zfs: support force exporting pools

This is primarily of use when a pool has lost its disk, while the user
doesn't care about any pending (or otherwise) transactions.

Implement various control methods to make this feasible:
- txg_wait can now take a NOSUSPEND flag, in which case the caller will
  be alerted if their txg can't be committed.  This is primarily of
  interest for callers that would normally pass TXG_WAIT, but don't want
  to wait if the pool becomes suspended, which allows unwinding in some
  cases, specifically when one is attempting a non-forced export.
  Without this, the non-forced export would preclude a forced export
  by virtue of holding the namespace lock indefinitely.
- txg_wait also returns failure for TXG_WAIT users if a pool is actually
  being force exported.  Adjust most callers to tolerate this.
- spa_config_enter_flags now takes a NOSUSPEND flag to the same effect.
- DMU objset initiator which may be set on an objset being forcibly
  exported / unmounted.
- SPA export initiator may be set on a pool being forcibly exported.
- DMU send/recv now use an interruption mechanism which relies on the
  SPA export initiator being able to enumerate datasets and closing any
  send/recv streams, causing their EINTR paths to be invoked.
- ZIO now has a cancel entry point, which tells all suspended zios to
  fail, and which suppresses the failures for non-CANFAIL users.
- metaslab, etc. cleanup, which consists of simply throwing away any
  changes that were not able to be synced out.
- Linux specific: introduce a new tunable,
  zfs_forced_export_unmount_enabled, which allows the filesystem to
  remain in a modified 'unmounted' state upon exiting zpl_umount_begin,
  to achieve parity with FreeBSD and illumos,
  which have VFS-level support for yanking filesystems out from under
  users.  However, this only helps when the user is actively performing
  I/O, while not sitting on the filesystem.  In particular, this allows
  test #3 below to pass on Linux.
- Add basic logic to zpool to indicate a force-exporting pool, instead
  of crashing due to lack of config, etc.

Add tests which cover the basic use cases:
- Force export while a send is in progress
- Force export while a recv is in progress
- Force export while POSIX I/O is in progress

This change modifies the libzfs ABI:
- New ZPOOL_STATUS_FORCE_EXPORTING zpool_status_t enum value.
- New field libzfs_force_export for libzfs_handle.

Signed-off-by:	Will Andrews <will@firepipe.net>
Sponsored-by:	Klara, Inc.
Sponsored-by:	Catalogics, Inc.
Closes #3461

Author: wca

cmd/zpool/zpool_main.c

@@ -356,7 +356,7 @@ get_usage(zpool_help_t idx)
 	case HELP_DETACH:
 		return (gettext("\tdetach <pool> <device>\n"));
 	case HELP_EXPORT:
-		return (gettext("\texport [-af] <pool> ...\n"));
+		return (gettext("\texport [-afF] <pool> ...\n"));
 	case HELP_HISTORY:
 		return (gettext("\thistory [-il] [<pool>] ...\n"));
 	case HELP_IMPORT:
@@ -1813,7 +1813,7 @@ zpool_export_one(zpool_handle_t *zhp, void *data)
 {
 	export_cbdata_t *cb = data;
 
-	if (zpool_disable_datasets(zhp, cb->force) != 0)
+	if (zpool_disable_datasets(zhp, cb->force || cb->hardforce) != 0)
 		return (1);
 
 	/* The history must be logged as part of the export */
@@ -1834,10 +1834,13 @@ zpool_export_one(zpool_handle_t *zhp, void *data)
  *
  *	-a	Export all pools
  *	-f	Forcefully unmount datasets
+ *	-F	Forcefully export, dropping all outstanding dirty data
  *
  * Export the given pools.  By default, the command will attempt to cleanly
  * unmount any active datasets within the pool.  If the '-f' flag is specified,
- * then the datasets will be forcefully unmounted.
+ * then the datasets will be forcefully unmounted.  If the '-F' flag is
+ * specified, the pool's dirty data, if any, will simply be dropped after a
+ * best-effort attempt to forcibly stop all activity.
  */
 int
 zpool_do_export(int argc, char **argv)

include/libzfs.h

@@ -393,6 +393,7 @@ typedef enum {
 	ZPOOL_STATUS_REBUILD_SCRUB,	/* recommend scrubbing the pool */
 	ZPOOL_STATUS_NON_NATIVE_ASHIFT,	/* (e.g. 512e dev with ashift of 9) */
 	ZPOOL_STATUS_COMPATIBILITY_ERR,	/* bad 'compatibility' property */
+	ZPOOL_STATUS_FORCE_EXPORTING,	/* pool is being force exported */
 
 	/*
 	 * Finally, the following indicates a healthy pool.

include/libzfs_impl.h

@@ -72,6 +72,7 @@ struct libzfs_handle {
 	boolean_t libzfs_prop_debug;
 	regex_t libzfs_urire;
 	uint64_t libzfs_max_nvlist;
+	boolean_t libzfs_force_export;
 };
 
 struct zfs_handle {

include/os/freebsd/spl/sys/thread.h

@@ -31,4 +31,7 @@
 
 #define	getcomm() curthread->td_name
 #define	getpid() curthread->td_tid
+#define	thread_signal spl_kthread_signal
+extern int spl_kthread_signal(kthread_t *tsk, int sig);
+
 #endif

include/os/linux/spl/sys/thread.h

@@ -55,6 +55,7 @@ typedef void (*thread_func_t)(void *);
 	#func, arg, len, pp, state, pri)
 /* END CSTYLED */
 
+#define	thread_signal(t, s)		spl_kthread_signal(t, s)
 #define	thread_exit()			__thread_exit()
 #define	thread_join(t)			VERIFY(0)
 #define	curthread			current
@@ -67,6 +68,7 @@ extern kthread_t *__thread_create(caddr_t stk, size_t  stksize,
 extern void __thread_exit(void);
 extern struct task_struct *spl_kthread_create(int (*func)(void *),
     void *data, const char namefmt[], ...);
+extern int spl_kthread_signal(kthread_t *tsk, int sig);
 
 extern proc_t p0;
 

include/os/linux/zfs/sys/zfs_vfsops_os.h

@@ -101,7 +101,8 @@ struct zfsvfs {
 	boolean_t	z_utf8;		/* utf8-only */
 	int		z_norm;		/* normalization flags */
 	boolean_t	z_relatime;	/* enable relatime mount option */
-	boolean_t	z_unmounted;	/* unmounted */
+	boolean_t	z_unmounted;	/* mount status */
+	boolean_t	z_force_unmounted; /* force-unmounted status */
 	rrmlock_t	z_teardown_lock;
 	krwlock_t	z_teardown_inactive_lock;
 	list_t		z_all_znodes;	/* all znodes in the fs */

include/os/linux/zfs/sys/zfs_znode_impl.h

@@ -80,14 +80,27 @@ extern "C" {
 #define	ZFS_ENTER_ERROR(zfsvfs, error)				\
 do {								\
 	rrm_enter_read(&(zfsvfs)->z_teardown_lock, FTAG);	\
-	if ((zfsvfs)->z_unmounted) {				\
+	if ((zfsvfs)->z_unmounted == B_TRUE ||			\
+	    (zfsvfs)->z_force_unmounted == B_TRUE) {		\
 		ZFS_EXIT(zfsvfs);				\
 		return (error);					\
 	}							\
 } while (0)
 #define	ZFS_ENTER(zfsvfs)	ZFS_ENTER_ERROR(zfsvfs, EIO)
 #define	ZPL_ENTER(zfsvfs)	ZFS_ENTER_ERROR(zfsvfs, -EIO)
 
+/* ZFS_ENTER but ok with forced unmount having begun */
+#define	_ZFS_ENTER_UNMOUNTOK(zfsvfs, error)			\
+do {								\
+	rrm_enter_read(&(zfsvfs)->z_teardown_lock, FTAG);	\
+	if ((zfsvfs)->z_unmounted == B_TRUE) {			\
+		ZFS_EXIT(zfsvfs);				\
+		return (error);					\
+	}							\
+} while (0)
+#define	ZFS_ENTER_UNMOUNTOK(zfsvfs)	_ZFS_ENTER_UNMOUNTOK(zfsvfs, EIO)
+#define	ZPL_ENTER_UNMOUNTOK(zfsvfs)	_ZFS_ENTER_UNMOUNTOK(zfsvfs, -EIO)
+
 /* Must be called before exiting the operation. */
 #define	ZFS_EXIT(zfsvfs)					\
 do {								\

include/sys/arc.h

@@ -329,6 +329,7 @@ void l2arc_fini(void);
 void l2arc_start(void);
 void l2arc_stop(void);
 void l2arc_spa_rebuild_start(spa_t *spa);
+void l2arc_spa_rebuild_stop(spa_t *spa);
 
 #ifndef _KERNEL
 extern boolean_t arc_watch;

include/sys/dmu.h

@@ -276,6 +276,7 @@ typedef enum dmu_object_type {
 #define	TXG_NOWAIT	(0ULL)
 #define	TXG_WAIT	(1ULL<<0)
 #define	TXG_NOTHROTTLE	(1ULL<<1)
+#define	TXG_NOSUSPEND	(1ULL<<2)
 
 void byteswap_uint64_array(void *buf, size_t size);
 void byteswap_uint32_array(void *buf, size_t size);

include/sys/dmu_impl.h

@@ -241,6 +241,7 @@ typedef struct dmu_sendstatus {
 	list_node_t dss_link;
 	int dss_outfd;
 	proc_t *dss_proc;
+	kthread_t *dss_thread;
 	offset_t *dss_off;
 	uint64_t dss_blocks; /* blocks visited during the sending process */
 } dmu_sendstatus_t;