Support idmapped mount in user namespace

[youzhongyang]

Signed-off-by: Youzhong Yang yyang@mathworks.com

Motivation and Context

fs.idmapped.v5.17 enables "the idmapping infrastructure to support idmapped mounts of filesystems mounted with an idmapping". We need to improve the idmapped mount support in ZFS too.

Description

This pull request contains the following changes:

• Duplicate the kernel side idmapping inline functions so we don't have to rely on their availability. Two functions related to init_user_ns are also added.
• xattr setter functions are fixed to take mnt_ns argument. Without this, cp -p would fail for an idmapped mount in a user namespace.
• idmap_util is enhanced/fixed for its use in a user ns context.
• One test case added to test idmapped mount in a user ns.

How Has This Been Tested?

Full test suite run in a Ubuntu 22.04 VM; manual run of xfstests idmapped mount test cases.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Performance enhancement (non-breaking change which improves efficiency)
• Code cleanup (non-breaking change which makes code smaller or more readable)
• Breaking change (fix or feature that would cause existing functionality to change)
• Library ABI change (libzfs, libzfs_core, libnvpair, libuutil and libzfsbootenv)
• Documentation (a change to man pages or other documentation)

Checklist:

• My code follows the OpenZFS code style requirements.
• I have updated the documentation accordingly.
• I have read the contributing document.
• I have added tests to cover my changes.
• I have run the ZFS Test Suite with this change applied.
• All commit messages are properly formatted and contain Signed-off-by.

[cyphar]

/cc @brauner in case you want to take a look at this?

[brauner]

So just as an FYI. Kernel v5.17 has most of the infrastructure do correctly deal with idmapped mounts of idmapped filesystems. But the kernel which has a few further corner cases massaged out is v5.19. So I would advocate for v5.19 or v6.0 as the kernel with first class idmapped mounts of idmapped filesystems support.

[brauner]

Why don't you always return init_user_ns? That should always be available even without CONFIG_USER_NS and not having NULL returned from these functions makes thing safer.

[youzhongyang]

This makes sense. We support kernel as old as 3.10, I checked 3.10, init_user_ns is available.

[brauner]

Why don't you always return init_user_ns? That should always be available even without CONFIG_USER_NS and not having NULL returned from these functions makes thing safer.

[youzhongyang]

Some old kernel (e.g. unpatched 3.10) does not have super_block->s_user_ns, but returning init_user_ns in that case makes sense.

As the inline zfs_i_user_ns() will be used in zfs module (CDDL licensed) and the symbol "init_user_ns" is GPL, for this zfs_i_user_ns() to return &init_user_ns, we have to use a function zfs_get_init_userns() to get its pointer. My thought was to avoid function call if we can as it would be no fun to do tons of function calls when a busy server needs to handle lots of iops.

[brauner]

I wonder if the perf impact is measurable. But just chatted with @sforshee and he pointed out that you could probably just stash the address in a local pointer at module init. The address won't change.

[youzhongyang]

Good idea. Will work on this.

[behlendorf]

What we've done elsewhere is to grab the init_user_ns from init_task.cred.user_ns which we do have access to. That's worked out reasonably well, I'd recommend that approach rather than introducing a new helpful function. You can use kcred->user_ns.

[brauner]

I would try to code it in such a manner that these functions can never receive a NULL pointer. See my other comments.

[youzhongyang]

I kind of agree but here is my take on having NULL - on older kernel version(< 5.12) which does not provide "mnt_userns" in the inode_operations callbacks, a NULL mnt_userns would provide a shortcut for no id mapping. If we try to use &init_user_ns in such case, a function call is needed (due to its GPL nature) and we have to check if it is the initial user ns in order to have a shortcut. As you can see, this would need more CPU cycles.

@behlendorf What is your thought on this?

[brauner]

Just so I understand, you're deliberately operating on plain {g,u}id_t types instead of k{g,u}id_t and vfs{g,u}id_t types?

[youzhongyang]

Yes. I see no need to massage around different types.

[brauner]

I think security wise this isn't a good idea which is why we have raw {g,u}id_t for raw on-disk or userspace values, {k,g}uid_t for filesystem- or kernel-wide values, and vfs{g,u}id_t for vfs/vfsmount specific values so they can never be confused and used for one another. Just a note, not a request to change things.

[brauner]

The permission checking here confuses me a bit. Afaict, zpl_inode_owner_or_capable is just an ifdef for inode_owner_or_capable. The inode_capable_or_owner() helper should always receive the current_user_ns() and the mnt_userns. If idmapped mounts aren't supported then init_user_ns should be passed for mnt_userns. The mnt_userns is never used for capability checks currently so if zpl_inode_owner_or_capable checks any capabilities in the mnt_userns when passed mnt_userns as the first argument then the permission checking is wrong.

The current_user_ns() is used to check for stuff like CAP_FSETID and the mnt_userns only matters for remapping the ownership; capabilities aren't checked in there yet. We might have use-cases for this in the future but we don't right now.

[youzhongyang]

You are right. zpl_inode_owner_or_capable() is an wrapper on inode_owner_or_capable().

I searched latest kernel code, there are a bunch of places where mnt_userns is passed into inode_owner_or_capable(). Are they all wrong? for example, this one: https://github.com/torvalds/linux/blob/master/fs/posix_acl.c#L1142

Without this change, doing "cp -p" of an idmapped file in a user namespace would fail.

[brauner]

Sorry, I misremembered how I wrote inode_owner_or_capable(). It's correct the way you've done it. Fwiw, in the future I will pass down struct mnt_idmap instead of the plain namespace for additional type safety. The mnt_userns won't be visible outside the really low-level code and won't be exposed to the vfs and especially not to individual filesystems eliminating all confusions.

[brauner]

Same comment as above.

[brauner]

I would really not do this NULL pointer passing. I've carefully coded this upstream so that idmapped mounts always pass the init_user_ns around as an indicator for non-idmapped mounts.

[youzhongyang]

These cases the xattr_handler callback does not provide user ns argument so a NULL is passed to the underlying "__***" function to match the args list.

I will think more about this NULL stuff.

[brauner]

Do you support kernels without sb->s_user_ns?

[youzhongyang]

Yes we do.

[youzhongyang]

@brauner - Thank you very much for your review comments. I think I've addressed all of them, would you please take a look at the new changes? Here is a summary of them:

• &init_user_ns is now stashed in zfs module as "zfs_init_user_ns"; zfs_is_init_userns() checks against the stashed pointer to save some CPU cycles.
• now all the NULLs are replaced with zfs_init_user_ns.

I've run a full zfs test suite, and xfstests idmapped test cases. All look good.

[brauner]

This looks pretty sane to me. I haven't tested it of course.

One thing: If zfs supports functioning as a lower or upper filesystem for overlayfs then you want to test that with xfstests too. This can be done via:

sudo ./check -overlay -g quick

and if you want to test zfs as lower/upper with overlayfs on top of idmapped mounts you will need:

export IDMAPPED_MOUNTS=true

in local.config and then

sudo ./check -overlay -g quick

[behlendorf]

One thing: If zfs supports functioning as a lower or upper filesystem for overlayfs then you want to test that with xfstests too.

As it turns out support for overlayfs was merged just last month, so it's be good to run these tests. Thanks for pointing them out!

[youzhongyang]

Thanks for the xfstests info about overlay. I played a bit, xfs only, nothing zfs, kernel 5.19.0-17-generic on Ubuntu:

./check -overlay -g quick

Failed 13 of 648 tests

Failures: generic/513 generic/623 generic/633 generic/673 generic/675 generic/683 generic/684 generic/685 generic/686 generic/687 generic/688 generic/696 overlay/064

The local.config:

export TEST_DEV=/dev/sdc
export TEST_DIR=/mnt/test
export SCRATCH_DEV=/dev/sdd
export SCRATCH_MNT=/mnt/scratch
export FSTYP=xfs
export IDMAPPED_MOUNTS=true

Making xfstests work for zfs file system seems to be non-trivial, someone needs to spend quite some time digging into the test framework and making tweaks/changes.

[brauner]

Failures: generic/513 generic/623 generic/633 generic/673 generic/675 generic/683 generic/684 generic/685 generic/686 generic/687 generic/688 generic/696 overlay/064

Note that some of these failures are expected. This specifically includes generic/673, generic/683, generic/685, generic/686, generic/687. This is unrelated to idmapped mounts. And I have fixes for this in my for-next tree. You need:
https://git.kernel.org/pub/scm/linux/kernel/git/vfs/idmapping.git/log/?h=fs.ovl.setgid
Everything in there that's on top of v6.1-rc1.

[brauner]

Failures: generic/513 generic/623 generic/633 generic/673 generic/675 generic/683 generic/684 generic/685 generic/686 generic/687 generic/688 generic/696 overlay/064

Note that some of these failures are expected. This specifically includes generic/673, generic/683, generic/685, generic/686, generic/687. This is unrelated to idmapped mounts. And I have fixes for this in my for-next tree. You need: https://git.kernel.org/pub/scm/linux/kernel/git/vfs/idmapping.git/log/?h=fs.ovl.setgid Everything in there that's on top of v6.1-rc1.

Failures of generic/623 is expected as well since it's trying to issue an xfs specific ioctl while on overlayfs. So that can be ignored too.

[brauner]

Failures: generic/513 generic/623 generic/633 generic/673 generic/675 generic/683 generic/684 generic/685 generic/686 generic/687 generic/688 generic/696 overlay/064

Note that some of these failures are expected. This specifically includes generic/673, generic/683, generic/685, generic/686, generic/687. This is unrelated to idmapped mounts. And I have fixes for this in my for-next tree. You need: https://git.kernel.org/pub/scm/linux/kernel/git/vfs/idmapping.git/log/?h=fs.ovl.setgid Everything in there that's on top of v6.1-rc1.

Failures of generic/623 is expected as well since it's trying to issue an xfs specific ioctl while on overlayfs. So that can be ignored too.

IOW, most of these failures are fixed on v6.0 and v6.1 and more will be fixed on v6.2. But none of them are related to idmapped mounts.

[youzhongyang]

Failures: generic/513 generic/623 generic/633 generic/673 generic/675 generic/683 generic/684 generic/685 generic/686 generic/687 generic/688 generic/696 overlay/064

Note that some of these failures are expected. This specifically includes generic/673, generic/683, generic/685, generic/686, generic/687. This is unrelated to idmapped mounts. And I have fixes for this in my for-next tree. You need: https://git.kernel.org/pub/scm/linux/kernel/git/vfs/idmapping.git/log/?h=fs.ovl.setgid Everything in there that's on top of v6.1-rc1.

Failures of generic/623 is expected as well since it's trying to issue an xfs specific ioctl while on overlayfs. So that can be ignored too.

IOW, most of these failures are fixed on v6.0 and v6.1 and more will be fixed on v6.2. But none of them are related to idmapped mounts.

Good to know, thanks. I am happy with the result of those idmapped mount test cases.

I will come back to overlay + idmapped mount testing when time permits.

[youzhongyang]

Able to reproduce the build error on a Ubuntu 18.04 VM in AWS (kernel 5.4.0-1084-aws), with the added "extern struct task_struct init_task" in cred.h, the build passed.

[brauner]

One thing: If zfs supports functioning as a lower or upper filesystem for overlayfs then you want to test that with xfstests too.

As it turns out support for overlayfs was merged just last month, so it's be good to run these tests. Thanks for pointing them out!

Yep, I sent patches for supporting overlayfs on top of idmapped mounts starting with v5.19 without POSIX ACL support. Starting with v6.0 overlayfs also has support for POSIX ACLs on top of idmapped layers.

[youzhongyang]

The zvol_misc_trim failure on Ubuntu was reproducible without this PR, as of commit da3d266.

[Fri Nov  4 10:14:28 2022] VERIFY(zh->zh_claim_txg == 0) failed
[Fri Nov  4 10:14:28 2022] PANIC at zil.c:807:zil_create()
[Fri Nov  4 10:14:28 2022] Showing stack for process 33864
[Fri Nov  4 10:14:28 2022] CPU: 0 PID: 33864 Comm: zvol Kdump: loaded Tainted: P           OE     5.19.0-17-generic #17
[Fri Nov  4 10:14:28 2022] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[Fri Nov  4 10:14:28 2022] Call Trace:
[Fri Nov  4 10:14:28 2022]  <TASK>
[Fri Nov  4 10:14:28 2022]  show_stack+0x4e/0x61
[Fri Nov  4 10:14:28 2022]  dump_stack_lvl+0x4a/0x6d
[Fri Nov  4 10:14:28 2022]  dump_stack+0x10/0x18
[Fri Nov  4 10:14:28 2022]  spl_dumpstack+0x29/0x35 [spl]
[Fri Nov  4 10:14:28 2022]  spl_panic+0xf0/0x108 [spl]
[Fri Nov  4 10:14:28 2022]  ? mutex_lock+0x12/0x50
[Fri Nov  4 10:14:28 2022]  spl_assert+0x1b/0x30 [zfs]
[Fri Nov  4 10:14:28 2022]  zil_create+0x437/0x570 [zfs]
[Fri Nov  4 10:14:28 2022]  ? __slab_free+0xf1/0x310
[Fri Nov  4 10:14:28 2022]  zil_process_commit_list+0x228/0x490 [zfs]
[Fri Nov  4 10:14:28 2022]  zil_commit_writer+0x105/0x190 [zfs]
[Fri Nov  4 10:14:28 2022]  zil_commit_impl+0x62/0xc0 [zfs]
[Fri Nov  4 10:14:28 2022]  zil_commit+0x4e/0x1a0 [zfs]
[Fri Nov  4 10:14:28 2022]  zvol_write+0x3d7/0x550 [zfs]
[Fri Nov  4 10:14:28 2022]  ? psi_task_switch+0x1fc/0x240
[Fri Nov  4 10:14:28 2022]  ? raw_spin_rq_unlock+0x10/0x40
[Fri Nov  4 10:14:28 2022]  zvol_write_task+0x12/0x30 [zfs]
[Fri Nov  4 10:14:28 2022]  taskq_thread+0x210/0x450 [spl]
[Fri Nov  4 10:14:28 2022]  ? wake_up_q+0xa0/0xa0
[Fri Nov  4 10:14:28 2022]  ? zvol_write+0x550/0x550 [zfs]
[Fri Nov  4 10:14:28 2022]  ? param_set_taskq_kick+0x120/0x120 [spl]
[Fri Nov  4 10:14:28 2022]  kthread+0xe6/0x110
[Fri Nov  4 10:14:28 2022]  ? kthread_complete_and_exit+0x20/0x20
[Fri Nov  4 10:14:28 2022]  ret_from_fork+0x1f/0x30
[Fri Nov  4 10:14:28 2022]  </TASK>

[youzhongyang]

Something fell apart on Fedora 35 running kernel 6.0.5-100.fc35.x86_64, 4 out of 5 idmap_mount test cases failed. I was able to reproduce on a similar AWS VM.

Investigation underway.

[brauner]

Something fell apart on Fedora 35 running kernel 6.0.5-100.fc35.x86_64, 4 out of 5 idmap_mount test cases failed. I was able to reproduce on a similar AWS VM.

Investigation underway.

What are the errors you're seeing on Fedora?

[behlendorf]

@youzhongyang we recently started see those same failures on Fedora 35 on the master branch without this PR.

[youzhongyang]

Something fell apart on Fedora 35 running kernel 6.0.5-100.fc35.x86_64, 4 out of 5 idmap_mount test cases failed. I was able to reproduce on a similar AWS VM.
Investigation underway.

What are the errors you're seeing on Fedora?

Hi @brauner, I created a script to reproduce the issue:

#!/bin/bash -x

set -e

export UID1=1000000
export GID1=1000000
export UID2=2000000
export GID2=2000000

export TESTDIR=/var/tmp/testdir
export WORKDIR=$TESTDIR/idmap_test
export IDMAPDIR=$TESTDIR/idmap_dest
export IDMAP_UTIL=/usr/share/zfs/zfs-tests/bin/idmap_util

truncate -s 4g /var/tmp/file-dev0
FILEDEV=$(losetup --find --show /var/tmp/file-dev0)
zpool create -f testpool $FILEDEV
zfs create testpool/testfs
zfs set mountpoint=$TESTDIR testpool/testfs

if ! $IDMAP_UTIL -c $TESTDIR; then
    echo "ERROR: Idmap mount not supported."
    exit
fi

mkdir -p $WORKDIR
mkdir -p $IDMAPDIR

chown $UID1:$GID1 $WORKDIR

# idmap mount $WORKDIR to $IDMAPDIR with uid and gid map
# "1000000 2000000 1"
$IDMAP_UTIL -m "u:${UID1}:${UID2}:1" -m "g:${GID1}:${GID2}:1" $WORKDIR $IDMAPDIR

SETPRIV="setpriv --reuid $UID2 --regid $GID2 --clear-groups"

$SETPRIV touch $IDMAPDIR/file1
test "$UID1 $GID1" = "$(stat -c '%u %g' $WORKDIR/file1)"

$SETPRIV mv $IDMAPDIR/file1 $IDMAPDIR/file1_renamed
test "$UID1 $GID1" = "$(stat -c '%u %g' $WORKDIR/file1_renamed)"

$SETPRIV mv $IDMAPDIR/file1_renamed $IDMAPDIR/file1
test "$UID1 $GID1" = "$(stat -c '%u %g' $WORKDIR/file1)"

$SETPRIV mkdir $IDMAPDIR/subdir
test "$UID1 $GID1" = "$(stat -c '%u %g' $WORKDIR/subdir)"

$SETPRIV ln -s file1 $IDMAPDIR/file1_sym
test "$UID1 $GID1" = "$(stat -c '%u %g' $WORKDIR/file1_sym)"

$SETPRIV ln $IDMAPDIR/file1 $IDMAPDIR/subdir/file1_hard
test "$UID1 $GID1" = "$(stat -c '%u %g' $WORKDIR/subdir/file1_hard)"

$SETPRIV touch $IDMAPDIR/subdir/file2
test "$UID1 $GID1" = "$(stat -c '%u %g' $WORKDIR/subdir/file2)"

# it fails here, no error for the chown, but
# the uid and gid are wrong!
$SETPRIV chown $UID2:$GID2 $IDMAPDIR/subdir/file2
test "$UID1 $GID1" = "$(stat -c '%u %g' $WORKDIR/subdir/file2)"

if $SETPRIV chown $UID1 $IDMAPDIR/subdir/file2; then
   echo "ERROR: able to chown $UID1 $IDMAPDIR/subdir/file2"
   exit
fi
test "$UID1 $GID1" = "$(stat -c '%u %g' $WORKDIR/subdir/file2)"

$SETPRIV cp -r $IDMAPDIR/subdir $IDMAPDIR/subdir1
test "$UID1 $GID1" = "$(stat -c '%u %g' $WORKDIR/subdir1/file2)"
$SETPRIV rm -rf $IDMAPDIR/subdir1

$SETPRIV cp -rp $IDMAPDIR/subdir $IDMAPDIR/subdir1
test "$UID1 $GID1" = "$(stat -c '%u %g' $WORKDIR/subdir1/file1_hard)"
$SETPRIV rm -rf $IDMAPDIR/subdir1

if mountpoint $IDMAPDIR; then
   umount $IDMAPDIR
fi
rm -rf $IDMAPDIR $WORKDIR

zpool destroy -f testpool
rm -rf /var/tmp/testdir
losetup -d $FILEDEV

Here is its output when running on Fedora 35 kernel 6.0.5:

# ./reproduce
+ set -e
+ export UID1=1000000
+ UID1=1000000
+ export GID1=1000000
+ GID1=1000000
+ export UID2=2000000
+ UID2=2000000
+ export GID2=2000000
+ GID2=2000000
+ export TESTDIR=/var/tmp/testdir
+ TESTDIR=/var/tmp/testdir
+ export WORKDIR=/var/tmp/testdir/idmap_test
+ WORKDIR=/var/tmp/testdir/idmap_test
+ export IDMAPDIR=/var/tmp/testdir/idmap_dest
+ IDMAPDIR=/var/tmp/testdir/idmap_dest
+ export IDMAP_UTIL=/usr/share/zfs/zfs-tests/bin/idmap_util
+ IDMAP_UTIL=/usr/share/zfs/zfs-tests/bin/idmap_util
+ truncate -s 4g /var/tmp/file-dev0
++ losetup --find --show /var/tmp/file-dev0
+ FILEDEV=/dev/loop0
+ zpool create -f testpool /dev/loop0
+ zfs create testpool/testfs
+ zfs set mountpoint=/var/tmp/testdir testpool/testfs
+ /usr/share/zfs/zfs-tests/bin/idmap_util -c /var/tmp/testdir
idmapped mount is supported on [/var/tmp/testdir].
+ mkdir -p /var/tmp/testdir/idmap_test
+ mkdir -p /var/tmp/testdir/idmap_dest
+ chown 1000000:1000000 /var/tmp/testdir/idmap_test
+ /usr/share/zfs/zfs-tests/bin/idmap_util -m u:1000000:2000000:1 -m g:1000000:2000000:1 /var/tmp/testdir/idmap_test /var/tmp/testdir/idmap_dest
+ SETPRIV='setpriv --reuid 2000000 --regid 2000000 --clear-groups'
+ setpriv --reuid 2000000 --regid 2000000 --clear-groups touch /var/tmp/testdir/idmap_dest/file1
++ stat -c '%u %g' /var/tmp/testdir/idmap_test/file1
+ test '1000000 1000000' = '1000000 1000000'
+ setpriv --reuid 2000000 --regid 2000000 --clear-groups mv /var/tmp/testdir/idmap_dest/file1 /var/tmp/testdir/idmap_dest/file1_renamed
++ stat -c '%u %g' /var/tmp/testdir/idmap_test/file1_renamed
+ test '1000000 1000000' = '1000000 1000000'
+ setpriv --reuid 2000000 --regid 2000000 --clear-groups mv /var/tmp/testdir/idmap_dest/file1_renamed /var/tmp/testdir/idmap_dest/file1
++ stat -c '%u %g' /var/tmp/testdir/idmap_test/file1
+ test '1000000 1000000' = '1000000 1000000'
+ setpriv --reuid 2000000 --regid 2000000 --clear-groups mkdir /var/tmp/testdir/idmap_dest/subdir
++ stat -c '%u %g' /var/tmp/testdir/idmap_test/subdir
+ test '1000000 1000000' = '1000000 1000000'
+ setpriv --reuid 2000000 --regid 2000000 --clear-groups ln -s file1 /var/tmp/testdir/idmap_dest/file1_sym
++ stat -c '%u %g' /var/tmp/testdir/idmap_test/file1_sym
+ test '1000000 1000000' = '1000000 1000000'
+ setpriv --reuid 2000000 --regid 2000000 --clear-groups ln /var/tmp/testdir/idmap_dest/file1 /var/tmp/testdir/idmap_dest/subdir/file1_hard
++ stat -c '%u %g' /var/tmp/testdir/idmap_test/subdir/file1_hard
+ test '1000000 1000000' = '1000000 1000000'
+ setpriv --reuid 2000000 --regid 2000000 --clear-groups touch /var/tmp/testdir/idmap_dest/subdir/file2
++ stat -c '%u %g' /var/tmp/testdir/idmap_test/subdir/file2
+ test '1000000 1000000' = '1000000 1000000'
+ setpriv --reuid 2000000 --regid 2000000 --clear-groups chown 2000000:2000000 /var/tmp/testdir/idmap_dest/subdir/file2
++ stat -c '%u %g' /var/tmp/testdir/idmap_test/subdir/file2
+ test '1000000 1000000' = '2000000 2000000'

It looks like a regression to me. How could it work on kernels all the way up to 5.19, and then fail on 6.0.5?

[youzhongyang]

Running bpftrace showed the &init_user_ns is passed into zpl_getattr() call, which looks correct. Not sure why the 'stat' program gets the wrong uid and gid back:

# bpftrace -e 'kprobe:zpl_create,kprobe:zpl_mknod,kprobe:zpl_tmpfile,kprobe:zpl_mkdir,kprobe:zpl_getattr,kprobe:zpl_setattr,kprobe:zpl_rename2,kprobe:zpl_symlink { printf("%s %d %s mnt_ns %p\n", comm, pid, probe, arg0); }'
Attaching 8 probes...
zfs 2672 kprobe:zpl_mkdir mnt_ns 0xffffffffab055d80
mkdir 2732 kprobe:zpl_mkdir mnt_ns 0xffffffffab055d80
mkdir 2733 kprobe:zpl_mkdir mnt_ns 0xffffffffab055d80
chown 2734 kprobe:zpl_getattr mnt_ns 0xffffffffab055d80
chown 2734 kprobe:zpl_setattr mnt_ns 0xffffffffab055d80
touch 2743 kprobe:zpl_create mnt_ns 0xffff8e9d06a62be0
touch 2743 kprobe:zpl_setattr mnt_ns 0xffff8e9d06a62be0
stat 2755 kprobe:zpl_getattr mnt_ns 0xffffffffab055d80
mv 2756 kprobe:zpl_rename2 mnt_ns 0xffff8e9d06a62be0
stat 2776 kprobe:zpl_getattr mnt_ns 0xffffffffab055d80
mv 2777 kprobe:zpl_rename2 mnt_ns 0xffff8e9d06a62be0
stat 2778 kprobe:zpl_getattr mnt_ns 0xffffffffab055d80
mkdir 2779 kprobe:zpl_mkdir mnt_ns 0xffff8e9d06a62be0
stat 2780 kprobe:zpl_getattr mnt_ns 0xffffffffab055d80
ln 2781 kprobe:zpl_symlink mnt_ns 0xffff8e9d06a62be0
stat 2782 kprobe:zpl_getattr mnt_ns 0xffffffffab055d80
stat 2784 kprobe:zpl_getattr mnt_ns 0xffffffffab055d80
touch 2785 kprobe:zpl_create mnt_ns 0xffff8e9d06a62be0
touch 2785 kprobe:zpl_setattr mnt_ns 0xffff8e9d06a62be0
stat 2786 kprobe:zpl_getattr mnt_ns 0xffffffffab055d80
chown 2787 kprobe:zpl_getattr mnt_ns 0xffff8e9d06a62be0
chown 2787 kprobe:zpl_setattr mnt_ns 0xffff8e9d06a62be0
stat 2788 kprobe:zpl_getattr mnt_ns 0xffffffffab055d80

[brauner]

Something fell apart on Fedora 35 running kernel 6.0.5-100.fc35.x86_64, 4 out of 5 idmap_mount test cases failed. I was able to reproduce on a similar AWS VM.
Investigation underway.

What are the errors you're seeing on Fedora?

Hi @brauner, I created a script to reproduce the issue:

#!/bin/bash -x

set -e

export UID1=1000000
export GID1=1000000
export UID2=2000000
export GID2=2000000

export TESTDIR=/var/tmp/testdir
export WORKDIR=$TESTDIR/idmap_test
export IDMAPDIR=$TESTDIR/idmap_dest
export IDMAP_UTIL=/usr/share/zfs/zfs-tests/bin/idmap_util

truncate -s 4g /var/tmp/file-dev0
FILEDEV=$(losetup --find --show /var/tmp/file-dev0)
zpool create -f testpool $FILEDEV
zfs create testpool/testfs
zfs set mountpoint=$TESTDIR testpool/testfs

if ! $IDMAP_UTIL -c $TESTDIR; then
    echo "ERROR: Idmap mount not supported."
    exit
fi

mkdir -p $WORKDIR
mkdir -p $IDMAPDIR

chown $UID1:$GID1 $WORKDIR

# idmap mount $WORKDIR to $IDMAPDIR with uid and gid map
# "1000000 2000000 1"
$IDMAP_UTIL -m "u:${UID1}:${UID2}:1" -m "g:${GID1}:${GID2}:1" $WORKDIR $IDMAPDIR

SETPRIV="setpriv --reuid $UID2 --regid $GID2 --clear-groups"

$SETPRIV touch $IDMAPDIR/file1
test "$UID1 $GID1" = "$(stat -c '%u %g' $WORKDIR/file1)"

$SETPRIV mv $IDMAPDIR/file1 $IDMAPDIR/file1_renamed
test "$UID1 $GID1" = "$(stat -c '%u %g' $WORKDIR/file1_renamed)"

$SETPRIV mv $IDMAPDIR/file1_renamed $IDMAPDIR/file1
test "$UID1 $GID1" = "$(stat -c '%u %g' $WORKDIR/file1)"

$SETPRIV mkdir $IDMAPDIR/subdir
test "$UID1 $GID1" = "$(stat -c '%u %g' $WORKDIR/subdir)"

$SETPRIV ln -s file1 $IDMAPDIR/file1_sym
test "$UID1 $GID1" = "$(stat -c '%u %g' $WORKDIR/file1_sym)"

$SETPRIV ln $IDMAPDIR/file1 $IDMAPDIR/subdir/file1_hard
test "$UID1 $GID1" = "$(stat -c '%u %g' $WORKDIR/subdir/file1_hard)"

$SETPRIV touch $IDMAPDIR/subdir/file2
test "$UID1 $GID1" = "$(stat -c '%u %g' $WORKDIR/subdir/file2)"

# it fails here, no error for the chown, but
# the uid and gid are wrong!
$SETPRIV chown $UID2:$GID2 $IDMAPDIR/subdir/file2
test "$UID1 $GID1" = "$(stat -c '%u %g' $WORKDIR/subdir/file2)"

if $SETPRIV chown $UID1 $IDMAPDIR/subdir/file2; then
   echo "ERROR: able to chown $UID1 $IDMAPDIR/subdir/file2"
   exit
fi
test "$UID1 $GID1" = "$(stat -c '%u %g' $WORKDIR/subdir/file2)"

$SETPRIV cp -r $IDMAPDIR/subdir $IDMAPDIR/subdir1
test "$UID1 $GID1" = "$(stat -c '%u %g' $WORKDIR/subdir1/file2)"
$SETPRIV rm -rf $IDMAPDIR/subdir1

$SETPRIV cp -rp $IDMAPDIR/subdir $IDMAPDIR/subdir1
test "$UID1 $GID1" = "$(stat -c '%u %g' $WORKDIR/subdir1/file1_hard)"
$SETPRIV rm -rf $IDMAPDIR/subdir1

if mountpoint $IDMAPDIR; then
   umount $IDMAPDIR
fi
rm -rf $IDMAPDIR $WORKDIR

zpool destroy -f testpool
rm -rf /var/tmp/testdir
losetup -d $FILEDEV

Here is its output when running on Fedora 35 kernel 6.0.5:

# ./reproduce
+ set -e
+ export UID1=1000000
+ UID1=1000000
+ export GID1=1000000
+ GID1=1000000
+ export UID2=2000000
+ UID2=2000000
+ export GID2=2000000
+ GID2=2000000
+ export TESTDIR=/var/tmp/testdir
+ TESTDIR=/var/tmp/testdir
+ export WORKDIR=/var/tmp/testdir/idmap_test
+ WORKDIR=/var/tmp/testdir/idmap_test
+ export IDMAPDIR=/var/tmp/testdir/idmap_dest
+ IDMAPDIR=/var/tmp/testdir/idmap_dest
+ export IDMAP_UTIL=/usr/share/zfs/zfs-tests/bin/idmap_util
+ IDMAP_UTIL=/usr/share/zfs/zfs-tests/bin/idmap_util
+ truncate -s 4g /var/tmp/file-dev0
++ losetup --find --show /var/tmp/file-dev0
+ FILEDEV=/dev/loop0
+ zpool create -f testpool /dev/loop0
+ zfs create testpool/testfs
+ zfs set mountpoint=/var/tmp/testdir testpool/testfs
+ /usr/share/zfs/zfs-tests/bin/idmap_util -c /var/tmp/testdir
idmapped mount is supported on [/var/tmp/testdir].
+ mkdir -p /var/tmp/testdir/idmap_test
+ mkdir -p /var/tmp/testdir/idmap_dest
+ chown 1000000:1000000 /var/tmp/testdir/idmap_test
+ /usr/share/zfs/zfs-tests/bin/idmap_util -m u:1000000:2000000:1 -m g:1000000:2000000:1 /var/tmp/testdir/idmap_test /var/tmp/testdir/idmap_dest
+ SETPRIV='setpriv --reuid 2000000 --regid 2000000 --clear-groups'
+ setpriv --reuid 2000000 --regid 2000000 --clear-groups touch /var/tmp/testdir/idmap_dest/file1
++ stat -c '%u %g' /var/tmp/testdir/idmap_test/file1
+ test '1000000 1000000' = '1000000 1000000'
+ setpriv --reuid 2000000 --regid 2000000 --clear-groups mv /var/tmp/testdir/idmap_dest/file1 /var/tmp/testdir/idmap_dest/file1_renamed
++ stat -c '%u %g' /var/tmp/testdir/idmap_test/file1_renamed
+ test '1000000 1000000' = '1000000 1000000'
+ setpriv --reuid 2000000 --regid 2000000 --clear-groups mv /var/tmp/testdir/idmap_dest/file1_renamed /var/tmp/testdir/idmap_dest/file1
++ stat -c '%u %g' /var/tmp/testdir/idmap_test/file1
+ test '1000000 1000000' = '1000000 1000000'
+ setpriv --reuid 2000000 --regid 2000000 --clear-groups mkdir /var/tmp/testdir/idmap_dest/subdir
++ stat -c '%u %g' /var/tmp/testdir/idmap_test/subdir
+ test '1000000 1000000' = '1000000 1000000'
+ setpriv --reuid 2000000 --regid 2000000 --clear-groups ln -s file1 /var/tmp/testdir/idmap_dest/file1_sym
++ stat -c '%u %g' /var/tmp/testdir/idmap_test/file1_sym
+ test '1000000 1000000' = '1000000 1000000'
+ setpriv --reuid 2000000 --regid 2000000 --clear-groups ln /var/tmp/testdir/idmap_dest/file1 /var/tmp/testdir/idmap_dest/subdir/file1_hard
++ stat -c '%u %g' /var/tmp/testdir/idmap_test/subdir/file1_hard
+ test '1000000 1000000' = '1000000 1000000'
+ setpriv --reuid 2000000 --regid 2000000 --clear-groups touch /var/tmp/testdir/idmap_dest/subdir/file2
++ stat -c '%u %g' /var/tmp/testdir/idmap_test/subdir/file2
+ test '1000000 1000000' = '1000000 1000000'
+ setpriv --reuid 2000000 --regid 2000000 --clear-groups chown 2000000:2000000 /var/tmp/testdir/idmap_dest/subdir/file2
++ stat -c '%u %g' /var/tmp/testdir/idmap_test/subdir/file2
+ test '1000000 1000000' = '2000000 2000000'

It looks like a regression to me. How could it work on kernels all the way up to 5.19, and then fail on 6.0.5?

Heh, @behlendorf and @youzhongyang that's not a regression you just haven't adapted to the vfs{g,u}id_t port I did upstream. The problem is that you're not relying on setattr_copy() in zfs_setattr() otherwise you wouldn't have seen that issue. In short the new semantics are summarized in:

b27c82e1296572cfa3997e58db3118a33915f85c ("attr: port attribute changes to new types")

Basically, prior to these changes we placed k{g,u}id_t values in struct iattr's ia_{g,u}id members which could be directly written to inode->i_{g,u}id but that left filesystems without the option to know whether this is an idmapped mount value or not and in general, was type unsafe. So we added vfs{g,u}id_t and now struct iattr contains a union encompassing ia_{g,u}id and ia_vfs{g,u}id. Filesystems raising FS_ALLOW_IDMAP need to use the ia_vfs{g,u}id members and thus can only use helpers that operate on vfs{g,u}id_t. It'll be some time until we can remove the union. In any case, take a look at:

35faf3109a78516f60ca13f957083d5e5535fde0 ("fs: port to iattr ownership update helpers")

for the required filesystem conversion. I suspect you need at least sm like:

diff --git a/module/os/linux/zfs/zpl_inode.c b/module/os/linux/zfs/zpl_inode.c
index 64016f9ac..52f10977e 100644
--- a/module/os/linux/zfs/zpl_inode.c
+++ b/module/os/linux/zfs/zpl_inode.c
@@ -468,8 +468,12 @@ zpl_setattr(struct dentry *dentry, struct iattr *ia)
        vap = kmem_zalloc(sizeof (vattr_t), KM_SLEEP);
        vap->va_mask = ia->ia_valid & ATTR_IATTR_MASK;
        vap->va_mode = ia->ia_mode;
-       vap->va_uid = KUID_TO_SUID(ia->ia_uid);
-       vap->va_gid = KGID_TO_SGID(ia->ia_gid);
+       if (ia->ia_valid & ATTR_UID)
+               vap->va_uid = KUID_TO_SUID(
+                   from_vfsuid(user_ns, i_user_ns(inode), ia->ia_vfsuid));
+       if (ia->ia_valid & ATTR_GID)
+               vap->va_gid = KGID_TO_SGID(
+                   from_vfsgid(user_ns, i_user_ns(inode), ia->ia_vfsgid));
        vap->va_size = ia->ia_size;
        vap->va_atime = ia->ia_atime;
        vap->va_mtime = ia->ia_mtime;

[youzhongyang]

@brauner Thanks for the clarification. The unions in 'struct iattr' are done in this commit, which is available in kernel 6+, this somehow explains why it works in 5.19, but not in 6.0.

I think we need another detector for this data structure change, and modify the zfs code so that it works either way.