mirror of
https://github.com/trapexit/mergerfs.git
synced 2024-11-26 02:09:52 +08:00
829 lines
26 KiB
Groff
829 lines
26 KiB
Groff
.\"t
|
|
.TH "mergerfs" "1" "2016\-01\-21" "mergerfs user manual" ""
|
|
.SH NAME
|
|
.PP
|
|
mergerfs \- another (FUSE based) union filesystem
|
|
.SH SYNOPSIS
|
|
.PP
|
|
mergerfs \-o<options> <srcmounts> <mountpoint>
|
|
.SH DESCRIPTION
|
|
.PP
|
|
\f[B]mergerfs\f[] is a union filesystem geared towards simplifing
|
|
storage and management of files across numerous commodity storage
|
|
devices.
|
|
It is similar to \f[B]mhddfs\f[], \f[B]unionfs\f[], and \f[B]aufs\f[].
|
|
.SH FEATURES
|
|
.IP \[bu] 2
|
|
Runs in userspace (FUSE)
|
|
.IP \[bu] 2
|
|
Configurable behaviors
|
|
.IP \[bu] 2
|
|
Support for extended attributes (xattrs)
|
|
.IP \[bu] 2
|
|
Support for file attributes (chattr)
|
|
.IP \[bu] 2
|
|
Runtime configurable (via xattrs)
|
|
.IP \[bu] 2
|
|
Safe to run as root
|
|
.IP \[bu] 2
|
|
Opportunistic credential caching
|
|
.IP \[bu] 2
|
|
Works with heterogeneous filesystem types
|
|
.IP \[bu] 2
|
|
Handling of writes to full drives
|
|
.SH OPTIONS
|
|
.SS options
|
|
.IP \[bu] 2
|
|
\f[B]defaults\f[]: a shortcut for FUSE\[aq]s \f[B]atomic_o_trunc\f[],
|
|
\f[B]auto_cache\f[], \f[B]big_writes\f[], \f[B]default_permissions\f[],
|
|
\f[B]splice_move\f[], \f[B]splice_read\f[], and \f[B]splice_write\f[].
|
|
These options seem to provide the best performance.
|
|
.IP \[bu] 2
|
|
\f[B]direct_io\f[]: causes FUSE to bypass an addition caching step which
|
|
can increase write speeds at the detriment of read speed.
|
|
.IP \[bu] 2
|
|
\f[B]minfreespace\f[]: the minimum space value used for the
|
|
\f[B]lfs\f[], \f[B]fwfs\f[], and \f[B]epmfs\f[] policies.
|
|
Understands \[aq]K\[aq], \[aq]M\[aq], and \[aq]G\[aq] to represent
|
|
kilobyte, megabyte, and gigabyte respectively.
|
|
(default: 4G)
|
|
.IP \[bu] 2
|
|
\f[B]moveonenospc\f[]: when enabled (set to \f[B]true\f[]) if a
|
|
\f[B]write\f[] fails with \f[B]ENOSPC\f[] a scan of all drives will be
|
|
done looking for the drive with most free space which is at least the
|
|
size of the file plus the amount which failed to write.
|
|
An attempt to move the file to that drive will occur (keeping all
|
|
metadata possible) and if successful the original is unlinked and the
|
|
write retried.
|
|
(default: false)
|
|
.IP \[bu] 2
|
|
\f[B]func.<func>=<policy>\f[]: sets the specific FUSE function\[aq]s
|
|
policy.
|
|
See below for the list of value types.
|
|
Example: \f[B]func.getattr=newest\f[]
|
|
.IP \[bu] 2
|
|
\f[B]category.<category>=<policy>\f[]: Sets policy of all FUSE functions
|
|
in the provided category.
|
|
Example: \f[B]category.create=mfs\f[]
|
|
.PP
|
|
\f[B]NOTE:\f[] Options are evaluated in the order listed so if the
|
|
options are \f[B]func.rmdir=rand,category.action=ff\f[] the
|
|
\f[B]action\f[] category setting will override the \f[B]rmdir\f[]
|
|
setting.
|
|
.SS srcmounts
|
|
.PP
|
|
The source mounts argument is a colon (\[aq]:\[aq]) delimited list of
|
|
paths.
|
|
To make it simpler to include multiple source mounts without having to
|
|
modify your fstab (http://linux.die.net/man/5/fstab) we also support
|
|
globbing (http://linux.die.net/man/7/glob).
|
|
\f[B]The globbing tokens MUST be escaped when using via the shell else
|
|
the shell itself will probably expand it.\f[]
|
|
.IP
|
|
.nf
|
|
\f[C]
|
|
$\ mergerfs\ /mnt/disk\\*:/mnt/cdrom\ /media/drives
|
|
\f[]
|
|
.fi
|
|
.PP
|
|
The above line will use all mount points in /mnt prefixed with
|
|
\f[I]disk\f[] and the directory \f[I]cdrom\f[].
|
|
.PP
|
|
In /etc/fstab it\[aq]d look like the following:
|
|
.IP
|
|
.nf
|
|
\f[C]
|
|
#\ <file\ system>\ \ \ \ \ \ \ \ <mount\ point>\ \ <type>\ \ \ \ \ \ \ \ \ <options>\ \ \ \ \ \ \ \ \ \ \ \ \ <dump>\ \ <pass>
|
|
/mnt/disk*:/mnt/cdrom\ \ /media/drives\ \ fuse.mergerfs\ \ defaults,allow_other\ \ 0\ \ \ \ \ \ \ 0
|
|
\f[]
|
|
.fi
|
|
.PP
|
|
\f[B]NOTE:\f[] the globbing is done at mount or xattr update time.
|
|
If a new directory is added matching the glob after the fact it will not
|
|
be included.
|
|
.SH POLICIES
|
|
.PP
|
|
Filesystem calls are broken up into 3 categories: \f[B]action\f[],
|
|
\f[B]create\f[], \f[B]search\f[].
|
|
There are also some calls which have no policy attached due to state
|
|
being kept between calls.
|
|
These categories can be assigned a policy which dictates how
|
|
\f[B]mergerfs\f[] behaves.
|
|
Any policy can be assigned to a category though some aren\[aq]t terribly
|
|
practical.
|
|
For instance: \f[B]rand\f[] (Random) may be useful for \f[B]create\f[]
|
|
but could lead to very odd behavior if used for \f[B]search\f[].
|
|
.SS Functional classifications
|
|
.PP
|
|
.TS
|
|
tab(@);
|
|
l l.
|
|
T{
|
|
Category
|
|
T}@T{
|
|
FUSE Functions
|
|
T}
|
|
_
|
|
T{
|
|
action
|
|
T}@T{
|
|
chmod, chown, link, removexattr, rename, rmdir, setxattr, truncate,
|
|
unlink, utimens
|
|
T}
|
|
T{
|
|
create
|
|
T}@T{
|
|
create, mkdir, mknod, symlink
|
|
T}
|
|
T{
|
|
search
|
|
T}@T{
|
|
access, getattr, getxattr, ioctl, listxattr, open, readlink
|
|
T}
|
|
T{
|
|
N/A
|
|
T}@T{
|
|
fallocate, fgetattr, fsync, ftruncate, ioctl, read, readdir, release,
|
|
statfs, write
|
|
T}
|
|
.TE
|
|
.PP
|
|
\f[B]ioctl\f[] behaves differently if its acting on a directory.
|
|
It\[aq]ll use the \f[B]getattr\f[] policy to find and open the directory
|
|
before issuing the \f[B]ioctl\f[].
|
|
In other cases where something may be searched (to confirm a directory
|
|
exists across all source mounts) then \f[B]getattr\f[] will be used.
|
|
.SS Policy descriptions
|
|
.PP
|
|
.TS
|
|
tab(@);
|
|
l l.
|
|
T{
|
|
Policy
|
|
T}@T{
|
|
Description
|
|
T}
|
|
_
|
|
T{
|
|
ff (first found)
|
|
T}@T{
|
|
Given the order of the drives act on the first one found (regardless if
|
|
stat would return EACCES).
|
|
T}
|
|
T{
|
|
ffwp (first found w/ permissions)
|
|
T}@T{
|
|
Given the order of the drives act on the first one found which you have
|
|
access (stat does not error with EACCES).
|
|
T}
|
|
T{
|
|
newest (newest file)
|
|
T}@T{
|
|
If multiple files exist return the one with the most recent mtime.
|
|
T}
|
|
T{
|
|
mfs (most free space)
|
|
T}@T{
|
|
Use the drive with the most free space available.
|
|
T}
|
|
T{
|
|
epmfs (existing path, most free space)
|
|
T}@T{
|
|
If the path exists on multiple drives use the one with the most free
|
|
space and is greater than \f[B]minfreespace\f[].
|
|
If no drive has at least \f[B]minfreespace\f[] then fallback to
|
|
\f[B]mfs\f[].
|
|
T}
|
|
T{
|
|
fwfs (first with free space)
|
|
T}@T{
|
|
Pick the first drive which has at least \f[B]minfreespace\f[].
|
|
T}
|
|
T{
|
|
lfs (least free space)
|
|
T}@T{
|
|
Pick the drive with least available space but more than
|
|
\f[B]minfreespace\f[].
|
|
T}
|
|
T{
|
|
rand (random)
|
|
T}@T{
|
|
Pick an existing drive at random.
|
|
T}
|
|
T{
|
|
all
|
|
T}@T{
|
|
Applies action to all found.
|
|
For searches it will behave like first found \f[B]ff\f[].
|
|
T}
|
|
T{
|
|
enosys, einval, enotsup, exdev, erofs
|
|
T}@T{
|
|
Exclusively return \f[C]\-1\f[] with \f[C]errno\f[] set to the
|
|
respective value.
|
|
Useful for debugging other applications\[aq] behavior to errors.
|
|
T}
|
|
.TE
|
|
.SS Defaults
|
|
.PP
|
|
.TS
|
|
tab(@);
|
|
l l.
|
|
T{
|
|
Category
|
|
T}@T{
|
|
Policy
|
|
T}
|
|
_
|
|
T{
|
|
action
|
|
T}@T{
|
|
all
|
|
T}
|
|
T{
|
|
create
|
|
T}@T{
|
|
epmfs
|
|
T}
|
|
T{
|
|
search
|
|
T}@T{
|
|
ff
|
|
T}
|
|
.TE
|
|
.SS rename & link
|
|
.PP
|
|
rename (http://man7.org/linux/man-pages/man2/rename.2.html) is a tricky
|
|
function in a merged system.
|
|
Normally if a rename can\[aq]t be done atomically due to the source and
|
|
destination paths existing on different mount points it will return
|
|
\f[C]\-1\f[] with \f[C]errno\ =\ EXDEV\f[].
|
|
The atomic rename is most critical for replacing files in place
|
|
atomically (such as securing writing to a temp file and then replacing a
|
|
target).
|
|
The problem is that by merging multiple paths you can have N instances
|
|
of the source and destinations on different drives.
|
|
This can lead to several undesirable situtations with or without errors
|
|
and it\[aq]s not entirely obvious what to do when an error occurs.
|
|
.PP
|
|
Originally mergerfs would return EXDEV whenever a rename was requested
|
|
which was cross directory in any way.
|
|
This made the code simple and was technically complient with POSIX
|
|
requirements.
|
|
However, many applications fail to handle EXDEV at all and treat it as a
|
|
normal error or they only partially support EXDEV (don\[aq]t respond the
|
|
same as \f[C]mv\f[] would).
|
|
Such apps include: gvfsd\-fuse v1.20.3 and prior, Finder / CIFS/SMB
|
|
client in Apple OSX 10.9+, NZBGet, Samba\[aq]s recycling bin feature.
|
|
.IP \[bu] 2
|
|
If using a policy which tries to preserve directories (epmfs)
|
|
.IP \[bu] 2
|
|
Using the \f[C]rename\f[] policy get the list of files to rename
|
|
.IP \[bu] 2
|
|
For each file attempt rename:
|
|
.RS 2
|
|
.IP \[bu] 2
|
|
If failure with ENOENT run \f[C]create\f[] policy
|
|
.IP \[bu] 2
|
|
If create policy returns the same drive as currently evaluating then
|
|
clone the path
|
|
.IP \[bu] 2
|
|
Re\-attempt rename
|
|
.RE
|
|
.IP \[bu] 2
|
|
If \f[B]any\f[] of the renames succeed the higher level rename is
|
|
considered a success
|
|
.IP \[bu] 2
|
|
If \f[B]no\f[] renames succeed the first error encountered will be
|
|
returned
|
|
.IP \[bu] 2
|
|
On success:
|
|
.RS 2
|
|
.IP \[bu] 2
|
|
Remove the target from all drives with no source file
|
|
.IP \[bu] 2
|
|
Remove the source from all drives which failed to rename
|
|
.RE
|
|
.IP \[bu] 2
|
|
If using a policy which does \f[B]not\f[] try to preserve directories
|
|
.IP \[bu] 2
|
|
Using the \f[C]rename\f[] policy get the list of files to rename
|
|
.IP \[bu] 2
|
|
Using the \f[C]getattr\f[] policy get the target path
|
|
.IP \[bu] 2
|
|
For each file attempt rename:
|
|
.RS 2
|
|
.IP \[bu] 2
|
|
If the source drive != target drive:
|
|
.IP \[bu] 2
|
|
Clone target path from target drive to source drive
|
|
.IP \[bu] 2
|
|
Rename
|
|
.RE
|
|
.IP \[bu] 2
|
|
If \f[B]any\f[] of the renames succeed the higher level rename is
|
|
considered a success
|
|
.IP \[bu] 2
|
|
If \f[B]no\f[] renames succeed the first error encountered will be
|
|
returned
|
|
.IP \[bu] 2
|
|
On success:
|
|
.RS 2
|
|
.IP \[bu] 2
|
|
Remove the target from all drives with no source file
|
|
.IP \[bu] 2
|
|
Remove the source from all drives which failed to rename
|
|
.RE
|
|
.PP
|
|
The the removals are subject to normal entitlement checks.
|
|
.PP
|
|
The above behavior will help minimize the likelihood of EXDEV being
|
|
returned but it will still be possible.
|
|
To remove the possibility all together mergerfs would need to perform
|
|
the as \f[C]mv\f[] does when it receives EXDEV normally.
|
|
.PP
|
|
\f[C]link\f[] uses the same basic strategy.
|
|
.SS readdir
|
|
.PP
|
|
readdir (http://linux.die.net/man/3/readdir) is different from all other
|
|
filesystem functions.
|
|
It certainly could have it\[aq]s own set of policies to tweak its
|
|
behavior.
|
|
At this time it provides a simple \f[B]first found\f[] merging of
|
|
directories and files found.
|
|
That is: only the first file or directory found for a directory is
|
|
returned.
|
|
Given how FUSE works though the data representing the returned entry
|
|
comes from \f[B]getattr\f[].
|
|
.PP
|
|
It could be extended to offer the ability to see all files found.
|
|
Perhaps concatenating \f[B]#\f[] and a number to the name.
|
|
But to really be useful you\[aq]d need to be able to access them which
|
|
would complicate file lookup.
|
|
.SS statvfs
|
|
.PP
|
|
statvfs (http://linux.die.net/man/2/statvfs) normalizes the source
|
|
drives based on the fragment size and sums the number of adjusted blocks
|
|
and inodes.
|
|
This means you will see the combined space of all sources.
|
|
Total, used, and free.
|
|
The sources however are dedupped based on the drive so multiple mount
|
|
points on the same drive will not result in double counting it\[aq]s
|
|
space.
|
|
It is possible due to a race condition that the same drive could be
|
|
double counted but it\[aq]s rather unlikely.
|
|
.SH BUILDING
|
|
.PP
|
|
\f[B]NOTE:\f[] Prebuilt packages can be found at:
|
|
https://github.com/trapexit/mergerfs/releases
|
|
.PP
|
|
First get the code from github (http://github.com/trapexit/mergerfs).
|
|
.IP
|
|
.nf
|
|
\f[C]
|
|
$\ git\ clone\ https://github.com/trapexit/mergerfs.git
|
|
$\ #\ or
|
|
$\ wget\ https://github.com/trapexit/mergerfs/archive/master.zip
|
|
\f[]
|
|
.fi
|
|
.SS Debian / Ubuntu
|
|
.IP
|
|
.nf
|
|
\f[C]
|
|
$\ sudo\ apt\-get\ install\ g++\ pkg\-config\ git\ git\-buildpackage\ pandoc\ debhelper\ libfuse\-dev\ libattr1\-dev\ python
|
|
$\ cd\ mergerfs
|
|
$\ make\ deb
|
|
$\ sudo\ dpkg\ \-i\ ../mergerfs_version_arch.deb
|
|
\f[]
|
|
.fi
|
|
.SS Fedora
|
|
.IP
|
|
.nf
|
|
\f[C]
|
|
$\ su\ \-
|
|
#\ dnf\ install\ rpm\-build\ fuse\-devel\ libattr\-devel\ pandoc\ gcc\-c++\ git\ make\ which\ python
|
|
#\ cd\ mergerfs
|
|
#\ make\ rpm
|
|
#\ rpm\ \-i\ rpmbuild/RPMS/<arch>/mergerfs\-<verion>.<arch>.rpm
|
|
\f[]
|
|
.fi
|
|
.SS Generically
|
|
.PP
|
|
Have git, python, pkg\-config, pandoc, libfuse, libattr1 installed.
|
|
.IP
|
|
.nf
|
|
\f[C]
|
|
$\ cd\ mergerfs
|
|
$\ make
|
|
$\ make\ man
|
|
$\ sudo\ make\ install
|
|
\f[]
|
|
.fi
|
|
.SH RUNTIME
|
|
.SS \&.mergerfs pseudo file
|
|
.IP
|
|
.nf
|
|
\f[C]
|
|
<mountpoint>/.mergerfs
|
|
\f[]
|
|
.fi
|
|
.PP
|
|
There is a pseudo file available at the mount point which allows for the
|
|
runtime modification of certain \f[B]mergerfs\f[] options.
|
|
The file will not show up in \f[B]readdir\f[] but can be
|
|
\f[B]stat\f[]\[aq]ed and manipulated via
|
|
{list,get,set}xattrs (http://linux.die.net/man/2/listxattr) calls.
|
|
.PP
|
|
Even if xattrs are disabled the
|
|
{list,get,set}xattrs (http://linux.die.net/man/2/listxattr) calls will
|
|
still work.
|
|
.SS Keys
|
|
.PP
|
|
Use \f[C]xattr\ \-l\ /mount/point/.mergerfs\f[] to see all supported
|
|
keys.
|
|
.SS Example
|
|
.IP
|
|
.nf
|
|
\f[C]
|
|
[trapexit:/tmp/mount]\ $\ xattr\ \-l\ .mergerfs
|
|
user.mergerfs.srcmounts:\ /tmp/a:/tmp/b
|
|
user.mergerfs.minfreespace:\ 4294967295
|
|
user.mergerfs.moveonenospc:\ false
|
|
user.mergerfs.policies:\ all,einval,enosys,enotsup,epmfs,erofs,exdev,ff,ffwp,fwfs,lfs,mfs,newest,rand
|
|
user.mergerfs.version:\ x.y.z
|
|
user.mergerfs.category.action:\ all
|
|
user.mergerfs.category.create:\ epmfs
|
|
user.mergerfs.category.search:\ ff
|
|
user.mergerfs.func.access:\ ff
|
|
user.mergerfs.func.chmod:\ all
|
|
user.mergerfs.func.chown:\ all
|
|
user.mergerfs.func.create:\ epmfs
|
|
user.mergerfs.func.getattr:\ ff
|
|
user.mergerfs.func.getxattr:\ ff
|
|
user.mergerfs.func.link:\ all
|
|
user.mergerfs.func.listxattr:\ ff
|
|
user.mergerfs.func.mkdir:\ epmfs
|
|
user.mergerfs.func.mknod:\ epmfs
|
|
user.mergerfs.func.open:\ ff
|
|
user.mergerfs.func.readlink:\ ff
|
|
user.mergerfs.func.removexattr:\ all
|
|
user.mergerfs.func.rename:\ all
|
|
user.mergerfs.func.rmdir:\ all
|
|
user.mergerfs.func.setxattr:\ all
|
|
user.mergerfs.func.symlink:\ epmfs
|
|
user.mergerfs.func.truncate:\ all
|
|
user.mergerfs.func.unlink:\ all
|
|
user.mergerfs.func.utimens:\ all
|
|
|
|
[trapexit:/tmp/mount]\ $\ xattr\ \-p\ user.mergerfs.category.search\ .mergerfs
|
|
ff
|
|
|
|
[trapexit:/tmp/mount]\ $\ xattr\ \-w\ user.mergerfs.category.search\ ffwp\ .mergerfs
|
|
[trapexit:/tmp/mount]\ $\ xattr\ \-p\ user.mergerfs.category.search\ .mergerfs
|
|
ffwp
|
|
|
|
[trapexit:/tmp/mount]\ $\ xattr\ \-w\ user.mergerfs.srcmounts\ +/tmp/c\ .mergerfs
|
|
[trapexit:/tmp/mount]\ $\ xattr\ \-p\ user.mergerfs.srcmounts\ .mergerfs
|
|
/tmp/a:/tmp/b:/tmp/c
|
|
|
|
[trapexit:/tmp/mount]\ $\ xattr\ \-w\ user.mergerfs.srcmounts\ =/tmp/c\ .mergerfs
|
|
[trapexit:/tmp/mount]\ $\ xattr\ \-p\ user.mergerfs.srcmounts\ .mergerfs
|
|
/tmp/c
|
|
|
|
[trapexit:/tmp/mount]\ $\ xattr\ \-w\ user.mergerfs.srcmounts\ \[aq]+</tmp/a:/tmp/b\[aq]\ .mergerfs
|
|
[trapexit:/tmp/mount]\ $\ xattr\ \-p\ user.mergerfs.srcmounts\ .mergerfs
|
|
/tmp/a:/tmp/b:/tmp/c
|
|
\f[]
|
|
.fi
|
|
.SS user.mergerfs.srcmounts
|
|
.PP
|
|
For \f[B]user.mergerfs.srcmounts\f[] there are several instructions
|
|
available for manipulating the list.
|
|
The value provided is just as the value used at mount time.
|
|
A colon (\[aq]:\[aq]) delimited list of full path globs.
|
|
.PP
|
|
.TS
|
|
tab(@);
|
|
l l.
|
|
T{
|
|
Instruction
|
|
T}@T{
|
|
Description
|
|
T}
|
|
_
|
|
T{
|
|
[list]
|
|
T}@T{
|
|
set
|
|
T}
|
|
T{
|
|
+<[list]
|
|
T}@T{
|
|
prepend
|
|
T}
|
|
T{
|
|
+>[list]
|
|
T}@T{
|
|
append
|
|
T}
|
|
T{
|
|
\-[list]
|
|
T}@T{
|
|
remove all values provided
|
|
T}
|
|
T{
|
|
\-<
|
|
T}@T{
|
|
remove first in list
|
|
T}
|
|
T{
|
|
\->
|
|
T}@T{
|
|
remove last in list
|
|
T}
|
|
.TE
|
|
.SS minfreespace
|
|
.PP
|
|
Input: interger with an optional multiplier suffix.
|
|
\f[B]K\f[], \f[B]M\f[], or \f[B]G\f[].
|
|
.PP
|
|
Output: value in bytes
|
|
.SS moveonenospc
|
|
.PP
|
|
Input: \f[B]true\f[] and \f[B]false\f[]
|
|
.PP
|
|
Ouput: \f[B]true\f[] or \f[B]false\f[]
|
|
.SS categories / funcs
|
|
.PP
|
|
Input: short policy string as described elsewhere in this document
|
|
.PP
|
|
Output: the policy string except for categories where its funcs have
|
|
multiple types.
|
|
In that case it will be a comma separated list.
|
|
.SS mergerfs file xattrs
|
|
.PP
|
|
While they won\[aq]t show up when using
|
|
listxattr (http://linux.die.net/man/2/listxattr) \f[B]mergerfs\f[]
|
|
offers a number of special xattrs to query information about the files
|
|
served.
|
|
To access the values you will need to issue a
|
|
getxattr (http://linux.die.net/man/2/getxattr) for one of the following:
|
|
.IP \[bu] 2
|
|
\f[B]user.mergerfs.basepath:\f[] the base mount point for the file given
|
|
the current getattr policy
|
|
.IP \[bu] 2
|
|
\f[B]user.mergerfs.relpath:\f[] the relative path of the file from the
|
|
perspective of the mount point
|
|
.IP \[bu] 2
|
|
\f[B]user.mergerfs.fullpath:\f[] the full path of the original file
|
|
given the getattr policy
|
|
.IP \[bu] 2
|
|
\f[B]user.mergerfs.allpaths:\f[] a NUL (\[aq]\[aq]) separated list of
|
|
full paths to all files found
|
|
.IP
|
|
.nf
|
|
\f[C]
|
|
[trapexit:/tmp/mount]\ $\ ls
|
|
A\ B\ C
|
|
[trapexit:/tmp/mount]\ $\ xattr\ \-p\ user.mergerfs.fullpath\ A
|
|
/mnt/a/full/path/to/A
|
|
[trapexit:/tmp/mount]\ $\ xattr\ \-p\ user.mergerfs.basepath\ A
|
|
/mnt/a
|
|
[trapexit:/tmp/mount]\ $\ xattr\ \-p\ user.mergerfs.relpath\ A
|
|
/full/path/to/A
|
|
[trapexit:/tmp/mount]\ $\ xattr\ \-p\ user.mergerfs.allpaths\ A\ |\ tr\ \[aq]\\0\[aq]\ \[aq]\\n\[aq]
|
|
/mnt/a/full/path/to/A
|
|
/mnt/b/full/path/to/A
|
|
\f[]
|
|
.fi
|
|
.SH TOOLING
|
|
.PP
|
|
Find extra tooling to help with managing \f[C]mergerfs\f[] at:
|
|
https://github.com/trapexit/mergerfs\-tools
|
|
.IP \[bu] 2
|
|
fsck.mergerfs: Provides permissions and ownership auditing and the
|
|
ability to fix them
|
|
.SH TIPS / NOTES
|
|
.IP \[bu] 2
|
|
If you don\[aq]t see some directories / files you expect in a merged
|
|
point be sure the user has permission to all the underlying directories.
|
|
If \f[C]/drive0/a\f[] has is owned by \f[C]root:root\f[] with ACLs set
|
|
to \f[C]0700\f[] and \f[C]/drive1/a\f[] is \f[C]root:root\f[] and
|
|
\f[C]0755\f[] you\[aq]ll see only \f[C]/drive1/a\f[].
|
|
Use \f[C]fsck.mergerfs\f[] to audit the drive for out of sync
|
|
permissions.
|
|
.IP \[bu] 2
|
|
Since POSIX gives you only error or success on calls its difficult to
|
|
determine the proper behavior when applying the behavior to multiple
|
|
targets.
|
|
\f[B]mergerfs\f[] will return an error only if all attempts of an action
|
|
fail.
|
|
Any success will lead to a success returned.
|
|
.IP \[bu] 2
|
|
The recommended options are \f[B]defaults,allow_other\f[].
|
|
The \f[B]allow_other\f[] is to allow users who are not the one which
|
|
executed mergerfs access to the mountpoint.
|
|
\f[B]defaults\f[] is described above and should offer the best
|
|
performance.
|
|
It\[aq]s possible that if you\[aq]re running on an older platform the
|
|
\f[B]splice\f[] features aren\[aq]t available and could error.
|
|
In that case simply use the other options manually.
|
|
.IP \[bu] 2
|
|
If write performance is valued more than read it may be useful to enable
|
|
\f[B]direct_io\f[].
|
|
Best to benchmark with and without and choose appropriately.
|
|
.IP \[bu] 2
|
|
Remember: some policies mixed with some functions may result in strange
|
|
behaviors.
|
|
Not that some of these behaviors and race conditions couldn\[aq]t happen
|
|
outside \f[B]mergerfs\f[] but that they are far more likely to occur on
|
|
account of attempt to merge together multiple sources of data which
|
|
could be out of sync due to the different policies.
|
|
.IP \[bu] 2
|
|
An example: Kodi (http://kodi.tv) and Plex (http://plex.tv) can use
|
|
directory mtime (http://linux.die.net/man/2/stat) to more efficiently
|
|
determine whether to scan for new content rather than simply performing
|
|
a full scan.
|
|
If using the current default \f[B]getattr\f[] policy of \f[B]ff\f[] its
|
|
possible \f[B]Kodi\f[] will miss an update on account of it returning
|
|
the first directory found\[aq]s \f[B]stat\f[] info and its a later
|
|
directory on another mount which had the \f[B]mtime\f[] recently
|
|
updated.
|
|
To fix this you will want to set \f[B]func.getattr=newest\f[].
|
|
Remember though that this is just \f[B]stat\f[].
|
|
If the file is later \f[B]open\f[]\[aq]ed or \f[B]unlink\f[]\[aq]ed and
|
|
the policy is different for those then a completely different file or
|
|
directory could be acted on.
|
|
.IP \[bu] 2
|
|
Due to previously mentioned issues its generally best to set
|
|
\f[B]category\f[] wide policies rather than individual
|
|
\f[B]func\f[]\[aq]s.
|
|
This will help limit the confusion of tools such as
|
|
rsync (http://linux.die.net/man/1/rsync).
|
|
.SH Known Issues / Bugs
|
|
.SS Samba
|
|
.IP \[bu] 2
|
|
Moving files or directories between some directories on a SMB share fail
|
|
with IO errors.
|
|
.RS 2
|
|
.PP
|
|
Workaround: Copy the file/directory and then remove the original rather
|
|
than move.
|
|
.PP
|
|
This isn\[aq]t an issue with Samba but some SMB clients.
|
|
GVFS\-fuse v1.20.3 and prior (found in Ubuntu 14.04 among others) failed
|
|
to handle certain error codes correctly.
|
|
Particularly \f[B]STATUS_NOT_SAME_DEVICE\f[] which comes from the
|
|
\f[B]EXDEV\f[] which is returned by \f[B]rename\f[] when the call is
|
|
crossing mount points.
|
|
When a program gets an \f[B]EXDEV\f[] it needs to explicitly take an
|
|
alternate action to accomplish it\[aq]s goal.
|
|
In the case of \f[B]mv\f[] or similar it tries \f[B]rename\f[] and on
|
|
\f[B]EXDEV\f[] falls back to a manual copying of data between the two
|
|
locations and unlinking the source.
|
|
In these older versions of GVFS\-fuse if it received \f[B]EXDEV\f[] it
|
|
would translate that into \f[B]EIO\f[].
|
|
This would cause \f[B]mv\f[] or most any application attempting to move
|
|
files around on that SMB share to fail with a IO error.
|
|
.PP
|
|
GVFS\-fuse v1.22.0 (https://bugzilla.gnome.org/show_bug.cgi?id=734568)
|
|
and above fixed this issue but a large number of systems use the older
|
|
release.
|
|
On Ubuntu the version can be checked by issuing
|
|
\f[C]apt\-cache\ showpkg\ gvfs\-fuse\f[].
|
|
Most distros released in 2015 seem to have the updated release and will
|
|
work fine but older systems may not.
|
|
Upgrading gvfs\-fuse or the distro in general will address the problem.
|
|
.PP
|
|
In Apple\[aq]s MacOSX 10.9 they replaced Samba (client and server) with
|
|
their own product.
|
|
It appears their new client does not handle \f[B]EXDEV\f[] either and
|
|
responds similar to older release of gvfs on Linux.
|
|
.RE
|
|
.SS Supplemental groups
|
|
.IP \[bu] 2
|
|
Due to the overhead of
|
|
getgroups/setgroups (http://linux.die.net/man/2/setgroups) mergerfs
|
|
utilizes a cache.
|
|
This cache is opportunistic and per thread.
|
|
Each thread will query the supplemental groups for a user when that
|
|
particular thread needs to change credentials and will keep that data
|
|
for the lifetime of the mount or thread.
|
|
This means that if a user is added to a group it may not be picked up
|
|
without the restart of mergerfs.
|
|
However, since the high level FUSE API\[aq]s (at least the standard
|
|
version) thread pool dynamically grows and shrinks it\[aq]s possible
|
|
that over time a thread will be killed and later a new thread with no
|
|
cache will start and query the new data.
|
|
.RS 2
|
|
.PP
|
|
The gid cache uses fixed storage to simplify the design and be
|
|
compatible with older systems which may not have C++11 compilers (as the
|
|
original design required).
|
|
There is enough storage for 256 users\[aq] supplemental groups.
|
|
Each user is allowed upto 32 supplemental groups.
|
|
Linux >= 2.6.3 allows upto 65535 groups per user but most other *nixs
|
|
allow far less.
|
|
NFS allowing only 16.
|
|
The system does handle overflow gracefully.
|
|
If the user has more than 32 supplemental groups only the first 32 will
|
|
be used.
|
|
If more than 256 users are using the system when an uncached user is
|
|
found it will evict an existing user\[aq]s cache at random.
|
|
So long as there aren\[aq]t more than 256 active users this should be
|
|
fine.
|
|
If either value is too low for your needs you will have to modify
|
|
\f[C]gidcache.hpp\f[] to increase the values.
|
|
Note that doing so will increase the memory needed by each thread.
|
|
.RE
|
|
.SH FAQ
|
|
.PP
|
|
\f[I]It\[aq]s mentioned that there are some security issues with mhddfs.
|
|
What are they? How does mergerfs address them?\f[]
|
|
.PP
|
|
mhddfs (https://github.com/trapexit/mhddfs) tries to handle being run as
|
|
\f[B]root\f[] by calling
|
|
getuid() (https://github.com/trapexit/mhddfs/blob/cae96e6251dd91e2bdc24800b4a18a74044f6672/src/main.c#L319)
|
|
and if it returns \f[B]0\f[] then it will
|
|
chown (http://linux.die.net/man/1/chown) the file.
|
|
Not only is that a race condition but it doesn\[aq]t handle many other
|
|
situations.
|
|
Rather than attempting to simulate POSIX ACL behaviors the proper
|
|
behavior is to use seteuid (http://linux.die.net/man/2/seteuid) and
|
|
setegid (http://linux.die.net/man/2/setegid), become the user making the
|
|
original call and perform the action as them.
|
|
This is how mergerfs (https://github.com/trapexit/mergerfs) handles
|
|
things.
|
|
.PP
|
|
If you are familiar with POSIX standards you\[aq]ll know that this
|
|
behavior poses a problem.
|
|
\f[B]seteuid\f[] and \f[B]setegid\f[] affect the whole process and
|
|
\f[B]libfuse\f[] is multithreaded by default.
|
|
We\[aq]d need to lock access to \f[B]seteuid\f[] and \f[B]setegid\f[]
|
|
with a mutex so that the several threads aren\[aq]t stepping on one
|
|
another and files end up with weird permissions and ownership.
|
|
This however wouldn\[aq]t scale well.
|
|
With lots of calls the contention on that mutex would be extremely high.
|
|
Thankfully on Linux and OSX we have a better solution.
|
|
.PP
|
|
OSX has a non\-portable pthread
|
|
extension (https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man2/pthread_setugid_np.2.html)
|
|
for per\-thread user and group impersonation.
|
|
.PP
|
|
Linux does not support
|
|
pthread_setugid_np (https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man2/pthread_setugid_np.2.html)
|
|
but user and group IDs are a per\-thread attribute though documentation
|
|
on that fact or how to manipulate them is not well distributed.
|
|
From the \f[B]4.00\f[] release of the Linux man\-pages project for
|
|
setuid (http://man7.org/linux/man-pages/man2/setuid.2.html)
|
|
.RS
|
|
.PP
|
|
At the kernel level, user IDs and group IDs are a per\-thread attribute.
|
|
However, POSIX requires that all threads in a process share the same
|
|
credentials.
|
|
The NPTL threading implementation handles the POSIX requirements by
|
|
providing wrapper functions for the various system calls that change
|
|
process UIDs and GIDs.
|
|
These wrapper functions (including the one for setuid()) employ a
|
|
signal\-based technique to ensure that when one thread changes
|
|
credentials, all of the other threads in the process also change their
|
|
credentials.
|
|
For details, see nptl(7).
|
|
.RE
|
|
.PP
|
|
Turns out the setreuid syscalls apply only to the thread.
|
|
GLIBC hides this away using RT signals to inform all threads to change
|
|
credentials.
|
|
Taking after \f[B]Samba\f[] mergerfs uses
|
|
\f[B]syscall(SYS_setreuid,...)\f[] to set the callers credentials for
|
|
that thread only.
|
|
Jumping back to \f[B]root\f[] as necessary should escalated privileges
|
|
be needed (for instance: to clone paths).
|
|
.PP
|
|
For non\-Linux systems mergerfs uses a read\-write lock and changes
|
|
credentials only when necessary.
|
|
If multiple threads are to be user X then only the first one will need
|
|
to change the processes credentials.
|
|
So long as the other threads need to be user X they will take a readlock
|
|
allow multiple threads to share the credentials.
|
|
Once a request comes in to run as user Y that thread will attempt a
|
|
write lock and change to Y\[aq]s credentials when it can.
|
|
If the ability to give writers priority is supported then that flag will
|
|
be used so threads trying to change credentials don\[aq]t starve.
|
|
This isn\[aq]t the best solution but should work reasonably well.
|
|
As new platforms are supported if they offer per thread credentials
|
|
those APIs will be adopted.
|
|
.SH SUPPORT
|
|
.SS Issues with the software
|
|
.IP \[bu] 2
|
|
github.com: https://github.com/trapexit/mergerfs/issues
|
|
.IP \[bu] 2
|
|
email: trapexit\@spawn.link
|
|
.SS Support development
|
|
.IP \[bu] 2
|
|
Gratipay: https://gratipay.com/~trapexit
|
|
.IP \[bu] 2
|
|
BitCoin: 12CdMhEPQVmjz3SSynkAEuD5q9JmhTDCZA
|
|
.SH AUTHORS
|
|
Antonio SJ Musumeci <trapexit@spawn.link>.
|