implement corruption correcting recv

[alek-p]

This patch implements a new type of zfs receive: corrective receive (-c). This type of recv is used to heal corrupted data when a replica of the data already exists (in the form of a sendfile for example).
Metadata can not be healed using a corrective receive.

This patch enables us to receive a send stream into an existing snapshot for the purpose of correcting data corruption.

Motivation and Context

In the past in the rare cases where ZFS has experienced permanent data corruption, full recovery of the dataset(s) has not always been possible even if replicas existed.
This patch makes recovery from permanent data corruption possible.

Description

For every write and spill record in the send stream, we read the corresponding block from disk and if that read fails with a checksum error we overwrite that block with data from the send stream.
After the data is healed we reread the block to make sure it's healed and remove the healed blocks form the corruption lists seen in zpool status.

To makes sure will have correctly matched the data in the send stream to the right dataset to heal there is a restriction that the GUID for the snapshot being received into must match the GUID in the send stream. There are likely several snapshots referring to the same potentially corrupted data so there may be many snapshots with the above condition holding that are able to heal a single block.

The other thing to point out is that we can only correct data. Specifically, we are only able to heal records of type DRR_WRITE and DRR_SPILL since those are the only ones that contain all of the data needed to recreate the damaged block.

How Has This Been Tested?

I've been running unit testing very similar to the test that I've added to the zfs-tests

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Performance enhancement (non-breaking change which improves efficiency)
• Code cleanup (non-breaking change which makes code smaller or more readable)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation (a change to man pages or other documentation)

Checklist:

• My code follows the ZFS on Linux code style requirements.
• I have updated the documentation accordingly.
• I have read the contributing document.
• I have added tests to cover my changes.
• All new and existing tests passed.
• All commit messages are properly formatted and contain Signed-off-by.

[alek-p]

The next logical extension for part two of this work is to provide a way for a corrupted pool to tell a backup system to generate a minimal send stream in such a way as to enable the corrupted pool to be healed with this generated send stream.
The interface could be something like the following, but maybe there are better suggestions?

# dumps spa err list that are part of this snapshot and the snapshot guid
zfs send -C data/fs@snap > /tmp/errlist 

# on replica system generates healing sendfile based on the errors list
zfs send -cc /tmp/errlist backup_data > /tmp/healing_sendfile

# heal our data with the minimal healing sendfile
zfs recv -c data/fs@snap < /tmp/healing_sendfile

[behlendorf]

Using zfs recv is this way to correct damaged blocks is an interesting idea. I've left some initial comments and we should be able to get you some additional feedback on the approach.

[behlendorf]

See comment below, but I'd suggest moving this check in to the top of receive_process_record for healing receives.

[behlendorf]

Functionally this looks right, but it is possible for dmu_read to return errors other than ECKSUM, for example EIO. Could you add a comment to clarify it's also possible the block couldn't be read at all and was skipped,

[behlendorf]

nit: this should be unreachable but please go ahead remove this debugging.

[behlendorf]

Why EBUSY rather than returning the actual errno?

[behlendorf]

Rather than add a new top-level receive_heal_record(), did you try moving this logic in to receive_write() and receive_spill() respectively. This will allow you to leverage all of the existing stream sanity checks, and the cleanup logic which consumes the arc_buf automatically on error. The common bits at the end of receive_heal_record() which rewrites in-place can be left in it's own function which is called by both.

[behlendorf]

Good news, commit b63e2d8 added support to master to inject targeted damage in to file blocks. Please use it to ensure this test is reliable.

[behlendorf]

Also added to master is the new zpool wait subcommand, you can now run log_must zpool wait -t scrub $TESTPOOL and avoid this ugliness.

[behlendorf]

You should be able to get rid of the garbage file after switching to the targeted injection.

[ahrens]

How does this interact with encryption and zfs send --raw? E.g. if the snapshot is encrypted, do they need to do a raw send, or does the receive encrypt it on the fly (using the crypt params in the BP)?

[ahrens]

I think it's time to add --long-opts for zfs receive. It's really too bad we didn't do this from the beginning for all of the subcommands.

[alek-p]

part two of this work will likely need long-ops but I'd like to avoid adding it now

[ahrens]

I think that we don't want to change existing libzfs_core function signatures if we can help it. Let's add a new function instead.

[ahrens]

if error is nonzero, shouldn't we be returning that?

[ahrens]

Since we're now using val as the snapshot's object number, how about renaming it to reflect that, e.g. snapobj

[ahrens]

I don't think this avl_is_empty case is needed - the right thing will happen below (i.e. the first call to avl_destroy_nodes will return NULL).

[ahrens]

You need to use DB_DNODE_ENTER/EXIT around the DB_DNODE(), or better yet dmu_buf_dnode_enter() as you do below. Or if you're going to cast the dbuf, you might as well just dereference db_blkid

[ahrens]

Why no prefetching?

[ahrens]

Is there any check that the size is the same as the BP's psize (possibly rounded up to ashift)? Or at least that this can't write past the end of what's allocated for the BP?

[ahrens]

Do we really need to handle this case? Seems like we could say that it needs to be a zfs send --compressed stream to use it with zfs recv -c. Plus, trying to recompress it and get the exact same byte stream adds more restrictions on changing the checksum algorithm implementations, which we'd like to avoid. (cc @allanjude)

[ahrens]

Given the current functionality, we would expect there to be a LOT more records for non-corrupt blocks, than for corrupt blocks. So I'm even more concerned about the synchronous (and not eligible for predictive prefetch) dmu_read()'s to determine if we want to correct this block.

We'd typically (e.g. with >1 vdev) get better performance by simply always asynchronously zio_rewrite()ing every record (i.e. without checking if its actually corrupt). Since you'd have Nrecords async writes vs the current PR's Nrecords sync reads. Plus the code would be a lot simpler.

I wonder if we should wait for the extensions (to send only the corrupt blocks) are ready, or at least design recv -c to work best in that mode. E.g. by assuming that nearly all records will be for corrupt blocks?

[alek-p]

Thanks for the reviews guys. I've addressed most of the comments in the version I just pushed. I'm still thinking about the right way to do the rewrite I/O. Perhaps always rewriting (instead of readin first) is the right way to go hmm...

It seems to be too big a limitation to impose saying we have to use send --compressed with corrective recv so I'd like to keep the parts that are able to switch compressions if possible.
Perhaps we can deal with the compression algos that don't recompress the same way seperatley from the other compressison types and only make those send streams be compressed.

[codecov]

Codecov Report

Merging #9323 into master will decrease coverage by 0.67%.
The diff coverage is 73.8%.

@@            Coverage Diff             @@
##           master    #9323      +/-   ##
==========================================
- Coverage   79.79%   79.12%   -0.68%     
==========================================
  Files         279      401     +122     
  Lines       81396   122676   +41280     
==========================================
+ Hits        64951    97065   +32114     
- Misses      16445    25611    +9166

Flag	Coverage Δ
#kernel	79.77% <74.09%> (-0.02%)	⬇️
#user	66.63% <18.93%> (?)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update afc8f0a...adb30d5. Read the comment docs.

[alek-p]

After talking with my colleagues @datto we think it may be too dangerous to rewrite everything that we encounter in the send stream as writing has the potential to do more damage in the cases where corruption is coming from failing HW for example.
We want to prioritize getting the dataset healthy and not necessarily the performance of the healing. In theory, recv healing should be a rare event that does not need to be highly performant. Having said that I'm still working on the way that I/O is done for corrective recv.

The other open question was about the way to handle compression alogos that may not recompress the same block the same way. The suggestion here to avoid this problem we will only heal when the checksum of the data to be used for healing matches the checksum already on disk.

The last thing I'm still working on is to make sure raw and large block send streams are compatible with healing recv.

[ahrens]

Superseded by #9372