| blob | ee9beeb3d37e3b9e85e98bf1f3964ddf2a2e7421 |
1 /*
2 Unix SMB/CIFS implementation.
4 trivial database library
6 Copyright (C) Andrew Tridgell 2005
8 ** NOTE! The following LGPL license applies to the tdb
9 ** library. This does NOT imply that all of Samba is released
10 ** under the LGPL
12 This library is free software; you can redistribute it and/or
13 modify it under the terms of the GNU Lesser General Public
14 License as published by the Free Software Foundation; either
15 version 3 of the License, or (at your option) any later version.
17 This library is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
20 Lesser General Public License for more details.
22 You should have received a copy of the GNU Lesser General Public
23 License along with this library; if not, see <http://www.gnu.org/licenses/>.
24 */
28 /*
29 transaction design:
31 - only allow a single transaction at a time per database. This makes
32 using the transaction API simpler, as otherwise the caller would
33 have to cope with temporary failures in transactions that conflict
34 with other current transactions
36 - keep the transaction recovery information in the same file as the
37 database, using a special 'transaction recovery' record pointed at
38 by the header. This removes the need for extra journal files as
39 used by some other databases
41 - dynamically allocated the transaction recover record, re-using it
42 for subsequent transactions. If a larger record is needed then
43 tdb_free() the old record to place it on the normal tdb freelist
44 before allocating the new record
46 - during transactions, keep a linked list of writes all that have
47 been performed by intercepting all tdb_write() calls. The hooked
48 transaction versions of tdb_read() and tdb_write() check this
49 linked list and try to use the elements of the list in preference
50 to the real database.
52 - don't allow any locks to be held when a transaction starts,
53 otherwise we can end up with deadlock (plus lack of lock nesting
54 in posix locks would mean the lock is lost)
56 - if the caller gains a lock during the transaction but doesn't
57 release it then fail the commit
59 - allow for nested calls to tdb_transaction_start(), re-using the
60 existing transaction record. If the inner transaction is cancelled
61 then a subsequent commit will fail
63 - keep a mirrored copy of the tdb hash chain heads to allow for the
64 fast hash heads scan on traverse, updating the mirrored copy in
65 the transaction version of tdb_write
67 - allow callers to mix transaction and non-transaction use of tdb,
68 although once a transaction is started then an exclusive lock is
69 gained until the transaction is committed or cancelled
71 - the commit stategy involves first saving away all modified data
72 into a linearised buffer in the transaction recovery area, then
73 marking the transaction recovery area with a magic value to
74 indicate a valid recovery record. In total 4 fsync/msync calls are
75 needed per commit to prevent race conditions. It might be possible
76 to reduce this to 3 or even 2 with some more work.
78 - check for a valid recovery record on open of the tdb, while the
79 open lock is held. Automatically recover from the transaction
80 recovery area if needed, then continue with the open as
81 usual. This allows for smooth crash recovery with no administrator
82 intervention.
84 - if TDB_NOSYNC is passed to flags in tdb_open then transactions are
85 still available, but no fsync/msync calls are made. This means we
86 are still proof against a process dying during transaction commit,
87 but not against machine reboot.
89 - if TDB_ALLOW_NESTING is passed to flags in tdb open, or added using
90 tdb_add_flags() transaction nesting is enabled.
91 It resets the TDB_DISALLOW_NESTING flag, as both cannot be used together.
92 The default is that transaction nesting is allowed.
93 Note: this default may change in future versions of tdb.
95 Beware. when transactions are nested a transaction successfully
96 completed with tdb_transaction_commit() can be silently unrolled later.
98 - if TDB_DISALLOW_NESTING is passed to flags in tdb open, or added using
99 tdb_add_flags() transaction nesting is disabled.
100 It resets the TDB_ALLOW_NESTING flag, as both cannot be used together.
101 An attempt create a nested transaction will fail with TDB_ERR_NESTING.
102 The default is that transaction nesting is allowed.
103 Note: this default may change in future versions of tdb.
104 */
107 /*
108 hold the context of any current transaction
109 */
111 /* we keep a mirrored copy of the tdb hash heads here so
112 tdb_next_hash_chain() can operate efficiently */
115 /* the original io methods - used to do IOs to the real db */
118 /* the list of transaction blocks. When a block is first
119 written to, it gets created in this list */
125 /* non-zero when an internal transaction error has
126 occurred. All write operations will then fail until the
127 transaction is ended */
130 /* when inside a transaction we need to keep track of any
131 nested tdb_transaction_start() calls, as these are allowed,
132 but don't create a new transaction */
135 /* set when a prepare has already occurred */
137 tdb_off_t magic_offset;
139 /* old file size before transaction */
140 tdb_len_t old_map_size;
142 /* did we expand in this transaction */
144 };
147 /*
148 read while in a transaction. We need to check first if the data is in our list
149 of transaction elements, then if not do a real read
150 */
153 {
156 /* break it down into block sized ops */
161 }
165 }
169 }
173 /* see if we have it in the block list */
176 /* nope, do a real read */
179 }
181 }
183 /* it is in the block list. Now check for the last block */
187 }
188 }
190 /* now copy it out of this block */
194 }
197 fail:
202 }
205 /*
206 write while in a transaction
207 */
210 {
213 /* Only a commit is allowed on a prepared transaction */
216 TDB_LOG((tdb, TDB_DEBUG_FATAL, "transaction_write: transaction already prepared, write not allowed\n"));
219 }
221 /* if the write is to a hash head, then update the transaction
222 hash heads */
227 }
229 /* break it up into block sized chunks */
234 }
239 }
240 }
244 }
251 /* expand the blocks array */
259 }
263 }
269 }
271 /* allocate and fill a block? */
278 }
283 }
290 }
293 }
294 }
295 }
297 /* overwrite part of an existing block */
302 }
306 }
307 }
311 fail:
316 }
319 /*
320 write while in a transaction - this variant never expands the transaction blocks, it only
321 updates existing blocks. This means it cannot change the recovery size
322 */
325 {
328 /* break it up into block sized chunks */
333 }
338 }
339 }
343 }
351 }
357 }
359 }
361 /* overwrite part of an existing block */
365 }
368 /*
369 accelerated hash chain head search, using the cached hash heads
370 */
372 {
375 /* the +1 takes account of the freelist */
378 }
379 }
381 }
383 /*
384 out of bounds check during a transaction
385 */
388 {
391 }
394 }
396 /*
397 transaction version of tdb_expand().
398 */
400 tdb_off_t addition)
401 {
402 /* add a write to the transaction elements, so subsequent
403 reads see the zero data */
406 }
411 }
414 transaction_read,
415 transaction_write,
416 transaction_next_hash_chain,
417 transaction_oob,
418 transaction_expand_file,
419 };
422 /*
423 start a tdb transaction. No token is returned, as only a single
424 transaction is allowed to be pending per tdb_context
425 */
428 {
429 /* some sanity checks */
431 TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_transaction_start: cannot start a transaction on a read-only or internal db\n"));
434 }
436 /* cope with nested tdb_transaction_start() calls */
441 }
446 }
449 /* the caller must not have any locks when starting a
450 transaction as otherwise we'll be screwed by lack
451 of nested locks in posix */
452 TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_transaction_start: cannot start a transaction with locks held\n"));
455 }
458 /* you cannot use transactions inside a traverse (although you can use
459 traverse inside a transaction) as otherwise you can end up with
460 deadlock */
461 TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_transaction_start: cannot start a transaction within a traverse\n"));
464 }
471 }
473 /* a page at a time seems like a reasonable compromise between compactness and efficiency */
476 /* get the transaction write lock. This is a blocking lock. As
477 discussed with Volker, there are a number of ways we could
478 make this async, which we will probably do in the future */
484 }
486 }
488 /* get a read lock from the freelist to the end of file. This
489 is upgraded to a write lock during the commit */
493 }
495 /* setup a copy of the hash table heads so the hash scan in
496 traverse can be fast */
502 }
508 }
510 /* make sure we know about any file expansions already done by
511 anyone else */
515 /* finally hook the io methods, replacing them with
516 transaction specific methods */
520 /* Trace at the end, so we get sequence number correct. */
524 fail:
526 fail_allrecord_lock:
532 }
535 {
537 }
540 {
542 }
544 /*
545 sync to disk
546 */
548 {
551 }
553 #ifdef HAVE_FDATASYNC
555 #else
557 #endif
561 }
562 #ifdef HAVE_MMAP
571 }
572 }
573 #endif
575 }
579 {
585 }
591 }
595 /* free all the transaction blocks */
599 }
600 }
607 /* remove the recovery marker */
612 }
613 }
615 /* This also removes the OPEN_LOCK, if we have it. */
618 /* restore the normal io methods */
625 }
627 /*
628 cancel the current transaction
629 */
631 {
634 }
636 /*
637 work out how much space the linearised recovery data will consume
638 */
640 {
648 }
651 }
657 }
658 }
661 }
667 {
670 }
675 }
680 }
682 /* ignore invalid recovery regions: can happen in crash */
687 }
689 }
691 /*
692 allocate the recovery area, or use an existing recovery area if it is
693 large enough
694 */
699 {
707 }
711 /* Existing recovery area? */
713 /* it fits in the existing area */
717 }
719 /* If recovery area in middle of file, we need a new one. */
722 /* we need to free up the old recovery area, then allocate a
723 new one at the end of the file. Note that we cannot use
724 tdb_allocate() to allocate the new one as that might return
725 us an area that is being currently used (as of the start of
726 the transaction) */
730 "tdb_recovery_allocate: failed to"
733 }
735 /* the tdb_free() call might have increased
736 * the recovery size */
738 }
740 /* New head will be at end of file. */
742 }
744 /* Now we know where it will be. */
747 /* Expand by more than we need, so we don't do it often. */
760 }
762 /* remap the file (if using mmap) */
765 /* we have to reset the old map size so that we don't try to expand the file
766 again in the transaction commit, which would destroy the recovery area */
769 /* write the recovery header offset and sync - we can sync without a race here
770 as the magic ptr in the recovery record has not been set */
776 }
777 if (transaction_write_existing(tdb, TDB_RECOVERY_HEAD, &recovery_head, sizeof(tdb_off_t)) == -1) {
780 }
783 }
786 /*
787 setup the recovery data that will be used on a crash during commit
788 */
791 {
792 tdb_len_t recovery_size;
801 /*
802 check that the recovery area has enough space
803 */
807 }
813 }
824 /* build the recovery data into a single blob to allow us to do a single
825 large write, which should be more efficient */
828 tdb_off_t offset;
829 tdb_len_t length;
833 }
839 }
843 }
845 TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_setup_recovery: transaction data over new region boundary\n"));
849 }
854 }
855 /* the recovery area contains the old data, not the
856 new data, so we have to call the original tdb_read
857 method to get it */
862 }
864 }
866 /* and the tailer */
871 }
873 /* write the recovery data to the recovery area */
875 TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_setup_recovery: failed to write recovery data\n"));
879 }
880 if (transaction_write_existing(tdb, recovery_offset, data, sizeof(*rec) + recovery_size) == -1) {
881 TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_setup_recovery: failed to write secondary recovery data\n"));
885 }
887 /* as we don't have ordered writes, we have to sync the recovery
888 data before we update the magic to indicate that the recovery
889 data is present */
893 }
903 TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_setup_recovery: failed to write recovery magic\n"));
906 }
908 TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_setup_recovery: failed to write secondary recovery magic\n"));
911 }
913 /* ensure the recovery magic marker is on disk */
916 }
919 }
922 {
928 }
933 TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_transaction_prepare_commit: transaction already prepared\n"));
935 }
942 }
947 }
949 /* check for a null transaction */
952 }
956 /* if there are any locks pending then the caller has not
957 nested their locks properly, so fail the transaction */
963 }
965 /* upgrade the main transaction lock region to a write lock */
967 TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_transaction_prepare_commit: failed to upgrade hash locks\n"));
970 }
972 /* get the open lock - this prevents new users attaching to the database
973 during the commit */
978 }
980 /* write the recovery data to the end of the file */
982 TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_prepare_commit: failed to setup recovery data\n"));
985 }
989 /* expand the file to the new size if needed */
998 }
1001 }
1003 /* Keep the open lock until the actual commit */
1006 }
1008 /*
1009 prepare to commit the current transaction
1010 */
1012 {
1015 }
1017 /* A repack is worthwhile if the largest is less than half total free. */
1019 {
1020 tdb_off_t ptr;
1026 }
1032 }
1034 }
1037 }
1039 /*
1040 commit the current transaction
1041 */
1043 {
1051 }
1060 }
1066 }
1068 /* check for a null transaction */
1072 }
1078 }
1082 /* perform all the writes */
1084 tdb_off_t offset;
1085 tdb_len_t length;
1089 }
1095 }
1100 /* we've overwritten part of the data and
1101 possibly expanded the file, so we need to
1102 run the crash recovery code */
1110 }
1112 }
1114 /* Do this before we drop lock or blocks. */
1117 }
1122 /* ensure the new data is on disk */
1125 }
1127 /*
1128 TODO: maybe write to some dummy hdr field, or write to magic
1129 offset without mmap, before the last sync, instead of the
1130 utime() call
1131 */
1133 /* on some systems (like Linux 2.6.x) changes via mmap/msync
1134 don't change the mtime of the file, this means the file may
1135 not be backed up (as tdb rounding to block sizes means that
1136 file size changes are quite rare too). The following forces
1137 mtime changes when a transaction completes */
1138 #ifdef HAVE_UTIME
1140 #endif
1142 /* use a transaction cancel to free memory and remove the
1143 transaction locks */
1148 }
1151 }
1154 /*
1155 recover from an aborted transaction. Must be called with exclusive
1156 database write access already established (including the open
1157 lock to prevent new processes attaching)
1158 */
1160 {
1166 /* find the recovery area */
1171 }
1174 /* we have never allocated a recovery record */
1176 }
1178 /* read the recovery record */
1184 }
1187 /* there is no valid recovery data */
1189 }
1192 TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_recover: attempt to recover read only database\n"));
1195 }
1201 TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_recover: failed to allocate recovery data\n"));
1204 }
1206 /* read the full recovery data */
1212 }
1214 /* recover the file data */
1220 }
1226 TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_recover: failed to recover %d bytes at offset %d\n", len, ofs));
1229 }
1231 }
1239 }
1241 /* if the recovery area is after the recovered eof then remove it */
1247 }
1248 }
1250 /* remove the recovery magic */
1256 }
1262 }
1265 recovery_eof));
1267 /* all done */
1269 }
1271 /* Any I/O failures we say "needs recovery". */
1273 {
1274 tdb_off_t recovery_head;
1277 /* find the recovery area */
1280 }
1283 /* we have never allocated a recovery record */
1285 }
1287 /* read the recovery record */
1291 }
1294 }