNFS_SCSI_INVALID_DATA 667 extents in the case of equal se_file_offsets. 669 According to [RFC5661], if the minimum requested size, 670 loga_minlength, is zero, this is an indication to the metadata server 671 that the client desires any layout at offset loga_offset or less that 672 the metadata server has "readily available". Given the lack of a 673 clear definition of this phrase, in the context of the SCSI layout 674 type, when loga_minlength is zero, the metadata server SHOULD: 676 o when processing requests for readable layouts, return all such, 677 even if some extents are in the PNFS_SCSI_NONE_DATA state. 679 o when processing requests for writable layouts, return extents 680 which can be returned in the PNFS_SCSI_READ_WRITE_DATA state. 682 2.4.2. Layout Commits 684 /// 685 /// /* SCSI layout-specific type for lou_body */ 686 /// 687 /// struct pnfs_scsi_range4 { 688 /// offset4 sr_file_offset; /* starting byte offset 689 /// in the file */ 690 /// length4 sr_length; /* size in bytes */ 691 /// }; 692 /// 693 /// struct pnfs_scsi_layoutupdate4 { 694 /// pnfs_scsi_range4 slu_commit_list<>; 695 /// /* list of extents which 696 /// * now contain valid data. 697 /// */ 698 /// }; 700 The "pnfs_scsi_layoutupdate4" structure is used by the client as the 701 SCSI layout-specific argument in a LAYOUTCOMMIT operation. The 702 "slu_commit_list" field is a list covering regions of the file layout 703 that were previously in the PNFS_SCSI_INVALID_DATA state, but have 704 been written by the client and SHOULD now be considered in the 705 PNFS_SCSI_READ_WRITE_DATA state. The extents in the commit list MUST 706 be disjoint and MUST be sorted by sr_file_offset. Implementors 707 should be aware that a server MAY be unable to commit regions at a 708 granularity smaller than a file-system block (typically 4 KB or 8 709 KB). As noted above, the block-size that the server uses is 710 available as an NFSv4 attribute, and any extents included in the 711 "slu_commit_list" MUST be aligned to this granularity and have a size 712 that is a multiple of this granularity. Since the block in question 713 is in state PNFS_SCSI_INVALID_DATA, byte ranges not written SHOULD be 714 filled with zeros. This applies even if it appears that the area 715 being written is beyond what the client believes to be the end of 716 file. 718 2.4.3. Layout Returns 720 A LAYOUTRETURN operation represents an explicit release of resources 721 by the client. This MAY be done in response to a CB_LAYOUTRECALL or 722 before any recall, in order to avoid a future CB_LAYOUTRECALL. When 723 the LAYOUTRETURN operation specifies a LAYOUTRETURN4_FILE return 724 type, then the layoutreturn_file4 data structure specifies the region 725 of the file layout that is no longer needed by the client. 727 The LAYOUTRETURN operation is done without any SCSI layout specific 728 data. The opaque "lrf_body" field of the "layoutreturn_file4" data 729 structure MUST have length zero. 731 2.4.4. Layout Revocation 733 Layouts MAY be unilaterally revoked by the server, due to the 734 client's lease time expiring, or the client failing to return a 735 layout which has been recalled in a timely manner. For the SCSI 736 layout type this is accomplished by fencing off the client from 737 access to storage as described in Section 2.4.10. When this is done, 738 it is necessary that all I/Os issued by the fenced-off client be 739 rejected by the storage This includes any in-flight I/Os that the 740 client issued before the layout was revoked. 742 Note, that the granularity of this operation can only be at the host/ 743 LU level. Thus, if one of a client's layouts is unilaterally revoked 744 by the server, it will effectively render useless *all* of the 745 client's layouts for files located on the storage units comprising 746 the volume. This may render useless the client's layouts for files 747 in other file systems. See Section 2.4.10.5 for a discussion of 748 recovery from from fencing. 750 2.4.5. Client Copy-on-Write Processing 752 Copy-on-write is a mechanism used to support file and/or file system 753 snapshots. When writing to unaligned regions, or to regions smaller 754 than a file system block, the writer MUST copy the portions of the 755 original file data to a new location on disk. This behavior can 756 either be implemented on the client or the server. The paragraphs 757 below describe how a pNFS SCSI layout client implements access to a 758 file that requires copy-on-write semantics. 760 Distinguishing the PNFS_SCSI_READ_WRITE_DATA and PNFS_SCSI_READ_DATA 761 extent types in combination with the allowed overlap of 762 PNFS_SCSI_READ_DATA extents with PNFS_SCSI_INVALID_DATA extents 763 allows copy-on-write processing to be done by pNFS clients. In 764 classic NFS, this operation would be done by the server. Since pNFS 765 enables clients to do direct block access, it is useful for clients 766 to participate in copy-on-write operations. All SCSI pNFS clients 767 MUST support this copy-on-write processing. 769 When a client wishes to write data covered by a PNFS_SCSI_READ_DATA 770 extent, it MUST have requested a writable layout from the server; 771 that layout will contain PNFS_SCSI_INVALID_DATA extents to cover all 772 the data ranges of that layout's PNFS_SCSI_READ_DATA extents. More 773 precisely, for any se_file_offset range covered by one or more 774 PNFS_SCSI_READ_DATA extents in a writable layout, the server MUST 775 include one or more PNFS_SCSI_INVALID_DATA extents in the layout that 776 cover the same se_file_offset range. When performing a write to such 777 an area of a layout, the client MUST effectively copy the data from 778 the PNFS_SCSI_READ_DATA extent for any partial blocks of 779 se_file_offset and range, merge in the changes to be written, and 780 write the result to the PNFS_SCSI_INVALID_DATA extent for the blocks 781 for that se_file_offset and range. That is, if entire blocks of data 782 are to be overwritten by an operation, the corresponding 783 PNFS_SCSI_READ_DATA blocks need not be fetched, but any partial- 784 block writes MUST be merged with data fetched via PNFS_SCSI_READ_DATA 785 extents before storing the result via PNFS_SCSI_INVALID_DATA extents. 786 For the purposes of this discussion, "entire blocks" and "partial 787 blocks" refer to the server's file-system block size. Storing of 788 data in a PNFS_SCSI_INVALID_DATA extent converts the written portion 789 of the PNFS_SCSI_INVALID_DATA extent to a PNFS_SCSI_READ_WRITE_DATA 790 extent; all subsequent reads MUST be performed from this extent; the 791 corresponding portion of the PNFS_SCSI_READ_DATA extent MUST NOT be 792 used after storing data in a PNFS_SCSI_INVALID_DATA extent. If a 793 client writes only a portion of an extent, the extent MAY be split at 794 block aligned boundaries. 796 When a client wishes to write data to a PNFS_SCSI_INVALID_DATA extent 797 that is not covered by a PNFS_SCSI_READ_DATA extent, it MUST treat 798 this write identically to a write to a file not involved with copy- 799 on-write semantics. Thus, data MUST be written in at least block- 800 sized increments, aligned to multiples of block-sized offsets, and 801 unwritten portions of blocks MUST be zero filled. 803 2.4.6. Extents are Permissions 805 Layout extents returned to pNFS clients grant permission to read or 806 write; PNFS_SCSI_READ_DATA and PNFS_SCSI_NONE_DATA are read-only 807 (PNFS_SCSI_NONE_DATA reads as zeroes), PNFS_SCSI_READ_WRITE_DATA and 808 PNFS_SCSI_INVALID_DATA are read/write, (PNFS_SCSI_INVALID_DATA reads 809 as zeros, any write converts it to PNFS_SCSI_READ_WRITE_DATA). This 810 is the only means a client has of obtaining permission to perform 811 direct I/O to storage devices; a pNFS client MUST NOT perform direct 812 I/O operations that are not permitted by an extent held by the 813 client. Client adherence to this rule places the pNFS server in 814 control of potentially conflicting storage device operations, 815 enabling the server to determine what does conflict and how to avoid 816 conflicts by granting and recalling extents to/from clients. 818 If a client makes a layout request that conflicts with an existing 819 layout delegation, the request will be rejected with the error 820 NFS4ERR_LAYOUTTRYLATER. This client is then expected to retry the 821 request after a short interval. During this interval, the server 822 SHOULD recall the conflicting portion of the layout delegation from 823 the client that currently holds it. This reject-and-retry approach 824 does not prevent client starvation when there is contention for the 825 layout of a particular file. For this reason, a pNFS server SHOULD 826 implement a mechanism to prevent starvation. One possibility is that 827 the server can maintain a queue of rejected layout requests. Each 828 new layout request can be checked to see if it conflicts with a 829 previous rejected request, and if so, the newer request can be 830 rejected. Once the original requesting client retries its request, 831 its entry in the rejected request queue can be cleared, or the entry 832 in the rejected request queue can be removed when it reaches a 833 certain age. 835 NFSv4 supports mandatory locks and share reservations. These are 836 mechanisms that clients can use to restrict the set of I/O operations 837 that are permissible to other clients. Since all I/O operations 838 ultimately arrive at the NFSv4 server for processing, the server is 839 in a position to enforce these restrictions. However, with pNFS 840 layouts, I/Os will be issued from the clients that hold the layouts 841 directly to the storage devices that host the data. These devices 842 have no knowledge of files, mandatory locks, or share reservations, 843 and are not in a position to enforce such restrictions. For this 844 reason the NFSv4 server MUST NOT grant layouts that conflict with 845 mandatory locks or share reservations. Further, if a conflicting 846 mandatory lock request or a conflicting open request arrives at the 847 server, the server MUST recall the part of the layout in conflict 848 with the request before granting the request. 850 2.4.7. Partial-Block Updates 852 SCSI storage devices do not provide byte granularity access and can 853 only perform read and write operations atomically on a block 854 granularity. WRITES to SCSI storage devices thus require read- 855 modify-write cycles to write data smaller than the block size or 856 which is otherwise not block-aligned. Write operations from multiple 857 clients to the same block can thus lead to data corruption even if 858 the byte range written by the applications does not overlap. When 859 there are multiple clients who wish to access the same block, a pNFS 860 server MUST avoid these conflicts by implementing a concurrency 861 control policy of single writer XOR multiple readers for a given data 862 block. 864 2.4.8. End-of-file Processing 866 The end-of-file location can be changed in two ways: implicitly as 867 the result of a WRITE or LAYOUTCOMMIT beyond the current end-of-file, 868 or explicitly as the result of a SETATTR request. Typically, when a 869 file is truncated by an NFSv4 client via the SETATTR call, the server 870 frees any disk blocks belonging to the file that are beyond the new 871 end-of-file byte, and MUST write zeros to the portion of the new end- 872 of-file block beyond the new end-of-file byte. These actions render 873 any pNFS layouts that refer to the blocks that are freed or written 874 semantically invalid. Therefore, the server MUST recall from clients 875 the portions of any pNFS layouts that refer to blocks that will be 876 freed or written by the server before effecting the file truncation. 877 These recalls may take time to complete; as explained in [RFC5661], 878 if the server cannot respond to the client SETATTR request in a 879 reasonable amount of time, it SHOULD reply to the client with the 880 error NFS4ERR_DELAY. 882 Blocks in the PNFS_SCSI_INVALID_DATA state that lie beyond the new 883 end-of-file block present a special case. The server has reserved 884 these blocks for use by a pNFS client with a writable layout for the 885 file, but the client has yet to commit the blocks, and they are not 886 yet a part of the file mapping on disk. The server MAY free these 887 blocks while processing the SETATTR request. If so, the server MUST 888 recall any layouts from pNFS clients that refer to the blocks before 889 processing the truncate. If the server does not free the 890 PNFS_SCSI_INVALID_DATA blocks while processing the SETATTR request, 891 it need not recall layouts that refer only to the 892 PNFS_SCSI_INVALID_DATA blocks. 894 When a file is extended implicitly by a WRITE or LAYOUTCOMMIT beyond 895 the current end-of-file, or extended explicitly by a SETATTR request, 896 the server need not recall any portions of any pNFS layouts. 898 2.4.9. Layout Hints 900 The layout hint attribute specified in [RFC5661] is not supported by 901 the SCSI layout, and the pNFS server MUST reject setting a layout 902 hint attribute with a loh_type value of LAYOUT4_SCSI_VOLUME during 903 OPEN or SETATTR operations. On a file system only supporting the 904 SCSI layout a server MUST NOT report the layout_hint attribute in the 905 supported_attrs attribute. 907 2.4.10. Client Fencing 909 The pNFS SCSI protocol must handle situations in which a system 910 failure, typically a network connectivity issue, requires the server 911 to unilaterally revoke extents from a client after the client fails 912 to respond to a CB_LAYOUTRECALL request. This is implemented by 913 fencing off a non-responding client from access to the storage 914 device. 916 The pNFS SCSI protocol implements fencing using Persistent 917 Reservations (PRs), similar to the fencing method used by existing 918 shared disk file systems. By placing a PR of type "Exclusive Access 919 - Registrants Only" on each SCSI LU exported to pNFS clients the MDS 920 prevents access from any client that does not have an outstanding 921 device ID that gives the client a reservation key to access the LU, 922 and allows the MDS to revoke access to the logic unit at any time. 924 2.4.10.1. PRs - Key Generation 926 To allow fencing individual systems, each system MUST use a unique 927 Persistent Reservation key. [SPC4] does not specify a way to 928 generate keys. This document assigns the burden to generate unique 929 keys to the MDS, which MUST generate a key for itself before 930 exporting a volume, and a key for each client that accesses SCSI 931 layout volumes. Individuals keys for each volume that a client can 932 access are permitted but not required. 934 2.4.10.2. PRs - MDS Registration and Reservation 936 Before returning a PNFS_SCSI_VOLUME_BASE volume to the client, the 937 MDS needs to prepare the volume for fencing using PRs. This is done 938 by registering the reservation generated for the MDS with the device 939 using the "PERSISTENT RESERVE OUT" command with a service action of 940 "REGISTER", followed by a "PERSISTENT RESERVE OUT" command, with a 941 service action of "RESERVE" and the type field set to 8h (Exclusive 942 Access - Registrants Only). To make sure all I_T nexuses (see 943 section 3.1.45 of [SAM-5]) are registered, the MDS SHOULD set the 944 "All Target Ports" (ALL_TG_PT) bit when registering the key, or 945 otherwise ensure the registration is performed for each target port, 946 and MUST perform registration for each initiator port. 948 2.4.10.3. PRs - Client Registration 950 Before performing the first I/O to a device returned from a 951 GETDEVICEINFO operation the client will register the registration key 952 returned in sbv_pr_key with the storage device by issuing a 953 "PERSISTENT RESERVE OUT" command with a service action of REGISTER 954 with the "SERVICE ACTION RESERVATION KEY" set to the reservation key 955 returned in sbv_pr_key. To make sure all I_T nexuses are registered, 956 the client SHOULD set the "All Target Ports" (ALL_TG_PT) bit when 957 registering the key, or otherwise ensure the registration is 958 performed for each target port, and MUST perform registration for 959 each initiator port. 961 When a client stops using a device earlier returned by GETDEVICEINFO 962 it MUST unregister the earlier registered key by issuing a 963 "PERSISTENT RESERVE OUT" command with a service action of "REGISTER" 964 with the "RESERVATION KEY" set to the earlier registered reservation 965 key. 967 2.4.10.4. PRs - Fencing Action 969 In case of a non-responding client the MDS fences the client by 970 issuing a "PERSISTENT RESERVE OUT" command with the service action 971 set to "PREEMPT" or "PREEMPT AND ABORT", the reservation key field 972 set to the server's reservation key, the service action reservation 973 key field set to the reservation key associated with the non- 974 responding client, and the type field set to 8h (Exclusive Access - 975 Registrants Only). 977 After the MDS preempts a client, all client I/O to the LU fails. The 978 client SHOULD at this point return any layout that refers to the 979 device ID that points to the LU. Note that the client can 980 distinguish I/O errors due to fencing from other errors based on the 981 "RESERVATION CONFLICT" SCSI status. Refer to [SPC4] for details. 983 2.4.10.5. Client Recovery After a Fence Action 985 A client that detects a "RESERVATION CONFLICT" SCSI status (I/O 986 error) on the storage devices MUST commit all layouts that use the 987 storage device through the MDS, return all outstanding layouts for 988 the device, forget the device ID and unregister the reservation key. 989 Future GETDEVICEINFO calls MAY refer to the storage device again, in 990 which case the client will perform a new registration based on the 991 key provided (via sbv_pr_key) at that time. 993 2.5. Crash Recovery Issues 995 A critical requirement in crash recovery is that both the client and 996 the server know when the other has failed. Additionally, it is 997 required that a client sees a consistent view of data across server 998 restarts. These requirements and a full discussion of crash recovery 999 issues are covered in the "Crash Recovery" section of the NFSv41 1000 specification [RFC5661]. This document contains additional crash 1001 recovery material specific only to the SCSI layout. 1003 When the server crashes while the client holds a writable layout, and 1004 the client has written data to blocks covered by the layout, and the 1005 blocks are still in the PNFS_SCSI_INVALID_DATA state, the client has 1006 two options for recovery. If the data that has been written to these 1007 blocks is still cached by the client, the client can simply re-write 1008 the data via NFSv4, once the server has come back online. However, 1009 if the data is no longer in the client's cache, the client MUST NOT 1010 attempt to source the data from the data servers. Instead, it SHOULD 1011 attempt to commit the blocks in question to the server during the 1012 server's recovery grace period, by sending a LAYOUTCOMMIT with the 1013 "loca_reclaim" flag set to true. This process is described in detail 1014 in Section 18.42.4 of [RFC5661]. 1016 2.6. Recalling Resources: CB_RECALL_ANY 1018 The server MAY decide that it cannot hold all of the state for 1019 layouts without running out of resources. In such a case, it is free 1020 to recall individual layouts using CB_LAYOUTRECALL to reduce the 1021 load, or it MAY choose to request that the client return any layout. 1023 The NFSv4.1 spec [RFC5661] defines the following types: 1025 const RCA4_TYPE_MASK_BLK_LAYOUT = 4; 1027 struct CB_RECALL_ANY4args { 1028 uint32_t craa_objects_to_keep; 1029 bitmap4 craa_type_mask; 1030 }; 1032 When the server sends a CB_RECALL_ANY request to a client specifying 1033 the RCA4_TYPE_MASK_BLK_LAYOUT bit in craa_type_mask, the client 1034 SHOULD immediately respond with NFS4_OK, and then asynchronously 1035 return complete file layouts until the number of files with layouts 1036 cached on the client is less than craa_object_to_keep. 1038 2.7. Transient and Permanent Errors 1040 The server may respond to LAYOUTGET with a variety of error statuses. 1041 These errors can convey transient conditions or more permanent 1042 conditions that are unlikely to be resolved soon. 1044 The error NFS4ERR_RECALLCONFLICT indicates that the server has 1045 recently issued a CB_LAYOUTRECALL to the requesting client, making it 1046 necessary for the client to respond to the recall before processing 1047 the layout request. A client can wait for that recall to be receive 1048 and processe or it can retry as for NFS4ERR_TRYLATER, as described 1049 below. 1051 The error NFS4ERR_TRYLATER is used to indicate that the server cannot 1052 immediately grant the layout to the client. This MAY be due to 1053 constraints on writable sharing of blocks by multiple clients or to a 1054 conflict with a recallable lock (e.g. a delegation). In either case, 1055 a reasonable approach for the client is to wait several milliseconds 1056 and retry the request. The client SHOULD track the number of 1057 retries, and if forward progress is not made, the client SHOULD 1058 abandon the attempt to get a layout and perform READ and WRITE 1059 operations by sending them to the server 1061 The error NFS4ERR_LAYOUTUNAVAILABLE MAY be returned by the server if 1062 layouts are not supported for the requested file or its containing 1063 file system. The server MAY also return this error code if the 1064 server is the progress of migrating the file from secondary storage, 1065 there is a conflicting lock that would prevent the layout from being 1066 granted, or for any other reason that causes the server to be unable 1067 to supply the layout. As a result of receiving 1068 NFS4ERR_LAYOUTUNAVAILABLE, the client SHOULD abandon the attempt to 1069 get a layout and perform READ and WRITE operations by sending them to 1070 the MDS. It is expected that a client will not cache the file's 1071 layoutunavailable state forever. In particular, when the file is 1072 closed or opened by the client, issuing a new LAYOUTGET is 1073 appropriate. 1075 2.8. Volatile write caches 1077 Many storage devices implement volatile write caches that require an 1078 explicit flush to persist the data from write operations to stable 1079 storage. Storage devices implementing [SBC3] should indicate a 1080 volatile write cache by setting the WCE bit to 1 in the Caching mode 1081 page. When a volatile write cache is used, the pNFS server MUST 1082 ensure the volatile write cache has been committed to stable storage 1083 before the LAYOUTCOMMIT operation returns by using one of the 1084 SYNCHRONIZE CACHE commands. 1086 3. Enforcing NFSv4 Semantics 1088 The functionality provided by SCSI Persistent Reservations makes it 1089 possible for the MDS to control access by individual client machines 1090 to specific LUs. Individual client machines may be allowed to or 1091 prevented from reading or writing to certain block devices. Finer- 1092 grained access control methods are not generally available. 1094 For this reason, certain responsibilities for enforcing NFSv4 1095 semantics, including security and locking, are delegated to pNFS 1096 clients when SCSI layouts are being used. The metadata server's role 1097 is to only grant layouts appropriately and the pNFS clients have to 1098 be trusted to only perform accesses allowed by the layout extents 1099 they currently hold (e.g., and not access storage for files on which 1100 a layout extent is not held). In general, the server will not be 1101 able to prevent a client that holds a layout for a file from 1102 accessing parts of the physical disk not covered by the layout. 1103 Similarly, the server will not be able to prevent a client from 1104 accessing blocks covered by a layout that it has already returned. 1105 The pNFS client must respect the layout model for this mapping type 1106 to appropriately respect NFSv4 semantics. 1108 Furthermore, there is no way for the storage to determine the 1109 specific NFSv4 entity (principal, openowner, lockowner) on whose 1110 behalf the I/O operation is being done. This fact may limit the 1111 functionality to be supported and require the pNFS client to 1112 implement server policies other than those describable by layouts. 1113 In cases in which layouts previously granted become invalid, the 1114 server has the option of recalling them. In situations in which 1115 communication difficulties prevent this from happening, layouts may 1116 be revoked by the server. This revocation is accompanied by changes 1117 in persistent reservation which have the effect of preventing SCSI 1118 access to the LUs in question by the client. 1120 3.1. Use of Open Stateids 1122 The effective implementation of these NFSv4 semantic constraints is 1123 complicated by the different granularities of the actors for the 1124 different types of the functionality to be enforced: 1126 o To enforce security constraints for particular principals. 1128 o To enforce locking constraints for particular owners (openowners 1129 and lockowners) 1131 Fundamental to enforcing both of these sorts of constraints is the 1132 principle that a pNFS client must not issue a SCSI I/O operation 1133 unless it possesses both: 1135 o A valid open stateid for the file in question, performing the I/O 1136 that allows I/O of the type in question, which is associated with 1137 the openowner and principal on whose behalf the I/O is to be done. 1139 o A valid layout stateid for the file in question that covers the 1140 byte range on which the I/O is to be done and that allows I/O of 1141 that type to be done. 1143 As a result, if the equivalent of I/O with an anonymous or write- 1144 bypass stateid is to be done, it MUST NOT by done using the pNFS SCSI 1145 layout type. The client MAY attempt such I/O using READs and WRITEs 1146 that do not use pNFS and are directed to the MDS. 1148 When open stateids are revoked, due to lease expiration or any form 1149 of administrative revocation, the server MUST recall all layouts that 1150 allow I/O to be done on any of the files for which open revocation 1151 happens. When there is a failure to successfully return those 1152 layouts, the client MUST be fenced. 1154 3.2. Enforcing Security Restrictions 1156 The restriction noted above provides adequate enforcement of 1157 appropriate security restriction when the principal issuing the I/O 1158 is the same as that opening the file. The server is responsible for 1159 checking that the I/O mode requested by the open is allowed for the 1160 principal doing the OPEN. If the correct sort of I/O is done on 1161 behalf of the same principal, then the security restriction is 1162 thereby enforced. 1164 If I/O is done by a principal different from the one that opened the 1165 file, the client SHOULD send the I/O to be performed by the metadata 1166 server rather than doing it directly to the storage device. 1168 3.3. Enforcing Locking Restrictions 1170 Mandatory enforcement of whole-file locking by means of share 1171 reservations is provided when the pNFS client obeys the requirement 1172 set forth in Section 3.1 above. Since performing I/O requires a 1173 valid open stateid an I/O that violates an existing share reservation 1174 would only be possible when the server allows conflicting open 1175 stateids to exist. 1177 The nature of the SCSI layout type is such implementation/enforcement 1178 of mandatory byte-range locks is very difficult. Given that layouts 1179 are granted to clients rather than owners, the pNFS client is in no 1180 position to successfully arbitrate among multiple lockowners on the 1181 same client. Suppose lockowner A is doing a write and, while the I/O 1182 is pending, lockowner B requests a mandatory byte-range for a byte 1183 range potentially overlapping the pending I/O. In such a situation, 1184 the lock request cannot be granted while the I/O is pending. In a 1185 non-pNFS environment, the server would have to wait for pending I/O 1186 before granting the mandatory byte-range lock. In the pNFS 1187 environment the server does not issue the I/O and is thus in no 1188 position to wait for its completion. The server may recall such 1189 layouts but in doing so, it has no way of distinguishing those being 1190 used by lockowners A and B, making it difficult to allow B to perform 1191 I/O while forbidding A from doing so. Given this fact, the MDS need 1192 to successfully recall all layouts that overlap the range being 1193 locked before returning a successful response to the LOCK request. 1194 While the lock is in effect, the server SHOULD respond to requests 1195 for layouts which overlap a currently locked area with 1196 NFS4ERR_LAYOUTUNAVAILABLE. To simplify the required logic a server 1197 MAY do this for all layout requests on the file in question as long 1198 as there are any byte-range locks in effect. 1200 Given these difficulties it may be difficult for servers supporting 1201 mandatory byte-range locks to also support SCSI layouts. Servers can 1202 support advisory byte-range locks instead. The NFSv4 protocol 1203 currently has no way of determining whether byte-range lock support 1204 on a particular file system will be mandatory or advisory, except by 1205 trying operation which would conflict if mandatory locking is in 1206 effect. Therefore, to avoid confusion, servers SHOULD NOT switch 1207 between mandatory and advisory byte-range locking based on whether 1208 any SCSI layouts have been obtained or whether a client that has 1209 obtained a SCSI layout has requested a byte-range lock. 1211 4. Security Considerations 1213 Access to SCSI storage devices is logically at a lower layer of the 1214 I/O stack than NFSv4, and hence NFSv4 security is not directly 1215 applicable to protocols that access such storage directly. Depending 1216 on the protocol, some of the security mechanisms provided by NFSv4 1217 (e.g., encryption, cryptographic integrity) may not be available or 1218 may be provided via different means. At one extreme, pNFS with SCSI 1219 layouts can be used with storage access protocols (e.g., serial 1220 attached SCSI ([SAS3]) that provide essentially no security 1221 functionality. At the other extreme, pNFS may be used with storage 1222 protocols such as iSCSI ([RFC7143]) that can provide significant 1223 security functionality. It is the responsibility of those 1224 administering and deploying pNFS with a SCSI storage access protocol 1225 to ensure that appropriate protection is provided to that protocol 1226 (physical security is a common means for protocols not based on IP). 1227 In environments where the security requirements for the storage 1228 protocol cannot be met, pNFS SCSI layouts SHOULD NOT be used. 1230 When security is available for a storage protocol, it is generally at 1231 a different granularity and with a different notion of identity than 1232 NFSv4 (e.g., NFSv4 controls user access to files, iSCSI controls 1233 initiator access to volumes). The responsibility for enforcing 1234 appropriate correspondences between these security layers is placed 1235 upon the pNFS client. As with the issues in the first paragraph of 1236 this section, in environments where the security requirements are 1237 such that client-side protection from access to storage outside of 1238 the layout is not sufficient, pNFS SCSI layouts SHOULD NOT be used. 1240 5. IANA Considerations 1242 IANA is requested to assign a new pNFS layout type in the pNFS Layout 1243 Types Registry as follows (the value 5 is suggested): Layout Type 1244 Name: LAYOUT4_SCSI Value: 0x00000005 RFC: RFCTBD10 How: L (new layout 1245 type) Minor Versions: 1 1247 6. Normative References 1249 [LEGAL] IETF Trust, "Legal Provisions Relating to IETF Documents", 1250 November 2008, . 1253 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1254 Requirement Levels", March 1997. 1256 [RFC4506] Eisler, M., "XDR: External Data Representation Standard", 1257 STD 67, RFC 4506, May 2006. 1259 [RFC5661] Shepler, S., Ed., Eisler, M., Ed., and D. Noveck, Ed., 1260 "Network File System (NFS) Version 4 Minor Version 1 1261 Protocol", RFC 5661, January 2010. 1263 [RFC5662] Shepler, S., Ed., Eisler, M., Ed., and D. Noveck, Ed., 1264 "Network File System (NFS) Version 4 Minor Version 1 1265 External Data Representation Standard (XDR) Description", 1266 RFC 5662, January 2010. 1268 [RFC5663] Black, D., Ed., Fridella, S., Ed., and J. Glasgow, Ed., 1269 "Parallel NFS (pNFS) Block/Volume Layout", RFC 5663, 1270 January 2010. 1272 [RFC6688] Black, D., Ed., Glasgow, J., and S. Faibish, "Parallel NFS 1273 (pNFS) Block Disk Protection", RFC 6688, July 2012. 1275 [RFC7143] Chadalapaka, M., Meth, K., and D. Black, "Internet Small 1276 Computer System Interface (iSCSI) Protocol 1277 (Consolidated)", RFC RFC7143, April 2014. 1279 [SAM-5] INCITS Technical Committee T10, "SCSI Architecture Model - 1280 5 (SAM-5)", ANSI INCITS 515-XXXXX, 2016. 1282 [SAS3] INCITS Technical Committee T10, "Serial Attached Scsi-3", 1283 ANSI INCITS ANSI INCITS 519-2014, ISO/IEC 14776-154, 2014. 1285 [SBC3] INCITS Technical Committee T10, "SCSI Block Commands-3", 1286 ANSI INCITS INCITS 514-2014, ISO/IEC 14776-323, 2014. 1288 [SPC4] INCITS Technical Committee T10, "SCSI Primary Commands-4", 1289 ANSI INCITS 513-2015, 2015. 1291 Appendix A. Acknowledgments 1293 Large parts of this document were copied verbatim, and others were 1294 inspired by [RFC5663]. Thank to David Black, Stephen Fridella and 1295 Jason Glasgow for their work on the pNFS block/volume layout 1296 protocol. 1298 David Black, Robert Elliott and Tom Haynes provided a throughout 1299 review of drafts of this document, and their input led to the current 1300 form of the document. 1302 David Noveck provided ample feedback to various drafts of this 1303 document, wrote the section on enforcing NFSv4 semantics and rewrote 1304 various sections to better catch the intent. 1306 Appendix B. RFC Editor Notes 1308 [RFC Editor: please remove this section prior to publishing this 1309 document as an RFC] 1311 [RFC Editor: prior to publishing this document as an RFC, please 1312 replace all occurrences of RFCTBD10 with RFCxxxx where xxxx is the 1313 RFC number of this document] 1315 [RFC Editor: This draft has a normative dependence on SAM-5, whose 1316 publication as a standard is in progress. Publication of this draft 1317 as an RFC has to wait for publication of SAM-5 including availability 1318 of a reference to the published standard. The author will be able to 1319 advise the RFC Editor when SAM-5 is published and supply the 1320 necessary reference.] 1322 Author's Address 1324 Christoph Hellwig 1326 Email: hch@lst.de