Commit 9cfcceea authored by Ram Pai's avatar Ram Pai Committed by Linus Torvalds
Browse files

[PATCH] Complete description of shared subtrees.


Signed-off-by: default avatarRam Pai <linuxram@us.ibm.com>
Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent 9676f0c6
Shared Subtrees
---------------
Contents:
1) Overview
2) Features
3) smount command
4) Use-case
5) Detailed semantics
6) Quiz
7) FAQ
8) Implementation
1) Overview
-----------
Consider the following situation:
A process wants to clone its own namespace, but still wants to access the CD
that got mounted recently. Shared subtree semantics provide the necessary
mechanism to accomplish the above.
It provides the necessary building blocks for features like per-user-namespace
and versioned filesystem.
2) Features
-----------
Shared subtree provides four different flavors of mounts; struct vfsmount to be
precise
a. shared mount
b. slave mount
c. private mount
d. unbindable mount
2a) A shared mount can be replicated to as many mountpoints and all the
replicas continue to be exactly same.
Here is an example:
Lets say /mnt has a mount that is shared.
mount --make-shared /mnt
note: mount command does not yet support the --make-shared flag.
I have included a small C program which does the same by executing
'smount /mnt shared'
#mount --bind /mnt /tmp
The above command replicates the mount at /mnt to the mountpoint /tmp
and the contents of both the mounts remain identical.
#ls /mnt
a b c
#ls /tmp
a b c
Now lets say we mount a device at /tmp/a
#mount /dev/sd0 /tmp/a
#ls /tmp/a
t1 t2 t2
#ls /mnt/a
t1 t2 t2
Note that the mount has propagated to the mount at /mnt as well.
And the same is true even when /dev/sd0 is mounted on /mnt/a. The
contents will be visible under /tmp/a too.
2b) A slave mount is like a shared mount except that mount and umount events
only propagate towards it.
All slave mounts have a master mount which is a shared.
Here is an example:
Lets say /mnt has a mount which is shared.
#mount --make-shared /mnt
Lets bind mount /mnt to /tmp
#mount --bind /mnt /tmp
the new mount at /tmp becomes a shared mount and it is a replica of
the mount at /mnt.
Now lets make the mount at /tmp; a slave of /mnt
#mount --make-slave /tmp
[or smount /tmp slave]
lets mount /dev/sd0 on /mnt/a
#mount /dev/sd0 /mnt/a
#ls /mnt/a
t1 t2 t3
#ls /tmp/a
t1 t2 t3
Note the mount event has propagated to the mount at /tmp
However lets see what happens if we mount something on the mount at /tmp
#mount /dev/sd1 /tmp/b
#ls /tmp/b
s1 s2 s3
#ls /mnt/b
Note how the mount event has not propagated to the mount at
/mnt
2c) A private mount does not forward or receive propagation.
This is the mount we are familiar with. Its the default type.
2d) A unbindable mount is a unbindable private mount
lets say we have a mount at /mnt and we make is unbindable
#mount --make-unbindable /mnt
[ smount /mnt unbindable ]
Lets try to bind mount this mount somewhere else.
# mount --bind /mnt /tmp
mount: wrong fs type, bad option, bad superblock on /mnt,
or too many mounted file systems
Binding a unbindable mount is a invalid operation.
3) smount command
Currently the mount command is not aware of shared subtree features.
Work is in progress to add the support in mount ( util-linux package ).
Till then use the following program.
------------------------------------------------------------------------
//
//this code was developed my Miklos Szeredi <miklos@szeredi.hu>
//and modified by Ram Pai <linuxram@us.ibm.com>
// sample usage:
// smount /tmp shared
//
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/fsuid.h>
#ifndef MS_REC
#define MS_REC 0x4000 /* 16384: Recursive loopback */
#endif
#ifndef MS_SHARED
#define MS_SHARED 1<<20 /* Shared */
#endif
#ifndef MS_PRIVATE
#define MS_PRIVATE 1<<18 /* Private */
#endif
#ifndef MS_SLAVE
#define MS_SLAVE 1<<19 /* Slave */
#endif
#ifndef MS_UNBINDABLE
#define MS_UNBINDABLE 1<<17 /* Unbindable */
#endif
int main(int argc, char *argv[])
{
int type;
if(argc != 3) {
fprintf(stderr, "usage: %s dir "
"<rshared|rslave|rprivate|runbindable|shared|slave"
"|private|unbindable>\n" , argv[0]);
return 1;
}
fprintf(stdout, "%s %s %s\n", argv[0], argv[1], argv[2]);
if (strcmp(argv[2],"rshared")==0)
type=(MS_SHARED|MS_REC);
else if (strcmp(argv[2],"rslave")==0)
type=(MS_SLAVE|MS_REC);
else if (strcmp(argv[2],"rprivate")==0)
type=(MS_PRIVATE|MS_REC);
else if (strcmp(argv[2],"runbindable")==0)
type=(MS_UNBINDABLE|MS_REC);
else if (strcmp(argv[2],"shared")==0)
type=MS_SHARED;
else if (strcmp(argv[2],"slave")==0)
type=MS_SLAVE;
else if (strcmp(argv[2],"private")==0)
type=MS_PRIVATE;
else if (strcmp(argv[2],"unbindable")==0)
type=MS_UNBINDABLE;
else {
fprintf(stderr, "invalid operation: %s\n", argv[2]);
return 1;
}
setfsuid(getuid());
if(mount("", argv[1], "dontcare", type, "") == -1) {
perror("mount");
return 1;
}
return 0;
}
-----------------------------------------------------------------------
Copy the above code snippet into smount.c
gcc -o smount smount.c
(i) To mark all the mounts under /mnt as shared execute the following
command:
smount /mnt rshared
the corresponding syntax planned for mount command is
mount --make-rshared /mnt
just to mark a mount /mnt as shared, execute the following
command:
smount /mnt shared
the corresponding syntax planned for mount command is
mount --make-shared /mnt
(ii) To mark all the shared mounts under /mnt as slave execute the
following
command:
smount /mnt rslave
the corresponding syntax planned for mount command is
mount --make-rslave /mnt
just to mark a mount /mnt as slave, execute the following
command:
smount /mnt slave
the corresponding syntax planned for mount command is
mount --make-slave /mnt
(iii) To mark all the mounts under /mnt as private execute the
following command:
smount /mnt rprivate
the corresponding syntax planned for mount command is
mount --make-rprivate /mnt
just to mark a mount /mnt as private, execute the following
command:
smount /mnt private
the corresponding syntax planned for mount command is
mount --make-private /mnt
NOTE: by default all the mounts are created as private. But if
you want to change some shared/slave/unbindable mount as
private at a later point in time, this command can help.
(iv) To mark all the mounts under /mnt as unbindable execute the
following
command:
smount /mnt runbindable
the corresponding syntax planned for mount command is
mount --make-runbindable /mnt
just to mark a mount /mnt as unbindable, execute the following
command:
smount /mnt unbindable
the corresponding syntax planned for mount command is
mount --make-unbindable /mnt
4) Use cases
------------
A) A process wants to clone its own namespace, but still wants to
access the CD that got mounted recently.
Solution:
The system administrator can make the mount at /cdrom shared
mount --bind /cdrom /cdrom
mount --make-shared /cdrom
Now any process that clones off a new namespace will have a
mount at /cdrom which is a replica of the same mount in the
parent namespace.
So when a CD is inserted and mounted at /cdrom that mount gets
propagated to the other mount at /cdrom in all the other clone
namespaces.
B) A process wants its mounts invisible to any other process, but
still be able to see the other system mounts.
Solution:
To begin with, the administrator can mark the entire mount tree
as shareable.
mount --make-rshared /
A new process can clone off a new namespace. And mark some part
of its namespace as slave
mount --make-rslave /myprivatetree
Hence forth any mounts within the /myprivatetree done by the
process will not show up in any other namespace. However mounts
done in the parent namespace under /myprivatetree still shows
up in the process's namespace.
Apart from the above semantics this feature provides the
building blocks to solve the following problems:
C) Per-user namespace
The above semantics allows a way to share mounts across
namespaces. But namespaces are associated with processes. If
namespaces are made first class objects with user API to
associate/disassociate a namespace with userid, then each user
could have his/her own namespace and tailor it to his/her
requirements. Offcourse its needs support from PAM.
D) Versioned files
If the entire mount tree is visible at multiple locations, then
a underlying versioning file system can return different
version of the file depending on the path used to access that
file.
An example is:
mount --make-shared /
mount --rbind / /view/v1
mount --rbind / /view/v2
mount --rbind / /view/v3
mount --rbind / /view/v4
and if /usr has a versioning filesystem mounted, than that
mount appears at /view/v1/usr, /view/v2/usr, /view/v3/usr and
/view/v4/usr too
A user can request v3 version of the file /usr/fs/namespace.c
by accessing /view/v3/usr/fs/namespace.c . The underlying
versioning filesystem can then decipher that v3 version of the
filesystem is being requested and return the corresponding
inode.
5) Detailed semantics:
-------------------
The section below explains the detailed semantics of
bind, rbind, move, mount, umount and clone-namespace operations.
Note: the word 'vfsmount' and the noun 'mount' have been used
to mean the same thing, throughout this document.
5a) Mount states
A given mount can be in one of the following states
1) shared
2) slave
3) shared and slave
4) private
5) unbindable
A 'propagation event' is defined as event generated on a vfsmount
that leads to mount or unmount actions in other vfsmounts.
A 'peer group' is defined as a group of vfsmounts that propagate
events to each other.
(1) Shared mounts
A 'shared mount' is defined as a vfsmount that belongs to a
'peer group'.
For example:
mount --make-shared /mnt
mount --bin /mnt /tmp
The mount at /mnt and that at /tmp are both shared and belong
to the same peer group. Anything mounted or unmounted under
/mnt or /tmp reflect in all the other mounts of its peer
group.
(2) Slave mounts
A 'slave mount' is defined as a vfsmount that receives
propagation events and does not forward propagation events.
A slave mount as the name implies has a master mount from which
mount/unmount events are received. Events do not propagate from
the slave mount to the master. Only a shared mount can be made
a slave by executing the following command
mount --make-slave mount
A shared mount that is made as a slave is no more shared unless
modified to become shared.
(3) Shared and Slave
A vfsmount can be both shared as well as slave. This state
indicates that the mount is a slave of some vfsmount, and
has its own peer group too. This vfsmount receives propagation
events from its master vfsmount, and also forwards propagation
events to its 'peer group' and to its slave vfsmounts.
Strictly speaking, the vfsmount is shared having its own
peer group, and this peer-group is a slave of some other
peer group.
Only a slave vfsmount can be made as 'shared and slave' by
either executing the following command
mount --make-shared mount
or by moving the slave vfsmount under a shared vfsmount.
(4) Private mount
A 'private mount' is defined as vfsmount that does not
receive or forward any propagation events.
(5) Unbindable mount
A 'unbindable mount' is defined as vfsmount that does not
receive or forward any propagation events and cannot
be bind mounted.
State diagram:
The state diagram below explains the state transition of a mount,
in response to various commands.
------------------------------------------------------------------------
| |make-shared | make-slave | make-private |make-unbindab|
--------------|------------|--------------|--------------|-------------|
|shared |shared |*slave/private| private | unbindable |
| | | | | |
|-------------|------------|--------------|--------------|-------------|
|slave |shared | **slave | private | unbindable |
| |and slave | | | |
|-------------|------------|--------------|--------------|-------------|
|shared |shared | slave | private | unbindable |
|and slave |and slave | | | |
|-------------|------------|--------------|--------------|-------------|
|private |shared | **private | private | unbindable |
|-------------|------------|--------------|--------------|-------------|
|unbindable |shared |**unbindable | private | unbindable |
------------------------------------------------------------------------
* if the shared mount is the only mount in its peer group, making it
slave, makes it private automatically. Note that there is no master to
which it can be slaved to.
** slaving a non-shared mount has no effect on the mount.
Apart from the commands listed below, the 'move' operation also changes
the state of a mount depending on type of the destination mount. Its
explained in section 5d.
5b) Bind semantics
Consider the following command
mount --bind A/a B/b
where 'A' is the source mount, 'a' is the dentry in the mount 'A', 'B'
is the destination mount and 'b' is the dentry in the destination mount.
The outcome depends on the type of mount of 'A' and 'B'. The table
below contains quick reference.
---------------------------------------------------------------------------
| BIND MOUNT OPERATION |
|**************************************************************************
|source(A)->| shared | private | slave | unbindable |
| dest(B) | | | | |
| | | | | | |
| v | | | | |
|**************************************************************************
| shared | shared | shared | shared & slave | invalid |
| | | | | |
|non-shared| shared | private | slave | invalid |
***************************************************************************
Details:
1. 'A' is a shared mount and 'B' is a shared mount. A new mount 'C'
which is clone of 'A', is created. Its root dentry is 'a' . 'C' is
mounted on mount 'B' at dentry 'b'. Also new mount 'C1', 'C2', 'C3' ...
are created and mounted at the dentry 'b' on all mounts where 'B'
propagates to. A new propagation tree containing 'C1',..,'Cn' is
created. This propagation tree is identical to the propagation tree of
'B'. And finally the peer-group of 'C' is merged with the peer group
of 'A'.
2. 'A' is a private mount and 'B' is a shared mount. A new mount 'C'
which is clone of 'A', is created. Its root dentry is 'a'. 'C' is
mounted on mount 'B' at dentry 'b'. Also new mount 'C1', 'C2', 'C3' ...
are created and mounted at the dentry 'b' on all mounts where 'B'
propagates to. A new propagation tree is set containing all new mounts
'C', 'C1', .., 'Cn' with exactly the same configuration as the
propagation tree for 'B'.
3. 'A' is a slave mount of mount 'Z' and 'B' is a shared mount. A new
mount 'C' which is clone of 'A', is created. Its root dentry is 'a' .
'C' is mounted on mount 'B' at dentry 'b'. Also new mounts 'C1', 'C2',
'C3' ... are created and mounted at the dentry 'b' on all mounts where
'B' propagates to. A new propagation tree containing the new mounts
'C','C1',.. 'Cn' is created. This propagation tree is identical to the
propagation tree for 'B'. And finally the mount 'C' and its peer group
is made the slave of mount 'Z'. In other words, mount 'C' is in the
state 'slave and shared'.
4. 'A' is a unbindable mount and 'B' is a shared mount. This is a
invalid operation.
5. 'A' is a private mount and 'B' is a non-shared(private or slave or
unbindable) mount. A new mount 'C' which is clone of 'A', is created.
Its root dentry is 'a'. 'C' is mounted on mount 'B' at dentry 'b'.
6. 'A' is a shared mount and 'B' is a non-shared mount. A new mount 'C'
which is a clone of 'A' is created. Its root dentry is 'a'. 'C' is
mounted on mount 'B' at dentry 'b'. 'C' is made a member of the
peer-group of 'A'.
7. 'A' is a slave mount of mount 'Z' and 'B' is a non-shared mount. A
new mount 'C' which is a clone of 'A' is created. Its root dentry is
'a'. 'C' is mounted on mount 'B' at dentry 'b'. Also 'C' is set as a
slave mount of 'Z'. In other words 'A' and 'C' are both slave mounts of
'Z'. All mount/unmount events on 'Z' propagates to 'A' and 'C'. But
mount/unmount on 'A' do not propagate anywhere else. Similarly
mount/unmount on 'C' do not propagate anywhere else.
8. 'A' is a unbindable mount and 'B' is a non-shared mount. This is a
invalid operation. A unbindable mount cannot be bind mounted.
5c) Rbind semantics
rbind is same as bind. Bind replicates the specified mount. Rbind
replicates all the mounts in the tree belonging to the specified mount.
Rbind mount is bind mount applied to all the mounts in the tree.
If the source tree that is rbind has some unbindable mounts,
then the subtree under the unbindable mount is pruned in the new
location.
eg: lets say we have the following mount tree.
A
/ \
B C
/ \ / \
D E F G
Lets say all the mount except the mount C in the tree are
of a type other than unbindable.
If this tree is rbound to say Z
We will have the following tree at the new location.
Z
|
A'
/
B' Note how the tree under C is pruned
/ \ in the new location.
D' E'
5d) Move semantics
Consider the following command
mount --move A B/b
where 'A' is the source mount, 'B' is the destination mount and 'b' is
the dentry in the destination mount.
The outcome depends on the type of the mount of 'A' and 'B'. The table
below is a quick reference.
---------------------------------------------------------------------------
| MOVE MOUNT OPERATION |
|**************************************************************************
| source(A)->| shared | private | slave | unbindable |
| dest(B) | | | | |
| | | | | | |
| v | | | | |
|**************************************************************************
| shared | shared | shared |shared and slave| invalid |
| | | | | |
|non-shared| shared | private | slave | unbindable |
***************************************************************************
NOTE: moving a mount residing under a shared mount is invalid.
Details follow:
1. 'A' is a shared mount and 'B' is a shared mount. The mount 'A' is
mounted on mount 'B' at dentry 'b'. Also new mounts 'A1', 'A2'...'An'
are created and mounted at dentry 'b' on all mounts that receive
propagation from mount 'B'. A new propagation tree is created in the
exact same configuration as that of 'B'. This new propagation tree
contains all the new mounts 'A1', 'A2'... 'An'. And this new
propagation tree is appended to the already existing propagation tree
of 'A'.
2. 'A' is a private mount and 'B' is a shared mount. The mount 'A' is
mounted on mount 'B' at dentry 'b'. Also new mount 'A1', 'A2'... 'An'
are created and mounted at dentry 'b' on all mounts that receive
propagation from mount 'B'. The mount 'A' becomes a shared mount and a
propagation tree is created which is identical to that of
'B'. This new propagation tree contains all the new mounts 'A1',
'A2'... 'An'.
3. 'A' is a slave mount of mount 'Z' and 'B' is a shared mount. The
mount 'A' is mounted on mount 'B' at dentry 'b'. Also new mounts 'A1',
'A2'... 'An' are created and mounted at dentry 'b' on all mounts that
receive propagation from mount 'B'. A new propagation tree is created
in the exact same configuration as that of 'B'. This new propagation
tree contains all the new mounts 'A1', 'A2'... 'An'. And this new
propagation tree is appended to the already existing propagation tree of
'A'. Mount 'A' continues to be the slave mount of 'Z' but it also
becomes 'shared'.
4. 'A' is a unbindable mount and 'B' is a shared mount. The operation
is invalid. Because mounting anything on the shared mount 'B' can
create new mounts that get mounted on the mounts that receive
propagation from 'B'. And since the mount 'A' is unbindable, cloning
it to mount at other mountpoints is not possible.
5. 'A' is a private mount and 'B' is a non-shared(private or slave or
unbindable) mount. The mount 'A' is mounted on mount 'B' at dentry 'b'.
6. 'A' is a shared mount and 'B' is a non-shared mount. The mount 'A'
is mounted on mount 'B' at dentry 'b'. Mount 'A' continues to be a
shared mount.