Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

MFC r257155, r257582, r259191, r259192, r259193, r259194, r259195, r259196:

r257155:

Make hastctl list command output current queue sizes.

Reviewed by: pjd

r257582 (pjd):

Correct alignment.

r259191:

For memsync replication, hio_countdown is used not only as an
indication when a request can be moved to done queue, but also for
detecting the current state of memsync request.

This approach has problems, e.g. leaking a request if memsynk ack from
the secondary failed, or racy usage of write_complete, which should be
called only once per write request, but for memsync can be entered by
local_send_thread and ggate_send_thread simultaneously.

So the following approach is implemented instead:

1) Use hio_countdown only for counting components we waiting to
complete, i.e. initially it is always 2 for any replication mode.

2) To distinguish between "memsync ack" and "memsync fin" responses
from the secondary, add and use hio_memsyncacked field.

3) write_complete() in component threads is called only before
releasing hio_countdown (i.e. before the hio may be returned to the
done queue).

4) Add and use hio_writecount refcounter to detect when
write_complete() can be called in memsync case.

Reported by: Pete French petefrench ingresso.co.uk
Tested by: Pete French petefrench ingresso.co.uk

r259192:

Add some macros to make the code more readable (no functional chages).

r259193:

Fix compiler warnings.

r259194:

In remote_send_thread, if sending a request fails don't take the
request back from the receive queue -- it might already be processed
by remote_recv_thread, which lead to crashes like below:

(primary) Unable to receive reply header: Connection reset by peer.
(primary) Unable to send request (Connection reset by peer):
WRITE(954662912, 131072).
(primary) Disconnected from kopusha:7772.
(primary) Increasing localcnt to 1.
(primary) Assertion failed: (old > 0), function refcnt_release,
file refcnt.h, line 62.

Taking the request back was not necessary (it would properly be
processed by the remote_recv_thread) and only complicated things.

r259195:

Send wakeup to threads waiting on empty queue before releasing the
lock to decrease spurious wakeups.

Submitted by: davidxu

r259196:

Check remote protocol version only for the first connection (when it
is actually sent by the remote node).

Otherwise it generated confusing "Negotiated protocol version 1" debug
messages when processing the second connection.

MFC r252472:

Make hastctl(1) ('list' command) output a worker pid.

Reviewed by: pjd

Finish MFC of r248291,249741:

Change 'status' command to produce one-line easy-parseable output.

Approved by: trociny

MFC r248286 (pjd):

Removed redundant includes.

Preparation for MFC revs r248291 and r249741:

Add 'list' command, for now the exact equivalent of 'status',
so users of the latter could change their scripts.

This is direct commit to stable, and is temporary.

Requested by: Pete French <petefrench@ingresso.co.uk>
Approved by: trociny
2B cleaned after: 6 weeks

MFC r247281, r247345:

r247281:

Add i/o error counters to hastd(8) and make hastctl(8) display
them. This may be useful for detecting problems with HAST disks.

Discussed with and reviewed by: pjd

r247345:

Fix casting.

MFC r229699, r229744, r229778, r229944, r229945, r229946, r230092, r230395,
r230396, r230436, r230457, r230515, r230976:

r229744 (pjd):

fork(2) returns -1 on failure, not some random negative number.

r229699 (pjd):

Constify argument.

r229778 (uqs):

Spelling fixes for sbin/

r229944 (pjd):

Don't touch pidfiles when running in foreground. Before that change we
would create an empty pidfile on start and check if it changed on SIGHUP.

r229945 (pjd):

For functions that return -1 on failure check exactly for -1 and not for
any negative number.

r229946 (pjd):

- Fix a bug where pidfile was removed in SIGHUP when it hasn't changed in
configuration file.
- Log the fact that pidfile has changed.

r230092 (pjd):

Style cleanups.

r230395 (pjd):

Remove unused token 'port'.

r230396 (pjd):

Remove another unused token.

r230436 (pjd):

Fix minor memory leak.

r230457 (pjd):

Free memory that won't be used in child.

r230515 (pjd):

- Fix documentation to note that /etc/hast.conf is the default configuration
file for hastd(8) and hastctl(8) and not hast.conf.
- In copyright statement correct that this file is documentation, not software.
- Bump date.

r230976 (pjd):

Fix typo in comment.

MFC r225773, r225781, r225782, r225783, r225784, 225785, r225786, r225787,
r225830, r225831, r225832, r225835, r226461, r226462, r226463, r226842,
r226851, r226852, r226854, r226855, r226856, r226857, r226859, r226861,
r228542, r228542, r228543, r228544, r228695, r228696:

r225773 (pjd):

Ensure that pjdlog functions don't modify errno.

r225781 (pjd):

No need to use KEEP_ERRNO() macro around pjdlog functions, as they don't
modify errno.

r225782 (pjd):

Prefer PJDLOG_ASSERT() and PJDLOG_ABORT() over assert() and abort().
pjdlog versions will log problem to syslog when application is running in
background.

r225783 (pjd):

Correct two mistakes when converting asserts to PJDLOG_ASSERT()/PJDLOG_ABORT().

r225784 (pjd):

- Convert some impossible conditions into assertions.
- Add missing 'if' in comment.

r225785 (pjd):

Prefer PJDLOG_ASSERT()/PJDLOG_ABORT() over assert().

r225786 (pjd):

No need to wrap pjdlog functions around with KEEP_ERRNO() macro.

r225787 (pjd):

Use PJDLOG_ASSERT() and PJDLOG_ABORT() everywhere instead of assert().

r225830 (pjd):

After every activemap change flush disk's write cache, so that write
reordering won't make the actual write to be committed before marking
the coresponding extent as dirty.

It can be disabled in configuration file.

If BIO_FLUSH is not supported by the underlying file system we log a warning
and never send BIO_FLUSH again to that GEOM provider.

r225831 (pjd):

Break a bit earlier.

r225832 (pjd):

If the underlying provider doesn't support BIO_FLUSH, log it only once
and don't bother trying in the future.

r225835 (pjd):

Correct typo.

r226461 (pjd):

When path to the configuration file is relative, obtain full path,
so we can always find the file, even after daemonizing and changing
working directory to /.

r226462 (pjd):

Remove redundant space.

r226463 (pjd):

Allow to specify pidfile in HAST configuration file.

r226842 (pjd):

Correct comments.

r226851 (pjd):

Delay resuid generation until first connection to secondary, not until first
write. This way on first connection we will synchronize only the extents that
were modified during the lifetime of primary node, not entire GEOM provider.

r226852 (pjd):

Minor cleanups.

r226854 (pjd):

- Eliminate the need for hio_nv.
- Introduce hio_clear() function for clearing hio before returning it
onto free queue.

r226855 (pjd):

Improve comment so it doesn't suggest race is possible, but that we handle
the race.

r226856 (pjd):

Reduce indentation.

r226857 (pjd):

Minor cleanups.

r226859 (pjd):

Implement 'async' mode for HAST.

r226861 (pjd):

Remove redundant space.

r228542 (pjd):

Remove redundant setting of the error variable.

Found by: Clang Static Analyzer

r228543 (pjd):

Simplify code by changing functions types from int to avoid, as the functions
always return 0.

Found by: Clang Static Analyzer

r228544 (pjd):

Remove redundant assignment.

Found by: Clang Static Analyzer

r228695 (pjd):

Don't use function name as format string.

Detected by: clang

r228696 (pjd):

Use lex's standard way of not generating unused function.

Inspired by: r228555

Copy head to stable/9 as part of 9.0-RELEASE release cycle.

Approved by: re (implicit)

When exiting with error because of an invalid command line argument
use errx(3), not err(3), and the exit code from sysexits(3).

Approved by: pjd (mentor)

Keep statistics on number of BIO_READ, BIO_WRITE, BIO_DELETE and BIO_FLUSH
requests as well as number of activemap updates.

Number of BIO_WRITEs and activemap updates are especially interesting, because
if those two are too close to each other, it means that your workload needs
bigger number of dirty extents. Activemap should be updated as rarely as
possible.

MFC after: 1 week

Currently we are unable to use capsicum for the primary worker process,
because we need to do ioctl(2)s, which are not permitted in the capability
mode. What we do now is to chroot(2) to /var/empty, which restricts access
to file system name space and we drop privileges to hast user and hast
group.

This still allows to access to other name spaces, like list of processes,
network and sysvipc.

To address that, use jail(2) instead of chroot(2). Using jail(2) will restrict
access to process table, network (we use ip-less jails) and sysvipc (if
security.jail.sysvipc_allowed is turned off). This provides much better
separation.

MFC after: 1 week

Fix assert messages.

Approved by: pjd (mentor)

Remove hast_proto_recv(). It was used only in one place, where
hast_proto_recv_hdr() may be used. This also fixes the issue
(introduced by r220523) with hastctl, which crashed on assert in
hast_proto_recv_data().

Suggested and approved by: pjd (mentor)

When dropping privileges prefer capsicum over chroot+setgid+setuid.
We can use capsicum for secondary worker processes and hastctl.
When working as primary we drop privileges using chroot+setgid+setuid
still as we need to send ioctl(2)s to ggate device, for which capsicum
doesn't allow (yet).

X-MFC after: capsicum is merged to stable/8

Forgot to commit this as a part of r219818.

MFC after: 1 week

In command line options allow size to be specified using k/M/G/T
suffixes.

Approved by: pjd (mentor)
MFC after: 1 week

Print some of the numbers in human readable form (using %N).

MFC after: 2 weeks

Drop privileges after connecting to hastd, but before sending or receiving
anything.

MFC after: 1 week

Add missing argument after r218192.

Add functions to initialize/finalize pjdlog. This allows to open/close log
file at will.

MFC after: 1 week

Force commit to remind me about MFCing r210909.

MFC after: 1 month

Update the arguments to yy_config_parse() to match r210883.

Choose the more conservative option ('yes' to exit on error) to match
the equivalent code in hastd.

Please welcome HAST - Highly Avalable Storage.

HAST allows to transparently store data on two physically separated machines
connected over the TCP/IP network. HAST works in Primary-Secondary
(Master-Backup, Master-Slave) configuration, which means that only one of the
cluster nodes can be active at any given time. Only Primary node is able to
handle I/O requests to HAST-managed devices. Currently HAST is limited to two
cluster nodes in total.

HAST operates on block level - it provides disk-like devices in /dev/hast/
directory for use by file systems and/or applications. Working on block level
makes it transparent for file systems and applications. There in no difference
between using HAST-provided device and raw disk, partition, etc. All of them
are just regular GEOM providers in FreeBSD.

For more information please consult hastd(8), hastctl(8) and hast.conf(5)
manual pages, as well as http://wiki.FreeBSD.org/HAST.

Sponsored by: FreeBSD Foundation
Sponsored by: OMCnet Internet Service GmbH
Sponsored by: TransIP BV