| blob | 8bda651f1e44b2081bd5e7ec0f26211ee054b935 |
1 /*
2 Unix SMB/CIFS implementation.
4 trivial database library
6 Copyright (C) Andrew Tridgell 2005
8 ** NOTE! The following LGPL license applies to the tdb
9 ** library. This does NOT imply that all of Samba is released
10 ** under the LGPL
12 This library is free software; you can redistribute it and/or
13 modify it under the terms of the GNU Lesser General Public
14 License as published by the Free Software Foundation; either
15 version 2 of the License, or (at your option) any later version.
17 This library is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
20 Lesser General Public License for more details.
22 You should have received a copy of the GNU Lesser General Public
23 License along with this library; if not, write to the Free Software
24 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
25 */
29 /*
30 transaction design:
32 - only allow a single transaction at a time per database. This makes
33 using the transaction API simpler, as otherwise the caller would
34 have to cope with temporary failures in transactions that conflict
35 with other current transactions
37 - keep the transaction recovery information in the same file as the
38 database, using a special 'transaction recovery' record pointed at
39 by the header. This removes the need for extra journal files as
40 used by some other databases
42 - dynamically allocated the transaction recover record, re-using it
43 for subsequent transactions. If a larger record is needed then
44 tdb_free() the old record to place it on the normal tdb freelist
45 before allocating the new record
47 - during transactions, keep a linked list of writes all that have
48 been performed by intercepting all tdb_write() calls. The hooked
49 transaction versions of tdb_read() and tdb_write() check this
50 linked list and try to use the elements of the list in preference
51 to the real database.
53 - don't allow any locks to be held when a transaction starts,
54 otherwise we can end up with deadlock (plus lack of lock nesting
55 in posix locks would mean the lock is lost)
57 - if the caller gains a lock during the transaction but doesn't
58 release it then fail the commit
60 - allow for nested calls to tdb_transaction_start(), re-using the
61 existing transaction record. If the inner transaction is cancelled
62 then a subsequent commit will fail
64 - keep a mirrored copy of the tdb hash chain heads to allow for the
65 fast hash heads scan on traverse, updating the mirrored copy in
66 the transaction version of tdb_write
68 - allow callers to mix transaction and non-transaction use of tdb,
69 although once a transaction is started then an exclusive lock is
70 gained until the transaction is committed or cancelled
72 - the commit stategy involves first saving away all modified data
73 into a linearised buffer in the transaction recovery area, then
74 marking the transaction recovery area with a magic value to
75 indicate a valid recovery record. In total 4 fsync/msync calls are
76 needed per commit to prevent race conditions. It might be possible
77 to reduce this to 3 or even 2 with some more work.
79 - check for a valid recovery record on open of the tdb, while the
80 global lock is held. Automatically recover from the transaction
81 recovery area if needed, then continue with the open as
82 usual. This allows for smooth crash recovery with no administrator
83 intervention.
85 - if TDB_NOSYNC is passed to flags in tdb_open then transactions are
86 still available, but no transaction recovery area is used and no
87 fsync/msync calls are made.
89 */
96 tdb_off_t offset;
97 tdb_len_t length;
99 };
101 /*
102 hold the context of any current transaction
103 */
105 /* we keep a mirrored copy of the tdb hash heads here so
106 tdb_next_hash_chain() can operate efficiently */
109 /* the original io methods - used to do IOs to the real db */
112 /* the list of transaction elements. We use a doubly linked
113 list with a last pointer to allow us to keep the list
114 ordered, with first element at the front of the list. It
115 needs to be doubly linked as the read/write traversals need
116 to be backwards, while the commit needs to be forwards */
119 /* non-zero when an internal transaction error has
120 occurred. All write operations will then fail until the
121 transaction is ended */
124 /* when inside a transaction we need to keep track of any
125 nested tdb_transaction_start() calls, as these are allowed,
126 but don't create a new transaction */
129 /* old file size before transaction */
130 tdb_len_t old_map_size;
131 };
134 /*
135 read while in a transaction. We need to check first if the data is in our list
136 of transaction elements, then if not do a real read
137 */
140 {
143 /* we need to walk the list backwards to get the most recent data */
145 tdb_len_t partial;
149 }
152 }
154 /* an overlapping read - needs to be split into up to
155 2 reads and a memcpy */
160 }
164 }
169 }
173 }
180 }
183 }
185 /* its not in the transaction elements - do a real read */
188 fail:
193 }
196 /*
197 write while in a transaction
198 */
201 {
206 }
208 /* if the write is to a hash head, then update the transaction
209 hash heads */
214 }
216 /* first see if we can replace an existing entry */
218 tdb_len_t partial;
222 }
226 }
229 }
231 /* an overlapping write - needs to be split into up to
232 2 writes and a memcpy */
237 }
241 }
246 }
254 }
257 }
259 /* see if we can append the new entry to an existing entry */
272 }
277 }
280 }
282 /* add a new entry at the end of the list */
288 }
299 }
304 }
309 }
313 fail:
318 }
320 /*
321 accelerated hash chain head search, using the cached hash heads
322 */
324 {
327 /* the +1 takes account of the freelist */
330 }
331 }
333 }
335 /*
336 out of bounds check during a transaction
337 */
339 {
342 }
344 }
346 /*
347 transaction version of tdb_expand().
348 */
350 tdb_off_t addition)
351 {
352 /* add a write to the transaction elements, so subsequent
353 reads see the zero data */
356 }
359 }
361 /*
362 brlock during a transaction - ignore them
363 */
366 {
368 }
371 transaction_read,
372 transaction_write,
373 transaction_next_hash_chain,
374 transaction_oob,
375 transaction_expand_file,
376 transaction_brlock
377 };
380 /*
381 start a tdb transaction. No token is returned, as only a single
382 transaction is allowed to be pending per tdb_context
383 */
385 {
386 /* some sanity checks */
388 TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_transaction_start: cannot start a transaction on a read-only or internal db\n"));
391 }
393 /* cope with nested tdb_transaction_start() calls */
399 }
402 /* the caller must not have any locks when starting a
403 transaction as otherwise we'll be screwed by lack
404 of nested locks in posix */
405 TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_transaction_start: cannot start a transaction with locks held\n"));
408 }
411 /* you cannot use transactions inside a traverse (although you can use
412 traverse inside a transaction) as otherwise you can end up with
413 deadlock */
414 TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_transaction_start: cannot start a transaction within a traverse\n"));
417 }
424 }
426 /* get the transaction write lock. This is a blocking lock. As
427 discussed with Volker, there are a number of ways we could
428 make this async, which we will probably do in the future */
434 }
436 /* get a read lock from the freelist to the end of file. This
437 is upgraded to a write lock during the commit */
442 }
444 /* setup a copy of the hash table heads so the hash scan in
445 traverse can be fast */
451 }
457 }
459 /* make sure we know about any file expansions already done by
460 anyone else */
464 /* finally hook the io methods, replacing them with
465 transaction specific methods */
469 /* by calling this transaction write here, we ensure that we don't grow the
470 transaction linked list due to hash table updates */
476 }
480 fail:
486 }
489 /*
490 cancel the current transaction
491 */
493 {
497 }
503 }
507 /* free all the transaction elements */
513 }
515 /* remove any global lock created during the transaction */
519 }
521 /* remove any locks created during the transaction */
527 }
531 }
533 /* restore the normal io methods */
542 }
544 /*
545 sync to disk
546 */
548 {
553 }
554 #ifdef MS_SYNC
563 }
564 }
565 #endif
567 }
570 /*
571 work out how much space the linearised recovery data will consume
572 */
574 {
582 }
584 }
587 }
589 /*
590 allocate the recovery area, or use an existing recovery area if it is
591 large enough
592 */
597 {
600 tdb_off_t recovery_head;
605 }
613 }
618 /* it fits in the existing area */
622 }
624 /* we need to free up the old recovery area, then allocate a
625 new one at the end of the file. Note that we cannot use
626 tdb_allocate() to allocate the new one as that might return
627 us an area that is being currently used (as of the start of
628 the transaction) */
631 TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_recovery_allocate: failed to free previous recovery area\n"));
633 }
634 }
636 /* the tdb_free() call might have increased the recovery size */
639 /* round up to a multiple of page size */
649 }
651 /* remap the file (if using mmap) */
654 /* we have to reset the old map size so that we don't try to expand the file
655 again in the transaction commit, which would destroy the recovery area */
658 /* write the recovery header offset and sync - we can sync without a race here
659 as the magic ptr in the recovery record has not been set */
665 }
668 }
671 /*
672 setup the recovery data that will be used on a crash during commit
673 */
676 {
678 tdb_len_t recovery_size;
686 /*
687 check that the recovery area has enough space
688 */
692 }
698 }
709 /* build the recovery data into a single blob to allow us to do a single
710 large write, which should be more efficient */
715 }
717 TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_setup_recovery: transaction data over new region boundary\n"));
721 }
726 }
727 /* the recovery area contains the old data, not the
728 new data, so we have to call the original tdb_read
729 method to get it */
734 }
736 }
738 /* and the tailer */
743 /* write the recovery data to the recovery area */
745 TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_setup_recovery: failed to write recovery data\n"));
749 }
751 /* as we don't have ordered writes, we have to sync the recovery
752 data before we update the magic to indicate that the recovery
753 data is present */
757 }
767 TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_setup_recovery: failed to write recovery magic\n"));
770 }
772 /* ensure the recovery magic marker is on disk */
775 }
778 }
780 /*
781 commit the current transaction
782 */
784 {
792 }
799 }
804 }
806 /* check for a null transaction */
810 }
814 /* if there are any locks pending then the caller has not
815 nested their locks properly, so fail the transaction */
821 }
823 /* upgrade the main transaction lock region to a write lock */
829 }
831 /* get the global lock - this prevents new users attaching to the database
832 during the commit */
838 }
841 /* write the recovery data to the end of the file */
847 }
848 }
850 /* expand the file to the new size if needed */
860 }
863 }
865 /* perform all the writes */
872 /* we've overwritten part of the data and
873 possibly expanded the file, so we need to
874 run the crash recovery code */
883 }
887 }
890 /* ensure the new data is on disk */
893 }
895 /* remove the recovery marker */
899 }
901 /* ensure the recovery marker has been removed on disk */
904 }
905 }
909 /*
910 TODO: maybe write to some dummy hdr field, or write to magic
911 offset without mmap, before the last sync, instead of the
912 utime() call
913 */
915 /* on some systems (like Linux 2.6.x) changes via mmap/msync
916 don't change the mtime of the file, this means the file may
917 not be backed up (as tdb rounding to block sizes means that
918 file size changes are quite rare too). The following forces
919 mtime changes when a transaction completes */
920 #ifdef HAVE_UTIME
922 #endif
924 /* use a transaction cancel to free memory and remove the
925 transaction locks */
928 }
931 /*
932 recover from an aborted transaction. Must be called with exclusive
933 database write access already established (including the global
934 lock to prevent new processes attaching)
935 */
937 {
943 /* find the recovery area */
948 }
951 /* we have never allocated a recovery record */
953 }
955 /* read the recovery record */
961 }
964 /* there is no valid recovery data */
966 }
969 TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_recover: attempt to recover read only database\n"));
972 }
981 }
983 /* read the full recovery data */
989 }
991 /* recover the file data */
997 }
1003 TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_recover: failed to recover %d bytes at offset %d\n", len, ofs));
1006 }
1008 }
1016 }
1018 /* if the recovery area is after the recovered eof then remove it */
1024 }
1025 }
1027 /* remove the recovery magic */
1033 }
1035 /* reduce the file size to the old size */
1038 TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_recover: failed to reduce to recovery size\n"));
1041 }
1049 }
1052 recovery_eof));
1054 /* all done */
1056 }