reflink.py 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458
  1. #
  2. # The Qubes OS Project, https://www.qubes-os.org/
  3. #
  4. # Copyright (C) 2018 Rusty Bird <rustybird@net-c.com>
  5. #
  6. # This library is free software; you can redistribute it and/or
  7. # modify it under the terms of the GNU Lesser General Public
  8. # License as published by the Free Software Foundation; either
  9. # version 2.1 of the License, or (at your option) any later version.
  10. #
  11. # This library is distributed in the hope that it will be useful,
  12. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  13. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  14. # Lesser General Public License for more details.
  15. #
  16. # You should have received a copy of the GNU Lesser General Public
  17. # License along with this library; if not, see <https://www.gnu.org/licenses/>.
  18. #
  19. ''' Driver for handling VM images as files, without any device-mapper
  20. involvement. A reflink-capable filesystem is strongly recommended,
  21. but not required.
  22. '''
  23. import asyncio
  24. import collections
  25. import errno
  26. import fcntl
  27. import functools
  28. import glob
  29. import logging
  30. import os
  31. import platform
  32. import subprocess
  33. import tempfile
  34. from contextlib import suppress
  35. import qubes.storage
  36. import qubes.utils
  37. LOGGER = logging.getLogger('qubes.storage.reflink')
  38. # defined in <linux/loop.h>
  39. LOOP_SET_CAPACITY = 0x4C07
  40. # defined in <linux/fs.h>
  41. FICLONE = {
  42. 'x86_64': 0x40049409,
  43. 'ppc64le': 0x80049409,
  44. }[platform.machine()]
  45. def _coroutinized(function):
  46. ''' Wrap a synchronous function in a coroutine that runs the
  47. function via the event loop's ThreadPool-based default
  48. executor.
  49. '''
  50. @asyncio.coroutine
  51. @functools.wraps(function)
  52. def wrapper(*args, **kwargs):
  53. return (yield from asyncio.get_event_loop().run_in_executor(
  54. None, functools.partial(function, *args, **kwargs)))
  55. return wrapper
  56. class ReflinkPool(qubes.storage.Pool):
  57. driver = 'file-reflink'
  58. _known_dir_path_prefixes = ['appvms', 'vm-templates']
  59. def __init__(self, *, name, revisions_to_keep=1,
  60. dir_path, setup_check=True):
  61. super().__init__(name=name, revisions_to_keep=revisions_to_keep)
  62. self._setup_check = qubes.property.bool(None, None, setup_check)
  63. self._volumes = {}
  64. self.dir_path = os.path.abspath(dir_path)
  65. @_coroutinized
  66. def setup(self):
  67. created = _make_dir(self.dir_path)
  68. if self._setup_check and not is_supported(self.dir_path):
  69. if created:
  70. _remove_empty_dir(self.dir_path)
  71. raise qubes.storage.StoragePoolException(
  72. 'The filesystem for {!r} does not support reflinks. If you'
  73. ' can live with VM startup delays and wasted disk space, pass'
  74. ' the "setup_check=False" option.'.format(self.dir_path))
  75. for dir_path_prefix in self._known_dir_path_prefixes:
  76. _make_dir(os.path.join(self.dir_path, dir_path_prefix))
  77. return self
  78. def init_volume(self, vm, volume_config):
  79. # Fail closed on any strange VM dir_path_prefix, just in case
  80. # /etc/udev/rules.d/00-qubes-ignore-devices.rules needs update
  81. assert vm.dir_path_prefix in self._known_dir_path_prefixes, \
  82. 'Unknown dir_path_prefix {!r}'.format(vm.dir_path_prefix)
  83. volume_config['pool'] = self
  84. if 'revisions_to_keep' not in volume_config:
  85. volume_config['revisions_to_keep'] = self.revisions_to_keep
  86. if 'vid' not in volume_config:
  87. volume_config['vid'] = os.path.join(vm.dir_path_prefix, vm.name,
  88. volume_config['name'])
  89. volume = ReflinkVolume(**volume_config)
  90. self._volumes[volume_config['vid']] = volume
  91. return volume
  92. def list_volumes(self):
  93. return list(self._volumes.values())
  94. def get_volume(self, vid):
  95. return self._volumes[vid]
  96. def destroy(self):
  97. pass
  98. @property
  99. def config(self):
  100. return {
  101. 'name': self.name,
  102. 'dir_path': self.dir_path,
  103. 'driver': ReflinkPool.driver,
  104. 'revisions_to_keep': self.revisions_to_keep
  105. }
  106. @property
  107. def size(self):
  108. statvfs = os.statvfs(self.dir_path)
  109. return statvfs.f_frsize * statvfs.f_blocks
  110. @property
  111. def usage(self):
  112. statvfs = os.statvfs(self.dir_path)
  113. return statvfs.f_frsize * (statvfs.f_blocks - statvfs.f_bfree)
  114. def included_in(self, app):
  115. ''' Check if there is pool containing this one - either as a
  116. filesystem or its LVM volume'''
  117. return qubes.storage.search_pool_containing_dir(
  118. [pool for pool in app.pools.values() if pool is not self],
  119. self.dir_path)
  120. class ReflinkVolume(qubes.storage.Volume):
  121. def __init__(self, *args, **kwargs):
  122. super().__init__(*args, **kwargs)
  123. self._path_vid = os.path.join(self.pool.dir_path, self.vid)
  124. self._path_clean = self._path_vid + '.img'
  125. self._path_dirty = self._path_vid + '-dirty.img'
  126. self._path_import = self._path_vid + '-import.img'
  127. self.path = self._path_dirty
  128. @qubes.storage.Volume.locked
  129. @_coroutinized
  130. def create(self):
  131. self._remove_all_images()
  132. if self.save_on_stop and not self.snap_on_start:
  133. _create_sparse_file(self._path_clean, self._size)
  134. return self
  135. @_coroutinized
  136. def verify(self):
  137. if self.snap_on_start:
  138. img = self.source._path_clean # pylint: disable=protected-access
  139. elif self.save_on_stop:
  140. img = self._path_clean
  141. else:
  142. img = None
  143. if img is None or os.path.exists(img):
  144. return True
  145. raise qubes.storage.StoragePoolException(
  146. 'Missing image file {!r} for volume {}'.format(img, self.vid))
  147. @qubes.storage.Volume.locked
  148. @_coroutinized
  149. def remove(self):
  150. self.pool._volumes.pop(self, None) # pylint: disable=protected-access
  151. self._remove_all_images()
  152. _remove_empty_dir(os.path.dirname(self._path_vid))
  153. return self
  154. def _remove_all_images(self):
  155. self._remove_incomplete_images()
  156. self._prune_revisions(keep=0)
  157. _remove_file(self._path_clean)
  158. _remove_file(self._path_dirty)
  159. def _remove_incomplete_images(self):
  160. for tmp in glob.iglob(glob.escape(self._path_vid) + '*.img*~*'):
  161. _remove_file(tmp)
  162. _remove_file(self._path_import)
  163. def is_outdated(self):
  164. if self.snap_on_start:
  165. with suppress(FileNotFoundError):
  166. # pylint: disable=protected-access
  167. return (os.path.getmtime(self.source._path_clean) >
  168. os.path.getmtime(self._path_clean))
  169. return False
  170. def is_dirty(self):
  171. return self.save_on_stop and os.path.exists(self._path_dirty)
  172. @qubes.storage.Volume.locked
  173. @_coroutinized
  174. def start(self):
  175. self._remove_incomplete_images()
  176. if not self.is_dirty():
  177. if self.snap_on_start:
  178. # pylint: disable=protected-access
  179. _copy_file(self.source._path_clean, self._path_clean)
  180. if self.snap_on_start or self.save_on_stop:
  181. _copy_file(self._path_clean, self._path_dirty)
  182. else:
  183. # Preferably use the size of a leftover image, in case
  184. # the volume was previously resized - but then a crash
  185. # prevented qubes.xml serialization of the new size.
  186. _create_sparse_file(self._path_dirty, self.size)
  187. return self
  188. @qubes.storage.Volume.locked
  189. @_coroutinized
  190. def stop(self):
  191. if self.save_on_stop:
  192. self._commit(self._path_dirty)
  193. else:
  194. if not self.snap_on_start:
  195. self._size = self.size # preserve manual resize of image
  196. _remove_file(self._path_dirty)
  197. _remove_file(self._path_clean)
  198. return self
  199. def _commit(self, path_from):
  200. self._add_revision()
  201. self._prune_revisions()
  202. qubes.utils.fsync_path(path_from)
  203. _rename_file(path_from, self._path_clean)
  204. def _add_revision(self):
  205. if self.revisions_to_keep == 0:
  206. return
  207. ctime = os.path.getctime(self._path_clean)
  208. timestamp = qubes.storage.isodate(int(ctime))
  209. _copy_file(self._path_clean,
  210. self._path_revision(self._next_revision_number, timestamp))
  211. def _prune_revisions(self, keep=None):
  212. if keep is None:
  213. keep = self.revisions_to_keep
  214. # pylint: disable=invalid-unary-operand-type
  215. for number, timestamp in list(self.revisions.items())[:-keep or None]:
  216. _remove_file(self._path_revision(number, timestamp))
  217. @qubes.storage.Volume.locked
  218. @_coroutinized
  219. def revert(self, revision=None):
  220. if self.is_dirty():
  221. raise qubes.storage.StoragePoolException(
  222. 'Cannot revert: {} is not cleanly stopped'.format(self.vid))
  223. if revision is None:
  224. number, timestamp = list(self.revisions.items())[-1]
  225. else:
  226. number, timestamp = revision, None
  227. path_revision = self._path_revision(number, timestamp)
  228. self._add_revision()
  229. _rename_file(path_revision, self._path_clean)
  230. return self
  231. @qubes.storage.Volume.locked
  232. @_coroutinized
  233. def resize(self, size):
  234. ''' Resize a read-write volume; notify any corresponding loop
  235. devices of the size change.
  236. '''
  237. if not self.rw:
  238. raise qubes.storage.StoragePoolException(
  239. 'Cannot resize: {} is read-only'.format(self.vid))
  240. for path in (self._path_dirty, self._path_clean):
  241. with suppress(FileNotFoundError):
  242. _resize_file(path, size)
  243. break
  244. self._size = size
  245. if path == self._path_dirty:
  246. _update_loopdev_sizes(self._path_dirty)
  247. return self
  248. def export(self):
  249. if not self.save_on_stop:
  250. raise NotImplementedError(
  251. 'Cannot export: {} is not save_on_stop'.format(self.vid))
  252. return self._path_clean
  253. @qubes.storage.Volume.locked
  254. @_coroutinized
  255. def import_data(self, size):
  256. if not self.save_on_stop:
  257. raise NotImplementedError(
  258. 'Cannot import_data: {} is not save_on_stop'.format(self.vid))
  259. _create_sparse_file(self._path_import, size)
  260. return self._path_import
  261. def _import_data_end(self, success):
  262. (self._commit if success else _remove_file)(self._path_import)
  263. return self
  264. import_data_end = qubes.storage.Volume.locked(_coroutinized(
  265. _import_data_end))
  266. @qubes.storage.Volume.locked
  267. @asyncio.coroutine
  268. def import_volume(self, src_volume):
  269. if self.save_on_stop:
  270. try:
  271. success = False
  272. src_path = yield from qubes.utils.coro_maybe(
  273. src_volume.export())
  274. try:
  275. yield from _coroutinized(_copy_file)(
  276. src_path, self._path_import)
  277. finally:
  278. yield from qubes.utils.coro_maybe(
  279. src_volume.export_end(src_path))
  280. success = True
  281. finally:
  282. yield from _coroutinized(self._import_data_end)(success)
  283. return self
  284. def _path_revision(self, number, timestamp=None):
  285. if timestamp is None:
  286. timestamp = self.revisions[number]
  287. return self._path_clean + '.' + number + '@' + timestamp + 'Z'
  288. @property
  289. def _next_revision_number(self):
  290. numbers = self.revisions.keys()
  291. if numbers:
  292. return str(int(list(numbers)[-1]) + 1)
  293. return '1'
  294. @property
  295. def revisions(self):
  296. prefix = self._path_clean + '.'
  297. paths = glob.iglob(glob.escape(prefix) + '*@*Z')
  298. items = (path[len(prefix):-1].split('@') for path in paths)
  299. return collections.OrderedDict(sorted(items,
  300. key=lambda item: int(item[0])))
  301. @property
  302. def size(self):
  303. for path in (self._path_dirty, self._path_clean):
  304. with suppress(FileNotFoundError):
  305. return os.path.getsize(path)
  306. return self._size
  307. @property
  308. def usage(self):
  309. ''' Return volume disk usage from the VM's perspective. It is
  310. usually much lower from the host's perspective due to CoW.
  311. '''
  312. for path in (self._path_dirty, self._path_clean):
  313. with suppress(FileNotFoundError):
  314. return os.stat(path).st_blocks * 512
  315. return 0
  316. def _replace_file(dst):
  317. _make_dir(os.path.dirname(dst))
  318. return qubes.utils.replace_file(
  319. dst, permissions=0o600, log_level=logging.INFO)
  320. _rename_file = functools.partial(
  321. qubes.utils.rename_file, log_level=logging.INFO)
  322. _remove_file = functools.partial(
  323. qubes.utils.remove_file, log_level=logging.INFO)
  324. def _make_dir(path):
  325. ''' mkdir path, ignoring FileExistsError; return whether we
  326. created it.
  327. '''
  328. with suppress(FileExistsError):
  329. os.mkdir(path)
  330. qubes.utils.fsync_path(os.path.dirname(path))
  331. LOGGER.info('Created directory: %r', path)
  332. return True
  333. return False
  334. def _remove_empty_dir(path):
  335. try:
  336. os.rmdir(path)
  337. qubes.utils.fsync_path(os.path.dirname(path))
  338. LOGGER.info('Removed empty directory: %r', path)
  339. except OSError as ex:
  340. if ex.errno not in (errno.ENOENT, errno.ENOTEMPTY):
  341. raise
  342. def _resize_file(path, size):
  343. ''' Resize an existing file. '''
  344. with open(path, 'rb+') as file_io:
  345. file_io.truncate(size)
  346. os.fsync(file_io.fileno())
  347. def _create_sparse_file(path, size):
  348. ''' Create an empty sparse file. '''
  349. with _replace_file(path) as tmp_io:
  350. tmp_io.truncate(size)
  351. LOGGER.info('Created sparse file: %r', tmp_io.name)
  352. def _update_loopdev_sizes(img):
  353. ''' Resolve img; update the size of loop devices backed by it. '''
  354. needle = os.fsencode(os.path.realpath(img)) + b'\n'
  355. for sys_path in glob.iglob('/sys/block/loop[0-9]*/loop/backing_file'):
  356. try:
  357. with open(sys_path, 'rb') as sys_io:
  358. if sys_io.read() != needle:
  359. continue
  360. except FileNotFoundError:
  361. continue
  362. with open('/dev/' + sys_path.split('/')[3], 'rb') as dev_io:
  363. fcntl.ioctl(dev_io.fileno(), LOOP_SET_CAPACITY)
  364. def _attempt_ficlone(src_io, dst_io):
  365. try:
  366. fcntl.ioctl(dst_io.fileno(), FICLONE, src_io.fileno())
  367. return True
  368. except OSError as ex:
  369. if ex.errno not in (errno.EBADF, errno.EINVAL,
  370. errno.EOPNOTSUPP, errno.EXDEV):
  371. raise
  372. return False
  373. def _copy_file(src, dst):
  374. ''' Copy src to dst as a reflink if possible, sparse if not. '''
  375. with _replace_file(dst) as tmp_io:
  376. with open(src, 'rb') as src_io:
  377. if _attempt_ficlone(src_io, tmp_io):
  378. LOGGER.info('Reflinked file: %r -> %r', src, tmp_io.name)
  379. return True
  380. LOGGER.info('Copying file: %r -> %r', src, tmp_io.name)
  381. cmd = 'cp', '--sparse=always', src, tmp_io.name
  382. p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
  383. check=False)
  384. if p.returncode != 0:
  385. raise qubes.storage.StoragePoolException(str(p))
  386. return False
  387. def is_supported(dst_dir, src_dir=None):
  388. ''' Return whether destination directory supports reflink copies
  389. from source directory. (A temporary file is created in each
  390. directory, using O_TMPFILE if possible.)
  391. '''
  392. if src_dir is None:
  393. src_dir = dst_dir
  394. with tempfile.TemporaryFile(dir=src_dir) as src, \
  395. tempfile.TemporaryFile(dir=dst_dir) as dst:
  396. src.write(b'foo') # don't let any fs get clever with empty files
  397. return _attempt_ficlone(src, dst)