You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

759 lines
25 KiB

  1. .\"t
  2. .TH "mergerfs" "1" "2015\-10\-11" "mergerfs user manual" ""
  3. .SH NAME
  4. .PP
  5. mergerfs \- another FUSE union filesystem
  6. .SH SYNOPSIS
  7. .PP
  8. mergerfs \-o<options> <srcpoints> <mountpoint>
  9. .SH DESCRIPTION
  10. .PP
  11. \f[B]mergerfs\f[] is similar to \f[B]mhddfs\f[], \f[B]unionfs\f[], and
  12. \f[B]aufs\f[].
  13. Like \f[B]mhddfs\f[] in that it too uses \f[B]FUSE\f[].
  14. Like \f[B]aufs\f[] in that it provides multiple policies for how to
  15. handle behavior.
  16. .PP
  17. Why \f[B]mergerfs\f[] when those exist?
  18. \f[B]mhddfs\f[] has not been updated in some time nor very flexible.
  19. There are also security issues when with running as root.
  20. \f[B]aufs\f[] is more flexible than \f[B]mhddfs\f[] but kernel based and
  21. difficult to debug when problems arise.
  22. Neither support file attributes
  23. (chattr (http://linux.die.net/man/1/chattr)).
  24. .SH FEATURES
  25. .IP \[bu] 2
  26. Runs in userspace (FUSE)
  27. .IP \[bu] 2
  28. Configurable behaviors
  29. .IP \[bu] 2
  30. Supports extended attributes (xattrs)
  31. .IP \[bu] 2
  32. Supports file attributes (chattr)
  33. .IP \[bu] 2
  34. Dynamically configurable (via xattrs)
  35. .IP \[bu] 2
  36. Safe to run as root
  37. .IP \[bu] 2
  38. Opportunistic credential caching
  39. .IP \[bu] 2
  40. Works with heterogeneous filesystem types
  41. .SH OPTIONS
  42. .SS options
  43. .IP \[bu] 2
  44. \f[B]defaults\f[]: a shortcut for FUSE\[aq]s \f[B]atomic_o_trunc\f[],
  45. \f[B]auto_cache\f[], \f[B]big_writes\f[], \f[B]default_permissions\f[],
  46. \f[B]splice_move\f[], \f[B]splice_read\f[], and \f[B]splice_write\f[].
  47. These options seem to provide the best performance.
  48. .IP \[bu] 2
  49. \f[B]direct_io\f[]: causes FUSE to bypass an addition caching step which
  50. can increase write speeds at the detriment of read speed.
  51. .IP \[bu] 2
  52. \f[B]minfreespace\f[]: the minimum space value used for the
  53. \f[B]lfs\f[], \f[B]fwfs\f[], and \f[B]epmfs\f[] policies.
  54. Understands \[aq]K\[aq], \[aq]M\[aq], and \[aq]G\[aq] to represent
  55. kilobyte, megabyte, and gigabyte respectively.
  56. (default: 4G)
  57. .IP \[bu] 2
  58. \f[B]moveonenospc\f[]: when enabled (set to \f[B]true\f[]) if a
  59. \f[B]write\f[] fails with \f[B]ENOSPC\f[] a scan of all drives will be
  60. done looking for the drive with most free space which is at least the
  61. size of the file plus the amount which failed to write.
  62. An attempt to move the file to that drive will occur (keeping all
  63. metadata possible) and if successful the original is unlinked and the
  64. write retried.
  65. (default: false)
  66. .IP \[bu] 2
  67. \f[B]func.<func>=<policy>\f[]: sets the specific FUSE function\[aq]s
  68. policy.
  69. See below for the list of value types.
  70. Example: \f[B]func.getattr=newest\f[]
  71. .IP \[bu] 2
  72. \f[B]category.<category>=<policy>\f[]: Sets policy of all FUSE functions
  73. in the provided category.
  74. Example: \f[B]category.create=mfs\f[]
  75. .PP
  76. \f[B]NOTE:\f[] Options are evaluated in the order listed so if the
  77. options are \f[B]func.rmdir=rand,category.action=ff\f[] the
  78. \f[B]action\f[] category setting will override the \f[B]rmdir\f[]
  79. setting.
  80. .SS srcpoints
  81. .PP
  82. The source points argument is a colon (\[aq]:\[aq]) delimited list of
  83. paths.
  84. To make it simpler to include multiple source points without having to
  85. modify your fstab (http://linux.die.net/man/5/fstab) we also support
  86. globbing (http://linux.die.net/man/7/glob).
  87. \f[B]The globbing tokens MUST be escaped when using via the shell else
  88. the shell itself will probably expand it.\f[]
  89. .IP
  90. .nf
  91. \f[C]
  92. $\ mergerfs\ /mnt/disk\\*:/mnt/cdrom\ /media/drives
  93. \f[]
  94. .fi
  95. .PP
  96. The above line will use all points in /mnt prefixed with \f[I]disk\f[]
  97. and the directory \f[I]cdrom\f[].
  98. .PP
  99. In /etc/fstab it\[aq]d look like the following:
  100. .IP
  101. .nf
  102. \f[C]
  103. #\ <file\ system>\ \ \ \ \ \ \ \ <mount\ point>\ \ <type>\ \ \ \ \ \ \ \ \ <options>\ \ \ \ \ \ \ \ \ \ \ \ \ <dump>\ \ <pass>
  104. /mnt/disk*:/mnt/cdrom\ \ /media/drives\ \ fuse.mergerfs\ \ defaults,allow_other\ \ 0\ \ \ \ \ \ \ 0
  105. \f[]
  106. .fi
  107. .PP
  108. \f[B]NOTE:\f[] the globbing is done at mount or xattr update time.
  109. If a new directory is added matching the glob after the fact it will not
  110. be included.
  111. .SH POLICIES
  112. .PP
  113. Filesystem calls are broken up into 3 categories: \f[B]action\f[],
  114. \f[B]create\f[], \f[B]search\f[].
  115. There are also some calls which have no policy attached due to state
  116. being kept between calls.
  117. These categories can be assigned a policy which dictates how
  118. \f[B]mergerfs\f[] behaves.
  119. Any policy can be assigned to a category though some aren\[aq]t terribly
  120. practical.
  121. For instance: \f[B]rand\f[] (Random) may be useful for \f[B]create\f[]
  122. but could lead to very odd behavior if used for \f[B]search\f[].
  123. .SS Functional classifications
  124. .PP
  125. .TS
  126. tab(@);
  127. l l.
  128. T{
  129. Category
  130. T}@T{
  131. FUSE Functions
  132. T}
  133. _
  134. T{
  135. action
  136. T}@T{
  137. chmod, chown, link, removexattr, rename, rmdir, setxattr, truncate,
  138. unlink, utimens
  139. T}
  140. T{
  141. create
  142. T}@T{
  143. create, mkdir, mknod, symlink
  144. T}
  145. T{
  146. search
  147. T}@T{
  148. access, getattr, getxattr, ioctl, listxattr, open, readlink
  149. T}
  150. T{
  151. N/A
  152. T}@T{
  153. fallocate, fgetattr, fsync, ftruncate, ioctl, read, readdir, release,
  154. statfs, write
  155. T}
  156. .TE
  157. .PP
  158. \f[B]ioctl\f[] behaves differently if its acting on a directory.
  159. It\[aq]ll use the \f[B]getattr\f[] policy to find and open the directory
  160. before issuing the \f[B]ioctl\f[].
  161. In other cases where something may be searched (to confirm a directory
  162. exists across all source mounts) then \f[B]getattr\f[] will be used.
  163. .SS Policy descriptions
  164. .PP
  165. .TS
  166. tab(@);
  167. l l.
  168. T{
  169. Policy
  170. T}@T{
  171. Description
  172. T}
  173. _
  174. T{
  175. ff (first found)
  176. T}@T{
  177. Given the order of the drives act on the first one found (regardless if
  178. stat would return EACCES).
  179. T}
  180. T{
  181. ffwp (first found w/ permissions)
  182. T}@T{
  183. Given the order of the drives act on the first one found which you have
  184. access (stat does not error with EACCES).
  185. T}
  186. T{
  187. newest (newest file)
  188. T}@T{
  189. If multiple files exist return the one with the most recent mtime.
  190. T}
  191. T{
  192. mfs (most free space)
  193. T}@T{
  194. Use the drive with the most free space available.
  195. T}
  196. T{
  197. epmfs (existing path, most free space)
  198. T}@T{
  199. If the path exists on multiple drives use the one with the most free
  200. space and is greater than \f[B]minfreespace\f[].
  201. If no drive has at least \f[B]minfreespace\f[] then fallback to
  202. \f[B]mfs\f[].
  203. T}
  204. T{
  205. fwfs (first with free space)
  206. T}@T{
  207. Pick the first drive which has at least \f[B]minfreespace\f[].
  208. T}
  209. T{
  210. lfs (least free space)
  211. T}@T{
  212. Pick the drive with least available space but more than
  213. \f[B]minfreespace\f[].
  214. T}
  215. T{
  216. rand (random)
  217. T}@T{
  218. Pick an existing drive at random.
  219. T}
  220. T{
  221. all
  222. T}@T{
  223. Applies action to all found.
  224. For searches it will behave like first found \f[B]ff\f[].
  225. T}
  226. T{
  227. enosys, einval, enotsup, exdev, erofs
  228. T}@T{
  229. Exclusively return \f[C]\-1\f[] with \f[C]errno\f[] set to the
  230. respective value.
  231. Useful for debugging other applications\[aq] behavior to errors.
  232. T}
  233. .TE
  234. .SS Defaults
  235. .PP
  236. .TS
  237. tab(@);
  238. l l.
  239. T{
  240. Category
  241. T}@T{
  242. Policy
  243. T}
  244. _
  245. T{
  246. action
  247. T}@T{
  248. all
  249. T}
  250. T{
  251. create
  252. T}@T{
  253. epmfs
  254. T}
  255. T{
  256. search
  257. T}@T{
  258. ff
  259. T}
  260. .TE
  261. .SS rename
  262. .PP
  263. rename (http://man7.org/linux/man-pages/man2/rename.2.html) is a tricky
  264. function in a merged system.
  265. Normally if a rename can\[aq]t be done atomically due to the from and to
  266. paths existing on different mount points it will return \f[C]\-1\f[]
  267. with \f[C]errno\ =\ EXDEV\f[].
  268. The atomic rename is most critical for replacing files in place
  269. atomically (such as securing writing to a temp file and then replacing a
  270. target).
  271. The problem is that by merging multiple paths you can have N instances
  272. of the source and destinations on different drives.
  273. Meaning that if you just renamed each source locally you could end up
  274. with the destination files not overwriten / replaced.
  275. To address this mergerfs works in the following way.
  276. If the source and destination exist in different directories it will
  277. immediately return \f[C]EXDEV\f[].
  278. Generally it\[aq]s not expected for cross directory renames to work so
  279. it should be fine for most instances (mv,rsync,etc.).
  280. If they do belong to the same directory it then runs the \f[C]rename\f[]
  281. policy to get the files to rename.
  282. It iterates through and renames each file while keeping track of those
  283. paths which have not been renamed.
  284. If all the renames succeed it will then \f[C]unlink\f[] or
  285. \f[C]rmdir\f[] the other paths to clean up any preexisting target files.
  286. This allows the new file to be found without the file itself ever
  287. disappearing.
  288. There may still be some issues with this behavior.
  289. Particularly on error.
  290. At the moment however this seems the best policy.
  291. .SS readdir
  292. .PP
  293. readdir (http://linux.die.net/man/3/readdir) is very different from most
  294. functions in this realm.
  295. It certainly could have it\[aq]s own set of policies to tweak its
  296. behavior.
  297. At this time it provides a simple \f[B]first found\f[] merging of
  298. directories and file found.
  299. That is: only the first file or directory found for a directory is
  300. returned.
  301. Given how FUSE works though the data representing the returned entry
  302. comes from \f[B]getattr\f[].
  303. .PP
  304. It could be extended to offer the ability to see all files found.
  305. Perhaps concatenating \f[B]#\f[] and a number to the name.
  306. But to really be useful you\[aq]d need to be able to access them which
  307. would complicate file lookup.
  308. .SS statvfs
  309. .PP
  310. statvfs (http://linux.die.net/man/2/statvfs) normalizes the source
  311. drives based on the fragment size and sums the number of adjusted blocks
  312. and inodes.
  313. This means you will see the combined space of all sources.
  314. Total, used, and free.
  315. The sources however are dedupped based on the drive so multiple points
  316. on the same drive will not result in double counting it\[aq]s space.
  317. .PP
  318. \f[B]NOTE:\f[] Since we can not (easily) replicate the atomicity of an
  319. \f[B]mkdir\f[] or \f[B]mknod\f[] without side effects those calls will
  320. first do a scan to see if the file exists and then attempts a create.
  321. This means there is a slight race condition.
  322. Worse case you\[aq]d end up with the directory or file on more than one
  323. mount.
  324. .SH BUILDING
  325. .PP
  326. \f[B]NOTE:\f[] Prebuilt packages can be found at:
  327. https://github.com/trapexit/mergerfs/releases
  328. .PP
  329. First get the code from github (http://github.com/trapexit/mergerfs).
  330. .IP
  331. .nf
  332. \f[C]
  333. $\ git\ clone\ https://github.com/trapexit/mergerfs.git
  334. $\ #\ or
  335. $\ wget\ https://github.com/trapexit/mergerfs/archive/master.zip
  336. \f[]
  337. .fi
  338. .SS Debian / Ubuntu
  339. .IP
  340. .nf
  341. \f[C]
  342. $\ sudo\ apt\-get\ install\ g++\ pkg\-config\ git\ git\-buildpackage\ pandoc\ debhelper\ libfuse\-dev\ libattr1\-dev
  343. $\ cd\ mergerfs
  344. $\ make\ deb
  345. $\ sudo\ dpkg\ \-i\ ../mergerfs_version_arch.deb
  346. \f[]
  347. .fi
  348. .SS Fedora
  349. .IP
  350. .nf
  351. \f[C]
  352. $\ su\ \-
  353. #\ dnf\ install\ rpm\-build\ fuse\-devel\ libattr\-devel\ pandoc\ gcc\-c++\ git\ make\ which
  354. #\ cd\ mergerfs
  355. #\ make\ rpm
  356. #\ rpm\ \-i\ rpmbuild/RPMS/<arch>/mergerfs\-<verion>.<arch>.rpm
  357. \f[]
  358. .fi
  359. .SS Generically
  360. .PP
  361. Have pkg\-config, pandoc, libfuse, libattr1 installed.
  362. .IP
  363. .nf
  364. \f[C]
  365. $\ cd\ mergerfs
  366. $\ make
  367. $\ make\ man
  368. $\ sudo\ make\ install
  369. \f[]
  370. .fi
  371. .SH RUNTIME
  372. .SS \&.mergerfs pseudo file
  373. .IP
  374. .nf
  375. \f[C]
  376. <mountpoint>/.mergerfs
  377. \f[]
  378. .fi
  379. .PP
  380. There is a pseudo file available at the mount point which allows for the
  381. runtime modification of certain \f[B]mergerfs\f[] options.
  382. The file will not show up in \f[B]readdir\f[] but can be
  383. \f[B]stat\f[]\[aq]ed and manipulated via
  384. {list,get,set}xattrs (http://linux.die.net/man/2/listxattr) calls.
  385. .PP
  386. Even if xattrs are disabled the
  387. {list,get,set}xattrs (http://linux.die.net/man/2/listxattr) calls will
  388. still work.
  389. .SS Keys
  390. .PP
  391. Use \f[C]xattr\ \-l\ /mount/point/.mergerfs\f[] to see all supported
  392. keys.
  393. .SS Example
  394. .IP
  395. .nf
  396. \f[C]
  397. [trapexit:/tmp/mount]\ $\ xattr\ \-l\ .mergerfs
  398. user.mergerfs.srcmounts:\ /tmp/a:/tmp/b
  399. user.mergerfs.minfreespace:\ 4294967295
  400. user.mergerfs.moveonenospc:\ false
  401. user.mergerfs.policies:\ all,einval,enosys,enotsup,epmfs,erofs,exdev,ff,ffwp,fwfs,lfs,mfs,newest,rand
  402. user.mergerfs.version:\ x.y.z
  403. user.mergerfs.category.action:\ all
  404. user.mergerfs.category.create:\ epmfs
  405. user.mergerfs.category.search:\ ff
  406. user.mergerfs.func.access:\ ff
  407. user.mergerfs.func.chmod:\ all
  408. user.mergerfs.func.chown:\ all
  409. user.mergerfs.func.create:\ epmfs
  410. user.mergerfs.func.getattr:\ ff
  411. user.mergerfs.func.getxattr:\ ff
  412. user.mergerfs.func.link:\ all
  413. user.mergerfs.func.listxattr:\ ff
  414. user.mergerfs.func.mkdir:\ epmfs
  415. user.mergerfs.func.mknod:\ epmfs
  416. user.mergerfs.func.open:\ ff
  417. user.mergerfs.func.readlink:\ ff
  418. user.mergerfs.func.removexattr:\ all
  419. user.mergerfs.func.rename:\ all
  420. user.mergerfs.func.rmdir:\ all
  421. user.mergerfs.func.setxattr:\ all
  422. user.mergerfs.func.symlink:\ epmfs
  423. user.mergerfs.func.truncate:\ all
  424. user.mergerfs.func.unlink:\ all
  425. user.mergerfs.func.utimens:\ all
  426. [trapexit:/tmp/mount]\ $\ xattr\ \-p\ user.mergerfs.category.search\ .mergerfs
  427. ff
  428. [trapexit:/tmp/mount]\ $\ xattr\ \-w\ user.mergerfs.category.search\ ffwp\ .mergerfs
  429. [trapexit:/tmp/mount]\ $\ xattr\ \-p\ user.mergerfs.category.search\ .mergerfs
  430. ffwp
  431. [trapexit:/tmp/mount]\ $\ xattr\ \-w\ user.mergerfs.srcmounts\ +/tmp/c\ .mergerfs
  432. [trapexit:/tmp/mount]\ $\ xattr\ \-p\ user.mergerfs.srcmounts\ .mergerfs
  433. /tmp/a:/tmp/b:/tmp/c
  434. [trapexit:/tmp/mount]\ $\ xattr\ \-w\ user.mergerfs.srcmounts\ =/tmp/c\ .mergerfs
  435. [trapexit:/tmp/mount]\ $\ xattr\ \-p\ user.mergerfs.srcmounts\ .mergerfs
  436. /tmp/c
  437. [trapexit:/tmp/mount]\ $\ xattr\ \-w\ user.mergerfs.srcmounts\ \[aq]+</tmp/a:/tmp/b\[aq]\ .mergerfs
  438. [trapexit:/tmp/mount]\ $\ xattr\ \-p\ user.mergerfs.srcmounts\ .mergerfs
  439. /tmp/a:/tmp/b:/tmp/c
  440. \f[]
  441. .fi
  442. .SS user.mergerfs.srcmounts
  443. .PP
  444. For \f[B]user.mergerfs.srcmounts\f[] there are several instructions
  445. available for manipulating the list.
  446. The value provided is just as the value used at mount time.
  447. A colon (\[aq]:\[aq]) delimited list of full path globs.
  448. .PP
  449. .TS
  450. tab(@);
  451. l l.
  452. T{
  453. Instruction
  454. T}@T{
  455. Description
  456. T}
  457. _
  458. T{
  459. [list]
  460. T}@T{
  461. set
  462. T}
  463. T{
  464. +<[list]
  465. T}@T{
  466. prepend
  467. T}
  468. T{
  469. +>[list]
  470. T}@T{
  471. append
  472. T}
  473. T{
  474. \-[list]
  475. T}@T{
  476. remove all values provided
  477. T}
  478. T{
  479. \-<
  480. T}@T{
  481. remove first in list
  482. T}
  483. T{
  484. \->
  485. T}@T{
  486. remove last in list
  487. T}
  488. .TE
  489. .SS minfreespace
  490. .PP
  491. Input: interger with an optional suffix.
  492. \f[B]K\f[], \f[B]M\f[], or \f[B]G\f[].
  493. Output: value in bytes
  494. .SS moveonenospc
  495. .PP
  496. Input: \f[B]true\f[] and \f[B]false\f[] Ouput: \f[B]true\f[] or
  497. \f[B]false\f[]
  498. .SS categories / funcs
  499. .PP
  500. Input: short policy string as described elsewhere in this document
  501. Output: the policy string except for categories where its funcs have
  502. multiple types.
  503. In that case it will be a comma separated list.
  504. .SS mergerfs file xattrs
  505. .PP
  506. While they won\[aq]t show up when using
  507. listxattr (http://linux.die.net/man/2/listxattr) \f[B]mergerfs\f[]
  508. offers a number of special xattrs to query information about the files
  509. served.
  510. To access the values you will need to issue a
  511. getxattr (http://linux.die.net/man/2/getxattr) for one of the following:
  512. .IP \[bu] 2
  513. \f[B]user.mergerfs.basepath:\f[] the base mount point for the file given
  514. the current search policy
  515. .IP \[bu] 2
  516. \f[B]user.mergerfs.relpath:\f[] the relative path of the file from the
  517. perspective of the mount point
  518. .IP \[bu] 2
  519. \f[B]user.mergerfs.fullpath:\f[] the full path of the original file
  520. given the search policy
  521. .IP \[bu] 2
  522. \f[B]user.mergerfs.allpaths:\f[] a NUL (\[aq]\[aq]) separated list of
  523. full paths to all files found
  524. .IP
  525. .nf
  526. \f[C]
  527. [trapexit:/tmp/mount]\ $\ ls
  528. A\ B\ C
  529. [trapexit:/tmp/mount]\ $\ xattr\ \-p\ user.mergerfs.fullpath\ A
  530. /mnt/a/full/path/to/A
  531. [trapexit:/tmp/mount]\ $\ xattr\ \-p\ user.mergerfs.basepath\ A
  532. /mnt/a
  533. [trapexit:/tmp/mount]\ $\ xattr\ \-p\ user.mergerfs.relpath\ A
  534. /full/path/to/A
  535. [trapexit:/tmp/mount]\ $\ xattr\ \-p\ user.mergerfs.allpaths\ A\ |\ tr\ \[aq]\\0\[aq]\ \[aq]\\n\[aq]
  536. /mnt/a/full/path/to/A
  537. /mnt/b/full/path/to/A
  538. \f[]
  539. .fi
  540. .SH TOOLING
  541. .IP \[bu] 2
  542. /usr/sbin/fsck.mergerfs: Provides permissions and ownership auditing and
  543. the ability to fix them.
  544. .SH TIPS / NOTES
  545. .IP \[bu] 2
  546. If you don\[aq]t see some directories / files you expect in a merged
  547. point be sure the user has permission to all the underlying directories.
  548. If \f[C]/drive0/a\f[] has is owned by \f[C]root:root\f[] with ACLs set
  549. to \f[C]0700\f[] and \f[C]/drive1/a\f[] is \f[C]root:root\f[] and
  550. \f[C]0755\f[] you\[aq]ll see only \f[C]/drive1/a\f[].
  551. Use \f[C]fsck.mergerfs\f[] to audit the drive for out of sync
  552. permissions.
  553. .IP \[bu] 2
  554. Since POSIX gives you only error or success on calls its difficult to
  555. determine the proper behavior when applying the behavior to multiple
  556. targets.
  557. Generally if something succeeds when reading it returns the data it can.
  558. If something fails when making an action we continue on and return the
  559. last error.
  560. .IP \[bu] 2
  561. The recommended options are \f[B]defaults,allow_other\f[].
  562. The \f[B]allow_other\f[] is to allow users who are not the one which
  563. executed mergerfs access to the mountpoint.
  564. \f[B]defaults\f[] is described above and should offer the best
  565. performance.
  566. It\[aq]s possible that if you\[aq]re running on an older platform the
  567. \f[B]splice\f[] features aren\[aq]t available and could error.
  568. In that case simply use the other options manually.
  569. .IP \[bu] 2
  570. If write performance is valued more than read it may be useful to enable
  571. \f[B]direct_io\f[].
  572. .IP \[bu] 2
  573. Remember that some policies mixed with some functions may result in
  574. strange behaviors.
  575. Not that some of these behaviors and race conditions couldn\[aq]t happen
  576. outside \f[B]mergerfs\f[] but that they are far more likely to occur on
  577. account of attempt to merge together multiple sources of data which
  578. could be out of sync due to the different policies.
  579. .IP \[bu] 2
  580. An example: Kodi (http://kodi.tv) and Plex (http://plex.tv) can
  581. apparently use directory mtime (http://linux.die.net/man/2/stat) to more
  582. efficiently determine whether or not to scan for new content rather than
  583. simply performing a full scan.
  584. If using the current default \f[B]getattr\f[] policy of \f[B]ff\f[] its
  585. possible \f[B]Kodi\f[] will miss an update on account of it returning
  586. the first directory found\[aq]s \f[B]stat\f[] info and its a later
  587. directory on another mount which had the \f[B]mtime\f[] recently
  588. updated.
  589. To fix this you will want to set \f[B]func.getattr=newest\f[].
  590. Remember though that this is just \f[B]stat\f[].
  591. If the file is later \f[B]open\f[]\[aq]ed or \f[B]unlink\f[]\[aq]ed and
  592. the policy is different for those then a completely different file or
  593. directory could be acted on.
  594. .IP \[bu] 2
  595. Due to previously mentioned issues its generally best to set
  596. \f[B]category\f[] wide policies rather than individual
  597. \f[B]func\f[]\[aq]s.
  598. This will help limit the confusion of tools such as
  599. rsync (http://linux.die.net/man/1/rsync).
  600. .SH Known Issues / Bugs
  601. .SS Samba
  602. .IP \[bu] 2
  603. Moving files or directories between directories on a SMB share fail with
  604. IO errors.
  605. .RS 2
  606. .PP
  607. Workaround: Copy the file/directory and then remove the original rather
  608. than move.
  609. .PP
  610. This isn\[aq]t an issue with Samba but some SMB clients.
  611. GVFS\-fuse v1.20.3 and prior (found in Ubuntu 14.04 among others) failed
  612. to handle certain error codes correctly.
  613. Particularly \f[B]STATUS_NOT_SAME_DEVICE\f[] which comes from the
  614. \f[B]EXDEV\f[] which is returned by \f[B]rename\f[] when the call is
  615. crossing mountpoints.
  616. When a program gets an \f[B]EXDEV\f[] it needs to explicitly take an
  617. alternate action to accomplish it\[aq]s goal.
  618. In the case of \f[B]mv\f[] or similar it tries \f[B]rename\f[] and on
  619. \f[B]EXDEV\f[] falls back to a manual copying of data between the two
  620. locations and unlinking the source.
  621. In these older versions of GVFS\-fuse if it received \f[B]EXDEV\f[] it
  622. would translate that into \f[B]EIO\f[].
  623. This would cause \f[B]mv\f[] or most any application attempting to move
  624. files around on that SMB share to fail with a IO error.
  625. .PP
  626. GVFS\-fuse v1.22.0 (https://bugzilla.gnome.org/show_bug.cgi?id=734568)
  627. and above fixed this issue but a large number of systems use the older
  628. release.
  629. On Ubuntu the version can be checked by issuing
  630. \f[C]apt\-cache\ showpkg\ gvfs\-fuse\f[].
  631. Most distros released in 2015 seem to have the updated release and will
  632. work fine but older systems may not.
  633. Upgrading gvfs\-fuse or the distro in general will address the problem.
  634. .PP
  635. In Apple\[aq]s MacOSX 10.9 they replaced Samba (client and server) with
  636. their own product.
  637. It appears their new client does not handle \f[B]EXDEV\f[] either and
  638. responds similar to older release of gvfs on Linux.
  639. .RE
  640. .SS Supplemental groups
  641. .IP \[bu] 2
  642. Due to the overhead of
  643. getgroups/setgroups (http://linux.die.net/man/2/setgroups) mergerfs
  644. utilizes a cache.
  645. This cache is opportunistic and per thread.
  646. Each thread will query the supplemental groups for a user when that
  647. particular thread needs to change credentials and will keep that data
  648. for the lifetime of the mount or thread.
  649. This means that if a user is added to a group it may not be picked up
  650. without the restart of mergerfs.
  651. However, since the high level FUSE API\[aq]s (at least the standard
  652. version) thread pool dynamically grows and shrinks it\[aq]s possible
  653. that over time a thread will be killed and later a new thread with no
  654. cache will start and query the new data.
  655. .RS 2
  656. .PP
  657. The gid cache uses fixed storage to simplify the design and be
  658. compatible with older systems which may not have C++11 compilers (as the
  659. original design required).
  660. There is enough storage for 256 users\[aq] supplemental groups.
  661. Each user is allowed upto 32 supplemental groups.
  662. Linux >= 2.6.3 allows upto 65535 groups per user but most other *nixs
  663. allow far less.
  664. NFS allowing only 16.
  665. The system does handle overflow gracefully.
  666. If the user has more than 32 supplemental groups only the first 32 will
  667. be used.
  668. If more than 256 users are using the system when an uncached user is
  669. found it will evict an existing user\[aq]s cache at random.
  670. So long as there aren\[aq]t more than 256 active users this should be
  671. fine.
  672. If either value is too low for your needs you will have to modify
  673. \f[C]gidcache.hpp\f[] to increase the values.
  674. Note that doing so will increase the memory needed by each thread.
  675. .RE
  676. .SH FAQ
  677. .PP
  678. \f[I]It\[aq]s mentioned that there are some security issues with mhddfs.
  679. What are they? How does mergerfs address them?\f[]
  680. .PP
  681. mhddfs (https://github.com/trapexit/mhddfs) tries to handle being run as
  682. \f[B]root\f[] by calling
  683. getuid() (https://github.com/trapexit/mhddfs/blob/cae96e6251dd91e2bdc24800b4a18a74044f6672/src/main.c#L319)
  684. and if it returns \f[B]0\f[] then it will
  685. chown (http://linux.die.net/man/1/chown) the file.
  686. Not only is that a race condition but it doesn\[aq]t handle many other
  687. situations.
  688. Rather than attempting to simulate POSIX ACL behaviors the proper
  689. behavior is to use seteuid (http://linux.die.net/man/2/seteuid) and
  690. setegid (http://linux.die.net/man/2/setegid), become the user making the
  691. original call and perform the action as them.
  692. This is how mergerfs (https://github.com/trapexit/mergerfs) handles
  693. things.
  694. .PP
  695. If you are familiar with POSIX standards you\[aq]ll know that this
  696. behavior poses a problem.
  697. \f[B]seteuid\f[] and \f[B]setegid\f[] affect the whole process and
  698. \f[B]libfuse\f[] is multithreaded by default.
  699. We\[aq]d need to lock access to \f[B]seteuid\f[] and \f[B]setegid\f[]
  700. with a mutex so that the several threads aren\[aq]t stepping on one
  701. another and files end up with weird permissions and ownership.
  702. This however wouldn\[aq]t scale well.
  703. With lots of calls the contention on that mutex would be extremely high.
  704. Thankfully on Linux and OSX we have a better solution.
  705. .PP
  706. OSX has a non\-portable pthread
  707. extension (https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man2/pthread_setugid_np.2.html)
  708. for per\-thread user and group impersonation.
  709. .PP
  710. Linux does not support
  711. pthread_setugid_np (https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man2/pthread_setugid_np.2.html)
  712. but user and group IDs are a per\-thread attribute though documentation
  713. on that fact or how to manipulate them is not well distributed.
  714. From the \f[B]4.00\f[] release of the Linux man\-pages project for
  715. setuid (http://man7.org/linux/man-pages/man2/setuid.2.html)
  716. .RS
  717. .PP
  718. At the kernel level, user IDs and group IDs are a per\-thread attribute.
  719. However, POSIX requires that all threads in a process share the same
  720. credentials.
  721. The NPTL threading implementation handles the POSIX requirements by
  722. providing wrapper functions for the various system calls that change
  723. process UIDs and GIDs.
  724. These wrapper functions (including the one for setuid()) employ a
  725. signal\-based technique to ensure that when one thread changes
  726. credentials, all of the other threads in the process also change their
  727. credentials.
  728. For details, see nptl(7).
  729. .RE
  730. .PP
  731. Turns out the setreuid syscalls apply only to the thread.
  732. GLIBC hides this away using RT signals to inform all threads to change
  733. credentials.
  734. Taking after \f[B]Samba\f[] mergerfs uses
  735. \f[B]syscall(SYS_setreuid,...)\f[] to set the callers credentials for
  736. that thread only.
  737. Jumping back to \f[B]root\f[] as necessary should escalated privileges
  738. be needed (for instance: to clone paths).
  739. .PP
  740. For non\-Linux systems mergerfs uses a read\-write lock and changes
  741. credentials only when necessary.
  742. If multiple threads are to be user X then only the first one will need
  743. to change the processes credentials.
  744. So long as the other threads need to be user X they will take a readlock
  745. allow multiple threads to share the credentials.
  746. Once a request comes in to run as user Y that thread will attempt a
  747. write lock and change to Y\[aq]s credentials when it can.
  748. If the ability to give writers priority is supported then that flag will
  749. be used so threads trying to change credentials don\[aq]t starve.
  750. This isn\[aq]t the best solution but should work reasonably well.
  751. As new platforms are supported if they offer per thread credentials
  752. those APIs will be adopted.
  753. .SH AUTHORS
  754. Antonio SJ Musumeci <trapexit@spawn.link>.