Shared Subtrees --------------- Contents: 1) Overview 2) Features 3) Setting mount states 4) Use-case 5) Detailed semantics 6) Quiz 7) FAQ 8) Implementation 1) Overview ----------- Consider the following situation: A process wants to clone its own namespace, but still wants to access the CD that got mounted recently. Shared subtree semantics provide the necessary mechanism to accomplish the above. It provides the necessary building blocks for features like per-user-namespace and versioned filesystem. 2) Features ----------- Shared subtree provides four different flavors of mounts; struct vfsmount to be precise a. shared mount b. slave mount c. private mount d. unbindable mount 2a) A shared mount can be replicated to as many mountpoints and all the replicas continue to be exactly same. Here is an example: Let's say /mnt has a mount that is shared. mount --make-shared /mnt Note: mount(8) command now supports the --make-shared flag, so the sample 'smount' program is no longer needed and has been removed. # mount --bind /mnt /tmp The above command replicates the mount at /mnt to the mountpoint /tmp and the contents of both the mounts remain identical. #ls /mnt a b c #ls /tmp a b c Now let's say we mount a device at /tmp/a # mount /dev/sd0 /tmp/a #ls /tmp/a t1 t2 t3 #ls /mnt/a t1 t2 t3 Note that the mount has propagated to the mount at /mnt as well. And the same is true even when /dev/sd0 is mounted on /mnt/a. The contents will be visible under /tmp/a too. 2b) A slave mount is like a shared mount except that mount and umount events only propagate towards it. All slave mounts have a master mount which is a shared. Here is an example: Let's say /mnt has a mount which is shared. # mount --make-shared /mnt Let's bind mount /mnt to /tmp # mount --bind /mnt /tmp the new mount at /tmp becomes a shared mount and it is a replica of the mount at /mnt. Now let's make the mount at /tmp; a slave of /mnt # mount --make-slave /tmp let's mount /dev/sd0 on /mnt/a # mount /dev/sd0 /mnt/a #ls /mnt/a t1 t2 t3 #ls /tmp/a t1 t2 t3 Note the mount event has propagated to the mount at /tmp However let's see what happens if we mount something on the mount at /tmp # mount /dev/sd1 /tmp/b #ls /tmp/b s1 s2 s3 #ls /mnt/b Note how the mount event has not propagated to the mount at /mnt 2c) A private mount does not forward or receive propagation. This is the mount we are familiar with. Its the default type. 2d) A unbindable mount is a unbindable private mount let's say we have a mount at /mnt and we make it unbindable # mount --make-unbindable /mnt Let's try to bind mount this mount somewhere else. # mount --bind /mnt /tmp mount: wrong fs type, bad option, bad superblock on /mnt, or too many mounted file systems Binding a unbindable mount is a invalid operation. 3) Setting mount states The mount command (util-linux package) can be used to set mount states: mount --make-shared mountpoint mount --make-slave mountpoint mount --make-private mountpoint mount --make-unbindable mountpoint 4) Use cases ------------ A) A process wants to clone its own namespace, but still wants to access the CD that got mounted recently. Solution: The system administrator can make the mount at /cdrom shared mount --bind /cdrom /cdrom mount --make-shared /cdrom Now any process that clones off a new namespace will have a mount at /cdrom which is a replica of the same mount in the parent namespace. So when a CD is inserted and mounted at /cdrom that mount gets propagated to the other mount at /cdrom in all the other clone namespaces. B) A process wants its mounts invisible to any other process, but still be able to see the other system mounts. Solution: To begin with, the administrator can mark the entire mount tree as shareable. mount --make-rshared / A new process can clone off a new namespace. And mark some part of its namespace as slave mount --make-rslave /myprivatetree Hence forth any mounts within the /myprivatetree done by the process will not show up in any other namespace. However mounts done in the parent namespace under /myprivatetree still shows up in the process's namespace. Apart from the above semantics this feature provides the building blocks to solve the following problems: C) Per-user namespace The above semantics allows a way to share mounts across namespaces. But namespaces are associated with processes. If namespaces are made first class objects with user API to associate/disassociate a namespace with userid, then each user could have his/her own namespace and tailor it to his/her requirements. This needs to be supported in PAM. D) Versioned files If the entire mount tree is visible at multiple locations, then an underlying versioning file system can return different versions of the file depending on the path used to access that file. An example is: mount --make-shared / mount --rbind / /view/v1 mount --rbind / /view/v2 mount --rbind / /view/v3 mount --rbind / /view/v4 and if /usr has a versioning filesystem mounted, then that mount appears at /view/v1/usr, /view/v2/usr, /view/v3/usr and /view/v4/usr too A user can request v3 version of the file /usr/fs/namespace.c by accessing /view/v3/usr/fs/namespace.c . The underlying versioning filesystem can then decipher that v3 version of the filesystem is being requested and return the corresponding inode. 5) Detailed semantics: ------------------- The section below explains the detailed semantics of bind, rbind, move, mount, umount and clone-namespace operations. Note: the word 'vfsmount' and the noun 'mount' have been used to mean the same thing, throughout this document. 5a) Mount states A given mount can be in one of the following states 1) shared 2) slave 3) shared and slave 4) private 5) unbindable A 'propagation event' is defined as event generated on a vfsmount that leads to mount or unmount actions in other vfsmounts. A 'peer group' is defined as a group of vfsmounts that propagate events to each other. (1) Shared mounts A 'shared mount' is defined as a vfsmount that belongs to a 'peer group'. For example: mount --make-shared /mnt mount --bind /mnt /tmp The mount at /mnt and that at /tmp are both shared and belong to the same peer group. Anything mounted or unmounted under /mnt or /tmp reflect in all the other mounts of its peer group. (2) Slave mounts A 'slave mount' is defined as a vfsmount that receives propagation events and does not forward propagation events. A slave mount as the name implies has a master mount from which mount/unmount events are received. Events do not propagate from the slave mount to the master. Only a shared mount can be made a slave by executing the following command mount --make-slave mount A shared mount that is made as a slave is no more shared unless modified to become shared. (3) Shared and Slave A vfsmount can be both shared as well as slave. This state indicates that the mount is a slave of some vfsmount, and has its own peer group too. This vfsmount receives propagation events from its master vfsmount, and also forwards propagation events to its 'peer group' and to its slave vfsmounts. Strictly speaking, the vfsmount is shared having its own peer group, and this peer-group is a slave of some other peer group. Only a slave vfsmount can be made as 'shared and slave' by either executing the following command mount --make-shared mount or by moving the slave vfsmount under a shared vfsmount. (4) Private mount A 'private mount' is defined as vfsmount that does not receive or forward any propagation events. (5) Unbindable mount A 'unbindable mount' is defined as vfsmount that does not receive or forward any propagation events and cannot be bind mounted. State diagram: The state diagram below explains the state transition of a mount, in response to various commands. ------------------------------------------------------------------------ | |make-shared | make-slave | make-private |make-unbindab| --------------|------------|--------------|--------------|-------------| |shared |shared |*slave/private| private | unbindable | | | | | | | |-------------|------------|--------------|--------------|-------------| |slave |shared | **slave | private | unbindable | | |and slave | | | | |-------------|------------|--------------|--------------|-------------| |shared |shared | slave | private | unbindable | |and slave |and slave | | | | |-------------|------------|--------------|--------------|-------------| |private |shared | **private | private | unbindable | |-------------|------------|--------------|--------------|-------------| |unbindable |shared |**unbindable | private | unbindable | ------------------------------------------------------------------------ * if the shared mount is the only mount in its peer group, making it slave, makes it private automatically. Note that there is no master to which it can be slaved to. ** slaving a non-shared mount has no effect on the mount. Apart from the commands listed below, the 'move' operation also changes the state of a mount depending on type of the destination mount. Its explained in section 5d. 5b) Bind semantics Consider the following command mount --bind A/a B/b where 'A' is the source mount, 'a' is the dentry in the mount 'A', 'B' is the destination mount and 'b' is the dentry in the destination mount. The outcome depends on the type of mount of 'A' and 'B'. The table below contains quick reference. --------------------------------------------------------------------------- | BIND MOUNT OPERATION | |************************************************************************** |source(A)->| shared | private | slave | unbindable | | dest(B) | | | | | | | | | | | | | v | | | | | |************************************************************************** | shared | shared | shared | shared & slave | invalid | | | | | | | |non-shared| shared | private | slave | invalid | *************************************************************************** Details: 1. 'A' is a shared mount and 'B' is a shared mount. A new mount 'C' which is clone of 'A', is created. Its root dentry is 'a' . 'C' is mounted on mount 'B' at dentry 'b'. Also new mount 'C1', 'C2', 'C3' ... are created and mounted at the dentry 'b' on all mounts where 'B' propagates to. A new propagation tree containing 'C1',..,'Cn' is created. This propagation tree is identical to the propagation tree of 'B'. And finally the peer-group of 'C' is merged with the peer group of 'A'. 2. 'A' is a private mount and 'B' is a shared mount. A new mount 'C' which is clone of 'A', is created. Its root dentry is 'a'. 'C' is mounted on mount 'B' at dentry 'b'. Also new mount 'C1', 'C2', 'C3' ... are created and mounted at the dentry 'b' on all mounts where 'B' propagates to. A new propagation tree is set containing all new mounts 'C', 'C1', .., 'Cn' with exactly the same configuration as the propagation tree for 'B'. 3. 'A' is a slave mount of mount 'Z' and 'B' is a shared mount. A new mount 'C' which is clone of 'A', is created. Its root dentry is 'a' . 'C' is mounted on mount 'B' at dentry 'b'. Also new mounts 'C1', 'C2', 'C3' ... are created and mounted at the dentry 'b' on all mounts where 'B' propagates to. A new propagation tree containing the new mounts 'C','C1',.. 'Cn' is created. This propagation tree is identical to the propagation tree for 'B'. And finally the mount 'C' and its peer group is made the slave of mount 'Z'. In other words, mount 'C' is in the state 'slave and shared'. 4. 'A' is a unbindable mount and 'B' is a shared mount. This is a invalid operation. 5. 'A' is a private mount and 'B' is a non-shared(private or slave or unbindable) mount. A new mount 'C' which is clone of 'A', is created. Its root dentry is 'a'. 'C' is mounted on mount 'B' at dentry 'b'. 6. 'A' is a shared mount and 'B' is a non-shared mount. A new mount 'C' which is a clone of 'A' is created. Its root dentry is 'a'. 'C' is mounted on mount 'B' at dentry 'b'. 'C' is made a member of the peer-group of 'A'. 7. 'A' is a slave mount of mount 'Z' and 'B' is a non-shared mount. A new mount 'C' which is a clone of 'A' is created. Its root dentry is 'a'. 'C' is mounted on mount 'B' at dentry 'b'. Also 'C' is set as a slave mount of 'Z'. In other words 'A' and 'C' are both slave mounts of 'Z'. All mount/unmount events on 'Z' propagates to 'A' and 'C'. But mount/unmount on 'A' do not propagate anywhere else. Similarly mount/unmount on 'C' do not propagate anywhere else. 8. 'A' is a unbindable mount and 'B' is a non-shared mount. This is a invalid operation. A unbindable mount cannot be bind mounted. 5c) Rbind semantics rbind is same as bind. Bind replicates the specified mount. Rbind replicates all the mounts in the tree belonging to the specified mount. Rbind mount is bind mount applied to all the mounts in the tree. If the source tree that is rbind has some unbindable mounts, then the subtree under the unbindable mount is pruned in the new location. eg: let's say we have the following mount tree. A / \ B C / \ / \ D E F G Let's say all the mount except the mount C in the tree are of a type other than unbindable. If this tree is rbound to say Z We will have the following tree at the new location. Z | A' / B' Note how the tree under C is pruned / \ in the new location. D' E' 5d) Move semantics Consider the following command mount --move A B/b where 'A' is the source mount, 'B' is the destination mount and 'b' is the dentry in the destination mount. The outcome depends on the type of the mount of 'A' and 'B'. The table below is a quick reference. --------------------------------------------------------------------------- | MOVE MOUNT OPERATION | |************************************************************************** | source(A)->| shared | private | slave | unbindable | | dest(B) | | | | | | | | | | | | | v | | | | | |************************************************************************** | shared | shared | shared |shared and slave| invalid | | | | | | | |non-shared| shared | private | slave | unbindable | *************************************************************************** NOTE: moving a mount residing under a shared mount is invalid. Details follow: 1. 'A' is a shared mount and 'B' is a shared mount. The mount 'A' is mounted on mount 'B' at dentry 'b'. Also new mounts 'A1', 'A2'...'An' are created and mounted at dentry 'b' on all mounts that receive propagation from mount 'B'. A new propagation tree is created in the exact same configuration as that of 'B'. This new propagation tree contains all the new mounts 'A1', 'A2'... 'An'. And this new propagation tree is appended to the already existing propagation tree of 'A'. 2. 'A' is a private mount and 'B' is a shared mount. The mount 'A' is mounted on mount 'B' at dentry 'b'. Also new mount 'A1', 'A2'... 'An' are created and mounted at dentry 'b' on all mounts that receive propagation from mount 'B'. The mount 'A' becomes a shared mount and a propagation tree is created which is identical to that of 'B'. This new propagation tree contains all the new mounts 'A1', 'A2'... 'An'. 3. 'A' is a slave mount of mount 'Z' and 'B' is a shared mount. The mount 'A' is mounted on mount 'B' at dentry 'b'. Also new mounts 'A1', 'A2'... 'An' are created and mounted at dentry 'b' on all mounts that receive propagation from mount 'B'. A new propagation tree is created in the exact same configuration as that of 'B'. This new propagation tree contains all the new mounts 'A1', 'A2'... 'An'. And this new propagation tree is appended to the already existing propagation tree of 'A'. Mount 'A' continues to be the slave mount of 'Z' but it also becomes 'shared'. 4. 'A' is a unbindable mount and 'B' is a shared mount. The operation is invalid. Because mounting anything on the shared mount 'B' can create new mounts that get mounted on the mounts that receive propagation from 'B'. And since the mount 'A' is unbindable, cloning it to mount at other mountpoints is not possible. 5. 'A' is a private mount and 'B' is a non-shared(private or slave or unbindable) mount. The mount 'A' is mounted on mount 'B' at dentry 'b'. 6. 'A' is a shared mount and 'B' is a non-shared mount. The mount 'A' is mounted on mount 'B' at dentry 'b'. Mount 'A' continues to be a shared mount. 7. 'A' is a slave mount of mount 'Z' and 'B' is a non-shared mount. The mount 'A' is mounted on mount 'B' at dentry 'b'. Mount 'A' continues to be a slave mount of mount 'Z'. 8. 'A' is a unbindable mount and 'B' is a non-shared mount. The mount 'A' is mounted on mount 'B' at dentry 'b'. Mount 'A' continues to be a unbindable mount. 5e) Mount semantics Consider the following command mount device B/b 'B' is the destination mount and 'b' is the dentry in the destination mount. The above operation is the same as bind operation with the exception that the source mount is always a private mount. 5f) Unmount semantics Consider the following command umount A where 'A' is a mount mounted on mount 'B' at dentry 'b'. If mount 'B' is shared, then all most-recently-mounted mounts at dentry 'b' on mounts that receive propagation from mount 'B' and does not have sub-mounts within them are unmounted. Example: Let's say 'B1', 'B2', 'B3' are shared mounts that propagate to each other. let's say 'A1', 'A2', 'A3' are first mounted at dentry 'b' on mount 'B1', 'B2' and 'B3' respectively. let's say 'C1', 'C2', 'C3' are next mounted at the same dentry 'b' on mount 'B1', 'B2' and 'B3' respectively. if 'C1' is unmounted, all the mounts that are most-recently-mounted on 'B1' and on the mounts that 'B1' propagates-to are unmounted. 'B1' propagates to 'B2' and 'B3'. And the most recently mounted mount on 'B2' at dentry 'b' is 'C2', and that of mount 'B3' is 'C3'. So all 'C1', 'C2' and 'C3' should be unmounted. If any of 'C2' or 'C3' has some child mounts, then that mount is not unmounted, but all other mounts are unmounted. However if 'C1' is told to be unmounted and 'C1' has some sub-mounts, the umount operation is failed entirely. 5g) Clone Namespace A cloned namespace contains all the mounts as that of the parent namespace. Let's say 'A' and 'B' are the corresponding mounts in the parent and the child namespace. If 'A' is shared, then 'B' is also shared and 'A' and 'B' propagate to each other. If 'A' is a slave mount of 'Z', then 'B' is also the slave mount of 'Z'. If 'A' is a private mount, then 'B' is a private mount too. If 'A' is unbindable mount, then 'B' is a unbindable mount too. 6) Quiz A. What is the result of the following command sequence? mount --bind /mnt /mnt mount --make-shared /mnt mount --bind /mnt /tmp mount --move /tmp /mnt/1 what should be the contents of /mnt /mnt/1 /mnt/1/1 should be? Should they all be identical? or should /mnt and /mnt/1 be identical only? B. What is the result of the following command sequence? mount --make-rshared / mkdir -p /v/1 mount --rbind / /v/1 what should be the content of /v/1/v/1 be? C. What is the result of the following command sequence? mount --bind /mnt /mnt mount --make-shared /mnt mkdir -p /mnt/1/2/3 /mnt/1/test mount --bind /mnt/1 /tmp mount --make-slave /mnt mount --make-shared /mnt mount --bind /mnt/1/2 /tmp1 mount --make-slave /mnt At this point we have the first mount at /tmp and its root dentry is 1. Let's call this mount 'A' And then we have a second mount at /tmp1 with root dentry 2. Let's call this mount 'B' Next we have a third mount at /mnt with root dentry mnt. Let's call this mount 'C' 'B' is the slave of 'A' and 'C' is a slave of 'B' A -> B -> C at this point if we execute the following command mount --bind /bin /tmp/test The mount is attempted on 'A' will the mount propagate to 'B' and 'C' ? what would be the contents of /mnt/1/test be? 7) FAQ Q1. Why is bind mount needed? How is it different from symbolic links? symbolic links can get stale if the destination mount gets unmounted or moved. Bind mounts continue to exist even if the other mount is unmounted or moved. Q2. Why can't the shared subtree be implemented using exportfs? exportfs is a heavyweight way of accomplishing part of what shared subtree can do. I cannot imagine a way to implement the semantics of slave mount using exportfs? Q3 Why is unbindable mount needed? Let's say we want to replicate the mount tree at multiple locations within the same subtree. if one rbind mounts a tree within the same subtree 'n' times the number of mounts created is an exponential function of 'n'. Having unbindable mount can help prune the unneeded bind mounts. Here is an example. step 1: let's say the root tree has just two directories with one vfsmount. root / \ tmp usr And we want to replicate the tree at multiple mountpoints under /root/tmp step2: mount --make-shared /root mkdir -p /tmp/m1 mount --rbind /root /tmp/m1 the new tree now looks like this: root / \ tmp usr / m1 / \ tmp usr / m1 it has two vfsmounts step3: mkdir -p /tmp/m2 mount --rbind /root /tmp/m2 the new tree now looks like this: root / \ tmp usr / \ m1 m2 / \ / \ tmp usr tmp usr / \ / m1 m2 m1 / \ / \ tmp usr tmp usr / / \ m1 m1 m2 / \ tmp usr / \ m1 m2 it has 6 vfsmounts step 4: mkdir -p /tmp/m3 mount --rbind /root /tmp/m3 I won't draw the tree..but it has 24 vfsmounts at step i the number of vfsmounts is V[i] = i*V[i-1]. This is an exponential function. And this tree has way more mounts than what we really needed in the first place. One could use a series of umount at each step to prune out the unneeded mounts. But there is a better solution. Unclonable mounts come in handy here. step 1: let's say the root tree has just two directories with one vfsmount. root / \ tmp usr How do we set up the same tree at multiple locations under /root/tmp step2: mount --bind /root/tmp /root/tmp mount --make-rshared /root mount --make-unbindable /root/tmp mkdir -p /tmp/m1 mount --rbind /root /tmp/m1 the new tree now looks like this: root / \ tmp usr / m1 / \ tmp usr step3: mkdir -p /tmp/m2 mount --rbind /root /tmp/m2 the new tree now looks like this: root / \ tmp usr / \ m1 m2 / \ / \ tmp usr tmp usr step4: mkdir -p /tmp/m3 mount --rbind /root /tmp/m3 the new tree now looks like this: root / \ tmp usr / \ \ m1 m2 m3 / \ / \ / \ tmp usr tmp usr tmp usr 8) Implementation 8A) Datastructure 4 new fields are introduced to struct vfsmount ->mnt_share ->mnt_slave_list ->mnt_slave ->mnt_master ->mnt_share links together all the mount to/from which this vfsmount send/receives propagation events. ->mnt_slave_list links all the mounts to which this vfsmount propagates to. ->mnt_slave links together all the slaves that its master vfsmount propagates to. ->mnt_master points to the master vfsmount from which this vfsmount receives propagation. ->mnt_flags takes two more flags to indicate the propagation status of the vfsmount. MNT_SHARE indicates that the vfsmount is a shared vfsmount. MNT_UNCLONABLE indicates that the vfsmount cannot be replicated. All the shared vfsmounts in a peer group form a cyclic list through ->mnt_share. All vfsmounts with the same ->mnt_master form on a cyclic list anchored in ->mnt_master->mnt_slave_list and going through ->mnt_slave. ->mnt_master can point to arbitrary (and possibly different) members of master peer group. To find all immediate slaves of a peer group you need to go through _all_ ->mnt_slave_list of its members. Conceptually it's just a single set - distribution among the individual lists does not affect propagation or the way propagation tree is modified by operations. All vfsmounts in a peer group have the same ->mnt_master. If it is non-NULL, they form a contiguous (ordered) segment of slave list. A example propagation tree looks as shown in the figure below. [ NOTE: Though it looks like a forest, if we consider all the shared mounts as a conceptual entity called 'pnode', it becomes a tree] A <--> B <--> C <---> D /|\ /| |\ / F G J K H I / E<-->K /|\ M L N In the above figure A,B,C and D all are shared and propagate to each other. 'A' has got 3 slave mounts 'E' 'F' and 'G' 'C' has got 2 slave mounts 'J' and 'K' and 'D' has got two slave mounts 'H' and 'I'. 'E' is also shared with 'K' and they propagate to each other. And 'K' has 3 slaves 'M', 'L' and 'N' A's ->mnt_share links with the ->mnt_share of 'B' 'C' and 'D' A's ->mnt_slave_list links with ->mnt_slave of 'E', 'K', 'F' and 'G' E's ->mnt_share links with ->mnt_share of K 'E', 'K', 'F', 'G' have their ->mnt_master point to struct vfsmount of 'A' 'M', 'L', 'N' have their ->mnt_master point to struct vfsmount of 'K' K's ->mnt_slave_list links with ->mnt_slave of 'M', 'L' and 'N' C's ->mnt_slave_list links with ->mnt_slave of 'J' and 'K' J and K's ->mnt_master points to struct vfsmount of C and finally D's ->mnt_slave_list links with ->mnt_slave of 'H' and 'I' 'H' and 'I' have their ->mnt_master pointing to struct vfsmount of 'D'. NOTE: The propagation tree is orthogonal to the mount tree. 8B Locking: ->mnt_share, ->mnt_slave, ->mnt_slave_list, ->mnt_master are protected by namespace_sem (exclusive for modifications, shared for reading). Normally we have ->mnt_flags modifications serialized by vfsmount_lock. There are two exceptions: do_add_mount() and clone_mnt(). The former modifies a vfsmount that has not been visible in any shared data structures yet. The latter holds namespace_sem and the only references to vfsmount are in lists that can't be traversed without namespace_sem. 8C Algorithm: The crux of the implementation resides in rbind/move operation. The overall algorithm breaks the operation into 3 phases: (look at attach_recursive_mnt() and propagate_mnt()) 1. prepare phase. 2. commit phases. 3. abort phases. Prepare phase: for each mount in the source tree: a) Create the necessary number of mount trees to be attached to each of the mounts that receive propagation from the destination mount. b) Do not attach any of the trees to its destination. However note down its ->mnt_parent and ->mnt_mountpoint c) Link all the new mounts to form a propagation tree that is identical to the propagation tree of the destination mount. If this phase is successful, there should be 'n' new propagation trees; where 'n' is the number of mounts in the source tree. Go to the commit phase Also there should be 'm' new mount trees, where 'm' is the number of mounts to which the destination mount propagates to. if any memory allocations fail, go to the abort phase. Commit phase attach each of the mount trees to their corresponding destination mounts. Abort phase delete all the newly created trees. NOTE: all the propagation related functionality resides in the file pnode.c ------------------------------------------------------------------------ version 0.1 (created the initial document, Ram Pai linuxram@us.ibm.com) version 0.2 (Incorporated comments from Al Viro)