Parallel NFS (pNFS) Flexible File Layout Version 2

6.2.1. Implementation Notes for Synthetic uids/gids

The selection method for the synthetic uids and gids to be used for fencing in loosely coupled storage devices is strictly an implementation issue. That is, an administrator might restrict a range of such ids available to the Lightweight Directory Access Protocol (LDAP) 'uid' field [RFC4519]. The administrator might also be able to choose an id that would never be used to grant access. Then, when the metadata server had a request to access a file, a SETATTR would be sent to the storage device to set the owner and group of the data file. The user and group might be selected in a round-robin fashion from the range of available ids.¶

Those ids would be sent back as ffv2ds_user and ffv2ds_group to the client, who would present them as the RPC credentials to the storage device. When the client is done accessing the file and the metadata server knows that no other client is accessing the file, it can reset the owner and group to restrict access to the data file.¶

When the metadata server wants to fence off a client, it changes the synthetic uid and/or gid to the restricted ids. Note that using a restricted id ensures that there is a change of owner and at least one id available that never gets allowed access.¶

Under an AUTH_SYS security model, synthetic uids and gids of 0 SHOULD be avoided. These typically either grant super access to files on a storage device or are mapped to an anonymous id. In the first case, even if the data file is fenced, the client might still be able to access the file. In the second case, multiple ids might be mapped to the anonymous ids.¶

6.2.2. Example of using Synthetic uids/gids

The user loghyr creates a file "ompha.c" on the metadata server, which then creates a corresponding data file on the storage device.¶

The metadata server entry may look like:¶

-rw-r--r--    1 loghyr  staff    1697 Dec  4 11:31 ompha.c

On the storage device, the file may be assigned some unpredictable synthetic uid/gid to deny access:¶

-rw-r-----    1 19452   28418    1697 Dec  4 11:31 data_ompha.c

When the file is opened on a client and accessed, the user will try to get a layout for the data file. Since the layout knows nothing about the user (and does not care), it does not matter whether the user loghyr or garbo opens the file. The client has to present an uid of 19452 to get write permission. If it presents any other value for the uid, then it must give a gid of 28418 to get read access.¶

Further, if the metadata server decides to fence the file, it SHOULD change the uid and/or gid such that these values neither match earlier values for that file nor match a predictable change based on an earlier fencing.¶

-rw-r-----    1 19453   28419    1697 Dec  4 11:31 data_ompha.c

The set of synthetic gids on the storage device SHOULD be selected such that there is no mapping in any of the name services used by the storage device, i.e., each group SHOULD have no members.¶

If the layout segment has an iomode of LAYOUTIOMODE4_READ, then the metadata server SHOULD return a synthetic uid that is not set on the storage device. Only the synthetic gid would be valid.¶

The client is thus solely responsible for enforcing file permissions in a loosely coupled model. To allow loghyr write access, it will send an RPC to the storage device with a credential of 1066:1067. To allow garbo read access, it will send an RPC to the storage device with a credential of 1067:1067. The value of the uid does not matter as long as it is not the synthetic uid granted when getting the layout.¶

While pushing the enforcement of permission checking onto the client may seem to weaken security, the client may already be responsible for enforcing permissions before modifications are sent to a server. With cached writes, the client is always responsible for tracking who is modifying a file and making sure to not coalesce requests from multiple users into one request.¶

6.3.1. Loosely Coupled Locking Model

When locking-related operations are requested, they are primarily dealt with by the metadata server, which generates the appropriate stateids. When an NFSv4 version is used as the data access protocol, the metadata server may make stateid-related requests of the storage devices. However, it is not required to do so, and the resulting stateids are known only to the metadata server and the storage device.¶

Given this basic structure, locking-related operations are handled as follows:¶

• OPENs are dealt with by the metadata server. Stateids are selected by the metadata server and associated with the client ID describing the client's connection to the metadata server. The metadata server may need to interact with the storage device to locate the file to be opened, but no locking-related functionality need be used on the storage device.¶

• OPEN_DOWNGRADE and CLOSE only require local execution on the metadata server.¶

• Advisory byte-range locks can be implemented locally on the metadata server. As in the case of OPENs, the stateids associated with byte-range locks are assigned by the metadata server and only used on the metadata server.¶

• Delegations are assigned by the metadata server that initiates recalls when conflicting OPENs are processed. No storage device involvement is required.¶

• TEST_STATEID and FREE_STATEID are processed locally on the metadata server, without storage device involvement.¶

All I/O operations to the storage device are done using the anonymous stateid. Thus, the storage device has no information about the openowner and lockowner responsible for issuing a particular I/O operation. As a result:¶

• Mandatory byte-range locking cannot be supported because the storage device has no way of distinguishing I/O done on behalf of the lock owner from those done by others.¶

• Enforcement of share reservations is the responsibility of the client. Even though I/O is done using the anonymous stateid, the client MUST ensure that it has a valid stateid associated with the openowner.¶

In the event that a stateid is revoked, the metadata server is responsible for preventing client access, since it has no way of being sure that the client is aware that the stateid in question has been revoked.¶

As the client never receives a stateid generated by a storage device, there is no client lease on the storage device and no prospect of lease expiration, even when access is via NFSv4 protocols. Clients will have leases on the metadata server. In dealing with lease expiration, the metadata server may need to use fencing to prevent revoked stateids from being relied upon by a client unaware of the fact that they have been revoked.¶

6.3.2. Tightly Coupled Locking Model

When locking-related operations are requested, they are primarily dealt with by the metadata server, which generates the appropriate stateids. These stateids MUST be made known to the storage device using control protocol facilities. For flex files v2 deployments in which the storage devices are NFSv4.2 servers, those facilities are provided by the TRUST_STATEID, REVOKE_STATEID, and BULK_REVOKE_STATEID operations defined in Section 6.4.¶

The metadata server and a storage device establish that they can use TRUST_STATEID via a two-part handshake, both parts of which MUST succeed before the metadata server may issue TRUST_STATEID against that storage device for production traffic:¶

1. Capability probe. At control-session setup the metadata server sends a TRUST_STATEID against the anonymous stateid (see Section 6.4.1). A storage device that supports tight coupling MUST reject the probe with NFS4ERR_INVAL; a storage device that does not support tight coupling returns NFS4ERR_NOTSUPP and the metadata server falls back to loose coupling. The metadata server records the result per storage device in ffdv_tightly_coupled.¶

2. Control-session gating. The metadata server presents EXCHGID4_FLAG_USE_PNFS_MDS at EXCHANGE_ID when it opens the control session to the storage device (see Section 6.4.2). The storage device MUST reject any incoming TRUST_STATEID, REVOKE_STATEID, or BULK_REVOKE_STATEID that does not arrive on such a session with NFS4ERR_PERM. This is the authorization mechanism that distinguishes the metadata server from ordinary pNFS clients, which connect with EXCHGID4_FLAG_USE_PNFS_DS or EXCHGID4_FLAG_USE_NON_PNFS and are therefore structurally unable to invoke these operations.¶

Given this basic structure, locking-related operations are handled as follows:¶

• OPENs are dealt with primarily on the metadata server. Stateids are selected by the metadata server and associated with the client ID describing the client's connection to the metadata server. The metadata server needs to interact with the storage device to locate the file to be opened and to make the storage device aware of the association between the metadata-server-chosen stateid and the client and openowner that it represents. OPEN_DOWNGRADE and CLOSE are executed initially on the metadata server, but the state change MUST be propagated to the storage device.¶

• Advisory byte-range locks can be implemented locally on the metadata server. As in the case of OPENs, the stateids associated with byte-range locks are assigned by the metadata server and are available for use on the metadata server. Because I/O operations are allowed to present lock stateids, the metadata server needs the ability to make the storage device aware of the association between the metadata-server-chosen stateid and the corresponding open stateid it is associated with.¶

• Mandatory byte-range locks can be supported when both the metadata server and the storage devices have the appropriate support. As in the case of advisory byte-range locks, these are assigned by the metadata server and are available for use on the metadata server. To enable mandatory lock enforcement on the storage device, the metadata server needs the ability to make the storage device aware of the association between the metadata-server-chosen stateid and the client, openowner, and lock (i.e., lockowner, byte-range, and lock-type) that it represents. Because I/O operations are allowed to present lock stateids, this information needs to be propagated to all storage devices to which I/O might be directed rather than only to storage device that contain the locked region.¶

• Delegations are assigned by the metadata server that initiates recalls when conflicting OPENs are processed. Because I/O operations are allowed to present delegation stateids, the metadata server requires the ability:¶

  1. to make the storage device aware of the association between the metadata-server-chosen stateid and the filehandle and delegation type it represents¶

  2. to break such an association.¶

• TEST_STATEID is processed locally on the metadata server, without storage device involvement.¶

• FREE_STATEID is processed on the metadata server, but the metadata server requires the ability to propagate the request to the corresponding storage devices.¶

Because the client will possess and use stateids valid on the storage device, there will be a client lease on the storage device, and the possibility of lease expiration does exist. The best approach for the storage device is to retain these locks as a courtesy. However, if it does not do so, control protocol facilities need to provide the means to synchronize lock state between the metadata server and storage device.¶

Clients will also have leases on the metadata server that are subject to expiration. In dealing with lease expiration, the metadata server would be expected to use control protocol facilities enabling it to invalidate revoked stateids on the storage device. In the event the client is not responsive, the metadata server may need to use fencing to prevent revoked stateids from being acted upon by the storage device.¶

6.4.1. Capability Discovery

A storage device indicates support for tight coupling implicitly, by processing TRUST_STATEID rather than returning NFS4ERR_NOTSUPP. The metadata server probes each storage device during control-session setup:¶

SEQUENCE + PUTROOTFH + TRUST_STATEID(
    tsa_layout_stateid = ANONYMOUS_STATEID,
    tsa_iomode         = LAYOUTIOMODE4_READ,
    tsa_expire         = 0,
    tsa_principal      = "")

The anonymous stateid is used deliberately: a correctly implemented storage device MUST reject it (see Section 25.12), so the probe cannot accidentally register garbage in the trust table. The metadata server interprets the probe response as follows:¶

• NFS4ERR_NOTSUPP: tight coupling is not supported on this storage device. The metadata server falls back to loose coupling (anonymous stateid plus fencing) and sets ffdv_tightly_coupled to false for this storage device.¶

• NFS4ERR_INVAL: tight coupling is supported. The anonymous stateid was correctly rejected. The metadata server records the capability and sets ffdv_tightly_coupled to true for this storage device.¶

• NFS4_OK: the storage device accepted an anonymous stateid into its trust table. This is a storage device bug. The metadata server SHOULD log the anomaly. It MAY treat the capability as confirmed to avoid downgrading to loose coupling, but it MUST immediately issue REVOKE_STATEID to remove the bogus entry.¶

The capability is recorded per storage device, not per file. Partial support across a mirror set is permitted: each ff_device_versions4 entry returned by GETDEVICEINFO carries its own ffdv_tightly_coupled flag, set independently.¶

6.4.2. Control Session

The metadata server establishes an NFSv4.2 session to each tight-coupling-capable storage device at startup. On this session the metadata server acts as the storage device's client and presents EXCHGID4_FLAG_USE_NON_PNFS in its EXCHANGE_ID args.¶

The storage device MUST verify that any incoming TRUST_STATEID, REVOKE_STATEID, or BULK_REVOKE_STATEID compound arrives on a session whose owning client presented EXCHGID4_FLAG_USE_PNFS_MDS in its EXCHANGE_ID args. Requests that arrive on any other session MUST be rejected with NFS4ERR_PERM. This is the sole access control on these operations; a pNFS client connecting to the storage device does not present EXCHGID4_FLAG_USE_PNFS_MDS and therefore cannot invoke them.¶

The EXCHGID4_FLAG_USE_PNFS_MDS check replaces any path- or filehandle-level gating. TRUST_STATEID operates on a filehandle that may be any file on the storage device, and the metadata server is the sole authority that can legitimately speak this protocol.¶

Because the EXCHGID4_FLAG_USE_PNFS_MDS check relies on the owning client's self-declaration at EXCHANGE_ID time, the storage device cannot by itself distinguish a legitimate metadata server from any other host that sets the flag. Deployments are therefore responsible for constraining who can establish a control session in the first place. Two mechanisms are RECOMMENDED:¶

1. The control session SHOULD use RPCSEC_GSS with a machine principal that the storage device has been configured to accept as a metadata server. The storage device validates the principal before accepting EXCHANGE_ID with EXCHGID4_FLAG_USE_PNFS_MDS.¶

2. Alternatively, the control session SHOULD run over a network path isolated from pNFS clients (for example, a dedicated management VLAN or mutual TLS ([RFC9289]) with an allowlisted client certificate), such that only configured metadata servers can reach the storage device on that path.¶

Deploying neither mechanism reduces the authorization strength of TRUST_STATEID and the revocation operations to "any host that can reach the storage device can invoke them"; a strict deployment MUST apply at least one of the above.¶

6.4.3. Flow at LAYOUTGET

For each new or refreshed layout segment, the metadata server:¶

1. chooses the layout stateid (as it would without tight coupling);¶

2. identifies the tight-coupling-capable storage devices in the mirror set (those for which ffdv_tightly_coupled is true);¶

3. fans out TRUST_STATEID to each such storage device, specifying the layout stateid, the layout iomode, a tsa_expire derived from the metadata server's lease (see Section 6.4.6), and the client's authenticated identity in tsa_principal;¶

4. waits for all fan-outs to complete (or reach their per-storage- device timeout) before returning the layout.¶

If every storage device in the mirror set rejects the TRUST_STATEID fan-out, the metadata server MUST NOT return the layout; instead it returns NFS4ERR_LAYOUTTRYLATER. If some storage devices accept and others reject, the metadata server MAY return a layout covering only the accepting storage devices, subject to the mirror-set rules for minimum acceptable coverage. A storage device that returns NFS4ERR_DELAY is retried until either success or the metadata server's LAYOUTGET-response budget is exhausted. If a storage device returns NFS4ERR_NOTSUPP at this time (having accepted the probe earlier), the metadata server MUST clear ffdv_tightly_coupled for this storage device, fall back to loose coupling, and re-issue the layout accordingly.¶

6.4.4. Principal Binding and the Kerberos Gap

Flex files v1 has a known gap: a client authenticated to the metadata server with Kerberos has no way to present the same authenticated identity to the storage device, because v1 layouts carry only ffds_user / ffds_group (POSIX uid/gid for AUTH_SYS). A strict Kerberos deployment on v1 must either allow AUTH_SYS from the metadata server's subnet or accept that the v1 data path is not Kerberos-protected.¶

The tsa_principal field in TRUST_STATEID closes that gap. When a client authenticates to the metadata server as a Kerberos principal (e.g., alice@REALM), the metadata server passes that principal name to each storage device in tsa_principal. The storage device then enforces a two-part check on each CHUNK operation that presents the layout stateid:¶

a. the stateid is in the trust table and has not expired; and¶

b. the caller's authenticated identity (the RPCSEC_GSS display name on the CHUNK compound) matches tsa_principal.¶

Both conditions MUST hold. On principal mismatch the storage device MUST return NFS4ERR_ACCESS -- the semantics are "you do not have an authorized layout for this file", which matches the existing fencing error and avoids the confusion of NFS4ERR_WRONGSEC (which directs the client to re-authenticate with a different flavor) or NFS4ERR_BAD_STATEID (which directs the client to return the layout).¶

The metadata server MUST populate tsa_principal with the RPCSEC_GSS display name of the authenticated client when the client authenticated to the metadata server via RPCSEC_GSS. The metadata server MUST set tsa_principal to the empty string only for AUTH_SYS and TLS clients (for which there is no server- verified per-user identity). Setting tsa_principal to the empty string for an RPCSEC_GSS client disables the principal check on the storage device and silently re-opens the flex files v1 Kerberos gap; it is a metadata server bug, not a protocol option.¶

If tsa_principal is the empty string, no principal check applies. This is the expected setting for AUTH_SYS and TLS clients:¶

• AUTH_SYS clients have no server-verified identity. The storage device's stateid check and the AUTH_SYS uid/gid on the data file together constitute the authorization. In a tightly coupled deployment the data file's owner/group need not match the metadata file's, since ffv2ds_user and ffv2ds_group are ignored (see Section 8.8).¶

• TLS clients have transport-layer authentication via mutual TLS ([RFC9289]). The TLS layer authenticates the client machine; the stateid check confirms the metadata server authorized that machine to access this file. The machine-level authentication is handled beneath the RPC layer and is not reflected in tsa_principal. Opportunistic TLS (STARTTLS without certificate verification) provides encryption but not authentication, and therefore has the same authorization properties as plain AUTH_SYS.¶

6.4.5. Client-Detected Trust Gap

A window exists between a successful TRUST_STATEID fan-out and the client's first I/O to the storage device. A transient failure may cause the storage device to forget or reject the entry before the client's first CHUNK_WRITE arrives. The client cannot distinguish this case from legitimate revocation; both surface as NFS4ERR_BAD_STATEID on the storage device.¶

The recovery path:¶

1. The client sends LAYOUTERROR(layout_stateid, device_id, NFS4ERR_BAD_STATEID) to the metadata server.¶

2. The metadata server retries TRUST_STATEID against the reporting storage device. If the retry succeeds, the metadata server returns NFS4_OK for LAYOUTERROR. The client retries the original I/O.¶

3. If the retry fails -- the storage device is unreachable or returns a hard error -- the metadata server issues CB_LAYOUTRECALL for that device and the client returns the layout segment covering that storage device. The client is expected to re-request via LAYOUTGET.¶

This is the same LAYOUTERROR path used for NFS4ERR_ACCESS or NFS4ERR_PERM in the fencing model (see Section 6.2), with the metadata server's action being "retry TRUST_STATEID" instead of "rotate uid/gid".¶

6.4.6. Lease and Renewal

tsa_expire in a TRUST_STATEID request is a wall-clock expiry instant expressed as an nfstime4. The metadata server MUST set tsa_expire to the current wall-clock time plus the metadata server's client lease period.¶

The metadata server MUST re-issue TRUST_STATEID for an entry before tsa_expire while the corresponding layout is outstanding. The RECOMMENDED trigger is: when an entry is within half the lease period of its tsa_expire, re-issue TRUST_STATEID with a refreshed tsa_expire. Renewing on every SEQUENCE that keeps the layout stateid alive is correct but produces metadata-server-to-storage-device traffic proportional to the client's SEQUENCE rate, which is undesirable in steady state.¶

If an entry expires on the storage device before the metadata server renews it -- for example, because the metadata server is partitioned from the storage device for longer than the lease period -- the storage device MUST return NFS4ERR_BAD_STATEID to the client on the next CHUNK operation. The client returns the layout to the metadata server and re-requests. This is the same recovery path as the trust gap described above.¶

6.4.7. Storage Device Crash Recovery

The trust table is volatile. The storage device MUST NOT persist trust entries across restarts; a storage device restart therefore empties the trust table.¶

The client detects a storage device restart via NFS4ERR_BADSESSION or NFS4ERR_STALE_CLIENTID on its data server session. The client returns the affected layout segment to the metadata server via LAYOUTRETURN and re-requests via LAYOUTGET. The metadata server then fans out fresh TRUST_STATEID operations to the recovered storage device.¶

Planned storage device restarts (software upgrade, etc.) SHOULD drain in-flight CHUNK operations before shutting down.¶

6.4.8. Metadata Server Crash Recovery

When the metadata server restarts, its control sessions to the storage devices are lost. Trust entries remain on the storage devices until tsa_expire, but the metadata server is no longer renewing them; the entries are effectively orphaned until the metadata server completes grace.¶

When the metadata server reconnects to a storage device with a new boot epoch -- that is, the EXCHANGE_ID returns a new server owner on the storage device's view of the metadata server -- the storage device SHOULD mark all trust entries established under the prior metadata-server epoch as pending-revalidation. While an entry is pending-revalidation:¶

• I/O that presents the entry's stateid MUST receive NFS4ERR_DELAY, not NFS4ERR_BAD_STATEID. NFS4ERR_DELAY tells the client to retry with the same stateid -- the metadata server is recovering and may yet revalidate the entry. NFS4ERR_BAD_STATEID would instead cause the client to return the layout immediately, producing a thundering herd against the metadata server during grace.¶

• An entry remains pending-revalidation until the metadata server either re-issues TRUST_STATEID for it (which transitions it back to trusted) or until the entry's tsa_expire elapses (which removes it).¶

The metadata server's recovery sequence is:¶

1. Reconnect to each storage device and establish a fresh control session.¶

2. Optionally issue BULK_REVOKE_STATEID with an all-zeros clientid to each storage device. This clears the prior trust table eagerly; skipping this step is correct, because orphan entries expire via tsa_expire.¶

3. Enter grace and accept RECLAIM operations from clients. For each reclaimed layout, fan out TRUST_STATEID to the relevant storage devices.¶

4. Exit grace. Clients that did not reclaim in time have their state revoked; the metadata server issues REVOKE_STATEID or BULK_REVOKE_STATEID on their behalf.¶

Metadata servers SHOULD persist the set of outstanding TRUST_STATEID entries (clientid, layout stateid, storage device address, tsa_expire) to stable storage. With this persistence the metadata server can re-issue TRUST_STATEID for all known entries immediately upon reconnecting to each storage device, before clients begin reclaiming. This shrinks the window during which the storage device returns NFS4ERR_DELAY for client I/O. Persistence is a latency optimization, not a correctness requirement: the re-layout path handles recovery in all cases.¶

6.4.9. Backward Compatibility

• NFSv3 storage devices are unchanged. They are always treated as loosely coupled; TRUST_STATEID does not exist on NFSv3 servers.¶

• NFSv4.2 storage devices for which the TRUST_STATEID probe returns NFS4ERR_NOTSUPP are treated as loosely coupled; fencing is the only revocation mechanism, the same as for NFSv3.¶

• NFSv4.2 storage devices for which the probe returns NFS4ERR_INVAL support tight coupling; the metadata server uses TRUST_STATEID at LAYOUTGET and REVOKE_STATEID or BULK_REVOKE_STATEID for revocation instead of fencing.¶

A single deployment MAY contain a mix of tight-coupled and loose-coupled storage devices; each is negotiated independently via the probe.¶

8.1.1. Encoding Type Interoperability

The data servers do not interpret erasure-coded data -- they store and return opaque chunks. The NFS wire protocol likewise does not depend on the encoding mathematics. However, a client that writes data using one encoding type MUST be able to read it back, and a different client implementation MUST be able to read data written by the first client if both claim to support the same encoding type.¶

This interoperability requirement means that each registered encoding type MUST fully specify the encoding and decoding mathematics such that two independent implementations produce byte-identical encoded output for the same input. The specification of a new encoding type MUST include one of the following:¶

1. A complete mathematical specification of the encoding and decoding algorithms, including all parameters (e.g., field polynomial, matrix construction, element size) sufficient for an independent implementation to produce interoperable results.¶

2. A reference to a published patent or pending patent application that contains the algorithm specification. Implementors can then evaluate the licensing terms and decide whether to support the encoding type.¶

3. A declaration that the encoding type is a proprietary implementation. In this case, the encoding type name SHOULD include an organizational prefix (e.g., FFV2_ENCODING_ACME_FOOBAR) to signal that interoperability is limited to implementations licensed by that organization.¶

Option 1 is RECOMMENDED for encoding types intended for broad interoperability. Options 2 and 3 allow vendors to register encoding types for use within their own ecosystems while preserving the encoding type namespace.¶

The rationale for this requirement is that erasure coding moves computation from the server to the client. If the client cannot determine how data was encoded, it cannot decode it. Unlike layout types (where the server controls the storage format), encoding types require client-side agreement on the mathematics.¶

8.2.1. ffv2_flags4

   /// const FFV2_FLAGS_NO_LAYOUTCOMMIT  = FF_FLAGS_NO_LAYOUTCOMMIT;
   /// const FFV2_FLAGS_NO_IO_THRU_MDS   = FF_FLAGS_NO_IO_THRU_MDS;
   /// const FFV2_FLAGS_NO_READ_IO       = FF_FLAGS_NO_READ_IO;
   /// const FFV2_FLAGS_WRITE_ONE_MIRROR =
   ///     FF_FLAGS_WRITE_ONE_MIRROR;
   /// const FFV2_FLAGS_ONLY_ONE_WRITER  = 0x00000010;
   ///
   /// typedef uint32_t            ffv2_flags4;

The ffv2_flags4 in Figure 10 is a bitmap that allows the metadata server to inform the client of particular conditions that may result from more or less tight coupling of the storage devices.¶

Each flag below describes both the semantics when set and the normative requirement it places on the client. When a flag is not set, the client MUST follow the default behavior described for its unset state.¶

FFV2_FLAGS_NO_LAYOUTCOMMIT:

When set, the client MAY omit the LAYOUTCOMMIT to the metadata server. When unset, the client MUST send LAYOUTCOMMIT per [RFC8881] Section 18.42.¶

FFV2_FLAGS_NO_IO_THRU_MDS:

When set, the client MUST NOT proxy I/O operations through the metadata server, even after detecting a network disconnect to a storage device. When unset, the client MAY retry failed I/O via the metadata server.¶

FFV2_FLAGS_NO_READ_IO:

When set, the client MUST NOT issue READ against layouts of iomode LAYOUTIOMODE4_RW, and MUST instead request a separate layout of iomode LAYOUTIOMODE4_READ for any read I/O. When unset, the client MAY issue READ against either iomode.¶

FFV2_FLAGS_WRITE_ONE_MIRROR:

When set, the client MAY update only one mirror of each layout segment (see Section 11.1) and rely on the metadata server or a peer data server to propagate the update to the remaining mirrors. When unset, the client MUST update all mirrors.¶

FFV2_FLAGS_ONLY_ONE_WRITER:

When set, the client is the exclusive writer for the layout and MAY issue CHUNK_WRITE without setting cwa_guard, retaining the ability to use CHUNK_ROLLBACK in the event of a write hole caused by overwriting. When unset, the client MUST set cwa_guard on every CHUNK_WRITE so that chunk_guard4 CAS can prevent collisions across concurrent writers.¶

8.11.1. Codec Negotiation

Because the coding-type registry is expected to grow over time (new erasure codes are added, older ones fall out of favour, vendors register private codes; see Section 28), neither clients nor metadata servers are required to implement every registered codec. The protocol uses ffv2_layouthint4 as the negotiation surface:¶

Client-side advertisement:

A client that wishes to influence codec selection SHOULD send the set of codecs it actually implements in fflh_supported_types. A client MUST NOT claim support for a codec it cannot encode or decode: a false advertisement produces silent data unavailability when the resulting layout is issued.¶

Metadata-server selection:

The metadata server SHOULD select a codec from the client's fflh_supported_types list when the server's policy permits. The server MAY override the hint when its policy dictates a specific codec (for example, per-export objectives); in that case the server issues a layout with the policy-dictated codec and the client MUST either honour it or fail its I/O with NFS4ERR_CODING_NOT_SUPPORTED.¶

Fallback when no overlap exists:

If the server's policy cannot be satisfied by any codec the client supports, the server returns NFS4ERR_CODING_NOT_SUPPORTED on the LAYOUTGET. The client MAY retry with a different (possibly empty) fflh_supported _types list to learn the server's codec repertoire through the errors returned, and MAY fall back to I/O via the metadata server if no mutually-supported codec exists (see Section 6.2 for the MDS-I/O fallback).¶

Runtime codec change:

If a metadata server changes its codec policy after layouts have been issued (for example, a deployment upgrade that retires an older codec), the metadata server MUST recall the affected layouts via CB_LAYOUTRECALL and may re-issue new layouts with the new codec. Clients that do not support the new codec LAYOUTRETURN with NFS4ERR_CODING_NOT_SUPPORTED, and the server either grants a layout using a mutually- supported codec or the client falls back to I/O via the metadata server.¶

This mechanism deliberately avoids a separate capability-bit handshake at EXCHANGE_ID. ffv2_layouthint4 already provides per-request negotiation surface; adding a session-level capability set would duplicate it and would complicate codec upgrades without additional value, because a client that genuinely upgrades its codec set at runtime can simply update the fflh_supported_types on its next LAYOUTGET.¶

Note: In Figure 18 ffv2_coding_type_data4 is an enumerated union with the payload of each arm being defined by the protection type. ffm_client_id tells the client which id to use when interacting with the data servers.¶

The ffv2_layout4 structure (see Figure 18) specifies a layout in that portion of the data file described in the current layout segment. It is either a single instance or a set of mirrored copies of that portion of the data file. When mirroring is in effect, it protects against loss of data in layout segments.¶

While not explicitly shown in Figure 18, each layout4 element returned in the logr_layout array of LAYOUTGET4res (see Section 18.43.2 of [RFC8881]) describes a layout segment. Hence, each ffv2_layout4 also describes a layout segment. It is possible that the file is concatenated from more than one layout segment. Each layout segment MAY represent different striping parameters.¶

The ffm_striping_unit_size field (inside each ffv2_mirror4) is the stripe unit size in use for that mirror. The number of stripes is given by the number of elements in ffs_data_servers within each ffv2_stripes4. If the number of stripes is one, then the value for ffm_striping_unit_size MUST default to zero. The mapping scheme (sparse or dense) is selected per mirror by ffm_striping and is detailed in Section 9. Note that there is an assumption here that both the stripe unit size and the number of stripes are the same across all mirrors.¶

The ffl_mirrors field represents an array of state information for each mirrored copy of the current layout segment. Each element is described by a ffv2_mirror4 type.¶

ffv2ds_deviceid provides the deviceid of the storage device holding the data file.¶

ffv2ds_file_info is an array of ffv2_file_info4 structures, each pairing a filehandle (fffi_fh_vers) with a stateid (fffi_stateid). There MUST be exactly as many elements in ffv2ds_file_info as there are in ffda_versions. Each element of the array corresponds to a particular combination of ffdv_version, ffdv_minorversion, and ffdv_tightly_coupled provided for the device. The array allows for server implementations that have different filehandles and stateids for different combinations of version, minor version, and coupling strength. See Section 8.14 for how to handle versioning issues between the client and storage devices.¶

For tight coupling, fffi_stateid provides the stateid to be used by the client to access the file. The metadata server registers fffi_stateid with each tight-coupling-capable storage device via TRUST_STATEID (see Section 6.4) before returning the layout; the storage device validates subsequent CHUNK operations against its trust table.¶

For loose coupling and an NFSv4 storage device, the client MUST use the anonymous stateid to perform I/O on the storage device, because the metadata server stateid has no meaning to a storage device that is not participating in the control protocol. In this case the metadata server MUST set fffi_stateid to the anonymous stateid.¶

For an NFSv3 storage device (ffdv_version = 3), the tight-coupling model does not apply: Section 7.1 requires ffdv_tightly_coupled to be FALSE whenever ffdv_version equals 3, because NFSv3 has no wire encoding for stateids. The corresponding fffi_stateid element in the ffv2ds_file_info array MUST therefore be the anonymous stateid and is unused; an NFSv3 data server uses the synthetic-uid fencing model (see Section 6.2) rather than a stateid-based trust table.¶

This specification of the fffi_stateid restricts both models for NFSv4.x storage protocols:¶

loosely couple

the stateid has to be an anonymous stateid¶

tightly couple

the stateid has to be a global stateid¶

By pairing each fffi_fh_vers with its own fffi_stateid inside ffv2_file_info4, the v2 layout addresses the v1 limitation where a singleton stateid was shared across all filehandles. Each open file on the storage device can now have its own stateid, eliminating the ambiguity present in the v1 structure.¶

For loosely coupled storage devices, ffv2ds_user and ffv2ds_group provide the synthetic user and group to be used in the RPC credentials that the client presents to the storage device to access the data files. For tightly coupled storage devices, the user and group on the storage device will be the same as on the metadata server; that is, if ffdv_tightly_coupled (see Section 7.1) is set, then the client MUST ignore both ffv2ds_user and ffv2ds_group.¶

The allowed values for both ffv2ds_user and ffv2ds_group are specified as owner and owner_group, respectively, in Section 5.9 of [RFC8881]. For NFSv3 compatibility, user and group strings that consist of decimal numeric values with no leading zeros can be given a special interpretation by clients and servers that choose to provide such support. The receiver may treat such a user or group string as representing the same user as would be represented by an NFSv3 uid or gid having the corresponding numeric value. Note that if using Kerberos for security, the expectation is that these values will be a name@domain string.¶

ffv2ds_efficiency describes the metadata server's evaluation as to the effectiveness of each mirror. Note that this is per layout and not per device as the metric may change due to perceived load, availability to the metadata server, etc. Higher values denote higher perceived utility. The way the client can select the best mirror to access is discussed in Section 11.1.1.¶

8.11.2. Error Codes from LAYOUTGET

[RFC8881] provides little guidance as to how the client is to proceed with a LAYOUTGET that returns an error of either NFS4ERR_LAYOUTTRYLATER, NFS4ERR_LAYOUTUNAVAILABLE, and NFS4ERR_DELAY. Within the context of this document:¶

NFS4ERR_LAYOUTUNAVAILABLE

there is no layout available and the I/O is to go to the metadata server. Note that it is possible to have had a layout before a recall and not after.¶

NFS4ERR_LAYOUTTRYLATER

there is some issue preventing the layout from being granted. If the client already has an appropriate layout, it should continue with I/O to the storage devices.¶

NFS4ERR_DELAY

there is some issue preventing the layout from being granted. If the client already has an appropriate layout, it should not continue with I/O to the storage devices.¶

8.11.3. Client Interactions with FF_FLAGS_NO_IO_THRU_MDS

Even if the metadata server provides the FF_FLAGS_NO_IO_THRU_MDS flag, the client can still perform I/O to the metadata server. The flag functions as a hint. The flag indicates to the client that the metadata server prefers to separate the metadata I/O from the data I/ O, most likely for performance reasons.¶

11.1.1. Selecting a Mirror

When the metadata server grants a layout to a client, it MAY let the client know how fast it expects each mirror to be once the request arrives at the storage devices via the ffv2ds_efficiency member. While the algorithms to calculate that value are left to the metadata server implementations, factors that could contribute to that calculation include speed of the storage device, physical memory available to the device, operating system version, current load, etc.¶

However, what should not be involved in that calculation is a perceived network distance between the client and the storage device. The client is better situated for making that determination based on past interaction with the storage device over the different available network interfaces between the two; that is, the metadata server might not know about a transient outage between the client and storage device because it has no presence on the given subnet.¶

As such, it is the client that decides which mirror to access for reading the file. The requirements for writing to mirrored layout segments are presented below.¶

11.1.2. Writing to Mirrors

11.1.3. Metadata Server Resilvering of the File

The metadata server may elect to create a new mirror of the layout segments at any time. This might be to resilver a copy on a storage device that was down for servicing, to provide a copy of the layout segments on storage with different storage performance characteristics, etc. As the client will not be aware of the new mirror and the metadata server will not be aware of updates that the client is making to the layout segments, the metadata server MUST recall the writable layout segment(s) that it is resilvering. If the client issues a LAYOUTGET for a writable layout segment that is in the process of being resilvered, then the metadata server can deny that request with an NFS4ERR_LAYOUTUNAVAILABLE. The client would then have to perform the I/O through the metadata server.¶

11.2.1. Encoding a Data Block

                 +-------------+
                 | data block  |
                 +-------+-----+
                         |
                         |
   +---------------------+-------------------------------+
   |            Erasure Encoding (Transform Forward)     |
   +---+----------------------+---------------------+----+
       |                      |                     |
       |                      |                     |
   +---+------------+     +---+------------+     +--+-------------+
   | HEADER         | ... | HEADER         | ... | HEADER         |
   +----------------+     +----------------+     +----------------+
   | guard:         | ... | guard:         | ... | guard:         |
   |   gen_id   : 3 | ... |   gen_id   : 3 | ... |   gen_id   : 3 |
   |   client_id: 6 | ... |   client_id: 6 | ... |   client_id: 6 |
   | payload_id : 0 | ... | payload_id : M | ... | payload_id : 5 |
   | crc32   :      | ... | crc32   :      | ... | crc32   :      |
   +----------------+     +----------------+     +----------------+
   | CHUNK          | ... | CHUNK          | ... | CHUNK          |
   +----------------+     +----------------+     +----------------+
   | data: ....     | ... | data: ....     | ... | data: ....     |
   +----------------+     +----------------+     +----------------+
     Data Server 1          Data Server N          Data Server 6

Each data block of the file resident in the client's cache of the file will be encoded into N different payloads to be sent to the data servers as shown in Figure 23. As CHUNK_WRITE (see Section 25.10) can encode multiple write_chunk4 into a single transaction, a more accurate description of a CHUNK_WRITE is in Figure 24.¶

  +------------------------------------+
  | CHUNK_WRITEargs                    |
  +------------------------------------+
  | cwa_stateid: 0                     |
  | cwa_offset: 1                      |
  | cwa_stable: FILE_SYNC4             |
  | cwa_payload_id: 0                  |
  | cwa_owner:                         |
  |            co_guard:               |
  |                cg_gen_id   : 3     |
  |                cg_client_id: 6     |
  | cwa_chunk_size  :  1048            |
  | cwa_crc32s:                        |
  |         [0]:  0x32ef89             |
  |         [1]:  0x56fa89             |
  |         [2]:  0x7693af             |
  | cwa_chunks  :  ......              |
  +------------------------------------+

This describes a 3 block write of data from an offset of 1 block in the file. As each block shares the cwa_owner, it is only presented once. I.e., the data server will be able to construct the header for the i'th chunk from the cwa_chunks from the cwa_payload_id, the cwa_owner, and the i'th crc32 from the cw_crc32s. The cwa_chunks are sent together as a byte stream to increase performance.¶

Assuming that there were no issues, Figure 25 illustrates the results. The payload sequence id is implicit in the CHUNK_WRITEargs.¶

  +-------------------------------+
  | CHUNK_WRITEresok              |
  +-------------------------------+
  | cwr_count: 3                  |
  | cwr_committed: FILE_SYNC4     |
  | cwr_writeverf: 0xf1234abc     |
  | cwr_owners[0]:                |
  |        co_chunk_id: 1         |
  |        co_guard:              |
  |            cg_gen_id   : 3    |
  |            cg_client_id: 6    |
  | cwr_owners[1]:                |
  |        co_chunk_id: 2         |
  |        co_guard:              |
  |            cg_gen_id   : 3    |
  |            cg_client_id: 6    |
  | cwr_owners[2]:                |
  |        co_chunk_id: 3         |
  |        co_guard:              |
  |            cg_gen_id   : 3    |
  |            cg_client_id: 6    |
  +-------------------------------+

  +---+----------------+
  | HEADER             |
  +--------------------+
  | guard:             |
  |   gen_id   : 7     |
  |   client_id: 6     |
  | payload_id : 0     |
  | crc32   : 0        |
  +--------------------+
  | CHUNK              |
  +--------------------+
  | data:  ....        |
  +--------------------+
        Data Server 1

  +------------------------------------+
  | CHUNK_WRITEargs                    |
  +------------------------------------+
  | cwa_stateid: 0                     |
  | cwa_offset: 1                      |
  | cwa_stable: FILE_SYNC4             |
  | cwa_payload_id: 0                  |
  | cwa_owner:                         |
  |            co_guard:               |
  |                cg_gen_id   : 7     |
  |                cg_client_id: 6     |
  | cwa_chunk_size  :  1048            |
  | cwa_crc32s:                        |
  |         [0]:  0x21de8              |
  | cwa_chunks  :  ......              |
  +------------------------------------+

11.2.2. Decoding a Data Block

    Data Server 1          Data Server N          Data Server 6
  +----------------+     +----------------+     +----------------+
  | HEADER         | ... | HEADER         | ... | HEADER         |
  +----------------+     +----------------+     +----------------+
  | guard:         | ... | guard:         | ... | guard:         |
  |   gen_id   : 3 | ... |   gen_id   : 3 | ... |   gen_id   : 3 |
  |   client_id: 6 | ... |   client_id: 6 | ... |   client_id: 6 |
  | payload_id : 0 | ... | payload_id : M | ... | payload_id : 5 |
  | crc32   :      | ... | crc32   :      | ... | crc32   :      |
  +----------------+     +----------------+     +----------------+
  | CHUNK          | ... | CHUNK          | ... | CHUNK          |
  +----------------+     +----------------+     +----------------+
  | data: ....     | ... | data: ....     | ... | data: ....     |
  +---+------------+     +--+-------------+     +-+--------------+
      |                     |                     |
      |                     |                     |
  +---+---------------------+---------------------+-----+
  |            Erasure Decoding (Transform Reverse)     |
  +---------------------+-------------------------------+
                        |
                        |
                +-------+-----+
                | data block  |
                +-------------+

When reading chunks via a CHUNK_READ operation, the client will decode them into data blocks as shown in Figure 28.¶

At this time, the client could detect issues in the integrity of the data. The handling and repair are out of the scope of this document and MUST be addressed in the document describing each erasure coding type.¶

  +------------------------------------+
  | CHUNK_READresok                    |
  +------------------------------------+
  | crr_eof: false                     |
  | crr_chunks[0]:                     |
  |        cr_crc: 0x21de8             |
  |        cr_owner:                   |
  |            co_guard:               |
  |                cg_gen_id   : 7     |
  |                cg_client_id: 6     |
  |        cr_chunk  :  ......         |
  +------------------------------------+

  +---+----------------+
  | HEADER             |
  +--------------------+
  | guard:             |
  |   gen_id   : 7     |
  |   client_id: 6     |
  | payload_id  : 0    |
  | crc32    : 0       |
  +--------------------+
  | CHUNK              |
  +--------------------+
  | data:  ....        |
  +--------------------+
       Data Server 1

11.2.3. Write Modes

There are two basic writing modes for erasure coding and they depend on the metadata server using FFV2_FLAGS_ONLY_ONE_WRITER in the ffl_flags in the ffv2_layout4 (see Figure 18) to inform the client whether it is the only writer to the file or not. If it is the only writer, then CHUNK_WRITE with the cwa_guard not set can be used to write chunks. In this scenario, there is no write contention, but write holes can occur as the client overwrites old data. Thus the client does not need guarded writes, but it does need the ability to rollback writes. If it is not the only writer, then CHUNK_WRITE with the cwa_guard set MUST be used to write chunks. In this scenario, the write holes can also be caused by multiple clients writing to the same chunk. Thus the client needs guarded writes to prevent over writes and it does need the ability to rollback writes.¶

In both modes, clients MUST NOT overwrite payloads which already contain inconsistency. This directly follows from Section 11.2.7 and MUST be handled as discussed there. Once consistency in the payload has been detected, the client can use those chunks as a basis for read/modify/update.¶

CHUNK_WRITE is a two pass operation in cooperation with CHUNK_FINALIZE (Section 25.3) and CHUNK_ROLLBACK (Section 25.8). It writes to the data file and the data server is responsible for retaining a copy of the old header and chunk. A subsequent CHUNK_READ would return the new chunk. However, until either the CHUNK_FINALIZE or CHUNK_ROLLBACK is presented, a subsequent CHUNK_WRITE MUST result in the locking of the chunk, as if a CHUNK_LOCK (Section 25.5) had been performed on the chunk. As such, further CHUNK_WRITES by any client MUST be denied until the chunk is unlocked by CHUNK_UNLOCK (Section 25.9).¶

If the CHUNK_WRITE results in a consistent data block, then the client will send a CHUNK_FINALIZE in a subsequent compound to inform the data server that the chunk is consistent and can be overwritten by another CHUNK_WRITE.¶

If the CHUNK_WRITE results in an inconsistent data block, or if the data server returns NFS4ERR_CHUNK_LOCKED, the client reports the condition to the metadata server via LAYOUTERROR with an error code of NFS4ERR_PAYLOAD_NOT_CONSISTENT.¶

11.2.4. Selecting the Repair Client

The repair topology involves three actors communicating along distinct paths, as shown in Figure 31.¶

     +------------+              +----------------+
     | Reporting  |              |                |
     | client     | ----(1)----> |    Metadata    |
     | (detects   | LAYOUTERROR  |    server      |
     |  error)    |              |                |
     +------------+              +----------------+
                                   |        ^  ^
                                   | (2a)   |  |
                                   |        |  |
                           +-------+--+  (2b) (3)
                           |          |  |   |
                 CB_CHUNK_REPAIR      |   |  |
                 (RACE or SCRUB)      |   |  |
                                   |   |   |  |
                                   v   |   |  |
     +-------------+           +--------+-------------+
     |  Repair     | ----(4)-> |                      |
     |  client     |  CHUNK_   |    Data servers      |
     |  (selected  |  LOCK_    |    (mirror set for   |
     |   by MDS)   |  ADOPT,   |    affected ranges)  |
     |             |  CHUNK_   |                      |
     |             |  WRITE_   +----------------------+
     |             |  REPAIR,
     |             |  CHUNK_
     |             |  FINALIZE,
     |             |  CHUNK_
     |             |  COMMIT,
     |             |  CHUNK_
     |             |  REPAIRED
     +-------------+

     (1) Reporter LAYOUTERRORs the MDS.
     (2a) MDS selects a repair client (may be same as reporter).
     (2b) MDS escrows the chunk lock and issues CB_CHUNK_REPAIR.
     (3)  Repair client adopts the lock and drives the repair.
     (4)  Repair client issues CHUNK_* ops against the mirror set.

The metadata server is the authority that selects which client (or, in a tightly coupled deployment, which data server) repairs an inconsistent payload. This is analogous to the way the metadata server assigns per-mirror priority via ffv2ds_efficiency (see Section 11.1.1): the protocol does not prescribe the selection algorithm, and each deployment MAY tune its policy.¶

Implementations MAY consider factors such as:¶

• Whether a client holds an active write layout on the affected payload (the client most likely to hold surviving shards in cache).¶

• Whether a client has previously reported consistent shards to the metadata server via LAYOUTSTATS or a prior LAYOUTERROR.¶

• Whether the layout exposes a data server carrying FFV2_DS_FLAGS_REPAIR as a target for reconstructed shards.¶

• Network proximity, observed latency, or recent client load -- the same class of information that informs ffv2ds_efficiency.¶

The selection algorithm is not normative. What is normative is that every client MUST be prepared to:¶

1. Receive a repair request for a payload that the client does not have an outstanding write layout on, and did not write; and¶

2. Continue its own workload after reporting NFS4ERR_PAYLOAD_NOT_CONSISTENT without itself being selected to repair the payload it reported.¶

The metadata server signals the selected client via the CB_CHUNK_REPAIR callback (Section 26.1), which identifies the file, the affected ranges (each with its own triggering nfsstat4), and a wall-clock deadline. A client that receives CB_CHUNK_REPAIR for a file for which it does not already hold a layout MUST acquire a layout via LAYOUTGET before attempting the repair.¶

Operational expectations for CB_CHUNK_REPAIR: CB_CHUNK_REPAIR is an exceptional path, triggered only by concurrent-writer races or data-server failures. It is not a steady-state operation and its frequency is a function of racing-writer and data-server-failure rates in the deployment rather than of normal client workload. Implementations SHOULD treat the CB_CHUNK_REPAIR handler as rare-path code and avoid over-optimising it. Implementations SHOULD, however, provision enough client-side compute to handle a repair transaction without stalling their foreground I/O, because foreground throughput during repair is the externally observable cost of this callback.¶

11.2.5. Repair Protocol: Normative vs. Informative

The selection algorithm is non-normative and deployment-tunable. The externally-observable state transitions of the repair flow are normative. The line between the two is drawn at what another party on the wire -- the metadata server, another client, a reader -- can observe. What no other party can see (client-internal ordering, retry policy, whether to CHUNK_READ first to confirm the failure) is left to implementations.¶

The following requirements are normative. An implementation that violates any of these can leak inconsistency or write-holes into the cluster:¶

1. Final state flat. Every shard in every range identified in a CB_CHUNK_REPAIR MUST reach either the COMMITTED state (repaired) or the EMPTY state (rolled back). No shard is left in PENDING or FINALIZED indefinitely.¶

2. Lock before write. The repair client MUST adopt the lock on every affected range via CHUNK_LOCK with CHUNK_LOCK_FLAGS_ADOPT (Section 25.5) before issuing any CHUNK_WRITE_REPAIR, CHUNK_ROLLBACK, or CHUNK_WRITE on a chunk in that range. The lock on the affected chunks is held continuously from the failure that triggered CB_CHUNK_REPAIR through the adoption; at no point is the range unlocked.¶

3. Clear the errored state. On the reconstruction path, the repair client MUST issue CHUNK_REPAIRED (Section 25.7) after CHUNK_COMMIT. Without it, readers continue to see holes regardless of on-disk state.¶

4. Release locks explicitly. CHUNK_ROLLBACK does not release chunk locks. On the rollback path the client MUST issue CHUNK_UNLOCK (Section 25.9) on each affected chunk. A client that walks away without either completing CHUNK_REPAIRED or issuing CHUNK_UNLOCK holds the locks until lease expiry, blocking progress for other writers.¶

5. Deadline honored. The client MUST drive every range to its final flat state before ccra_deadline, or MUST respond to the CB_CHUNK_REPAIR with NFS4ERR_DELAY (requesting an extension), NFS4ERR_CODING_NOT_SUPPORTED (declining), or NFS4ERR_PAYLOAD_LOST (declaring the data unrecoverable). A deadline that elapses without any of these leaves the metadata server free to re-select; the client MUST NOT continue repair-related CHUNK operations after the deadline without first re-verifying its layout and the chunk lock state.¶

6. Terminal return codes. NFS4ERR_CODING_NOT_SUPPORTED MUST mean "decline; select another client." NFS4ERR_PAYLOAD_LOST MUST mean "the data is not recoverable; do not retry." The metadata server relies on these to decide whether to re-issue.¶

The following aspects are informative / implementation-defined:¶

• Choice between the reconstruction path (CHUNK_WRITE_REPAIR) and the rollback path (CHUNK_ROLLBACK) on a given range. The protocol MUST support both; the client MAY use either based on its local state and whether reconstruction is feasible from surviving shards.¶

• Ordering among multiple affected ranges in a single CB_CHUNK_REPAIR (parallel or serial).¶

• Whether to issue CHUNK_READ to confirm the failure mode before reconstructing.¶

• Retry policy on transient CHUNK_WRITE_REPAIR errors below the deadline cutoff.¶

• How the repair status is surfaced to local filesystem API callers.¶

11.2.6. Carrying Out the Repair

With the normative framing above, the reconstruction path is:¶

1. CHUNK_LOCK with CHUNK_LOCK_FLAGS_ADOPT on each affected range (Section 25.5).¶

2. CHUNK_WRITE_REPAIR (Section 25.11) with the reconstructed data for each inconsistent shard. The client's chunk_owner4 on this and all subsequent operations is the one it presented in the CHUNK_LOCK ADOPT above; prior owners' generation ids are now historical.¶

3. CHUNK_FINALIZE (Section 25.3) and CHUNK_COMMIT (Section 25.1) to persist the repaired shards.¶

4. CHUNK_REPAIRED (Section 25.7) to clear the errored state.¶

The rollback path, when reconstruction is not possible:¶

1. CHUNK_LOCK with CHUNK_LOCK_FLAGS_ADOPT on each affected range.¶

2. CHUNK_ROLLBACK (Section 25.8) on each affected shard to restore the previously committed content.¶

3. CHUNK_UNLOCK (Section 25.9) on each shard.¶

In both paths, the repair client SHOULD target reconstructed shards according to the following fallback order: first, any data server in the layout carrying FFV2_DS_FLAGS_REPAIR; then the data server that reported the failure (the one carrying the failing shard at the range identified by ccr_offset and ccr_count in the CB_CHUNK_REPAIR argument); then, if both of the above are unreachable, a data server carrying FFV2_DS_FLAGS_SPARE. If none of the above are available, the client MUST return NFS4ERR_PAYLOAD_LOST on the CB_CHUNK_REPAIR response.¶

11.2.7. Reading Chunks

The client reads chunks from the data file via CHUNK_READ. The number of chunks in the payload that need to be consistent depend on both the Erasure Coding Type and the level of protection selected. If the client has enough consistent chunks in the payload, then it can proceed to use them to build a data block. If it does not have enough consistent chunks in the payload, then it can either decide to return a LAYOUTERROR of NFS4ERR_PAYLOAD_NOT_CONSISTENT to the metadata server or it can retry the CHUNK_READ until there are enough consistent chunks in the payload.¶

As another client might be writing to the chunks as they are being read, it is entirely possible to read the chunks while they are not consistent. As such, it might even be the non-consistent chunks which contain the new data and a better action than building the data block is to retry the CHUNK_READ to see if new chunks are overwritten.¶

11.2.8. Whole File Repair

Whole-file repair is the case in which too many data servers have failed, or too many chunks have been lost, for the per-range repair flow defined in Section 11.2.4 to reconstruct the file in place. In this case the metadata server MUST either:¶

1. Construct a new layout backed by replacement data servers and drive the reconstruction via the Data Mover mechanism (a designated data server acts as the source of truth for client I/O during the transition, pushing reconstructed content to the replacement data servers in the background). The Data Mover mechanism also covers the non-repair cases where a file's layout must change while remaining available to clients -- policy- driven layout transitions, data server maintenance evacuation, administrative ingest, TLS coverage transition, and filehandle-backend migration.¶

2. If the metadata server has no data-mover-capable data server available, or the surviving shards are insufficient to reconstruct any portion of the file, terminate the affected byte ranges with NFS4ERR_PAYLOAD_LOST (see Section 21.1.5).¶

The Data Mover mechanism is work in progress and is specified in a companion document. The current design is maintained at https://github.com/ietf-wg-nfsv4/flexfiles-v2-data-mover. Once the mechanism is submitted as an Internet-Draft, this section will be updated with a normative reference to that draft.¶

Implementations that do not support the Data Mover mechanism can still perform recovery for cases where per-range repair suffices, using CB_CHUNK_REPAIR (Section 26.1) and the repair client selection rules in Section 11.2.4. Such implementations will surface NFS4ERR_PAYLOAD_LOST on any failure that exceeds per-range repair's reach, including the multi-data- server failure scenarios the Data Mover mechanism is intended to handle.¶

11.4.1. Overview

Reed-Solomon (RS) codes are Maximum Distance Separable (MDS) codes: for a (k+m, k) code, any k of the k+m encoded shards suffice to recover the original data. The code tolerates the simultaneous loss of up to m shards. [Plank97] is a tutorial treatment of RS coding in RAID-like systems and is the recommended background reading for implementers unfamiliar with the construction used here.¶

11.4.2. Galois Field Arithmetic

All RS operations are performed over GF(2^8), the Galois field with 256 elements. Each element is represented as a byte.¶

Irreducible Polynomial

The field is constructed using the irreducible polynomial x^8 + x^4 + x^3 + x^2 + 1 (0x11d in hexadecimal). The primitive element (generator) is g = 2, which has multiplicative order 255.¶

Addition

Addition in GF(2^8) is bitwise XOR.¶

Multiplication

Multiplication uses log/antilog tables. For non-zero elements a and b: a * b = exp(log(a) + log(b)), where the exp table is doubled to 512 entries to avoid modular reduction on the index sum.¶

These are the classical constructions from Berlekamp (1968) and Peterson & Weldon (1972). The log/antilog table approach for GF(2^8) multiplication predates all known patents on SIMD-accelerated GF arithmetic. Implementors considering SIMD acceleration of GF(2^8) operations should be aware of US Patent 8,683,296 (StreamScale), which covers certain SIMD-based GF multiplication techniques.¶

11.4.3. Encoding Matrix

The encoding process uses a (k+m) x k Vandermonde matrix, normalized so that its top k rows form the identity matrix:¶

1. Construct a (k+m) x k Vandermonde matrix V where V[i][j] = j^i in GF(2^8).¶

2. Extract the top k x k sub-matrix T from V.¶

3. Compute T_inv = T^(-1) using Gaussian elimination in GF(2^8).¶

4. Multiply: E = V * T_inv. The result has an identity block on top (rows 0 through k-1) and the parity generation matrix P on the bottom (rows k through k+m-1).¶

The identity block makes the code systematic: data shards pass through unchanged, and only the parity sub-matrix P is needed during encoding.¶

11.4.4. Encoding

Given k data shards, each of shard_len bytes, encoding produces m parity shards, each also shard_len bytes:¶

For each byte position j in [0, shard_len):
  For each parity shard i in [0, m):
    parity[i][j] = sum over s in [0, k) of P[i][s] * data[s][j]

where the sum and product are in GF(2^8). All shards (data and parity) are the same size.¶

11.4.5. Decoding

When one or more shards are lost (up to m), reconstruction proceeds by matrix inversion:¶

1. Select k available shards (from the k+m total).¶

2. Form a k x k sub-matrix S of the encoding matrix E by selecting the rows corresponding to the available shards.¶

3. Compute S_inv = S^(-1) using Gaussian elimination in GF(2^8).¶

4. Multiply S_inv by the vector of available shard data at each byte position to recover the original k data shards.¶

5. If any parity shards are also missing, regenerate them by re-encoding from the recovered data shards.¶

The reconstruction cost is dominated by the matrix inversion, which is O(k^2) in GF(2^8) multiplications.¶

11.4.6. RS Interoperability Requirements

For two implementations of FFV2_ENCODING_RS_VANDERMONDE to interoperate, they MUST agree on all of the following parameters. Any deviation produces a different encoding matrix and renders data unrecoverable by a different implementation.¶

• Irreducible polynomial: x^8 + x^4 + x^3 + x^2 + 1 (0x11d)¶

• Primitive element: g = 2¶

• Vandermonde evaluation points: V[i][j] = j^i in GF(2^8)¶

• Matrix normalization: E = V * (V[0..k-1])^(-1)¶

These four parameters fully determine the encoding matrix for any (k, m) configuration.¶

11.4.7. RS Shard Sizes

All RS shards (data and parity) are exactly shard_len bytes. This simplifies the CHUNK operation protocol: chunk_size is exactly the shard size for all mirrors.¶

11.5.1. Overview

The Mojette Transform is an erasure coding technique based on discrete geometry rather than algebraic field operations. It computes 1D projections of a 2D grid along selected directions. Given enough projections, the original grid can be reconstructed exactly.¶

The transform operates on unsigned integer elements using modular addition. The element size is an implementation choice: 128-bit elements leverage SSE SIMD instructions; 64-bit elements are compatible with NEON and AVX2 vector widths. No Galois field operations are required.¶

11.5.2. Grid Structure

Data is arranged as a P x Q grid of unsigned integer elements, where P is the number of columns and Q is the number of rows. For k data shards of S bytes each with W-byte elements:¶

P = S / W       (columns per row)
Q = k           (rows = data shards)

11.5.3. Directions

A direction is a pair of coprime integers (p_i, q_i). Implementations SHOULD use q_i = 1 for all directions [PARREIN]. For n = k + m total shards, n directions are generated with non-zero p values symmetric around zero:¶

• For n = 4: p = {-2, -1, 1, 2}¶

• For n = 6: p = {-3, -2, -1, 1, 2, 3}¶

11.5.4. Forward Transform (Encoding)

For each direction (p_i, q_i), the forward transform computes a 1D projection. Each bin sums the grid elements along a discrete line:¶

Projection(b, p, q) = SUM over all (row, col) where
                       col * p - row * q + offset = b
                       of Grid[row][col]

The number of bins B in a projection is:¶

B(p, q, P, Q) = |p| * (Q - 1) + |q| * (P - 1) + 1

For q = 1, this simplifies to:¶

B = abs(p) * (Q - 1) + P

The byte size of the projection is B * W.¶

11.5.5. Katz Reconstruction Criterion

Reconstruction is possible if and only if the Katz criterion [KATZ] holds:¶

SUM(i=1..n) |q_i| >= Q    OR    SUM(i=1..n) |p_i| >= P

When all q_i = 1, the q-sum simplifies to n >= Q.¶

11.5.6. Inverse Transform (Decoding)

The inverse uses the corner-peeling algorithm:¶

1. Count how many unknown elements contribute to each bin.¶

2. Find any bin with exactly one contributor (singleton).¶

3. Recover the element, subtract from all projections.¶

4. Repeat until all elements are recovered.¶

The algorithm is O(n * P * Q).¶

11.5.7. Systematic Mojette

In the systematic form (FFV2_ENCODING_MOJETTE_SYSTEMATIC), the first k shards are the original data rows and the remaining m shards are projections. Healthy reads require no decoding.¶

Reconstruction of missing data rows proceeds via the corner-peeling algorithm of [NORMAND]:¶

1. Load available parity projections.¶

2. Subtract contributions of present data rows (residual).¶

3. Corner-peel the residual to recover missing rows.¶

Reconstruction cost is O(m * k) -- a fundamental advantage over RS at wide geometries (k >= 8).¶

11.5.8. Non-Systematic Mojette

In the non-systematic form (FFV2_ENCODING_MOJETTE_NON_SYSTEMATIC), all k + m shards are projections. Every read requires the full inverse transform. This provides constant performance regardless of failure count, but at higher baseline read cost than systematic.¶

11.5.9. Mojette Shard Sizes

Unlike RS, Mojette parity shard sizes vary by direction:¶

When using CHUNK operations, the chunk_size is a nominal stride; the last chunk in a parity shard MAY be shorter than the stride.¶

13.2.1. Session and Identity Plumbing

Required for all protection modes:¶

• SEQUENCE, PUTFH, GETFH, PUTROOTFH ([RFC8881] Sections 18.46, 18.19, 18.8, 18.21).¶

• EXCHANGE_ID, CREATE_SESSION, DESTROY_SESSION, BIND_CONN_TO_SESSION, DESTROY_CLIENTID ([RFC8881] Sections 18.35, 18.36, 18.37, 18.34, 18.50).¶

• RECLAIM_COMPLETE ([RFC8881] Section 18.51).¶

• SECINFO, SECINFO_NO_NAME ([RFC8881] Sections 18.29, 18.45): discovery of acceptable security flavours on the data server.¶

These operations are baseline NFSv4.2 session plumbing and are supported on data files as on any NFSv4.2 file.¶

13.2.2. GETATTR on a Data File

GETATTR MAY be issued by a client against a data file. The primary use case is repair: a repair client selected by CB_CHUNK_REPAIR (Section 26.1) may need to query the per-server file size or allocation state when reconstructing a payload, and the data mover described informally in Section 12.2 similarly benefits from attribute queries on surviving mirrors. Diagnostic use is also permitted.¶

Clients MUST NOT treat GETATTR values returned by a data server as authoritative for any file attribute (size, timestamps, owner, mode, ACL, and so on). The metadata server is the sole authority for file attributes. Values returned by a data server reflect the per-server data file instance only and MAY diverge from the metadata server's view, particularly during a write layout's lifetime or during a Data Mover transition. A client that uses a data-server GETATTR result to determine the file's visible size will observe inconsistencies.¶

13.2.3. SETATTR on a Data File

Clients MUST NOT issue SETATTR against a data file. A data server MUST reject a client SETATTR with NFS4ERR_NOTSUPP.¶

Attribute changes on data files MUST be reconciled with the metadata server's view and cannot be applied unilaterally by a client. A client that wants to truncate, change the mode, change ownership, or otherwise modify attributes on a file MUST issue SETATTR to the metadata server for the file's MDS handle; the metadata server fans the change out to the data files as a control-plane operation.¶

This rule explicitly covers truncate (SETATTR with size in the bitmap): a client MUST NOT truncate a data file directly. Similarly, a client MUST NOT issue DEALLOCATE against a data file; see the next subsection.¶

13.2.4. Mirrored Data Files (FFV2_CODING_MIRRORED)

For a mirror whose ffm_coding_type_data is FFV2_CODING_MIRRORED (see Section 8.8), client operations on the data file follow the same pattern as the File Layout Type in [RFC8881] Section 13.6 and the Flex Files v1 Layout Type in [RFC8435]:¶

Required:¶

• READ ([RFC8881] Section 18.22).¶

• WRITE ([RFC8881] Section 18.32).¶

• COMMIT ([RFC8881] Section 18.3).¶

Optional (the client MAY send, and the data server MAY support):¶

• READ_PLUS ([RFC7862] Section 15.10): hole-aware reads.¶

• SEEK ([RFC7862] Section 15.11): hole and data detection.¶

• ALLOCATE ([RFC7862] Section 15.1): space reservation hint.¶

The client MUST NOT send:¶

• DEALLOCATE ([RFC7862] Section 15.4): hole punching is a metadata-server responsibility; the client issues DEALLOCATE on the metadata-server filehandle, and the metadata server fans out to the data servers as a control-plane operation.¶

13.2.5. Erasure-Coded Data Files (FFV2ENCODING*)

For a mirror whose ffm_coding_type_data is any of the erasure- coding types defined in this document (FFV2ENCODING_MOJETTE_SYSTEMATIC, FFV2_ENCODING_MOJETTE_NON_SYSTEMATIC, FFV2_ENCODING_RS_VANDERMONDE), client operations use the CHUNK* operations rather than READ / WRITE / COMMIT.¶

Required for all erasure-coded clients:¶

• CHUNK_WRITE (Section 25.10).¶

• CHUNK_READ (Section 25.6).¶

• CHUNK_FINALIZE (Section 25.3).¶

• CHUNK_COMMIT (Section 25.1).¶

• CHUNK_HEADER_READ (Section 25.4).¶

• CHUNK_LOCK (Section 25.5) and CHUNK_UNLOCK (Section 25.9).¶

• CHUNK_ROLLBACK (Section 25.8).¶

Required for clients that participate in repair:¶

• CHUNK_ERROR (Section 25.2).¶

• CHUNK_REPAIRED (Section 25.7).¶

• CHUNK_WRITE_REPAIR (Section 25.11).¶

Clients MUST NOT send:¶

• READ, WRITE, COMMIT against an erasure-coded data file. A data server MUST reject these with NFS4ERR_NOTSUPP and MAY log the client for operator attention; this case is almost always a client bug in which the client did not inspect the mirror's ffm_coding_type_data before issuing I/O.¶

• READ_PLUS, SEEK, ALLOCATE, DEALLOCATE against an erasure- coded data file. Chunk-level allocation is a metadata-server responsibility.¶

13.2.6. Operations That MUST NOT Be Sent to a Data File

Clients MUST NOT send the following operations to a data server on a data file, regardless of protection mode. A data server MUST return NFS4ERR_NOTSUPP:¶

• OPEN, CLOSE, OPEN_DOWNGRADE, OPEN_CONFIRM ([RFC8881] Sections 18.16, 18.2, 18.18, 18.20). Opens occur on the metadata server; the stateid obtained there is used on the data path.¶

• LOCK, LOCKU, LOCKT, RELEASE_LOCKOWNER ([RFC8881] Sections 18.10, 18.11, 18.13, 18.24). Byte-range locks on data files are not supported; erasure-coded files use CHUNK_LOCK, and mirrored files rely on metadata-server coordination.¶

• DELEGPURGE, DELEGRETURN, WANT_DELEGATION ([RFC8881] Sections 18.5, 18.6 and [RFC7862] Section 15.3). Delegations are issued by the metadata server.¶

• Any operation whose purpose is to manipulate the file's namespace: RENAME, LINK, SYMLINK, CREATE (at the file- creation use, not MDS runway creation), REMOVE. Namespace operations belong on the metadata server.¶

• Any ACL-scoped SETATTR or GETATTR bit (FATTR4_ACL, FATTR4_DACL, FATTR4_SACL). Access control on data files is delegated to the metadata server.¶

• CLONE, COPY, COPY_NOTIFY, OFFLOAD_CANCEL, OFFLOAD_STATUS ([RFC7862] Sections 15.13, 15.2, 15.3, 15.8, 15.9). File-level data migration is a metadata-server responsibility.¶

• LAYOUTGET, LAYOUTCOMMIT, LAYOUTRETURN, LAYOUTSTATS, LAYOUTERROR, GETDEVICEINFO, GETDEVICELIST ([RFC8881] Sections 18.43, 18.42, 18.44, [RFC7862] Sections 15.7, 15.6, [RFC8881] Sections 18.40, 18.41). Layout operations belong on the metadata server.¶

• TRUST_STATEID, REVOKE_STATEID, BULK_REVOKE_STATEID (Section 25.12, Section 25.13, Section 25.14). These are MDS-to-DS control-plane operations; a data server rejects them with NFS4ERR_PERM when received on a client session (see Section 6.4.2).¶

14.1.1. ff_ioerr4

   /// struct ffv2_ioerr4 {
   ///         offset4        ffie_offset;
   ///         length4        ffie_length;
   ///         stateid4       ffie_stateid;
   ///         device_error4  ffie_errors<>;
   /// };
   ///

Recall that [RFC7862] defines device_error4 as in Figure 36:¶

   struct device_error4 {
           deviceid4       de_deviceid;
           nfsstat4        de_status;
           nfs_opnum4      de_opnum;
   };

The ff_ioerr4 structure is used to return error indications for data files that generated errors during data transfers. These are hints to the metadata server that there are problems with that file. For each error, ffie_errors.de_deviceid, ffie_offset, and ffie_length represent the storage device and byte range within the file in which the error occurred; ffie_errors represents the operation and type of error. The use of device_error4 is described in Section 15.6 of [RFC7862].¶

Even though the storage device might be accessed via NFSv3 and reports back NFSv3 errors to the client, the client is responsible for mapping these to appropriate NFSv4 status codes as de_status. Likewise, the NFSv3 operations need to be mapped to equivalent NFSv4 operations.¶

14.2.1. ff_io_latency4

   /// struct ffv2_io_latency4 {
   ///         uint64_t       ffil_ops_requested;
   ///         uint64_t       ffil_bytes_requested;
   ///         uint64_t       ffil_ops_completed;
   ///         uint64_t       ffil_bytes_completed;
   ///         uint64_t       ffil_bytes_not_delivered;
   ///         nfstime4       ffil_total_busy_time;
   ///         nfstime4       ffil_aggregate_completion_time;
   /// };
   ///

Both operation counts and bytes transferred are kept in the ff_io_latency4 (see Figure 37. As seen in ff_layoutupdate4 (see Section 14.2.2), READ and WRITE operations are aggregated separately. READ operations are used for the ff_io_latency4 ffl_read. Both WRITE and COMMIT operations are used for the ff_io_latency4 ffl_write. "Requested" counters track what the client is attempting to do, and "completed" counters track what was done. There is no requirement that the client only report completed results that have matching requested results from the reported period.¶

ffil_bytes_not_delivered is used to track the aggregate number of bytes requested but not fulfilled due to error conditions. ffil_total_busy_time is the aggregate time spent with outstanding RPC calls. ffil_aggregate_completion_time is the sum of all round-trip times for completed RPC calls.¶

In Section 3.3.1 of [RFC8881], the nfstime4 is defined as the number of seconds and nanoseconds since midnight or zero hour January 1, 1970 Coordinated Universal Time (UTC). The use of nfstime4 in ff_io_latency4 is to store time since the start of the first I/O from the client after receiving the layout. In other words, these are to be decoded as duration and not as a date and time.¶

Note that LAYOUTSTATS are cumulative, i.e., not reset each time the operation is sent. If two LAYOUTSTATS operations for the same file and layout stateid originate from the same NFS client and are processed at the same time by the metadata server, then the one containing the larger values contains the most recent time series data.¶

14.2.2. ff_layoutupdate4

   /// struct ffv2_layoutupdate4 {
   ///         netaddr4         ffl_addr;
   ///         nfs_fh4          ffl_fhandle;
   ///         ffv2_io_latency4 ffl_read;
   ///         ffv2_io_latency4 ffl_write;
   ///         nfstime4         ffl_duration;
   ///         bool             ffl_local;
   /// };
   ///

ffl_addr differentiates which network address the client is connected to on the storage device. In the case of multipathing, ffl_fhandle indicates which read-only copy was selected. ffl_read and ffl_write convey the latencies for both READ and WRITE operations, respectively. ffl_duration is used to indicate the time period over which the statistics were collected. If true, ffl_local indicates that the I/O was serviced by the client's cache. This flag allows the client to inform the metadata server about "hot" access to a file it would not normally be allowed to report on.¶

14.2.3. ff_iostats4

   /// struct ffv2_iostats4 {
   ///         offset4            ffis_offset;
   ///         length4            ffis_length;
   ///         stateid4           ffis_stateid;
   ///         io_info4           ffis_read;
   ///         io_info4           ffis_write;
   ///         deviceid4          ffis_deviceid;
   ///         ffv2_layoutupdate4 ffis_layoutupdate;
   /// };
   ///

[RFC7862] defines io_info4 as in Figure 39.¶

   struct io_info4 {
           uint64_t        ii_count;
           uint64_t        ii_bytes;
   };

With pNFS, data transfers are performed directly between the pNFS client and the storage devices. Therefore, the metadata server has no direct knowledge of the I/O operations being done and thus cannot create on its own statistical information about client I/O to optimize the data storage location. ff_iostats4 MAY be used by the client to report I/O statistics back to the metadata server upon returning the layout.¶

Since it is not feasible for the client to report every I/O that used the layout, the client MAY identify "hot" byte ranges for which to report I/O statistics. The definition and/or configuration mechanism of what is considered "hot" and the size of the reported byte range are out of the scope of this document. For client implementation, providing reasonable default values and an optional run-time management interface to control these parameters is suggested. For example, a client can define the default byte-range resolution to be 1 MB in size and the thresholds for reporting to be 1 MB/second or 10 I/O operations per second.¶

For each byte range, ffis_offset and ffis_length represent the starting offset of the range and the range length in bytes. ffis_read.ii_count, ffis_read.ii_bytes, ffis_write.ii_count, and ffis_write.ii_bytes represent the number of contiguous READ and WRITE I/Os and the respective aggregate number of bytes transferred within the reported byte range.¶

The combination of ffis_deviceid and ffl_addr uniquely identifies both the storage path and the network route to it. Finally, ffl_fhandle allows the metadata server to differentiate between multiple read-only copies of the file on the same storage device.¶

21.1.1. NFS4ERR_CODING_NOT_SUPPORTED (Error Code 10097)

The client requested a ffv2_coding_type4 which the metadata server does not support. I.e., if the client sends a layout_hint requesting an erasure coding type that the metadata server does not support, this error code can be returned. The client might have to send the layout_hint several times to determine the overlapping set of supported erasure coding types.¶

21.1.2. NFS4ERR_PAYLOAD_NOT_CONSISTENT (Error Code 10098)

The client encountered a payload in which the blocks were inconsistent and stays inconsistent. As the client can not tell if another client is actively writing, it informs the metadata server of this error via LAYOUTERROR. The metadata server can then arrange for repair of the file.¶

21.1.3. NFS4ERR_CHUNK_LOCKED (Error Code 10099)

The client tried an operation on a chunk which resulted in the data server reporting that the chunk was locked. The client will then inform the metadata server of this error via LAYOUTERROR. The metadata server can then arrange for repair of the file.¶

21.1.4. NFS4ERR_CHUNK_GUARDED (Error Code 10100)

The client tried a guarded CHUNK_WRITE on a chunk which did not match the guard on the chunk in the data file. As such, the CHUNK_WRITE was rejected and the client should refresh the chunk it has cached.¶

21.1.5. NFS4ERR_PAYLOAD_LOST (Error Code 10101)

Returned by a repair client on the CB_CHUNK_REPAIR response (ccrr_status) to indicate that the identified ranges cannot be repaired and the underlying data is no longer recoverable. Causes include: too few surviving shards to meet the reconstruction threshold (Katz criterion for Mojette, any k-of-(k+m) subset for Reed-Solomon Vandermonde), inability to roll back to a previously committed payload because that payload is also lost, or exhaustion of all FFV2_DS_FLAGS_SPARE and FFV2_DS_FLAGS_REPAIR data servers available in the layout.¶

On receipt, the metadata server MUST NOT retry the repair by selecting a different client -- the payload is damaged and the metadata server transitions the affected file or byte range into an implementation-defined damaged state. Operator notification and restore-from-snapshot are out of scope for this specification.¶

NFS4ERR_PAYLOAD_LOST is distinct from NFS4ERR_DELAY (transient; metadata server MAY extend the deadline or re-select) and from NFS4ERR_IO (per-operation failure; metadata server MAY retry or re-select). Only NFS4ERR_PAYLOAD_LOST is terminal.¶

24.1.1. Metadata-Server Assignment Rules for cg_client_id

To uphold the uniqueness contract, the metadata server MUST follow these rules when assigning cg_client_id (that is, when populating ffm_client_id at layout-grant time):¶

• Two clients holding concurrent write layouts on the same file MUST receive distinct cg_client_id values. A client that holds only a read layout need not be assigned a distinct value.¶

• The reserved sentinel CHUNK_GUARD_CLIENT_ID_MDS (0xFFFFFFFF) MUST NOT be assigned to any client.¶

• A cg_client_id MAY be reused by the metadata server after the prior holder's layout has been fully returned (via LAYOUTRETURN or revocation). The metadata server SHOULD avoid reusing a cg_client_id within a single lease period to simplify diagnosis of stale writes.¶

• cg_client_id values do not persist across metadata-server restart. Clients reclaiming layouts during the grace period receive freshly assigned values; the protocol does not rely on any pre-restart assignment surviving.¶

24.1.2. Data-Server Collision Handling

A (cg_gen_id, cg_client_id) pair that the uniqueness contract would otherwise render unique can nonetheless collide if a client and the metadata server disagree about which cg_client_id the client currently holds, or if a client presents a spoofed cg_client_id. The data server enforces the contract locally:¶

• If the data server receives a CHUNK_WRITE whose chunk_guard4 has the same (cg_gen_id, cg_client_id) as a chunk already in PENDING, FINALIZED, or COMMITTED state AND the presented payload differs from the retained payload, the data server MUST reject the write with NFS4ERR_CHUNK_GUARDED and SHOULD report the collision to the metadata server via LAYOUTERROR. This situation is a protocol violation on one side of the conversation; the metadata server resolves it by revoking the offending client's layout and selecting a repair client under Section 11.2.4.¶

• If a client presents CHUNK_GUARD_CLIENT_ID_MDS as cg_client_id in any client-originated operation, the data server MUST reject the operation with NFS4ERR_INVAL (see Section 24.1.3).¶

• A cg_client_id that does not match any layout the data server has been told about (via TRUST_STATEID) MUST be rejected. Unknown cg_client_id values are treated as stale layouts; the data server returns the error specified in Section 6.4 for unknown stateids.¶

24.1.3. Reserved cg_client_id Value: CHUNK_GUARD_CLIENT_ID_MDS

The value CHUNK_GUARD_CLIENT_ID_MDS (0xFFFFFFFF) is reserved. It denotes that the chunk lock is held by the metadata server itself, in escrow during a repair coordination sequence (see Section 11.2.4). The data server produces a chunk_guard4 with this cg_client_id when the metadata server revokes the prior holder's stateid while that holder still holds chunk locks; the locks MUST NOT be dropped and are transferred to the MDS-escrow owner instead.¶

The metadata server does not originate CHUNK_LOCK or CHUNK_WRITE traffic on its own session. Clients MUST NOT present CHUNK_GUARD_CLIENT_ID_MDS as the cg_client_id of any client-originated chunk_guard4 or chunk_owner4. A data server that receives such a value from a client MUST reject the operation with NFS4ERR_INVAL.¶

The MDS-escrow owner is released only by a CHUNK_LOCK from the client selected via CB_CHUNK_REPAIR, carrying CHUNK_LOCK_FLAGS_ADOPT. See Section 25.5.¶

25.1.1. ARGUMENTS

   /// struct CHUNK_COMMIT4args {
   ///     /* CURRENT_FH: file */
   ///     offset4         cca_offset;
   ///     count4          cca_count;
   ///     chunk_owner4    cca_chunks<>;
   /// };

25.1.2. RESULTS

   /// struct CHUNK_COMMIT4resok {
   ///     verifier4       ccr_writeverf;
   ///     nfsstat4        ccr_status<>;
   /// };

   /// union CHUNK_COMMIT4res switch (nfsstat4 ccr_status) {
   ///     case NFS4_OK:
   ///         CHUNK_COMMIT4resok   ccr_resok4;
   ///     default:
   ///         void;
   /// };

25.1.3. DESCRIPTION

CHUNK_COMMIT is COMMIT (see Section 18.3 of [RFC8881]) with additional semantics over the chunk_owner activating the blocks. As such, all of the normal semantics of COMMIT directly apply.¶

The main difference between the two operations is that CHUNK_COMMIT works on blocks and not a raw data stream. As such cca_offset is the starting block offset in the file and not the byte offset in the file. Some erasure coding types can have different block sizes depending on the block type. Further, cca_count is a count of blocks to activate and not bytes to activate.¶

Further, while it may appear that the combination of cca_offset and cca_count are redundant to cca_chunks, the purpose of cca_chunks is to allow the data server to differentiate between potentially multiple pending blocks.¶

25.2.1. ARGUMENTS

   /// struct CHUNK_ERROR4args {
   ///     /* CURRENT_FH: file */
   ///     stateid4        cea_stateid;
   ///     offset4         cea_offset;
   ///     count4          cea_count;
   ///     nfsstat4        cea_error;
   ///     chunk_owner4    cea_owner;
   /// };

25.2.2. RESULTS

   /// struct CHUNK_ERROR4res {
   ///     nfsstat4        cer_status;
   /// };

25.2.3. DESCRIPTION

CHUNK_ERROR allows a client to report that one or more chunks at the specified block range are in error. The cea_offset is the starting block offset and cea_count is the number of blocks affected. The cea_error indicates the type of error detected (e.g., NFS4ERR_PAYLOAD_NOT_CONSISTENT for a CRC mismatch).¶

The data server records the error state for the affected blocks. Once marked as errored, the blocks are not returned by CHUNK_READ until they are repaired via CHUNK_WRITE_REPAIR (Section 25.11) and the repair is confirmed via CHUNK_REPAIRED (Section 25.7).¶

The client SHOULD report errors via CHUNK_ERROR before reporting them to the metadata server via LAYOUTERROR. This allows the data server to prevent other clients from reading corrupt data while the metadata server coordinates repair.¶

25.3.1. ARGUMENTS

   /// struct CHUNK_FINALIZE4args {
   ///     /* CURRENT_FH: file */
   ///     offset4         cfa_offset;
   ///     count4          cfa_count;
   ///     chunk_owner4    cfa_chunks<>;
   /// };

25.3.2. RESULTS

   /// struct CHUNK_FINALIZE4resok {
   ///     verifier4       cfr_writeverf;
   ///     nfsstat4        cfr_status<>;
   /// };

   /// union CHUNK_FINALIZE4res switch (nfsstat4 cfr_status) {
   ///     case NFS4_OK:
   ///         CHUNK_FINALIZE4resok   cfr_resok4;
   ///     default:
   ///         void;
   /// };

25.3.3. DESCRIPTION

CHUNK_FINALIZE transitions blocks from the PENDING state (set by CHUNK_WRITE) to the FINALIZED state. A finalized block is visible to the owning client for reads and is eligible for CHUNK_COMMIT.¶

The cfa_offset is the starting block offset and cfa_count is the number of blocks to finalize. The cfa_chunks array lists the chunk_owner4 entries whose blocks are to be finalized. Each owner's blocks at the specified offsets MUST be in the PENDING state; if not, the corresponding entry in the per-owner status array ccr_status is set to NFS4ERR_INVAL.¶

CHUNK_FINALIZE serves as the CRC validation checkpoint: the data server SHOULD have validated the CRC32 of each block at CHUNK_WRITE time. After CHUNK_FINALIZE, the block metadata (CRC, owner, state) is persisted to stable storage so that it survives data server restarts.¶

Blocks that have been finalized but not yet committed MAY be rolled back via CHUNK_ROLLBACK (Section 25.8).¶

25.4.1. ARGUMENTS

   /// struct CHUNK_HEADER_READ4args {
   ///     /* CURRENT_FH: file */
   ///     stateid4    chra_stateid;
   ///     offset4     chra_offset;
   ///     count4      chra_count;
   /// };

25.4.2. RESULTS

   /// struct CHUNK_HEADER_READ4resok {
   ///     bool            chrr_eof;
   ///     nfsstat4        chrr_status<>;
   ///     bool            chrr_locked<>;
   ///     chunk_owner4    chrr_chunks<>;
   /// };

   /// union CHUNK_HEADER_READ4res switch (nfsstat4 chrr_status) {
   ///     case NFS4_OK:
   ///         CHUNK_HEADER_READ4resok     chrr_resok4;
   ///     default:
   ///         void;
   /// };

25.4.3. DESCRIPTION

CHUNK_HEADER_READ differs from CHUNK_READ in that it only reads chunk headers in the desired data range.¶

25.5.1. ARGUMENTS

   /// const CHUNK_LOCK_FLAGS_ADOPT  = 0x00000001;
   ///
   /// struct CHUNK_LOCK4args {
   ///     /* CURRENT_FH: file */
   ///     stateid4        cla_stateid;
   ///     offset4         cla_offset;
   ///     count4          cla_count;
   ///     uint32_t        cla_flags;
   ///     chunk_owner4    cla_owner;
   /// };

25.5.2. RESULTS

   /// union CHUNK_LOCK4res switch (nfsstat4 clr_status) {
   ///     case NFS4_OK:
   ///         void;
   ///     case NFS4ERR_CHUNK_LOCKED:
   ///         chunk_owner4    clr_owner;
   ///     default:
   ///         void;
   /// };

25.5.3. DESCRIPTION

CHUNK_LOCK acquires an exclusive lock on the block range specified by cla_offset and cla_count. While locked, other clients' CHUNK_WRITE operations to the same block range will fail with NFS4ERR_CHUNK_LOCKED. The lock is associated with the chunk_owner4 in cla_owner.¶

If the blocks are already locked by a different owner and cla_flags does not include CHUNK_LOCK_FLAGS_ADOPT, the operation returns NFS4ERR_CHUNK_LOCKED with the clr_owner field identifying the current lock holder.¶

CHUNK_LOCK is used in the multiple writer mode (Section 11.2.6.3) to coordinate concurrent access to the same block range, and in the repair flow (Section 11.2.4) to transfer lock ownership to a repair client.¶

The lock is released by CHUNK_UNLOCK (Section 25.9) or implicitly when the client's lease expires.¶

25.6.1. ARGUMENTS

   /// struct CHUNK_READ4args {
   ///     /* CURRENT_FH: file */
   ///     stateid4    cra_stateid;
   ///     offset4     cra_offset;
   ///     count4      cra_count;
   /// };

25.6.2. RESULTS

   /// struct read_chunk4 {
   ///     uint32_t        cr_crc;
   ///     uint32_t        cr_effective_len;
   ///     chunk_owner4    cr_owner;
   ///     uint32_t        cr_payload_id;
   ///     bool            cr_locked;
   ///     nfsstat4        cr_status;
   ///     opaque          cr_chunk<>;
   /// };

   /// struct CHUNK_READ4resok {
   ///     bool        crr_eof;
   ///     read_chunk4 crr_chunks<>;
   /// };

   /// union CHUNK_READ4res switch (nfsstat4 crr_status) {
   ///     case NFS4_OK:
   ///          CHUNK_READ4resok     crr_resok4;
   ///     default:
   ///          void;
   /// };

25.6.3. DESCRIPTION

CHUNK_READ is READ (see Section 18.22 of [RFC8881]) with additional semantics over the chunk_owner. As such, all of the normal semantics of READ directly apply.¶

The main difference between the two operations is that CHUNK_READ works on blocks and not a raw data stream. As such cra_offset is the starting block offset in the file and not the byte offset in the file. Some erasure coding types can have different block sizes depending on the block type. Further, cra_count is a count of blocks to read and not bytes to read.¶

When reading a set of blocks across the data servers, it can be the case that some data servers do not have any data at that location. In that case, the server either returns crr_eof if the cra_offset exceeds the number of blocks that the data server is aware or it returns an empty block for that block.¶

For example, in Figure 73, the client asks for 4 blocks starting with the 3rd block in the file. The second data server responds as in Figure 74. The client would read this as there is valid data for blocks 2 and 4, there is a hole at block 3, and there is no data for block 5. The data server MUST calculate a valid cr_crc for block 3 based on the generated fields.¶

        Data Server 2
  +--------------------------------+
  | CHUNK_READ4args                |
  +--------------------------------+
  | cra_stateid: 0                 |
  | cra_offset: 2                  |
  | cra_count: 4                   |
  +----------+---------------------+

        Data Server 2
  +--------------------------------+
  | CHUNK_READ4resok               |
  +--------------------------------+
  | crr_eof: true                  |
  | crr_chunks[0]:                 |
  |     cr_crc: 0x3faddace         |
  |     cr_owner:                  |
  |         co_chunk_id: 2         |
  |         co_guard:              |
  |             cg_gen_id   : 3    |
  |             cg_client_id: 6    |
  |     cr_payload_id: 1           |
  |     cr_chunk: ....             |
  | crr_chunks[0]:                 |
  |     cr_crc: 0xdeade4e5         |
  |     cr_owner:                  |
  |         co_chunk_id: 3         |
  |         co_guard:              |
  |             cg_gen_id   : 0    |
  |             cg_client_id: 0    |
  |     cr_payload_id: 1           |
  |     cr_chunk: 0000...00000     |
  | crr_chunks[0]:                 |
  |     cr_crc: 0x7778abcd         |
  |     cr_owner:                  |
  |         co_chunk_id: 4         |
  |         co_guard:              |
  |             cg_gen_id   : 3    |
  |             cg_client_id: 6    |
  |     cr_payload_id: 1           |
  |     cr_chunk: ....             |
  +--------------------------------+

25.7.1. ARGUMENTS

   /// struct CHUNK_REPAIRED4args {
   ///     /* CURRENT_FH: file */
   ///     stateid4        cra_stateid;
   ///     offset4         cra_offset;
   ///     count4          cra_count;
   ///     chunk_owner4    cra_owner;
   /// };

25.7.2. RESULTS

   /// union CHUNK_REPAIRED4res switch (nfsstat4 crr_status) {
   ///     case NFS4_OK:
   ///         void;
   ///     default:
   ///         void;
   /// };

25.7.3. DESCRIPTION

CHUNK_REPAIRED signals that blocks previously marked as errored (via CHUNK_ERROR, Section 25.2) have been repaired. The repair client writes replacement data via CHUNK_WRITE_REPAIR (Section 25.11), then calls CHUNK_REPAIRED to clear the error state and make the blocks available for normal reads.¶

The cra_offset and cra_count identify the repaired block range. The cra_owner identifies the repair client that performed the repair. The data server verifies that the blocks were previously in error and that the repair data has been written and finalized.¶

If the blocks are not in the errored state, the operation returns NFS4ERR_INVAL.¶

25.8.1. ARGUMENTS

   /// struct CHUNK_ROLLBACK4args {
   ///     /* CURRENT_FH: file */
   ///     offset4         cra_offset;
   ///     count4          cra_count;
   ///     chunk_owner4    cra_chunks<>;
   /// };

25.8.2. RESULTS

   /// struct CHUNK_ROLLBACK4resok {
   ///     verifier4       crr_writeverf;
   /// };

   /// union CHUNK_ROLLBACK4res switch (nfsstat4 crr_status) {
   ///     case NFS4_OK:
   ///         CHUNK_ROLLBACK4resok   crr_resok4;
   ///     default:
   ///         void;
   /// };

25.8.3. DESCRIPTION

CHUNK_ROLLBACK reverts blocks from the PENDING or FINALIZED state back to their previous state, effectively undoing a CHUNK_WRITE that has not yet been committed via CHUNK_COMMIT.¶

The cra_offset is the starting block offset and cra_count is the number of blocks to roll back. The cra_chunks array lists the chunk_owner4 entries whose blocks are to be rolled back. Each owner's blocks at the specified offsets MUST be in the PENDING or FINALIZED state; blocks that have already been committed via CHUNK_COMMIT cannot be rolled back.¶

CHUNK_ROLLBACK is used in two scenarios:¶

1. A client discovers an encoding error after CHUNK_WRITE and before CHUNK_COMMIT, and needs to undo the write to try again.¶

2. A repair client needs to undo a repair attempt that was found to be incorrect before committing it.¶

The data server deletes the pending chunk data and restores the block metadata to EMPTY. If the block was in the FINALIZED state, the persisted metadata is also removed.¶

25.9.1. ARGUMENTS

   /// struct CHUNK_UNLOCK4args {
   ///     /* CURRENT_FH: file */
   ///     stateid4        cua_stateid;
   ///     offset4         cua_offset;
   ///     count4          cua_count;
   ///     chunk_owner4    cua_owner;
   /// };

25.9.2. RESULTS

   /// union CHUNK_UNLOCK4res switch (nfsstat4 cur_status) {
   ///     case NFS4_OK:
   ///         void;
   ///     default:
   ///         void;
   /// };

25.9.3. DESCRIPTION

CHUNK_UNLOCK releases the exclusive lock on the block range previously acquired by CHUNK_LOCK (Section 25.5). The cua_owner MUST match the owner that acquired the lock; otherwise the operation returns NFS4ERR_INVAL.¶

If the blocks are not locked, the operation returns NFS4_OK (idempotent).¶

A client SHOULD release chunk locks promptly after completing its write or repair operation. Chunk locks are also released implicitly when the client's lease expires.¶

25.10.1. ARGUMENTS

   /// union write_chunk_guard4 switch (bool cwg_check) {
   ///     case TRUE:
   ///         chunk_guard4   cwg_guard;
   ///     case FALSE:
   ///         void;
   /// };

   /// const CHUNK_WRITE_FLAGS_ACTIVATE_IF_EMPTY = 0x00000001;
   ///
   /// struct CHUNK_WRITE4args {
   ///     /* CURRENT_FH: file */
   ///     stateid4           cwa_stateid;
   ///     offset4            cwa_offset;
   ///     stable_how4        cwa_stable;
   ///     chunk_owner4       cwa_owner;
   ///     uint32_t           cwa_payload_id;
   ///     uint32_t           cwa_flags;
   ///     write_chunk_guard4 cwa_guard;
   ///     uint32_t           cwa_chunk_size;
   ///     uint32_t           cwa_crc32s<>;
   ///     opaque             cwa_chunks<>;
   /// };

25.10.2. RESULTS

   /// struct CHUNK_WRITE4resok {
   ///     count4          cwr_count;
   ///     stable_how4     cwr_committed;
   ///     verifier4       cwr_writeverf;
   ///     nfsstat4        cwr_block_status<>;
   ///     bool            cwr_block_activated<>;
   ///     chunk_owner4    cwr_owners<>;
   /// };

   /// union CHUNK_WRITE4res switch (nfsstat4 cwr_status) {
   ///     case NFS4_OK:
   ///         CHUNK_WRITE4resok    cwr_resok4;
   ///     default:
   ///         void;
   /// };

25.10.3. DESCRIPTION

CHUNK_WRITE is WRITE (see Section 18.32 of [RFC8881]) with additional semantics over the chunk_owner and the activation of blocks. As such, all of the normal semantics of WRITE directly apply.¶

The main difference between the two operations is that CHUNK_WRITE works on blocks and not a raw data stream. As such cwa_offset is the starting block offset in the file and not the byte offset in the file. Some erasure coding types can have different block sizes depending on the block type. Further, cwr_count is a count of written blocks and not written bytes.¶

If cwa_stable is FILE_SYNC4, the data server MUST commit the written header and block data plus all file system metadata to stable storage before returning results. This corresponds to the NFSv2 protocol semantics. Any other behavior constitutes a protocol violation. If cwa_stable is DATA_SYNC4, then the data server MUST commit all of the header and block data to stable storage and enough of the metadata to retrieve the data before returning. The data server implementer is free to implement DATA_SYNC4 in the same fashion as FILE_SYNC4, but with a possible performance drop. If cwa_stable is UNSTABLE4, the data server is free to commit any part of the header and block data and the metadata to stable storage, including all or none, before returning a reply to the client. There is no guarantee whether or when any uncommitted data will subsequently be committed to stable storage. The only guarantees made by the data server are that it will not destroy any data without changing the value of writeverf and that it will not commit the data and metadata at a level less than that requested by the client.¶

The activation of header and block data interacts with the co_activated for each of the written blocks. If the data is not committed to stable storage then the co_activated field MUST NOT be set to true. Once the data is committed to stable storage, then the data server can set the block's co_activated if one of these conditions apply:¶

• it is the first write to that block and the CHUNK_WRITE_FLAGS_ACTIVATE_IF_EMPTY flag is set¶

• the CHUNK_COMMIT is issued later for that block.¶

There are subtle interactions with write holes caused by racing clients. One client could win the race in each case, but because it used a cwa_stable of UNSTABLE4, the subsequent writes from the second client with a cwa_stable of FILE_SYNC4 can be awarded the co_activated being set to true for each of the blocks in the payload.¶

Finally, the interaction of cwa_stable can cause a client to mistakenly believe that by the time it gets the response of co_activated of false, that the blocks are not activated. A subsequent CHUNK_READ or HEADER_READ might show that the co_activated is true without any interaction by the client via CHUNK_COMMIT.¶

25.11.1. ARGUMENTS

   /// struct CHUNK_WRITE_REPAIR4args {
   ///     /* CURRENT_FH: file */
   ///     stateid4           cwra_stateid;
   ///     offset4            cwra_offset;
   ///     stable_how4        cwra_stable;
   ///     chunk_owner4       cwra_owner;
   ///     uint32_t           cwra_payload_id;
   ///     uint32_t           cwra_chunk_size;
   ///     uint32_t           cwra_crc32s<>;
   ///     opaque             cwra_chunks<>;
   /// };

25.11.2. RESULTS

   /// struct CHUNK_WRITE_REPAIR4resok {
   ///     count4          cwrr_count;
   ///     stable_how4     cwrr_committed;
   ///     verifier4       cwrr_writeverf;
   ///     nfsstat4        cwrr_status<>;
   /// };

   /// union CHUNK_WRITE_REPAIR4res switch (nfsstat4 cwrr_status) {
   ///     case NFS4_OK:
   ///         CHUNK_WRITE_REPAIR4resok   cwrr_resok4;
   ///     default:
   ///         void;
   /// };

25.11.3. DESCRIPTION

CHUNK_WRITE_REPAIR has the same semantics as CHUNK_WRITE (Section 25.10) but is used specifically for writing reconstructed chunk data to a replacement data server during repair operations.¶

The repair workflow is:¶

1. The repair client reads surviving chunks from the remaining data servers via CHUNK_READ.¶

2. The client reconstructs the missing chunks using the erasure coding algorithm (RS matrix inversion or Mojette corner-peeling).¶

3. The client acquires a CHUNK_LOCK (Section 25.5) on the target data server to prevent concurrent writes during repair.¶

4. The client writes the reconstructed data via CHUNK_WRITE_REPAIR.¶

5. The client calls CHUNK_FINALIZE and CHUNK_COMMIT to persist the repair.¶

6. The client calls CHUNK_REPAIRED (Section 25.7) to clear the error state.¶

7. The client releases the lock via CHUNK_UNLOCK (Section 25.9).¶

CHUNK_WRITE_REPAIR is distinguished from CHUNK_WRITE to allow the data server to apply different policies to repair writes (e.g., bypassing guard checks, logging repair activity, or prioritizing repair I/O). The CRC32 validation on the repair data follows the same rules as CHUNK_WRITE.¶

The target blocks SHOULD be in the errored state (set by CHUNK_ERROR) or EMPTY. If the blocks are in the COMMITTED state with valid data, the data server MAY reject the repair to prevent overwriting good data.¶

25.12.1. ARGUMENTS

   /// struct TRUST_STATEID4args {
   ///     /* CURRENT_FH: file */
   ///     stateid4        tsa_layout_stateid;
   ///     layoutiomode4   tsa_iomode;
   ///     nfstime4        tsa_expire;
   ///     utf8str_cs      tsa_principal;
   /// };

25.12.2. RESULTS

   /// union TRUST_STATEID4res switch (nfsstat4 tsr_status) {
   ///     case NFS4_OK:
   ///         void;
   ///     default:
   ///         void;
   /// };

25.12.3. DESCRIPTION

TRUST_STATEID registers a layout stateid with the data server so that subsequent CHUNK operations presenting that stateid can be validated against the data server's per-file trust table. It is the mechanism by which tight coupling (see Section 6.4) is established between the metadata server and the data server for a particular layout.¶

TRUST_STATEID operates on the current filehandle; a PUTFH naming the data server's file MUST precede it in the same compound.¶

tsa_layout_stateid is the stateid the metadata server issued in the LAYOUTGET that produced this layout. It MUST NOT be a special stateid (anonymous, invalid, read-bypass, or current). The sole exception is the capability probe described in Section 6.4.1: when the metadata server sends TRUST_STATEID with tsa_layout_stateid set to the anonymous stateid against the root filehandle, the data server MUST reject the request with NFS4ERR_INVAL. That rejection is the positive response to the probe.¶

tsa_iomode is the iomode of the layout (LAYOUTIOMODE4_READ or LAYOUTIOMODE4_RW). The data server MAY enforce this against the CHUNK operation presented: a READ-iomode trust entry does not authorize CHUNK_WRITE.¶

tsa_expire is the absolute wall-clock time at which the trust entry becomes invalid if not renewed. See Section 6.4.6. The data server MUST reject a TRUST_STATEID whose tsa_expire has tv_nseconds >= 10^9 with NFS4ERR_INVAL.¶

tsa_principal is the client's authenticated identity as verified by the metadata server at LAYOUTGET time. For RPCSEC_GSS clients this is the GSS display name (e.g., "alice@REALM"). For AUTH_SYS and TLS clients, tsa_principal MUST be the empty string, indicating that no principal binding is enforced on subsequent CHUNK operations. See Section 6.4.4.¶

If the data server receives TRUST_STATEID on a session whose owning client did not present EXCHGID4_FLAG_USE_PNFS_MDS at EXCHANGE_ID, the data server MUST return NFS4ERR_PERM. The data server MUST NOT process TRUST_STATEID on a regular client session.¶

If a trust entry already exists for the same tsa_layout_stateid on the same current filehandle, TRUST_STATEID atomically updates tsa_expire and tsa_principal; this is the renewal path (see Section 6.4.6).¶

At registration time, the data server tags the new trust entry with the identity of the metadata server -- derived from the clientid of the owning client of the control session on which TRUST_STATEID arrived. This tag is consulted by REVOKE_STATEID and BULK_REVOKE_STATEID to ensure that revocation only affects entries registered by the same metadata server (see Section 25.14). In a multi-metadata-server deployment sharing a single data server, each metadata server registers and revokes only its own entries; the tag is opaque to pNFS clients and is not carried on the wire.¶

25.12.4. RESPONSE CODES

• NFS4_OK: the trust entry is registered (or updated).¶

• NFS4ERR_BADXDR: arguments could not be decoded.¶

• NFS4ERR_BAD_STATEID: tsa_layout_stateid was a special stateid other than the anonymous stateid on the root filehandle.¶

• NFS4ERR_DELAY: the data server is temporarily unable to process the request; the metadata server SHOULD retry.¶

• NFS4ERR_INVAL: tsa_layout_stateid was the anonymous stateid and the current filehandle is not the root filehandle; tsa_expire is malformed; or the current filehandle is a directory (except in the capability-probe case).¶

• NFS4ERR_NOFILEHANDLE: no current filehandle is set.¶

• NFS4ERR_NOTSUPP: the data server does not implement TRUST_STATEID. This is the capability-probe response (see Section 6.4.1).¶

• NFS4ERR_PERM: the request arrived on a session whose owning client did not present EXCHGID4_FLAG_USE_PNFS_MDS.¶

• NFS4ERR_SERVERFAULT: the data server failed while processing the request.¶

25.13.1. ARGUMENTS

   /// struct REVOKE_STATEID4args {
   ///     /* CURRENT_FH: file */
   ///     stateid4        rsa_layout_stateid;
   /// };

25.13.2. RESULTS

   /// union REVOKE_STATEID4res switch (nfsstat4 rsr_status) {
   ///     case NFS4_OK:
   ///         void;
   ///     default:
   ///         void;
   /// };

25.13.3. DESCRIPTION

REVOKE_STATEID invalidates a single trust entry on the data server. Subsequent CHUNK operations that present the revoked stateid MUST fail with NFS4ERR_BAD_STATEID.¶

The metadata server calls REVOKE_STATEID in any of the following situations:¶

• CB_LAYOUTRECALL timeout: the client did not return the layout within the recall timeout. REVOKE_STATEID terminates the client's ability to issue further I/O to the data server without waiting for tsa_expire.¶

• LAYOUTERROR with NFS4ERR_ACCESS or NFS4ERR_PERM: the data server rejected the client's I/O; the trust entry is stale and must be removed. This mirrors the fencing case in the loose-coupled model.¶

• Explicit LAYOUTRETURN: the client returned the layout cleanly. The metadata server MAY issue REVOKE_STATEID at this time or MAY rely on tsa_expire; either is correct.¶

REVOKE_STATEID operates on the current filehandle; a PUTFH naming the data server's file MUST precede it in the same compound. The filehandle and rsa_layout_stateid together identify the trust entry to revoke.¶

In-flight CHUNK operations that arrived before REVOKE_STATEID completes MAY be allowed to finish. The data server MUST NOT process new CHUNK operations presenting rsa_layout_stateid after REVOKE_STATEID returns.¶

Lock state (see Section 25.5) held by the revoked stateid is NOT released as part of REVOKE_STATEID; the data server MUST transfer each held lock to the MDS-escrow owner (see Section 24.1.3). Dropping a chunk lock during revocation would permit a write hole and is prohibited; the repair coordination sequence in Section 11.2.4 assumes that locks held by a revoked writer remain held until a repair client adopts them via CHUNK_LOCK with CHUNK_LOCK_FLAGS_ADOPT.¶

If the data server receives REVOKE_STATEID on a session whose owning client did not present EXCHGID4_FLAG_USE_PNFS_MDS at EXCHANGE_ID, the data server MUST return NFS4ERR_PERM.¶

REVOKE_STATEID is scoped to the issuing metadata server's entries (see the tagging rule in Section 25.12). The data server MUST NOT remove an entry that was registered by a different metadata server, even if rsa_layout_stateid happens to match. In a multi-metadata-server deployment, one metadata server therefore cannot revoke another metadata server's entries.¶

REVOKE_STATEID is idempotent: revoking a stateid that has no matching trust entry (either no entry exists, or the entry was registered by a different metadata server) returns NFS4_OK. The metadata server therefore does not need to track precisely which entries are currently live on which data server in order to revoke safely.¶

25.13.4. RESPONSE CODES

• NFS4_OK: the trust entry was removed, or no matching entry existed (idempotent).¶

• NFS4ERR_BADXDR: arguments could not be decoded.¶

• NFS4ERR_BAD_STATEID: rsa_layout_stateid was a special stateid.¶

• NFS4ERR_DELAY: the data server is temporarily unable to process the request.¶

• NFS4ERR_INVAL: rsa_layout_stateid was the anonymous stateid.¶

• NFS4ERR_NOFILEHANDLE: no current filehandle is set.¶

• NFS4ERR_NOTSUPP: the data server does not implement REVOKE_STATEID.¶

• NFS4ERR_PERM: the request arrived on a session whose owning client did not present EXCHGID4_FLAG_USE_PNFS_MDS.¶

• NFS4ERR_SERVERFAULT: the data server failed while processing the request.¶

25.14.1. ARGUMENTS

   /// struct BULK_REVOKE_STATEID4args {
   ///     clientid4       brsa_clientid;
   /// };

25.14.2. RESULTS

   /// union BULK_REVOKE_STATEID4res switch (nfsstat4 brsr_status) {
   ///     case NFS4_OK:
   ///         void;
   ///     default:
   ///         void;
   /// };

25.14.3. DESCRIPTION

BULK_REVOKE_STATEID removes every trust entry on the data server that was registered on behalf of the named client. The data server applies this as a scan over its trust table.¶

The metadata server calls BULK_REVOKE_STATEID in any of the following situations:¶

• Client lease expiry: when a client's lease on the metadata server expires, the metadata server revokes all of that client's layouts. A single BULK_REVOKE_STATEID replaces the N per-file REVOKE_STATEID compounds that per-entry revocation would require.¶

• CB_LAYOUTRECALL with LAYOUTRECALL4_ALL: the metadata server is recalling all layouts for a client. BULK_REVOKE_STATEID is the data-server-side complement.¶

• Metadata server restart cleanup: after the metadata server reconnects to a data server, it MAY issue BULK_REVOKE_STATEID(brsa_clientid = all-zeros) to clear the prior trust table before re-issuing TRUST_STATEID as clients reclaim. See Section 6.4.8.¶

BULK_REVOKE_STATEID is scoped to the issuing metadata server's entries (see the tagging rule in Section 25.12). The data server MUST NOT affect entries registered by a different metadata server. Consequently, in a multi-metadata-server deployment sharing a single data server, one metadata server cannot clear another metadata server's entries via BULK_REVOKE_STATEID.¶

The special value with all fields of brsa_clientid set to zero means "revoke every entry owned by the issuing metadata server, regardless of which pNFS client registered it". The data server MUST interpret this value as a clear of the issuing metadata server's entries only, and MUST NOT treat it either as "the pNFS client whose clientid happens to be zero" or as a global table clear across metadata servers.¶

BULK_REVOKE_STATEID does not operate on the current filehandle; no PUTFH is required in the compound.¶

If the data server receives BULK_REVOKE_STATEID on a session whose owning client did not present EXCHGID4_FLAG_USE_PNFS_MDS at EXCHANGE_ID, the data server MUST return NFS4ERR_PERM.¶

Like REVOKE_STATEID, BULK_REVOKE_STATEID is idempotent (no error is returned if there are no matching entries) and preserves chunk locks held under any revoked stateid by transferring them to the MDS-escrow owner (see Section 24.1.3), rather than dropping them.¶

25.14.4. RESPONSE CODES

• NFS4_OK: the matching entries were removed, or there were none (idempotent).¶

• NFS4ERR_BADXDR: arguments could not be decoded.¶

• NFS4ERR_DELAY: the data server is temporarily unable to process the request.¶

• NFS4ERR_NOTSUPP: the data server does not implement BULK_REVOKE_STATEID.¶

• NFS4ERR_PERM: the request arrived on a session whose owning client did not present EXCHGID4_FLAG_USE_PNFS_MDS.¶

• NFS4ERR_SERVERFAULT: the data server failed while processing the request.¶

26.1.1. ARGUMENTS

   /// enum cb_chunk_repair_reason4 {
   ///     CB_REPAIR_REASON_RACE  = 1,
   ///     CB_REPAIR_REASON_SCRUB = 2
   /// };
   ///
   /// struct cb_chunk_range4 {
   ///     offset4         ccr_offset;
   ///     count4          ccr_count;
   ///     nfsstat4        ccr_error;
   /// };
   ///
   /// struct CB_CHUNK_REPAIR4args {
   ///     nfs_fh4                     ccra_fh;
   ///     stateid4                    ccra_layout_stateid;
   ///     nfstime4                    ccra_deadline;
   ///     cb_chunk_repair_reason4     ccra_reason;
   ///     cb_chunk_range4             ccra_ranges<>;
   /// };

26.1.2. RESULTS

   /// struct CB_CHUNK_REPAIR4res {
   ///     nfsstat4           ccrr_status;
   /// };

26.1.3. DESCRIPTION

CB_CHUNK_REPAIR is sent by the metadata server to request that a selected client repair one or more inconsistent chunk ranges. Selection follows the rules in Section 11.2.4; those rules are normative for how the client MUST respond on receipt of this callback.¶

The ccra_fh identifies the file whose chunks are inconsistent. The callback compound carries the filehandle directly; there is no preceding PUTFH in callback compounds.¶

The ccra_layout_stateid carries the recipient client's current layout stateid for the file if one is held. A client that does not hold a layout on ccra_fh MUST ignore ccra_layout_stateid (it will be the anonymous stateid) and MUST acquire one via LAYOUTGET before issuing any CHUNK operation on the ranges.¶

The ccra_deadline is a wall-clock nfstime4 (seconds and nanoseconds since the epoch, as defined in Section 3.3.1 of [RFC8881]) by which the client is expected to have driven every range to completion (CHUNK_REPAIRED on the reconstruction path, or CHUNK_UNLOCK on the rollback path). Missing the deadline does not corrupt state -- the metadata server MAY re-select another repair client after the deadline elapses -- but a client that has missed the deadline MUST re-verify its layout and the chunk lock state before continuing any repair-related CHUNK operation.¶

The ccra_reason distinguishes the two flows that cause the metadata server to issue a repair callback:¶

CB_REPAIR_REASON_RACE:

A live-race repair. A client (not necessarily the recipient of this callback) detected a chunk-level inconsistency at write or read time and reported it via LAYOUTERROR. The metadata server is driving repair synchronously because the affected chunk is on the critical path of some I/O. The recipient SHOULD prioritise the callback over background work.¶

CB_REPAIR_REASON_SCRUB:

A background scrub. The metadata server has detected stale or inconsistent payloads during a scheduled integrity sweep and is opportunistically driving repair. No client is currently blocked on these ranges. The recipient MAY schedule the callback at lower priority than CB_REPAIR_REASON_RACE, and MAY return NFS4ERR_DELAY to defer repair to a more convenient time; the metadata server will retry.¶

The two reasons share all other semantics: the same ccra_ranges encoding, the same response codes, the same deadline contract. Only the priority / retry behaviour differs.¶

The ccra_ranges array lists every chunk range the metadata server requests the client to repair. Each entry carries its own ccr_error describing the failure mode the client is being asked to remedy. The repair strategy depends on the error code; see Section 11.2.4 for the normative and guidance split.¶

The metadata server SHOULD keep each CB_CHUNK_REPAIR compound within the back-channel maximum (ca_maxrequestsize) negotiated in CREATE_SESSION (see Section 18.36.3 of [RFC8881]). If the set of affected ranges would exceed that maximum, the metadata server MAY issue multiple CB_CHUNK_REPAIR callbacks to the same client. Each callback is independent; the client drives each to completion before the deadline on that callback's ranges.¶

The fact that a range appears in ccra_ranges implies the data server holds a chunk lock on the range (the failure occurred in or around a PENDING or FINALIZED state that established the lock). The repair client MUST use CHUNK_LOCK with CHUNK_LOCK_FLAGS_ADOPT (Section 25.5) to take ownership of the lock before issuing CHUNK_WRITE_REPAIR, CHUNK_ROLLBACK, or CHUNK_WRITE on any chunk in a requested range.¶

26.1.4. Response Codes

The ccrr_status value returned by the client has the following normative meanings to the metadata server:¶

NFS4_OK

The client has accepted the request and driven every range in this callback to completion (CHUNK_REPAIRED or CHUNK_UNLOCK on every affected chunk). The metadata server clears the repair queue entry.¶

NFS4ERR_DELAY

The client has accepted the request but requires more time. The metadata server MAY extend the deadline by issuing a new CB_CHUNK_REPAIR with a later ccra_deadline, or MAY re-select another client. The client continues to hold any locks it has adopted until the original or extended deadline.¶

NFS4ERR_CODING_NOT_SUPPORTED

The client does not implement the encoding type of the layout and cannot reconstruct. The metadata server MUST NOT retry with the same client and SHOULD select a different client.¶

NFS4ERR_PAYLOAD_LOST

The client has concluded that the identified ranges cannot be repaired -- there are not enough surviving shards to reconstruct and rollback is also impossible. The metadata server MUST NOT retry the repair and transitions the affected ranges into an implementation-defined damaged state. See Section 21.1.5.¶

All other error codes listed in Table 8 are treated by the metadata server as retriable: the metadata server MAY issue a subsequent CB_CHUNK_REPAIR to the same or a different client. If the client becomes unreachable (no response within the deadline), the metadata server re-selects per Section 11.2.4.¶

27.5.1. Loosely Coupled

RPCSEC_GSS version 3 (RPCSEC_GSSv3) [RFC7861] contains facilities that would allow it to be used to authorize the client to the storage device on behalf of the metadata server. Doing so would require that each of the metadata server, storage device, and client would need to implement RPCSEC_GSSv3 using an RPC-application-defined structured privilege assertion in a manner described in Section 4.9.1 of [RFC7862]. The specifics necessary to do so are not described in this document. This is principally because any such specification would require extensive implementation work on a wide range of storage devices, which would be unlikely to result in a widely usable specification for a considerable time.¶

As a result, the layout type described in this document will not provide support for use of RPCSEC_GSS together with the loosely coupled model. However, future layout types could be specified, which would allow such support, either through the use of RPCSEC_GSSv3 or in other ways.¶

27.5.2. Tightly Coupled

With tight coupling, the principal used to access the metadata file is exactly the same as used to access the data file. The storage device can use the control protocol to validate any RPC credentials. As a result, there are no security issues related to using RPCSEC_GSS with a tightly coupled system. For example, if Kerberos V5 Generic Security Service Application Program Interface (GSS-API) [RFC4121] is used as the security mechanism, then the storage device could use a control protocol to validate the RPC credentials to the metadata server.¶