mirrors/git-annex
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
git-annex/Annex/NumCopies.hs

407 lines
14 KiB
Haskell
Raw Normal View History

refactor
2015-04-30 18:02:56 +00:00
{- git-annex numcopies configuration and checking
reorg
2014-01-21 22:08:56 +00:00
-
don't count clusters as copies Since the cluster UUID is inserted into the location log when the location log lists a node as containing content. Also avoid trying to lock content on cluster remotes. The cluster nodes are also proxied, so that content can be locked on individual nodes, and locking content on a cluster as a whole probably won't be implemented. And made git-annex whereis use numcopies machinery for displaying its count, so it won't count cluster UUIDs redundantly to nodes. Other commands, like git-annex info that also display numcopies information already used the numcopies machinery. There is more to be done, fromNumCopies is sometimes used to get a number that is compared with a list of UUIDs. And limitCopies doesn't use numcopies machinery.
2024-06-16 15:34:35 +00:00
- Copyright 2014-2024 Joey Hess <id@joeyh.name>
reorg
2014-01-21 22:08:56 +00:00
-
update licenses from GPL to AGPL This does not change the overall license of the git-annex program, which was already AGPL due to a number of sources files being AGPL already. Legally speaking, I'm adding a new license under which these files are now available; I already released their current contents under the GPL license. Now they're dual licensed GPL and AGPL. However, I intend for all my future changes to these files to only be released under the AGPL license, and I won't be tracking the dual licensing status, so I'm simply changing the license statement to say it's AGPL. (In some cases, others wrote parts of the code of a file and released it under the GPL; but in all cases I have contributed a significant portion of the code in each file and it's that code that is getting the AGPL license; the GPL license of other contributors allows combining with AGPL code.)
2019-03-13 19:48:14 +00:00
- Licensed under the GNU AGPL version 3 or higher.
reorg
2014-01-21 22:08:56 +00:00
-}
filter out control characters in all other Messages This does, as a side effect, make long notes in json output not be indented. The indentation is only needed to offset them underneath the display of the file they apply to, so that's ok. Sponsored-by: Brock Spratlen on Patreon
2023-04-10 21:03:41 +00:00
{-# LANGUAGE ScopedTypeVariables, DeriveDataTypeable, OverloadedStrings #-}
content locking during drop working for local git remotes Only ssh remotes lack locking now
2015-10-09 17:07:03 +00:00
refactor
2015-04-30 18:02:56 +00:00
module Annex.NumCopies (
reorg
2014-01-21 22:08:56 +00:00
module Types.NumCopies,
module Logs.NumCopies,
mincopies This is conceptually very simple, just making a 1 that was hard coded be exposed as a config option. The hard part was plumbing all that, and dealing with complexities like reading it from git attributes at the same time that numcopies is read. Behavior change: When numcopies is set to 0, git-annex used to drop content without requiring any copies. Now to get that (highly unsafe) behavior, mincopies also needs to be set to 0. It seemed better to remove that edge case, than complicate mincopies by ignoring it when numcopies is 0. This commit was sponsored by Denis Dzyubenko on Patreon.
2021-01-06 18:11:08 +00:00
getFileNumMinCopies,
verify associated files when checking numcopies Most of this is just refactoring. But, handleDropsFrom did not verify that associated files from the keys db were still accurate, and has now been fixed to. A minor improvement to this would be to avoid calling catKeyFile twice on the same file, when getting the numcopies and mincopies value, in the common case where the same file has the highest value for both. But, it avoids checking every associated file, so it will scale well to lots of dups already. Sponsored-by: Kevin Mueller on Patreon
2021-06-15 15:12:27 +00:00
getSafestNumMinCopies,
getSafestNumMinCopies',
reorg
2014-01-21 22:08:56 +00:00
getGlobalFileNumCopies,
getNumCopies,
mincopies This is conceptually very simple, just making a 1 that was hard coded be exposed as a config option. The hard part was plumbing all that, and dealing with complexities like reading it from git attributes at the same time that numcopies is read. Behavior change: When numcopies is set to 0, git-annex used to drop content without requiring any copies. Now to get that (highly unsafe) behavior, mincopies also needs to be set to 0. It seemed better to remove that edge case, than complicate mincopies by ignoring it when numcopies is 0. This commit was sponsored by Denis Dzyubenko on Patreon.
2021-01-06 18:11:08 +00:00
getMinCopies,
reorg
2014-01-21 22:08:56 +00:00
deprecatedNumCopies,
info dir: Added information about repositories that contain files in the specified directory. This is a nearly free feature; it piggybacks on the location log lookups done for the numcopies stats. So, the only extra overhead is updating the map of repository sizes. However, I had to switch to Data.Map.Strict, which needs containers 0.5. If backporting to wheezy, will probably need to revert this commit.
2015-04-12 16:49:11 +00:00
defaultNumCopies,
numCopiesCheck,
numCopiesCheck',
don't count clusters as copies, continued Handled limitCopies, as well as everything using fromNumCopies and fromMinCopies. This should be everything, probably. Note that, git-annex info displays a count of repositories, which still includes cluster. I think that's ok. It would be possible to filter out clusters there, but to the user they're pretty much just another repository. The numcopies displayed by eg `git-annex info .` does not include clusters.
2024-06-16 19:07:48 +00:00
numCopiesCheck'',
don't count clusters as copies Since the cluster UUID is inserted into the location log when the location log lists a node as containing content. Also avoid trying to lock content on cluster remotes. The cluster nodes are also proxied, so that content can be locked on individual nodes, and locking content on a cluster as a whole probably won't be implemented. And made git-annex whereis use numcopies machinery for displaying its count, so it won't count cluster UUIDs redundantly to nodes. Other commands, like git-annex info that also display numcopies information already used the numcopies machinery. There is more to be done, fromNumCopies is sometimes used to get a number that is compared with a list of UUIDs. And limitCopies doesn't use numcopies machinery.
2024-06-16 15:34:35 +00:00
numCopiesCount,
improve drop proof code
2015-10-09 15:09:46 +00:00
verifyEnoughCopiesToDrop,
verify local copy of content with locking
2015-10-09 18:57:32 +00:00
verifiableCopies,
also generate a drop safety proof for move --from remote
2015-10-09 20:16:03 +00:00
UnVerifiedCopy(..),
reorg
2014-01-21 22:08:56 +00:00
) where
remove 163 lines of code without changing anything except imports
2016-01-20 20:36:33 +00:00
import Annex.Common
reorg
2014-01-21 22:08:56 +00:00
import qualified Annex
toward SafeDropProof expiry checking Added Maybe POSIXTime to SafeDropProof, which gets set when the proof is based on a LockedCopy. If there are several LockedCopies, it uses the closest expiry time. That is not optimal, it may be that the proof expires based on one LockedCopy but another one has not expired. But that seems unlikely to really happen, and anyway the user can just re-run a drop if it fails due to expiry. Pass the SafeDropProof to removeKey, which is responsible for checking it for expiry in situations where that could be a problem. Which really only means in Remote.Git. Made Remote.Git check expiry when dropping from a local remote. Checking expiry when dropping from a P2P remote is not yet implemented. P2P.Protocol.remove has SafeDropProof plumbed through to it for that purpose. Fixing the remaining 2 build warnings should complete this work. Note that the use of a POSIXTime here means that if the clock gets set forward while git-annex is in the middle of a drop, it may say that dropping took too long. That seems ok. Less ok is that if the clock gets turned back a sufficient amount (eg 5 minutes), proof expiry won't be noticed. It might be better to use the Monotonic clock, but that doesn't advance when a laptop is suspended, and while there is the linux Boottime clock, that is not available on other systems. Perhaps a combination of POSIXTime and the Monotonic clock could detect laptop suspension and also detect clock being turned back? There is a potential future flag day where p2pDefaultLockContentRetentionDuration is not assumed, but is probed using the P2P protocol, and peers that don't support it can no longer produce a LockedCopy. Until that happens, when git-annex is communicating with older peers there is a risk of data loss when a ssh connection closes during LOCKCONTENT.
2024-07-04 16:23:46 +00:00
import Annex.SafeDropProof
reorg
2014-01-21 22:08:56 +00:00
import Types.NumCopies
import Logs.NumCopies
import Logs.Trust
avoid using cluster nodes in drop proof when dropping from cluster This is obviously necessary in order for dropping from a cluster to be able to drop from all nodes. It also avoids violating numcopies when a cluster node is a special remote. If it were used in the drop proof, nothing would prevent the cluster from dropping from it.
2024-06-23 10:20:11 +00:00
import Logs.Cluster
reorg
2014-01-21 22:08:56 +00:00
import Annex.CheckAttr
import qualified Remote
finish and use lockContent interface
2015-10-09 16:36:04 +00:00
import qualified Types.Remote as Remote
refactor
2015-04-30 18:02:56 +00:00
import Annex.Content
verify local copy of content with locking
2015-10-09 18:57:32 +00:00
import Annex.UUID
verify associated files when checking numcopies Most of this is just refactoring. But, handleDropsFrom did not verify that associated files from the keys db were still accurate, and has now been fixed to. A minor improvement to this would be to avoid calling catKeyFile twice on the same file, when getting the numcopies and mincopies value, in the common case where the same file has the highest value for both. But, it avoids checking every associated file, so it will scale well to lots of dups already. Sponsored-by: Kevin Mueller on Patreon
2021-06-15 15:12:27 +00:00
import Annex.CatFile
import qualified Database.Keys
reorg
2014-01-21 22:08:56 +00:00
content locking during drop working for local git remotes Only ssh remotes lack locking now
2015-10-09 17:07:03 +00:00
import Control.Exception
avoid using cluster nodes in drop proof when dropping from cluster This is obviously necessary in order for dropping from a cluster to be able to drop from all nodes. It also avoids violating numcopies when a cluster node is a special remote. If it were used in the drop proof, nothing would prevent the cluster from dropping from it.
2024-06-23 10:20:11 +00:00
import qualified Control.Monad.Catch as MC
content locking during drop working for local git remotes Only ssh remotes lack locking now
2015-10-09 17:07:03 +00:00
import Data.Typeable
avoid using cluster nodes in drop proof when dropping from cluster This is obviously necessary in order for dropping from a cluster to be able to drop from all nodes. It also avoids violating numcopies when a cluster node is a special remote. If it were used in the drop proof, nothing would prevent the cluster from dropping from it.
2024-06-23 10:20:11 +00:00
import qualified Data.Set as S
import qualified Data.Map as M
content locking during drop working for local git remotes Only ssh remotes lack locking now
2015-10-09 17:07:03 +00:00
reorg
2014-01-21 22:08:56 +00:00
defaultNumCopies :: NumCopies
prevent numcopies or mincopies being configured to 0 Ignore annex.numcopies set to 0 in gitattributes or git config, or by git-annex numcopies or by --numcopies, since that configuration would make git-annex easily lose data. Same for mincopies. This is a continuation of the work to make data only be able to be lost when --force is used. It earlier led to the --trust option being disabled, and similar reasoning applies here. Most numcopies configs had docs that strongly discouraged setting it to 0 anyway. And I can't imagine a use case for setting to 0. Not that there might not be one, but it's just so far from the intended use case of git-annex, of managing and storing your data, that it does not seem like it makes sense to cater to such a hypothetical use case, where any git-annex drop can lose your data at any time. Using a smart constructor makes sure every place avoids 0. Note that this does mean that NumCopies is for the configured desired values, and not the actual existing number of copies, which of course can be 0. The name configuredNumCopies is used to make that clear. Sponsored-by: Brock Spratlen on Patreon
2022-03-28 19:19:52 +00:00
defaultNumCopies = configuredNumCopies 1
reorg
2014-01-21 22:08:56 +00:00
mincopies This is conceptually very simple, just making a 1 that was hard coded be exposed as a config option. The hard part was plumbing all that, and dealing with complexities like reading it from git attributes at the same time that numcopies is read. Behavior change: When numcopies is set to 0, git-annex used to drop content without requiring any copies. Now to get that (highly unsafe) behavior, mincopies also needs to be set to 0. It seemed better to remove that edge case, than complicate mincopies by ignoring it when numcopies is 0. This commit was sponsored by Denis Dzyubenko on Patreon.
2021-01-06 18:11:08 +00:00
defaultMinCopies :: MinCopies
prevent numcopies or mincopies being configured to 0 Ignore annex.numcopies set to 0 in gitattributes or git config, or by git-annex numcopies or by --numcopies, since that configuration would make git-annex easily lose data. Same for mincopies. This is a continuation of the work to make data only be able to be lost when --force is used. It earlier led to the --trust option being disabled, and similar reasoning applies here. Most numcopies configs had docs that strongly discouraged setting it to 0 anyway. And I can't imagine a use case for setting to 0. Not that there might not be one, but it's just so far from the intended use case of git-annex, of managing and storing your data, that it does not seem like it makes sense to cater to such a hypothetical use case, where any git-annex drop can lose your data at any time. Using a smart constructor makes sure every place avoids 0. Note that this does mean that NumCopies is for the configured desired values, and not the actual existing number of copies, which of course can be 0. The name configuredNumCopies is used to make that clear. Sponsored-by: Brock Spratlen on Patreon
2022-03-28 19:19:52 +00:00
defaultMinCopies = configuredMinCopies 1
mincopies This is conceptually very simple, just making a 1 that was hard coded be exposed as a config option. The hard part was plumbing all that, and dealing with complexities like reading it from git attributes at the same time that numcopies is read. Behavior change: When numcopies is set to 0, git-annex used to drop content without requiring any copies. Now to get that (highly unsafe) behavior, mincopies also needs to be set to 0. It seemed better to remove that edge case, than complicate mincopies by ignoring it when numcopies is 0. This commit was sponsored by Denis Dzyubenko on Patreon.
2021-01-06 18:11:08 +00:00
fromSourcesOr :: v -> [Annex (Maybe v)] -> Annex v
fromSourcesOr v = fromMaybe v <$$> getM id
reorg
2014-01-21 22:08:56 +00:00
{- The git config annex.numcopies is deprecated. -}
deprecatedNumCopies :: Annex (Maybe NumCopies)
deprecatedNumCopies = annexNumCopies <$> Annex.getGitConfig
{- Value forced on the command line by --numcopies. -}
getForcedNumCopies :: Annex (Maybe NumCopies)
move several readonly values to AnnexRead This improves performance to a small extent in several places. Sponsored-by: Tobias Ammann on Patreon
2022-06-28 19:28:14 +00:00
getForcedNumCopies = Annex.getRead Annex.forcenumcopies
reorg
2014-01-21 22:08:56 +00:00
mincopies This is conceptually very simple, just making a 1 that was hard coded be exposed as a config option. The hard part was plumbing all that, and dealing with complexities like reading it from git attributes at the same time that numcopies is read. Behavior change: When numcopies is set to 0, git-annex used to drop content without requiring any copies. Now to get that (highly unsafe) behavior, mincopies also needs to be set to 0. It seemed better to remove that edge case, than complicate mincopies by ignoring it when numcopies is 0. This commit was sponsored by Denis Dzyubenko on Patreon.
2021-01-06 18:11:08 +00:00
{- Value forced on the command line by --mincopies. -}
getForcedMinCopies :: Annex (Maybe MinCopies)
move several readonly values to AnnexRead This improves performance to a small extent in several places. Sponsored-by: Tobias Ammann on Patreon
2022-06-28 19:28:14 +00:00
getForcedMinCopies = Annex.getRead Annex.forcemincopies
mincopies This is conceptually very simple, just making a 1 that was hard coded be exposed as a config option. The hard part was plumbing all that, and dealing with complexities like reading it from git attributes at the same time that numcopies is read. Behavior change: When numcopies is set to 0, git-annex used to drop content without requiring any copies. Now to get that (highly unsafe) behavior, mincopies also needs to be set to 0. It seemed better to remove that edge case, than complicate mincopies by ignoring it when numcopies is 0. This commit was sponsored by Denis Dzyubenko on Patreon.
2021-01-06 18:11:08 +00:00
{- NumCopies value from any of the non-.gitattributes configuration
reorg
2014-01-21 22:08:56 +00:00
- sources. -}
getNumCopies :: Annex NumCopies
mincopies This is conceptually very simple, just making a 1 that was hard coded be exposed as a config option. The hard part was plumbing all that, and dealing with complexities like reading it from git attributes at the same time that numcopies is read. Behavior change: When numcopies is set to 0, git-annex used to drop content without requiring any copies. Now to get that (highly unsafe) behavior, mincopies also needs to be set to 0. It seemed better to remove that edge case, than complicate mincopies by ignoring it when numcopies is 0. This commit was sponsored by Denis Dzyubenko on Patreon.
2021-01-06 18:11:08 +00:00
getNumCopies = fromSourcesOr defaultNumCopies
reorg
2014-01-21 22:08:56 +00:00
[ getForcedNumCopies
, getGlobalNumCopies
, deprecatedNumCopies
]
mincopies This is conceptually very simple, just making a 1 that was hard coded be exposed as a config option. The hard part was plumbing all that, and dealing with complexities like reading it from git attributes at the same time that numcopies is read. Behavior change: When numcopies is set to 0, git-annex used to drop content without requiring any copies. Now to get that (highly unsafe) behavior, mincopies also needs to be set to 0. It seemed better to remove that edge case, than complicate mincopies by ignoring it when numcopies is 0. This commit was sponsored by Denis Dzyubenko on Patreon.
2021-01-06 18:11:08 +00:00
{- MinCopies value from any of the non-.gitattributes configuration
- sources. -}
getMinCopies :: Annex MinCopies
getMinCopies = fromSourcesOr defaultMinCopies
[ getForcedMinCopies
, getGlobalMinCopies
reorg
2014-01-21 22:08:56 +00:00
]
mincopies This is conceptually very simple, just making a 1 that was hard coded be exposed as a config option. The hard part was plumbing all that, and dealing with complexities like reading it from git attributes at the same time that numcopies is read. Behavior change: When numcopies is set to 0, git-annex used to drop content without requiring any copies. Now to get that (highly unsafe) behavior, mincopies also needs to be set to 0. It seemed better to remove that edge case, than complicate mincopies by ignoring it when numcopies is 0. This commit was sponsored by Denis Dzyubenko on Patreon.
2021-01-06 18:11:08 +00:00
{- NumCopies and MinCopies value for a file, from any configuration source,
- including .gitattributes. -}
getFileNumMinCopies :: RawFilePath -> Annex (NumCopies, MinCopies)
getFileNumMinCopies f = do
fnumc <- getForcedNumCopies
fminc <- getForcedMinCopies
case (fnumc, fminc) of
(Just numc, Just minc) -> return (numc, minc)
(Just numc, Nothing) -> do
minc <- fromSourcesOr defaultMinCopies
[ snd <$> getNumMinCopiesAttr f
, getGlobalMinCopies
]
return (numc, minc)
(Nothing, Just minc) -> do
numc <- fromSourcesOr defaultNumCopies
[ fst <$> getNumMinCopiesAttr f
, getGlobalNumCopies
, deprecatedNumCopies
]
return (numc, minc)
(Nothing, Nothing) -> do
let fallbacknum = fromSourcesOr defaultNumCopies
[ getGlobalNumCopies
, deprecatedNumCopies
]
let fallbackmin = fromSourcesOr defaultMinCopies
[ getGlobalMinCopies
]
getNumMinCopiesAttr f >>= \case
(Just numc, Just minc) ->
return (numc, minc)
(Just numc, Nothing) -> (,)
<$> pure numc
<*> fallbackmin
(Nothing, Just minc) -> (,)
<$> fallbacknum
<*> pure minc
(Nothing, Nothing) -> (,)
<$> fallbacknum
<*> fallbackmin
verify associated files when checking numcopies Most of this is just refactoring. But, handleDropsFrom did not verify that associated files from the keys db were still accurate, and has now been fixed to. A minor improvement to this would be to avoid calling catKeyFile twice on the same file, when getting the numcopies and mincopies value, in the common case where the same file has the highest value for both. But, it avoids checking every associated file, so it will scale well to lots of dups already. Sponsored-by: Kevin Mueller on Patreon
2021-06-15 15:12:27 +00:00
{- Gets the highest NumCopies and MinCopies value for all files
- associated with a key. Provide any known associated file;
- the rest are looked up from the database.
-
drop, move, mirror: when two files have the same content, honor the max numcopies and requiredcopies Eg, before with a .gitattributes like: *.2 annex.numcopies=2 *.1 annex.numcopies=1 And foo.1 and foo.2 having the same content and key, git-annex drop foo.1 foo.2 would succeed, leaving just 1 copy, despite foo.2 needing 2 copies. It dropped foo.1 first and then skipped foo.2 since its content was gone. Now that the keys database includes locked files, this longstanding wart can be fixed. Sponsored-by: Noam Kremen on Patreon
2021-06-15 15:38:44 +00:00
- Using this when dropping, rather than getFileNumMinCopies
- avoids dropping one file that has a smaller value violating
- the value set for another file that uses the same content.
verify associated files when checking numcopies Most of this is just refactoring. But, handleDropsFrom did not verify that associated files from the keys db were still accurate, and has now been fixed to. A minor improvement to this would be to avoid calling catKeyFile twice on the same file, when getting the numcopies and mincopies value, in the common case where the same file has the highest value for both. But, it avoids checking every associated file, so it will scale well to lots of dups already. Sponsored-by: Kevin Mueller on Patreon
2021-06-15 15:12:27 +00:00
-}
getSafestNumMinCopies :: AssociatedFile -> Key -> Annex (NumCopies, MinCopies)
getSafestNumMinCopies afile k =
Database.Keys.getAssociatedFilesIncluding afile k
drop, move, mirror: when two files have the same content, honor the max numcopies and requiredcopies Eg, before with a .gitattributes like: *.2 annex.numcopies=2 *.1 annex.numcopies=1 And foo.1 and foo.2 having the same content and key, git-annex drop foo.1 foo.2 would succeed, leaving just 1 copy, despite foo.2 needing 2 copies. It dropped foo.1 first and then skipped foo.2 since its content was gone. Now that the keys database includes locked files, this longstanding wart can be fixed. Sponsored-by: Noam Kremen on Patreon
2021-06-15 15:38:44 +00:00
>>= getSafestNumMinCopies' afile k
verify associated files when checking numcopies Most of this is just refactoring. But, handleDropsFrom did not verify that associated files from the keys db were still accurate, and has now been fixed to. A minor improvement to this would be to avoid calling catKeyFile twice on the same file, when getting the numcopies and mincopies value, in the common case where the same file has the highest value for both. But, it avoids checking every associated file, so it will scale well to lots of dups already. Sponsored-by: Kevin Mueller on Patreon
2021-06-15 15:12:27 +00:00
drop, move, mirror: when two files have the same content, honor the max numcopies and requiredcopies Eg, before with a .gitattributes like: *.2 annex.numcopies=2 *.1 annex.numcopies=1 And foo.1 and foo.2 having the same content and key, git-annex drop foo.1 foo.2 would succeed, leaving just 1 copy, despite foo.2 needing 2 copies. It dropped foo.1 first and then skipped foo.2 since its content was gone. Now that the keys database includes locked files, this longstanding wart can be fixed. Sponsored-by: Noam Kremen on Patreon
2021-06-15 15:38:44 +00:00
getSafestNumMinCopies' :: AssociatedFile -> Key -> [RawFilePath] -> Annex (NumCopies, MinCopies)
getSafestNumMinCopies' afile k fs = do
verify associated files when checking numcopies Most of this is just refactoring. But, handleDropsFrom did not verify that associated files from the keys db were still accurate, and has now been fixed to. A minor improvement to this would be to avoid calling catKeyFile twice on the same file, when getting the numcopies and mincopies value, in the common case where the same file has the highest value for both. But, it avoids checking every associated file, so it will scale well to lots of dups already. Sponsored-by: Kevin Mueller on Patreon
2021-06-15 15:12:27 +00:00
l <- mapM getFileNumMinCopies fs
let l' = zip l fs
(,)
<$> findmax fst l' getNumCopies
<*> findmax snd l' getMinCopies
where
-- Some associated files in the keys database may no longer
-- correspond to files in the repository.
drop, move, mirror: when two files have the same content, honor the max numcopies and requiredcopies Eg, before with a .gitattributes like: *.2 annex.numcopies=2 *.1 annex.numcopies=1 And foo.1 and foo.2 having the same content and key, git-annex drop foo.1 foo.2 would succeed, leaving just 1 copy, despite foo.2 needing 2 copies. It dropped foo.1 first and then skipped foo.2 since its content was gone. Now that the keys database includes locked files, this longstanding wart can be fixed. Sponsored-by: Noam Kremen on Patreon
2021-06-15 15:38:44 +00:00
-- (But the AssociatedFile passed to this is known to be
-- an associated file, which may not be in the keys database
-- yet, so checking it is skipped.)
stillassociated f
| AssociatedFile (Just f) == afile = return True
| otherwise = catKeyFile f >>= \case
Just k' | k' == k -> return True
_ -> return False
verify associated files when checking numcopies Most of this is just refactoring. But, handleDropsFrom did not verify that associated files from the keys db were still accurate, and has now been fixed to. A minor improvement to this would be to avoid calling catKeyFile twice on the same file, when getting the numcopies and mincopies value, in the common case where the same file has the highest value for both. But, it avoids checking every associated file, so it will scale well to lots of dups already. Sponsored-by: Kevin Mueller on Patreon
2021-06-15 15:12:27 +00:00
-- Avoid calling stillassociated on every file; just make sure
-- that the one with the highest value is still associated.
findmax _ [] fallback = fallback
findmax getv l fallback = do
let n = maximum (map (getv . fst) l)
let (maxls, l') = partition (\(x, _) -> getv x == n) l
ifM (anyM stillassociated (map snd maxls))
( return n
, findmax getv l' fallback
)
reorg
2014-01-21 22:08:56 +00:00
{- This is the globally visible numcopies value for a file. So it does
- not include local configuration in the git config or command line
- options. -}
more RawFilePath conversion 451/645
2020-10-30 19:55:59 +00:00
getGlobalFileNumCopies :: RawFilePath -> Annex NumCopies
mincopies This is conceptually very simple, just making a 1 that was hard coded be exposed as a config option. The hard part was plumbing all that, and dealing with complexities like reading it from git attributes at the same time that numcopies is read. Behavior change: When numcopies is set to 0, git-annex used to drop content without requiring any copies. Now to get that (highly unsafe) behavior, mincopies also needs to be set to 0. It seemed better to remove that edge case, than complicate mincopies by ignoring it when numcopies is 0. This commit was sponsored by Denis Dzyubenko on Patreon.
2021-01-06 18:11:08 +00:00
getGlobalFileNumCopies f = fromSourcesOr defaultNumCopies
[ fst <$> getNumMinCopiesAttr f
, getGlobalNumCopies
reorg
2014-01-21 22:08:56 +00:00
]
mincopies This is conceptually very simple, just making a 1 that was hard coded be exposed as a config option. The hard part was plumbing all that, and dealing with complexities like reading it from git attributes at the same time that numcopies is read. Behavior change: When numcopies is set to 0, git-annex used to drop content without requiring any copies. Now to get that (highly unsafe) behavior, mincopies also needs to be set to 0. It seemed better to remove that edge case, than complicate mincopies by ignoring it when numcopies is 0. This commit was sponsored by Denis Dzyubenko on Patreon.
2021-01-06 18:11:08 +00:00
getNumMinCopiesAttr :: RawFilePath -> Annex (Maybe NumCopies, Maybe MinCopies)
getNumMinCopiesAttr file =
checkAttrs ["annex.numcopies", "annex.mincopies"] file >>= \case
(n:m:[]) -> return
prevent numcopies or mincopies being configured to 0 Ignore annex.numcopies set to 0 in gitattributes or git config, or by git-annex numcopies or by --numcopies, since that configuration would make git-annex easily lose data. Same for mincopies. This is a continuation of the work to make data only be able to be lost when --force is used. It earlier led to the --trust option being disabled, and similar reasoning applies here. Most numcopies configs had docs that strongly discouraged setting it to 0 anyway. And I can't imagine a use case for setting to 0. Not that there might not be one, but it's just so far from the intended use case of git-annex, of managing and storing your data, that it does not seem like it makes sense to cater to such a hypothetical use case, where any git-annex drop can lose your data at any time. Using a smart constructor makes sure every place avoids 0. Note that this does mean that NumCopies is for the configured desired values, and not the actual existing number of copies, which of course can be 0. The name configuredNumCopies is used to make that clear. Sponsored-by: Brock Spratlen on Patreon
2022-03-28 19:19:52 +00:00
( configuredNumCopies <$> readish n
, configuredMinCopies <$> readish m
mincopies This is conceptually very simple, just making a 1 that was hard coded be exposed as a config option. The hard part was plumbing all that, and dealing with complexities like reading it from git attributes at the same time that numcopies is read. Behavior change: When numcopies is set to 0, git-annex used to drop content without requiring any copies. Now to get that (highly unsafe) behavior, mincopies also needs to be set to 0. It seemed better to remove that edge case, than complicate mincopies by ignoring it when numcopies is 0. This commit was sponsored by Denis Dzyubenko on Patreon.
2021-01-06 18:11:08 +00:00
)
_ -> error "internal"
reorg
2014-01-21 22:08:56 +00:00
{- Checks if numcopies are satisfied for a file by running a comparison
- between the number of (not untrusted) copies that are
Fix ambigous typos
2023-03-13 22:55:18 +00:00
- believed to exist, and the configured value.
try harder to verify until at least one VerifiedCopyLock is obtained This avoids a failure where eg, we start with RecentlyVerifiedCopies for all remotes, and so didn't do any active verification, which is required. Also, dedup the list of VerifiedCopies when checking if we have enough, in case 2 copies of a UUID slip in.
2015-10-08 22:20:36 +00:00
-
- This is good enough for everything except dropping the file, which
- requires active verification of the copies.
-}
more RawFilePath conversion 451/645
2020-10-30 19:55:59 +00:00
numCopiesCheck :: RawFilePath -> Key -> (Int -> Int -> v) -> Annex v
reorg
2014-01-21 22:08:56 +00:00
numCopiesCheck file key vs = do
have <- trustExclude UnTrusted =<< Remote.keyLocations key
info dir: Added information about repositories that contain files in the specified directory. This is a nearly free feature; it piggybacks on the location log lookups done for the numcopies stats. So, the only extra overhead is updating the map of repository sizes. However, I had to switch to Data.Map.Strict, which needs containers 0.5. If backporting to wheezy, will probably need to revert this commit.
2015-04-12 16:49:11 +00:00
numCopiesCheck' file vs have
more RawFilePath conversion 451/645
2020-10-30 19:55:59 +00:00
numCopiesCheck' :: RawFilePath -> (Int -> Int -> v) -> [UUID] -> Annex v
info dir: Added information about repositories that contain files in the specified directory. This is a nearly free feature; it piggybacks on the location log lookups done for the numcopies stats. So, the only extra overhead is updating the map of repository sizes. However, I had to switch to Data.Map.Strict, which needs containers 0.5. If backporting to wheezy, will probably need to revert this commit.
2015-04-12 16:49:11 +00:00
numCopiesCheck' file vs have = do
don't count clusters as copies, continued Handled limitCopies, as well as everything using fromNumCopies and fromMinCopies. This should be everything, probably. Note that, git-annex info displays a count of repositories, which still includes cluster. I think that's ok. It would be possible to filter out clusters there, but to the user they're pretty much just another repository. The numcopies displayed by eg `git-annex info .` does not include clusters.
2024-06-16 19:07:48 +00:00
needed <- fst <$> getFileNumMinCopies file
don't count clusters as copies Since the cluster UUID is inserted into the location log when the location log lists a node as containing content. Also avoid trying to lock content on cluster remotes. The cluster nodes are also proxied, so that content can be locked on individual nodes, and locking content on a cluster as a whole probably won't be implemented. And made git-annex whereis use numcopies machinery for displaying its count, so it won't count cluster UUIDs redundantly to nodes. Other commands, like git-annex info that also display numcopies information already used the numcopies machinery. There is more to be done, fromNumCopies is sometimes used to get a number that is compared with a list of UUIDs. And limitCopies doesn't use numcopies machinery.
2024-06-16 15:34:35 +00:00
let nhave = numCopiesCount have
--explain for numcopies checks And closed the todo as completed. Sponsored-by: Dartmouth College's DANDI project
2023-07-31 16:36:13 +00:00
explain (ActionItemTreeFile file) $ Just $ UnquotedString $
"has " ++ show nhave ++ " " ++ pluralCopies nhave ++
", and the configured annex.numcopies is " ++ show needed
don't count clusters as copies, continued Handled limitCopies, as well as everything using fromNumCopies and fromMinCopies. This should be everything, probably. Note that, git-annex info displays a count of repositories, which still includes cluster. I think that's ok. It would be possible to filter out clusters there, but to the user they're pretty much just another repository. The numcopies displayed by eg `git-annex info .` does not include clusters.
2024-06-16 19:07:48 +00:00
return $ numCopiesCheck'' have vs needed
numCopiesCheck'' :: [UUID] -> (Int -> Int -> v) -> NumCopies -> v
numCopiesCheck'' have vs needed =
let nhave = numCopiesCount have
in nhave `vs` fromNumCopies needed
refactor
2015-04-30 18:02:56 +00:00
don't count clusters as copies Since the cluster UUID is inserted into the location log when the location log lists a node as containing content. Also avoid trying to lock content on cluster remotes. The cluster nodes are also proxied, so that content can be locked on individual nodes, and locking content on a cluster as a whole probably won't be implemented. And made git-annex whereis use numcopies machinery for displaying its count, so it won't count cluster UUIDs redundantly to nodes. Other commands, like git-annex info that also display numcopies information already used the numcopies machinery. There is more to be done, fromNumCopies is sometimes used to get a number that is compared with a list of UUIDs. And limitCopies doesn't use numcopies machinery.
2024-06-16 15:34:35 +00:00
{- When a key is logged as present in a node of the cluster,
- the cluster's UUID will also be in the list, but is not a
- distinct copy.
-}
numCopiesCount :: [UUID] -> Int
numCopiesCount = length . filter (not . isClusterUUID)
verify local copy of content with locking
2015-10-09 18:57:32 +00:00
data UnVerifiedCopy = UnVerifiedRemote Remote | UnVerifiedHere
deriving (Ord, Eq)
Apply codespell -w throughout
2023-03-14 02:39:16 +00:00
{- Verifies that enough copies of a key exist among the listed remotes,
fix local dropping to not require extra locking of copies, but only that the local copy be locked for removal
2015-10-09 19:48:02 +00:00
- to safely drop it, running an action with a proof if so, and
- printing an informative message if not.
toward SafeDropProof expiry checking Added Maybe POSIXTime to SafeDropProof, which gets set when the proof is based on a LockedCopy. If there are several LockedCopies, it uses the closest expiry time. That is not optimal, it may be that the proof expires based on one LockedCopy but another one has not expired. But that seems unlikely to really happen, and anyway the user can just re-run a drop if it fails due to expiry. Pass the SafeDropProof to removeKey, which is responsible for checking it for expiry in situations where that could be a problem. Which really only means in Remote.Git. Made Remote.Git check expiry when dropping from a local remote. Checking expiry when dropping from a P2P remote is not yet implemented. P2P.Protocol.remove has SafeDropProof plumbed through to it for that purpose. Fixing the remaining 2 build warnings should complete this work. Note that the use of a POSIXTime here means that if the clock gets set forward while git-annex is in the middle of a drop, it may say that dropping took too long. That seems ok. Less ok is that if the clock gets turned back a sufficient amount (eg 5 minutes), proof expiry won't be noticed. It might be better to use the Monotonic clock, but that doesn't advance when a laptop is suspended, and while there is the linux Boottime clock, that is not available on other systems. Perhaps a combination of POSIXTime and the Monotonic clock could detect laptop suspension and also detect clock being turned back? There is a potential future flag day where p2pDefaultLockContentRetentionDuration is not assumed, but is probed using the P2P protocol, and peers that don't support it can no longer produce a LockedCopy. Until that happens, when git-annex is communicating with older peers there is a risk of data loss when a ssh connection closes during LOCKCONTENT.
2024-07-04 16:23:46 +00:00
-
- Note that the proof is checked to still be valid at the current time
- before running the action, but when dropping the key may take some time,
- the proof's time may need to be checked again.
refactor
2015-04-30 18:02:56 +00:00
-}
improve drop proof code
2015-10-09 15:09:46 +00:00
verifyEnoughCopiesToDrop
refactor
2015-04-30 18:02:56 +00:00
:: String -- message to print when there are no known locations
-> Key
dropping from clusters Dropping from a cluster drops from every node of the cluster. Including nodes that the cluster does not think have the content. This is different from GET and CHECKPRESENT, which do trust the cluster's location log. The difference is that removing from a cluster should make 100% the content is gone from every node. So doing extra work is ok. Compare with CHECKPRESENT where checking every node could make it very expensive, and the worst that can happen in a false negative is extra work being done. Extended the P2P protocol with FAILURE-PLUS to handle the case where a drop from one node succeeds, but a drop from another node fails. In that case the entire cluster drop has failed. Note that SUCCESS-PLUS is returned when dropping from a proxied remote that is not a cluster, when the protocol version supports it. This is because P2P.Proxy does not know when it's proxying for a single node cluster vs for a remote that is not a cluster.
2024-06-23 13:28:18 +00:00
-> Maybe UUID -- repo dropping from
fix local dropping to not require extra locking of copies, but only that the local copy be locked for removal
2015-10-09 19:48:02 +00:00
-> Maybe ContentRemovalLock
refactor
2015-04-30 18:02:56 +00:00
-> NumCopies
mincopies This is conceptually very simple, just making a 1 that was hard coded be exposed as a config option. The hard part was plumbing all that, and dealing with complexities like reading it from git attributes at the same time that numcopies is read. Behavior change: When numcopies is set to 0, git-annex used to drop content without requiring any copies. Now to get that (highly unsafe) behavior, mincopies also needs to be set to 0. It seemed better to remove that edge case, than complicate mincopies by ignoring it when numcopies is 0. This commit was sponsored by Denis Dzyubenko on Patreon.
2021-01-06 18:11:08 +00:00
-> MinCopies
import --clean-duplicates: Fix bug that didn't count local or trusted repo's copy of a file as one of the necessary copies to allow removing it from the import location.
2015-06-03 17:15:38 +00:00
-> [UUID] -- repos to skip considering (generally untrusted remotes)
try harder to verify until at least one VerifiedCopyLock is obtained This avoids a failure where eg, we start with RecentlyVerifiedCopies for all remotes, and so didn't do any active verification, which is required. Also, dedup the list of VerifiedCopies when checking if we have enough, in case 2 copies of a UUID slip in.
2015-10-08 22:20:36 +00:00
-> [VerifiedCopy] -- copies already verified to exist
verify local copy of content with locking
2015-10-09 18:57:32 +00:00
-> [UnVerifiedCopy] -- places to check to see if they have copies
also generate a drop safety proof for move --from remote
2015-10-09 20:16:03 +00:00
-> (SafeDropProof -> Annex a) -- action to perform the drop
improve drop proof code
2015-10-09 15:09:46 +00:00
-> Annex a -- action to perform when unable to drop
-> Annex a
dropping from clusters Dropping from a cluster drops from every node of the cluster. Including nodes that the cluster does not think have the content. This is different from GET and CHECKPRESENT, which do trust the cluster's location log. The difference is that removing from a cluster should make 100% the content is gone from every node. So doing extra work is ok. Compare with CHECKPRESENT where checking every node could make it very expensive, and the worst that can happen in a false negative is extra work being done. Extended the P2P protocol with FAILURE-PLUS to handle the case where a drop from one node succeeds, but a drop from another node fails. In that case the entire cluster drop has failed. Note that SUCCESS-PLUS is returned when dropping from a proxied remote that is not a cluster, when the protocol version supports it. This is because P2P.Proxy does not know when it's proxying for a single node cluster vs for a remote that is not a cluster.
2024-06-23 13:28:18 +00:00
verifyEnoughCopiesToDrop nolocmsg key dropfrom removallock neednum needmin skip preverified tocheck dropaction nodropaction =
improve "unable to lock down 1 copy" message This is a fairly hard to understand situation for the user. Listing the remotes should help them understand it a bit better. This commit was sponsored by Ethan Aubin.
2020-06-26 17:00:40 +00:00
helper [] [] preverified (nub tocheck) []
refactor
2015-04-30 18:02:56 +00:00
where
improve "unable to lock down 1 copy" message This is a fairly hard to understand situation for the user. Listing the remotes should help them understand it a bit better. This commit was sponsored by Ethan Aubin.
2020-06-26 17:00:40 +00:00
helper bad missing have [] lockunsupported =
mincopies This is conceptually very simple, just making a 1 that was hard coded be exposed as a config option. The hard part was plumbing all that, and dealing with complexities like reading it from git attributes at the same time that numcopies is read. Behavior change: When numcopies is set to 0, git-annex used to drop content without requiring any copies. Now to get that (highly unsafe) behavior, mincopies also needs to be set to 0. It seemed better to remove that edge case, than complicate mincopies by ignoring it when numcopies is 0. This commit was sponsored by Denis Dzyubenko on Patreon.
2021-01-06 18:11:08 +00:00
liftIO (mkSafeDropProof neednum needmin have removallock) >>= \case
toward SafeDropProof expiry checking Added Maybe POSIXTime to SafeDropProof, which gets set when the proof is based on a LockedCopy. If there are several LockedCopies, it uses the closest expiry time. That is not optimal, it may be that the proof expires based on one LockedCopy but another one has not expired. But that seems unlikely to really happen, and anyway the user can just re-run a drop if it fails due to expiry. Pass the SafeDropProof to removeKey, which is responsible for checking it for expiry in situations where that could be a problem. Which really only means in Remote.Git. Made Remote.Git check expiry when dropping from a local remote. Checking expiry when dropping from a P2P remote is not yet implemented. P2P.Protocol.remove has SafeDropProof plumbed through to it for that purpose. Fixing the remaining 2 build warnings should complete this work. Note that the use of a POSIXTime here means that if the clock gets set forward while git-annex is in the middle of a drop, it may say that dropping took too long. That seems ok. Less ok is that if the clock gets turned back a sufficient amount (eg 5 minutes), proof expiry won't be noticed. It might be better to use the Monotonic clock, but that doesn't advance when a laptop is suspended, and while there is the linux Boottime clock, that is not available on other systems. Perhaps a combination of POSIXTime and the Monotonic clock could detect laptop suspension and also detect clock being turned back? There is a potential future flag day where p2pDefaultLockContentRetentionDuration is not assumed, but is probed using the P2P protocol, and peers that don't support it can no longer produce a LockedCopy. Until that happens, when git-annex is communicating with older peers there is a risk of data loss when a ssh connection closes during LOCKCONTENT.
2024-07-04 16:23:46 +00:00
Right proof -> checkprooftime proof
improve drop proof code
2015-10-09 15:09:46 +00:00
Left stillhave -> do
dropping from clusters Dropping from a cluster drops from every node of the cluster. Including nodes that the cluster does not think have the content. This is different from GET and CHECKPRESENT, which do trust the cluster's location log. The difference is that removing from a cluster should make 100% the content is gone from every node. So doing extra work is ok. Compare with CHECKPRESENT where checking every node could make it very expensive, and the worst that can happen in a false negative is extra work being done. Extended the P2P protocol with FAILURE-PLUS to handle the case where a drop from one node succeeds, but a drop from another node fails. In that case the entire cluster drop has failed. Note that SUCCESS-PLUS is returned when dropping from a proxied remote that is not a cluster, when the protocol version supports it. This is because P2P.Proxy does not know when it's proxying for a single node cluster vs for a remote that is not a cluster.
2024-06-23 13:28:18 +00:00
notEnoughCopies key dropfrom neednum needmin stillhave (skip++missing) bad nolocmsg lockunsupported
improve drop proof code
2015-10-09 15:09:46 +00:00
nodropaction
improve "unable to lock down 1 copy" message This is a fairly hard to understand situation for the user. Listing the remotes should help them understand it a bit better. This commit was sponsored by Ethan Aubin.
2020-06-26 17:00:40 +00:00
helper bad missing have (c:cs) lockunsupported
mincopies This is conceptually very simple, just making a 1 that was hard coded be exposed as a config option. The hard part was plumbing all that, and dealing with complexities like reading it from git attributes at the same time that numcopies is read. Behavior change: When numcopies is set to 0, git-annex used to drop content without requiring any copies. Now to get that (highly unsafe) behavior, mincopies also needs to be set to 0. It seemed better to remove that edge case, than complicate mincopies by ignoring it when numcopies is 0. This commit was sponsored by Denis Dzyubenko on Patreon.
2021-01-06 18:11:08 +00:00
| isSafeDrop neednum needmin have removallock =
liftIO (mkSafeDropProof neednum needmin have removallock) >>= \case
toward SafeDropProof expiry checking Added Maybe POSIXTime to SafeDropProof, which gets set when the proof is based on a LockedCopy. If there are several LockedCopies, it uses the closest expiry time. That is not optimal, it may be that the proof expires based on one LockedCopy but another one has not expired. But that seems unlikely to really happen, and anyway the user can just re-run a drop if it fails due to expiry. Pass the SafeDropProof to removeKey, which is responsible for checking it for expiry in situations where that could be a problem. Which really only means in Remote.Git. Made Remote.Git check expiry when dropping from a local remote. Checking expiry when dropping from a P2P remote is not yet implemented. P2P.Protocol.remove has SafeDropProof plumbed through to it for that purpose. Fixing the remaining 2 build warnings should complete this work. Note that the use of a POSIXTime here means that if the clock gets set forward while git-annex is in the middle of a drop, it may say that dropping took too long. That seems ok. Less ok is that if the clock gets turned back a sufficient amount (eg 5 minutes), proof expiry won't be noticed. It might be better to use the Monotonic clock, but that doesn't advance when a laptop is suspended, and while there is the linux Boottime clock, that is not available on other systems. Perhaps a combination of POSIXTime and the Monotonic clock could detect laptop suspension and also detect clock being turned back? There is a potential future flag day where p2pDefaultLockContentRetentionDuration is not assumed, but is probed using the P2P protocol, and peers that don't support it can no longer produce a LockedCopy. Until that happens, when git-annex is communicating with older peers there is a risk of data loss when a ssh connection closes during LOCKCONTENT.
2024-07-04 16:23:46 +00:00
Right proof -> checkprooftime proof
improve "unable to lock down 1 copy" message This is a fairly hard to understand situation for the user. Listing the remotes should help them understand it a bit better. This commit was sponsored by Ethan Aubin.
2020-06-26 17:00:40 +00:00
Left stillhave -> helper bad missing stillhave (c:cs) lockunsupported
verify local copy of content with locking
2015-10-09 18:57:32 +00:00
| otherwise = case c of
add content retention files This allows lockContentShared to lock content for eg, 10 minutes and if the process then gets terminated before it can unlock, the content will remain locked for that amount of time. The Windows implementation is not yet tested. In P2P.Annex, a duration of 10 minutes is used. This way, when p2pstdio or remotedaemon is serving the P2P protocol, and is asked to LOCKCONTENT, and that process gets killed, the content will not be subject to deletion. This is not a perfect solution to doc/todo/P2P_locking_connection_drop_safety.mdwn yet, but it gets most of the way there, without needing any P2P protocol changes. This is only done in v10 and higher repositories (or on Windows). It might be possible to backport it to v8 or earlier, but it would complicate locking even further, and without a separate lock file, might be hard. I think that by the time this fix reaches a given user, they will probably have been running git-annex 10.x long enough that their v8 repositories will have upgraded to v10 after the 1 year wait. And it's not as if git-annex hasn't already been subject to this problem (though I have not heard of any data loss caused by it) for 6 years already, so waiting another fraction of a year on top of however long it takes this fix to reach users is unlikely to be a problem.
2024-07-03 18:44:38 +00:00
UnVerifiedHere -> lockContentShared key Nothing contverified
don't count clusters as copies Since the cluster UUID is inserted into the location log when the location log lists a node as containing content. Also avoid trying to lock content on cluster remotes. The cluster nodes are also proxied, so that content can be locked on individual nodes, and locking content on a cluster as a whole probably won't be implemented. And made git-annex whereis use numcopies machinery for displaying its count, so it won't count cluster UUIDs redundantly to nodes. Other commands, like git-annex info that also display numcopies information already used the numcopies machinery. There is more to be done, fromNumCopies is sometimes used to get a number that is compared with a list of UUIDs. And limitCopies doesn't use numcopies machinery.
2024-06-16 15:34:35 +00:00
UnVerifiedRemote r
-- Skip cluster uuids because locking is
-- not supported with them, instead will
-- lock individual nodes.
| isClusterUUID (Remote.uuid r) -> helper bad missing have cs lockunsupported
| otherwise -> checkremote r contverified $
let lockunsupported' = r : lockunsupported
in Remote.hasKey r key >>= \case
Right True -> helper bad missing (mkVerifiedCopy RecentlyVerifiedCopy r : have) cs lockunsupported'
Left _ -> helper (r:bad) missing have cs lockunsupported'
Right False -> helper bad (Remote.uuid r:missing) have cs lockunsupported'
verify local copy of content with locking
2015-10-09 18:57:32 +00:00
where
improve "unable to lock down 1 copy" message This is a fairly hard to understand situation for the user. Listing the remotes should help them understand it a bit better. This commit was sponsored by Ethan Aubin.
2020-06-26 17:00:40 +00:00
contverified vc = helper bad missing (vc : have) cs lockunsupported
verify local copy of content with locking
2015-10-09 18:57:32 +00:00
checkremote r cont fallback = case Remote.lockContent r of
Just lockcontent -> do
-- The remote's lockContent will throw an exception
-- when it is unable to lock, in which case the
-- fallback should be run.
--
-- On the other hand, the continuation could itself
-- throw an exception (ie, the eventual drop action
-- fails), and in this case we don't want to run the
-- fallback since part of the drop action may have
-- already been performed.
--
-- Differentiate between these two sorts
-- of exceptions by using DropException.
let a = lockcontent key $ \v ->
cont v `catchNonAsync` (throw . DropException)
avoid using cluster nodes in drop proof when dropping from cluster This is obviously necessary in order for dropping from a cluster to be able to drop from all nodes. It also avoids violating numcopies when a cluster node is a special remote. If it were used in the drop proof, nothing would prevent the cluster from dropping from it.
2024-06-23 10:20:11 +00:00
a `MC.catches`
[ MC.Handler (\ (e :: AsyncException) -> throwM e)
, MC.Handler (\ (e :: SomeAsyncException) -> throwM e)
, MC.Handler (\ (DropException e') -> throwM e')
, MC.Handler (\ (_e :: SomeException) -> fallback)
verify local copy of content with locking
2015-10-09 18:57:32 +00:00
]
Nothing -> fallback
toward SafeDropProof expiry checking Added Maybe POSIXTime to SafeDropProof, which gets set when the proof is based on a LockedCopy. If there are several LockedCopies, it uses the closest expiry time. That is not optimal, it may be that the proof expires based on one LockedCopy but another one has not expired. But that seems unlikely to really happen, and anyway the user can just re-run a drop if it fails due to expiry. Pass the SafeDropProof to removeKey, which is responsible for checking it for expiry in situations where that could be a problem. Which really only means in Remote.Git. Made Remote.Git check expiry when dropping from a local remote. Checking expiry when dropping from a P2P remote is not yet implemented. P2P.Protocol.remove has SafeDropProof plumbed through to it for that purpose. Fixing the remaining 2 build warnings should complete this work. Note that the use of a POSIXTime here means that if the clock gets set forward while git-annex is in the middle of a drop, it may say that dropping took too long. That seems ok. Less ok is that if the clock gets turned back a sufficient amount (eg 5 minutes), proof expiry won't be noticed. It might be better to use the Monotonic clock, but that doesn't advance when a laptop is suspended, and while there is the linux Boottime clock, that is not available on other systems. Perhaps a combination of POSIXTime and the Monotonic clock could detect laptop suspension and also detect clock being turned back? There is a potential future flag day where p2pDefaultLockContentRetentionDuration is not assumed, but is probed using the P2P protocol, and peers that don't support it can no longer produce a LockedCopy. Until that happens, when git-annex is communicating with older peers there is a risk of data loss when a ssh connection closes during LOCKCONTENT.
2024-07-04 16:23:46 +00:00
checkprooftime proof =
ifM (liftIO $ checkSafeDropProofEndTime (Just proof))
( dropaction proof
, do
safeDropProofExpired
nodropaction
)
refactor
2015-04-30 18:02:56 +00:00
content locking during drop working for local git remotes Only ssh remotes lack locking now
2015-10-09 17:07:03 +00:00
data DropException = DropException SomeException
deriving (Typeable, Show)
instance Exception DropException
dropping from clusters Dropping from a cluster drops from every node of the cluster. Including nodes that the cluster does not think have the content. This is different from GET and CHECKPRESENT, which do trust the cluster's location log. The difference is that removing from a cluster should make 100% the content is gone from every node. So doing extra work is ok. Compare with CHECKPRESENT where checking every node could make it very expensive, and the worst that can happen in a false negative is extra work being done. Extended the P2P protocol with FAILURE-PLUS to handle the case where a drop from one node succeeds, but a drop from another node fails. In that case the entire cluster drop has failed. Note that SUCCESS-PLUS is returned when dropping from a proxied remote that is not a cluster, when the protocol version supports it. This is because P2P.Proxy does not know when it's proxying for a single node cluster vs for a remote that is not a cluster.
2024-06-23 13:28:18 +00:00
notEnoughCopies :: Key -> Maybe UUID -> NumCopies -> MinCopies -> [VerifiedCopy] -> [UUID] -> [Remote] -> String -> [Remote] -> Annex ()
notEnoughCopies key dropfrom neednum needmin have skip bad nolocmsg lockunsupported = do
refactor
2015-04-30 18:02:56 +00:00
showNote "unsafe"
mincopies This is conceptually very simple, just making a 1 that was hard coded be exposed as a config option. The hard part was plumbing all that, and dealing with complexities like reading it from git attributes at the same time that numcopies is read. Behavior change: When numcopies is set to 0, git-annex used to drop content without requiring any copies. Now to get that (highly unsafe) behavior, mincopies also needs to be set to 0. It seemed better to remove that edge case, than complicate mincopies by ignoring it when numcopies is 0. This commit was sponsored by Denis Dzyubenko on Patreon.
2021-01-06 18:11:08 +00:00
if length have < fromNumCopies neednum
filter out control characters in all other Messages This does, as a side effect, make long notes in json output not be indented. The indentation is only needed to offset them underneath the display of the file they apply to, so that's ok. Sponsored-by: Brock Spratlen on Patreon
2023-04-10 21:03:41 +00:00
then showLongNote $ UnquotedString $
improve message about 1 copy "Could only verify the existence of 0 out of 1 necessary copy" does not sound right, but neither does it with "copies". Kept the "1" rather than "only" or such since numcopies is mentioned. Sponsored-by: Brock Spratlen on Patreon
2023-12-04 15:12:54 +00:00
if fromNumCopies neednum == 1
then "Could not verify the existence of the 1 necessary copy."
else "Could only verify the existence of " ++
show (length have) ++ " out of " ++ show (fromNumCopies neednum) ++
" necessary " ++ pluralCopies (fromNumCopies neednum) ++ "."
improve message when drop failed due to no locked copy
2015-10-09 19:14:25 +00:00
else do
filter out control characters in all other Messages This does, as a side effect, make long notes in json output not be indented. The indentation is only needed to offset them underneath the display of the file they apply to, so that's ok. Sponsored-by: Brock Spratlen on Patreon
2023-04-10 21:03:41 +00:00
showLongNote $ UnquotedString $ "Unable to lock down " ++ show (fromMinCopies needmin) ++
--explain for numcopies checks And closed the todo as completed. Sponsored-by: Dartmouth College's DANDI project
2023-07-31 16:36:13 +00:00
" " ++ pluralCopies (fromMinCopies needmin) ++
improve message Pluralize copies appropriately. This commit was sponsored by Mark Reidenbach on Patreon.
2021-04-27 17:39:56 +00:00
" of file necessary to safely drop it."
improve "unable to lock down 1 copy" message This is a fairly hard to understand situation for the user. Listing the remotes should help them understand it a bit better. This commit was sponsored by Ethan Aubin.
2020-06-26 17:00:40 +00:00
if null lockunsupported
then showLongNote "(This could have happened because of a concurrent drop, or because a remote has too old a version of git-annex-shell installed.)"
filter out control characters in all other Messages This does, as a side effect, make long notes in json output not be indented. The indentation is only needed to offset them underneath the display of the file they apply to, so that's ok. Sponsored-by: Brock Spratlen on Patreon
2023-04-10 21:03:41 +00:00
else showLongNote $ UnquotedString $ "These remotes do not support locking: "
improve "unable to lock down 1 copy" message This is a fairly hard to understand situation for the user. Listing the remotes should help them understand it a bit better. This commit was sponsored by Ethan Aubin.
2020-06-26 17:00:40 +00:00
++ Remote.listRemoteNames lockunsupported
refactor
2015-04-30 18:02:56 +00:00
Remote.showTriedRemotes bad
dropping from clusters Dropping from a cluster drops from every node of the cluster. Including nodes that the cluster does not think have the content. This is different from GET and CHECKPRESENT, which do trust the cluster's location log. The difference is that removing from a cluster should make 100% the content is gone from every node. So doing extra work is ok. Compare with CHECKPRESENT where checking every node could make it very expensive, and the worst that can happen in a false negative is extra work being done. Extended the P2P protocol with FAILURE-PLUS to handle the case where a drop from one node succeeds, but a drop from another node fails. In that case the entire cluster drop has failed. Note that SUCCESS-PLUS is returned when dropping from a proxied remote that is not a cluster, when the protocol version supports it. This is because P2P.Proxy does not know when it's proxying for a single node cluster vs for a remote that is not a cluster.
2024-06-23 13:28:18 +00:00
-- When dropping from a cluster, don't suggest making the nodes of
-- the cluster available
clusternodes <- case mkClusterUUID =<< dropfrom of
Nothing -> pure []
Just cu -> do
clusters <- getClusters
pure $ maybe [] (map fromClusterNodeUUID . S.toList) $
M.lookup cu (clusterUUIDs clusters)
let excludeset = S.fromList $ map toUUID have++skip++clusternodes
-- Don't suggest making a cluster available when dropping from its
-- node.
let exclude u
| u `S.member` excludeset = pure True
| otherwise = case (dropfrom, mkClusterUUID u) of
(Just dropfrom', Just cu) -> do
clusters <- getClusters
pure $ case M.lookup cu (clusterUUIDs clusters) of
Just nodes ->
ClusterNodeUUID dropfrom'
`S.member` nodes
Nothing -> False
_ -> pure False
Remote.showLocations True key exclude nolocmsg
--explain for numcopies checks And closed the todo as completed. Sponsored-by: Dartmouth College's DANDI project
2023-07-31 16:36:13 +00:00
pluralCopies :: Int -> String
pluralCopies 1 = "copy"
pluralCopies _ = "copies"
refactor
2015-04-30 18:02:56 +00:00
verify local copy of content with locking
2015-10-09 18:57:32 +00:00
{- Finds locations of a key that can be used to get VerifiedCopies,
- in order to allow dropping the key.
-
- Provide a list of UUIDs that the key is being dropped from.
- The returned lists will exclude any of those UUIDs.
-
- The return lists also exclude any repositories that are untrusted,
- since those should not be used for verification.
refactor
2015-04-30 18:02:56 +00:00
-
avoid using cluster nodes in drop proof when dropping from cluster This is obviously necessary in order for dropping from a cluster to be able to drop from all nodes. It also avoids violating numcopies when a cluster node is a special remote. If it were used in the drop proof, nothing would prevent the cluster from dropping from it.
2024-06-23 10:20:11 +00:00
- When dropping from a cluster UUID, its nodes are excluded.
-
- Cluster UUIDs are also excluded since locking a key on a cluster
- is done by locking on individual nodes.
don't count clusters as copies Since the cluster UUID is inserted into the location log when the location log lists a node as containing content. Also avoid trying to lock content on cluster remotes. The cluster nodes are also proxied, so that content can be locked on individual nodes, and locking content on a cluster as a whole probably won't be implemented. And made git-annex whereis use numcopies machinery for displaying its count, so it won't count cluster UUIDs redundantly to nodes. Other commands, like git-annex info that also display numcopies information already used the numcopies machinery. There is more to be done, fromNumCopies is sometimes used to get a number that is compared with a list of UUIDs. And limitCopies doesn't use numcopies machinery.
2024-06-16 15:34:35 +00:00
-
verify local copy of content with locking
2015-10-09 18:57:32 +00:00
- The UnVerifiedCopy list is cost ordered.
- The VerifiedCopy list contains repositories that are trusted to
- contain the key.
refactor
2015-04-30 18:02:56 +00:00
-}
verify local copy of content with locking
2015-10-09 18:57:32 +00:00
verifiableCopies :: Key -> [UUID] -> Annex ([UnVerifiedCopy], [VerifiedCopy])
verifiableCopies key exclude = do
don't count clusters as copies Since the cluster UUID is inserted into the location log when the location log lists a node as containing content. Also avoid trying to lock content on cluster remotes. The cluster nodes are also proxied, so that content can be locked on individual nodes, and locking content on a cluster as a whole probably won't be implemented. And made git-annex whereis use numcopies machinery for displaying its count, so it won't count cluster UUIDs redundantly to nodes. Other commands, like git-annex info that also display numcopies information already used the numcopies machinery. There is more to be done, fromNumCopies is sometimes used to get a number that is compared with a list of UUIDs. And limitCopies doesn't use numcopies machinery.
2024-06-16 15:34:35 +00:00
locs <- filter (not . isClusterUUID) <$> Remote.keyLocations key
fix --from overriding annex-ignore Make git-annex get/copy/move --from foo override configuration of remote.foo.annex-ignore, as documented. This already worked for remotes supporting hasKeyCheap. For others though, git-annex copy --from foo would silently not do anything, while git-annex copy --to foo would use the annex-ignored remote. Also improved the annex-ignore docs, to reflect that `git-annex get` without --from will skip using annex-ignored remotes, for example. Sponsored-by: Dartmouth College's DANDI project
2023-11-30 19:11:57 +00:00
(remotes, trusteduuids) <- Remote.remoteLocations (Remote.IncludeIgnored False) locs
verify local copy of content with locking
2015-10-09 18:57:32 +00:00
=<< trustGet Trusted
avoid using cluster nodes in drop proof when dropping from cluster This is obviously necessary in order for dropping from a cluster to be able to drop from all nodes. It also avoids violating numcopies when a cluster node is a special remote. If it were used in the drop proof, nothing would prevent the cluster from dropping from it.
2024-06-23 10:20:11 +00:00
clusternodes <- if any isClusterUUID exclude
then do
clusters <- getClusters
pure $ concatMap (getclusternodes clusters) exclude
else pure []
verify local copy of content with locking
2015-10-09 18:57:32 +00:00
untrusteduuids <- trustGet UnTrusted
avoid using cluster nodes in drop proof when dropping from cluster This is obviously necessary in order for dropping from a cluster to be able to drop from all nodes. It also avoids violating numcopies when a cluster node is a special remote. If it were used in the drop proof, nothing would prevent the cluster from dropping from it.
2024-06-23 10:20:11 +00:00
let exclude' = exclude ++ untrusteduuids ++ clusternodes
verify local copy of content with locking
2015-10-09 18:57:32 +00:00
let remotes' = Remote.remotesWithoutUUID remotes (exclude' ++ trusteduuids)
let verified = map (mkVerifiedCopy TrustedCopy) $
filter (`notElem` exclude') trusteduuids
refactor
2015-04-30 18:02:56 +00:00
u <- getUUID
verify local copy of content with locking
2015-10-09 18:57:32 +00:00
let herec = if u `elem` locs && u `notElem` exclude'
then [UnVerifiedHere]
else []
return (herec ++ map UnVerifiedRemote remotes', verified)
avoid using cluster nodes in drop proof when dropping from cluster This is obviously necessary in order for dropping from a cluster to be able to drop from all nodes. It also avoids violating numcopies when a cluster node is a special remote. If it were used in the drop proof, nothing would prevent the cluster from dropping from it.
2024-06-23 10:20:11 +00:00
where
getclusternodes clusters u = case mkClusterUUID u of
Just cu -> maybe [] (map fromClusterNodeUUID . S.toList) $
M.lookup cu (clusterUUIDs clusters)
Nothing -> []
Reference in a new issue Copy permalink