locking: unify global lock for flock and lockd

There have been two file locks used to protect lvm
"global state": "ORPHANS" and "GLOBAL".

Commands that used the ORPHAN flock in exclusive mode:
  pvcreate, pvremove, vgcreate, vgextend, vgremove,
  vgcfgrestore

Commands that used the ORPHAN flock in shared mode:
  vgimportclone, pvs, pvscan, pvresize, pvmove,
  pvdisplay, pvchange, fullreport

Commands that used the GLOBAL flock in exclusive mode:
  pvchange, pvscan, vgimportclone, vgscan

Commands that used the GLOBAL flock in shared mode:
  pvscan --cache, pvs

The ORPHAN lock covers the important cases of serializing
the use of orphan PVs.  It also partially covers the
reporting of orphan PVs (although not correctly as
explained below.)

The GLOBAL lock doesn't seem to have a clear purpose
(it may have eroded over time.)

Neither lock correctly protects the VG namespace, or
orphan PV properties.

To simplify and correct these issues, the two separate
flocks are combined into the one GLOBAL flock, and this flock
is used from the locking sites that are in place for the
lvmlockd global lock.

The logic behind the lvmlockd (distributed) global lock is
that any command that changes "global state" needs to take
the global lock in ex mode.  Global state in lvm is: the list
of VG names, the set of orphan PVs, and any properties of
orphan PVs.  Reading this global state can use the global lock
in sh mode to ensure it doesn't change while being reported.

The locking of global state now looks like:

lockd_global()
  previously named lockd_gl(), acquires the distributed
  global lock through lvmlockd.  This is unchanged.
  It serializes distributed lvm commands that are changing
  global state.  This is a no-op when lvmlockd is not in use.

lockf_global()
  acquires an flock on a local file.  It serializes local lvm
  commands that are changing global state.

lock_global()
  first calls lockf_global() to acquire the local flock for
  global state, and if this succeeds, it calls lockd_global()
  to acquire the distributed lock for global state.

Replace instances of lockd_gl() with lock_global(), so that the
existing sites for lvmlockd global state locking are now also
used for local file locking of global state.  Remove the previous
file locking calls lock_vol(GLOBAL) and lock_vol(ORPHAN).

The following commands which change global state are now
serialized with the exclusive global flock:

pvchange (of orphan), pvresize (of orphan), pvcreate, pvremove,
vgcreate, vgextend, vgremove, vgreduce, vgrename,
vgcfgrestore, vgimportclone, vgmerge, vgsplit

Commands that use a shared flock to read global state (and will
be serialized against the prior list) are those that use
process_each functions that are based on processing a list of
all VG names, or all PVs.  The list of all VGs or all PVs is
global state and the shared lock prevents those lists from
changing while the command is processing them.

The ORPHAN lock previously attempted to produce an accurate
listing of orphan PVs, but it was only acquired at the end of
the command during the fake vg_read of the fake orphan vg.
This is not when orphan PVs were determined; they were
determined by elimination beforehand by processing all real
VGs, and subtracting the PVs in the real VGs from the list
of all PVs that had been identified during the initial scan.
This is fixed by holding the single global lock in shared mode
while processing all VGs to determine the list of orphan PVs.

1 files changed, 95 insertions, 5 deletions

diff --git a/lib/locking/locking.c b/lib/locking/locking.c
index a23b2725e..fd2b9750f 100644
--- a/lib/locking/locking.c
+++ b/lib/locking/locking.c
@@ -15,6 +15,7 @@
 
 #include "lib/misc/lib.h"
 #include "lib/locking/locking.h"
+#include "lib/locking/lvmlockd.h"
 #include "locking_types.h"
 #include "lib/misc/lvm-string.h"
 #include "lib/activate/activate.h"
@@ -185,13 +186,14 @@ int lock_vol(struct cmd_context *cmd, const char *vol, uint32_t flags, const str
 {
 	char resource[258] __attribute__((aligned(8)));
 	uint32_t lck_type = flags & LCK_TYPE_MASK;
+	int is_global = !strcmp(vol, VG_GLOBAL);
+
+	if (is_orphan_vg(vol))
+		return 1;
 
 	if (!_blocking_supported)
 		flags |= LCK_NONBLOCK;
 
-	if (is_orphan_vg(vol))
-		vol = VG_ORPHANS;
-
 	if (!dm_strncpy(resource, vol, sizeof(resource))) {
 		log_error(INTERNAL_ERROR "Resource name %s is too long.", vol);
 		return 0;
@@ -211,7 +213,7 @@ int lock_vol(struct cmd_context *cmd, const char *vol, uint32_t flags, const str
 		if (lck_type != LCK_WRITE)
 			goto out_hold;
 
-		if (cmd->is_activating && strcmp(vol, VG_GLOBAL))
+		if (cmd->is_activating && !is_global)
 			goto out_hold;
 
 		goto out_fail;
@@ -252,7 +254,7 @@ int lock_vol(struct cmd_context *cmd, const char *vol, uint32_t flags, const str
 	 * refuse write lock requests.
 	 */
 	if (cmd->metadata_read_only) {
-		if ((lck_type == LCK_WRITE) && strcmp(vol, VG_GLOBAL)) {
+		if (lck_type == LCK_WRITE) {
 			log_error("Operation prohibited while global/metadata_read_only is set.");
 			goto out_fail;
 		}
@@ -264,6 +266,9 @@ int lock_vol(struct cmd_context *cmd, const char *vol, uint32_t flags, const str
 		goto out_fail;
 
 out_hold:
+	if (is_global)
+		return 1;
+
 	/*
 	 * FIXME: other parts of the code want to check if a VG is
 	 * locked by looking in lvmcache.  They shouldn't need to
@@ -279,6 +284,8 @@ out_hold:
 	return 1;
 
 out_fail:
+	if (is_global)
+		return 0;
 	if (lck_type == LCK_UNLOCK)
 		_update_vg_lock_count(resource, flags);
 	return 0;
@@ -318,3 +325,86 @@ int sync_local_dev_names(struct cmd_context* cmd)
 	return 1;
 }
 
+/*
+ * The lockf_global_ex flag is used to prevent changing
+ * an explicitly acquired ex global lock to sh in process_each.
+ */
+
+static int _lockf_global(struct cmd_context *cmd, const char *mode, int convert)
+{
+	uint32_t flags = 0;
+	int ret;
+
+	if (convert)
+		flags |= LCK_CONVERT;
+
+	if (!strcmp(mode, "ex")) {
+		flags |= LCK_WRITE;
+
+		if (cmd->lockf_global_ex) {
+			log_warn("global flock already held ex");
+			return 1;
+		}
+
+		ret = lock_vol(cmd, VG_GLOBAL, flags, NULL);
+		if (ret)
+			cmd->lockf_global_ex = 1;
+
+	} else if (!strcmp(mode, "sh")) {
+		if (cmd->lockf_global_ex)
+			return 1;
+
+		flags |= LCK_READ;
+
+		ret = lock_vol(cmd, VG_GLOBAL, flags, NULL);
+
+	} else if (!strcmp(mode, "un")) {
+		ret = lock_vol(cmd, VG_GLOBAL, LCK_UNLOCK, NULL);
+		cmd->lockf_global_ex = 0;
+	}
+
+	return ret;
+}
+
+int lockf_global(struct cmd_context *cmd, const char *mode)
+{
+	return _lockf_global(cmd, mode, 0);
+}
+
+int lockf_global_convert(struct cmd_context *cmd, const char *mode)
+{
+	return _lockf_global(cmd, mode, 1);
+}
+
+int lock_global(struct cmd_context *cmd, const char *mode)
+{
+	if (!lockf_global(cmd, mode))
+		return 0;
+
+	if (!lockd_global(cmd, mode)) {
+		lockf_global(cmd, "un");
+		return 0;
+	}
+
+	return 1;
+}
+
+/*
+ * The global lock is already held, convert it to another mode.
+ *
+ * Currently only used for sh->ex.
+ *
+ * (The lockf_global_ex flag would need overriding
+ * to handle ex->sh.)
+ */
+
+int lock_global_convert(struct cmd_context *cmd, const char *mode)
+{
+	if (!lockf_global_convert(cmd, mode))
+		return 0;
+
+	if (!lockd_global(cmd, mode))
+		return 0;
+
+	return 1;
+}