2018-12-11 22:01:50 +01:00
|
|
|
// Package versionhandshake wraps a transport.{Connecter,AuthenticatedListener}
|
|
|
|
|
// to add an exchange of protocol version information on connection establishment.
|
|
|
|
|
//
|
|
|
|
|
// The protocol version information (banner) is plain text, thus making it
|
|
|
|
|
// easy to diagnose issues with standard tools.
|
|
|
|
|
package versionhandshake
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"bytes"
|
|
|
|
|
"fmt"
|
|
|
|
|
"io"
|
|
|
|
|
"net"
|
|
|
|
|
"strings"
|
|
|
|
|
"time"
|
|
|
|
|
"unicode/utf8"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type HandshakeMessage struct {
|
|
|
|
|
ProtocolVersion int
|
2019-03-22 19:41:12 +01:00
|
|
|
Extensions []string
|
2018-12-11 22:01:50 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// A HandshakeError describes what went wrong during the handshake.
|
|
|
|
|
// It implements net.Error and is always temporary.
|
|
|
|
|
type HandshakeError struct {
|
|
|
|
|
msg string
|
|
|
|
|
// If not nil, the underlying IO error that caused the handshake to fail.
|
2019-03-22 19:41:12 +01:00
|
|
|
IOError error
|
2019-03-15 15:59:47 +01:00
|
|
|
isAcceptError bool
|
2018-12-11 22:01:50 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var _ net.Error = &HandshakeError{}
|
|
|
|
|
|
|
|
|
|
func (e HandshakeError) Error() string { return e.msg }
|
|
|
|
|
|
2019-03-15 15:59:47 +01:00
|
|
|
// Like with net.OpErr (Go issue 6163), a client failing to handshake
|
|
|
|
|
// should be a temporary Accept error toward the Listener .
|
|
|
|
|
func (e HandshakeError) Temporary() bool {
|
2019-03-22 19:41:12 +01:00
|
|
|
if e.isAcceptError {
|
2019-03-15 15:59:47 +01:00
|
|
|
return true
|
|
|
|
|
}
|
2019-03-22 19:41:12 +01:00
|
|
|
te, ok := e.IOError.(interface{ Temporary() bool })
|
2019-03-15 15:59:47 +01:00
|
|
|
return ok && te.Temporary()
|
|
|
|
|
}
|
2018-12-11 22:01:50 +01:00
|
|
|
|
|
|
|
|
// If the underlying IOError was net.Error.Timeout(), Timeout() returns that value.
|
|
|
|
|
// Otherwise false.
|
|
|
|
|
func (e HandshakeError) Timeout() bool {
|
|
|
|
|
if neterr, ok := e.IOError.(net.Error); ok {
|
|
|
|
|
return neterr.Timeout()
|
|
|
|
|
}
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-22 19:41:12 +01:00
|
|
|
func hsErr(format string, args ...interface{}) *HandshakeError {
|
2018-12-11 22:01:50 +01:00
|
|
|
return &HandshakeError{msg: fmt.Sprintf(format, args...)}
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-22 19:41:12 +01:00
|
|
|
func hsIOErr(err error, format string, args ...interface{}) *HandshakeError {
|
2018-12-11 22:01:50 +01:00
|
|
|
return &HandshakeError{IOError: err, msg: fmt.Sprintf(format, args...)}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// MaxProtocolVersion is the maximum allowed protocol version.
|
|
|
|
|
// This is a protocol constant, changing it may break the wire format.
|
|
|
|
|
const MaxProtocolVersion = 9999
|
|
|
|
|
|
|
|
|
|
// Only returns *HandshakeError as error.
|
|
|
|
|
func (m *HandshakeMessage) Encode() ([]byte, error) {
|
|
|
|
|
if m.ProtocolVersion <= 0 || m.ProtocolVersion > MaxProtocolVersion {
|
|
|
|
|
return nil, hsErr(fmt.Sprintf("protocol version must be in [1, %d]", MaxProtocolVersion))
|
|
|
|
|
}
|
|
|
|
|
if len(m.Extensions) >= MaxProtocolVersion {
|
|
|
|
|
return nil, hsErr(fmt.Sprintf("protocol only supports [0, %d] extensions", MaxProtocolVersion))
|
|
|
|
|
}
|
|
|
|
|
// EXTENSIONS is a count of subsequent \n separated lines that contain protocol extensions
|
|
|
|
|
var extensions strings.Builder
|
|
|
|
|
for i, ext := range m.Extensions {
|
|
|
|
|
if strings.ContainsAny(ext, "\n") {
|
|
|
|
|
return nil, hsErr("Extension #%d contains forbidden newline character", i)
|
|
|
|
|
}
|
|
|
|
|
if !utf8.ValidString(ext) {
|
|
|
|
|
return nil, hsErr("Extension #%d is not valid UTF-8", i)
|
|
|
|
|
}
|
|
|
|
|
extensions.WriteString(ext)
|
|
|
|
|
extensions.WriteString("\n")
|
|
|
|
|
}
|
|
|
|
|
withoutLen := fmt.Sprintf("ZREPL_ZFS_REPLICATION PROTOVERSION=%04d EXTENSIONS=%04d\n%s",
|
|
|
|
|
m.ProtocolVersion, len(m.Extensions), extensions.String())
|
|
|
|
|
withLen := fmt.Sprintf("%010d %s", len(withoutLen), withoutLen)
|
|
|
|
|
return []byte(withLen), nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (m *HandshakeMessage) DecodeReader(r io.Reader, maxLen int) error {
|
|
|
|
|
var lenAndSpace [11]byte
|
|
|
|
|
if _, err := io.ReadFull(r, lenAndSpace[:]); err != nil {
|
|
|
|
|
return hsIOErr(err, "error reading protocol banner length: %s", err)
|
|
|
|
|
}
|
|
|
|
|
if !utf8.Valid(lenAndSpace[:]) {
|
|
|
|
|
return hsErr("invalid start of handshake message: not valid UTF-8")
|
|
|
|
|
}
|
|
|
|
|
var followLen int
|
|
|
|
|
n, err := fmt.Sscanf(string(lenAndSpace[:]), "%010d ", &followLen)
|
|
|
|
|
if n != 1 || err != nil {
|
|
|
|
|
return hsErr("could not parse handshake message length")
|
|
|
|
|
}
|
|
|
|
|
if followLen > maxLen {
|
|
|
|
|
return hsErr("handshake message length exceeds max length (%d vs %d)",
|
|
|
|
|
followLen, maxLen)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var buf bytes.Buffer
|
|
|
|
|
_, err = io.Copy(&buf, io.LimitReader(r, int64(followLen)))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return hsIOErr(err, "error reading protocol banner body: %s", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var (
|
|
|
|
|
protoVersion, extensionCount int
|
|
|
|
|
)
|
|
|
|
|
n, err = fmt.Fscanf(&buf, "ZREPL_ZFS_REPLICATION PROTOVERSION=%04d EXTENSIONS=%4d\n",
|
|
|
|
|
&protoVersion, &extensionCount)
|
|
|
|
|
if n != 2 || err != nil {
|
|
|
|
|
return hsErr("could not parse handshake message: %s", err)
|
|
|
|
|
}
|
|
|
|
|
if protoVersion < 1 {
|
|
|
|
|
return hsErr("invalid protocol version %q", protoVersion)
|
|
|
|
|
}
|
|
|
|
|
m.ProtocolVersion = protoVersion
|
|
|
|
|
|
|
|
|
|
if extensionCount < 0 {
|
|
|
|
|
return hsErr("invalid extension count %q", extensionCount)
|
|
|
|
|
}
|
|
|
|
|
if extensionCount == 0 {
|
|
|
|
|
if buf.Len() != 0 {
|
|
|
|
|
return hsErr("unexpected data trailing after header")
|
|
|
|
|
}
|
|
|
|
|
m.Extensions = nil
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
s := buf.String()
|
|
|
|
|
if strings.Count(s, "\n") != extensionCount {
|
|
|
|
|
return hsErr("inconsistent extension count: found %d, header says %d", len(m.Extensions), extensionCount)
|
|
|
|
|
}
|
|
|
|
|
exts := strings.Split(s, "\n")
|
|
|
|
|
if exts[len(exts)-1] != "" {
|
|
|
|
|
return hsErr("unexpected data trailing after last extension newline")
|
|
|
|
|
}
|
2019-03-22 19:41:12 +01:00
|
|
|
m.Extensions = exts[0 : len(exts)-1]
|
2018-12-11 22:01:50 +01:00
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-15 15:59:47 +01:00
|
|
|
func DoHandshakeCurrentVersion(conn net.Conn, deadline time.Time) *HandshakeError {
|
2018-12-11 22:01:50 +01:00
|
|
|
// current protocol version is hardcoded here
|
new features: {resumable,encrypted,hold-protected} send-recv, last-received-hold
- **Resumable Send & Recv Support**
No knobs required, automatically used where supported.
- **Hold-Protected Send & Recv**
Automatic ZFS holds to ensure that we can always resume a replication step.
- **Encrypted Send & Recv Support** for OpenZFS native encryption.
Configurable at the job level, i.e., for all filesystems a job is responsible for.
- **Receive-side hold on last received dataset**
The counterpart to the replication cursor bookmark on the send-side.
Ensures that incremental replication will always be possible between a sender and receiver.
Design Doc
----------
`replication/design.md` doc describes how we use ZFS holds and bookmarks to ensure that a single replication step is always resumable.
The replication algorithm described in the design doc introduces the notion of job IDs (please read the details on this design doc).
We reuse the job names for job IDs and use `JobID` type to ensure that a job name can be embedded into hold tags, bookmark names, etc.
This might BREAK CONFIG on upgrade.
Protocol Version Bump
---------------------
This commit makes backwards-incompatible changes to the replication/pdu protobufs.
Thus, bump the version number used in the protocol handshake.
Replication Cursor Format Change
--------------------------------
The new replication cursor bookmark format is: `#zrepl_CURSOR_G_${this.GUID}_J_${jobid}`
Including the GUID enables transaction-safe moving-forward of the cursor.
Including the job id enables that multiple sending jobs can send the same filesystem without interfering.
The `zrepl migrate replication-cursor:v1-v2` subcommand can be used to safely destroy old-format cursors once zrepl has created new-format cursors.
Changes in This Commit
----------------------
- package zfs
- infrastructure for holds
- infrastructure for resume token decoding
- implement a variant of OpenZFS's `entity_namecheck` and use it for validation in new code
- ZFSSendArgs to specify a ZFS send operation
- validation code protects against malicious resume tokens by checking that the token encodes the same send parameters that the send-side would use if no resume token were available (i.e. same filesystem, `fromguid`, `toguid`)
- RecvOptions support for `recv -s` flag
- convert a bunch of ZFS operations to be idempotent
- achieved through more differentiated error message scraping / additional pre-/post-checks
- package replication/pdu
- add field for encryption to send request messages
- add fields for resume handling to send & recv request messages
- receive requests now contain `FilesystemVersion To` in addition to the filesystem into which the stream should be `recv`d into
- can use `zfs recv $root_fs/$client_id/path/to/dataset@${To.Name}`, which enables additional validation after recv (i.e. whether `To.Guid` matched what we received in the stream)
- used to set `last-received-hold`
- package replication/logic
- introduce `PlannerPolicy` struct, currently only used to configure whether encrypted sends should be requested from the sender
- integrate encryption and resume token support into `Step` struct
- package endpoint
- move the concepts that endpoint builds on top of ZFS to a single file `endpoint/endpoint_zfs.go`
- step-holds + step-bookmarks
- last-received-hold
- new replication cursor + old replication cursor compat code
- adjust `endpoint/endpoint.go` handlers for
- encryption
- resumability
- new replication cursor
- last-received-hold
- client subcommand `zrepl holds list`: list all holds and hold-like bookmarks that zrepl thinks belong to it
- client subcommand `zrepl migrate replication-cursor:v1-v2`
2019-09-11 17:19:17 +02:00
|
|
|
return DoHandshakeVersion(conn, deadline, 2)
|
2018-12-11 22:01:50 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const HandshakeMessageMaxLen = 16 * 4096
|
|
|
|
|
|
2019-03-22 20:45:27 +01:00
|
|
|
func DoHandshakeVersion(conn net.Conn, deadline time.Time, version int) (rErr *HandshakeError) {
|
2018-12-11 22:01:50 +01:00
|
|
|
ours := HandshakeMessage{
|
|
|
|
|
ProtocolVersion: version,
|
2019-03-22 19:41:12 +01:00
|
|
|
Extensions: nil,
|
2018-12-11 22:01:50 +01:00
|
|
|
}
|
|
|
|
|
hsb, err := ours.Encode()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return hsErr("could not encode protocol banner: %s", err)
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-22 20:45:27 +01:00
|
|
|
err = conn.SetDeadline(deadline)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return hsErr("could not set deadline for protocol banner handshake: %s", err)
|
|
|
|
|
}
|
|
|
|
|
defer func() {
|
|
|
|
|
if rErr != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
err := conn.SetDeadline(time.Time{})
|
|
|
|
|
if err != nil {
|
|
|
|
|
rErr = hsErr("could not reset deadline after protocol banner handshake: %s", err)
|
|
|
|
|
}
|
|
|
|
|
}()
|
2018-12-11 22:01:50 +01:00
|
|
|
_, err = io.Copy(conn, bytes.NewBuffer(hsb))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return hsErr("could not send protocol banner: %s", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
theirs := HandshakeMessage{}
|
|
|
|
|
if err := theirs.DecodeReader(conn, HandshakeMessageMaxLen); err != nil {
|
|
|
|
|
return hsErr("could not decode protocol banner: %s", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if theirs.ProtocolVersion != ours.ProtocolVersion {
|
|
|
|
|
return hsErr("protocol versions do not match: ours is %d, theirs is %d",
|
|
|
|
|
ours.ProtocolVersion, theirs.ProtocolVersion)
|
|
|
|
|
}
|
|
|
|
|
// ignore extensions, we don't use them
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|