Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

MFC r257155, r257582, r259191, r259192, r259193, r259194, r259195, r259196:

r257155:

Make hastctl list command output current queue sizes.

Reviewed by: pjd

r257582 (pjd):

Correct alignment.

r259191:

For memsync replication, hio_countdown is used not only as an
indication when a request can be moved to done queue, but also for
detecting the current state of memsync request.

This approach has problems, e.g. leaking a request if memsynk ack from
the secondary failed, or racy usage of write_complete, which should be
called only once per write request, but for memsync can be entered by
local_send_thread and ggate_send_thread simultaneously.

So the following approach is implemented instead:

1) Use hio_countdown only for counting components we waiting to
complete, i.e. initially it is always 2 for any replication mode.

2) To distinguish between "memsync ack" and "memsync fin" responses
from the secondary, add and use hio_memsyncacked field.

3) write_complete() in component threads is called only before
releasing hio_countdown (i.e. before the hio may be returned to the
done queue).

4) Add and use hio_writecount refcounter to detect when
write_complete() can be called in memsync case.

Reported by: Pete French petefrench ingresso.co.uk
Tested by: Pete French petefrench ingresso.co.uk

r259192:

Add some macros to make the code more readable (no functional chages).

r259193:

Fix compiler warnings.

r259194:

In remote_send_thread, if sending a request fails don't take the
request back from the receive queue -- it might already be processed
by remote_recv_thread, which lead to crashes like below:

(primary) Unable to receive reply header: Connection reset by peer.
(primary) Unable to send request (Connection reset by peer):
WRITE(954662912, 131072).
(primary) Disconnected from kopusha:7772.
(primary) Increasing localcnt to 1.
(primary) Assertion failed: (old > 0), function refcnt_release,
file refcnt.h, line 62.

Taking the request back was not necessary (it would properly be
processed by the remote_recv_thread) and only complicated things.

r259195:

Send wakeup to threads waiting on empty queue before releasing the
lock to decrease spurious wakeups.

Submitted by: davidxu

r259196:

Check remote protocol version only for the first connection (when it
is actually sent by the remote node).

Otherwise it generated confusing "Negotiated protocol version 1" debug
messages when processing the second connection.

MFC r246922 (pjd):

- Add support for 'memsync' mode. This is the fastest replication mode that's
why it will now be the default.
- Bump protocol version to 2 and add backward compatibility for version 1.
- Allow to specify hosts by kern.hostid as well (in addition to hostname and
kern.hostuuid) in configuration file.

Sponsored by: Panzura

MFC r233392, r233679:

r233392:

Fix typo.

r233679:

If hastd is invoked with "-P pidfile" option always create pidfile
regardless of whether -F (foreground) option is set or not.

Also, if -P option is specified, ignore pidfile setting from configuration
not only on start but on reload too. This fixes the issue when for hastd
run with -P option reload caused the pidfile change.

Reviewed by: pjd

MFC r229699, r229744, r229778, r229944, r229945, r229946, r230092, r230395,
r230396, r230436, r230457, r230515, r230976:

r229744 (pjd):

fork(2) returns -1 on failure, not some random negative number.

r229699 (pjd):

Constify argument.

r229778 (uqs):

Spelling fixes for sbin/

r229944 (pjd):

Don't touch pidfiles when running in foreground. Before that change we
would create an empty pidfile on start and check if it changed on SIGHUP.

r229945 (pjd):

For functions that return -1 on failure check exactly for -1 and not for
any negative number.

r229946 (pjd):

- Fix a bug where pidfile was removed in SIGHUP when it hasn't changed in
configuration file.
- Log the fact that pidfile has changed.

r230092 (pjd):

Style cleanups.

r230395 (pjd):

Remove unused token 'port'.

r230396 (pjd):

Remove another unused token.

r230436 (pjd):

Fix minor memory leak.

r230457 (pjd):

Free memory that won't be used in child.

r230515 (pjd):

- Fix documentation to note that /etc/hast.conf is the default configuration
file for hastd(8) and hastctl(8) and not hast.conf.
- In copyright statement correct that this file is documentation, not software.
- Bump date.

r230976 (pjd):

Fix typo in comment.

MFC r225773, r225781, r225782, r225783, r225784, 225785, r225786, r225787,
r225830, r225831, r225832, r225835, r226461, r226462, r226463, r226842,
r226851, r226852, r226854, r226855, r226856, r226857, r226859, r226861,
r228542, r228542, r228543, r228544, r228695, r228696:

r225773 (pjd):

Ensure that pjdlog functions don't modify errno.

r225781 (pjd):

No need to use KEEP_ERRNO() macro around pjdlog functions, as they don't
modify errno.

r225782 (pjd):

Prefer PJDLOG_ASSERT() and PJDLOG_ABORT() over assert() and abort().
pjdlog versions will log problem to syslog when application is running in
background.

r225783 (pjd):

Correct two mistakes when converting asserts to PJDLOG_ASSERT()/PJDLOG_ABORT().

r225784 (pjd):

- Convert some impossible conditions into assertions.
- Add missing 'if' in comment.

r225785 (pjd):

Prefer PJDLOG_ASSERT()/PJDLOG_ABORT() over assert().

r225786 (pjd):

No need to wrap pjdlog functions around with KEEP_ERRNO() macro.

r225787 (pjd):

Use PJDLOG_ASSERT() and PJDLOG_ABORT() everywhere instead of assert().

r225830 (pjd):

After every activemap change flush disk's write cache, so that write
reordering won't make the actual write to be committed before marking
the coresponding extent as dirty.

It can be disabled in configuration file.

If BIO_FLUSH is not supported by the underlying file system we log a warning
and never send BIO_FLUSH again to that GEOM provider.

r225831 (pjd):

Break a bit earlier.

r225832 (pjd):

If the underlying provider doesn't support BIO_FLUSH, log it only once
and don't bother trying in the future.

r225835 (pjd):

Correct typo.

r226461 (pjd):

When path to the configuration file is relative, obtain full path,
so we can always find the file, even after daemonizing and changing
working directory to /.

r226462 (pjd):

Remove redundant space.

r226463 (pjd):

Allow to specify pidfile in HAST configuration file.

r226842 (pjd):

Correct comments.

r226851 (pjd):

Delay resuid generation until first connection to secondary, not until first
write. This way on first connection we will synchronize only the extents that
were modified during the lifetime of primary node, not entire GEOM provider.

r226852 (pjd):

Minor cleanups.

r226854 (pjd):

- Eliminate the need for hio_nv.
- Introduce hio_clear() function for clearing hio before returning it
onto free queue.

r226855 (pjd):

Improve comment so it doesn't suggest race is possible, but that we handle
the race.

r226856 (pjd):

Reduce indentation.

r226857 (pjd):

Minor cleanups.

r226859 (pjd):

Implement 'async' mode for HAST.

r226861 (pjd):

Remove redundant space.

r228542 (pjd):

Remove redundant setting of the error variable.

Found by: Clang Static Analyzer

r228543 (pjd):

Simplify code by changing functions types from int to avoid, as the functions
always return 0.

Found by: Clang Static Analyzer

r228544 (pjd):

Remove redundant assignment.

Found by: Clang Static Analyzer

r228695 (pjd):

Don't use function name as format string.

Detected by: clang

r228696 (pjd):

Use lex's standard way of not generating unused function.

Inspired by: r228555

Copy head to stable/9 as part of 9.0-RELEASE release cycle.

Approved by: re (implicit)

In preparation for IPv6 support allow to specify multiple addresses to
listen on.

MFC after: 3 weeks

Rename HASTCTL_ defines, which are used for conversion between main
hastd process and workers, remove unused one and set different range
of numbers. This is done in order not to confuse them with HASTCTL_CMD
defines, used for conversation between hastctl and hastd, and to avoid
bugs like the one fixed in in r221075.

Approved by: pjd (mentor)
MFC after: 1 week

Correct comment.

MFC after: 1 week

When we become primary, we connect to the remote and expect it to be in
secondary role. It is possible that the remote node is primary, but only
because there was a role change and it didn't finish cleaning up (unmounting
file systems, etc.). If we detect such situation, wait for the remote node
to switch the role to secondary before accepting I/Os. If we don't wait for
it in that case, we will most likely cause split-brain.

MFC after: 1 week

If we act in different role than requested by the remote node, log it
as a warning and not an error.

MFC after: 1 week

Don't create socketpair for connection forwarding between parent and secondary.
Secondary doesn't need to connect anywhere.

MFC after: 1 week

White space cleanups.

MFC after: 1 week

Before handling any events on descriptors check signals so we can update
our info about worker processes if any of them was terminated in the meantime.

This fixes the problem with 'hastctl status' running from a hook called on
split-brain:
1. Secondary calls a hooks and terminates.
2. Hook asks for resource status via 'hastctl status'.
3. The main hastd handles the status request by sending it to the secondary
worker who is already dead, but because signals weren't checked yet he
doesn't know that and we get EPIPE.

MFC after: 1 week

In hast.conf we define the other node's address in 'remote' variable.
This way we know how to connect to secondary node when we are primary.
The same variable is used by the secondary node - it only accepts
connections from the address stored in 'remote' variable.
In cluster configurations it is common that each node has its individual
IP address and there is one addtional shared IP address which is assigned
to primary node. It seems it is possible that if the shared IP address is
from the same network as the individual IP address it might be choosen by
the kernel as a source address for connection with the secondary node.
Such connection will be rejected by secondary, as it doesn't come from
primary node individual IP.

Add 'source' variable that allows to specify source IP address we want to
bind to before connecting to the secondary node.

MFC after: 1 week

When creating connection on behalf of primary worker, set pjdlog prefix
to resource name and role, so that any logs related to that can be identified
properly.

MFC after: 1 week

If there is any traffic on one of out descriptors, we were not checking for
long running hooks. Fix it by not using select(2) timeout to decide if we want
to check hooks or not.

MFC after: 1 week

Allow to compress on-the-wire data using two algorithms:
- HOLE - it simply turns all-zero blocks into few bytes header;
it is extremely fast, so it is turned on by default;
it is mostly intended to speed up initial synchronization
where we expect many zeros;
- LZF - very fast algorithm by Marc Alexander Lehmann, which shows
very decent compression ratio and has BSD license.

MFC after: 2 weeks

Allow to checksum on-the-wire data using either CRC32 or SHA256.

MFC after: 2 weeks

Now that we break the loop on fstat(2) failure we no longer need to satisfy
gcc's imperfections.

MFC after: 1 week

Add (void) cast before snprintf(3)s for which we are not interested in return
values.

MFC after: 1 week

Treat fstat(2) failure (different than EBADF) as fatal error.

Reported by: Mikolaj Golub <to.my.trociny@gmail.com>
MFC after: 1 week

Open syslog when logging sysconf(3) failure.

Reported by: Mikolaj Golub <to.my.trociny@gmail.com>
MFC after: 1 week

Close more descriptors that can be open if the worker process for the given
resource is already running.

Submitted by: Mikolaj Golub <to.my.trociny@gmail.com>
MFC after: 1 week

Setup another socketpair between parent and child, so that primary sandboxed
worker can ask the main privileged process to connect in worker's behalf
and then we can migrate descriptor using this socketpair to worker.
This is not really needed now, but will be needed once we start to use
capsicum for sandboxing.

MFC after: 1 week

- Use pjdlog for assertions and aborts as this will log assert/abort message
to syslog if we run in background.
- Asserts in proto.c that method we want to call is implemented and remove
dummy methods from protocols implementation that are only there to abort
the program with nice message.

MFC after: 1 week

Add function to assert that the only descriptors we have open are the ones
we expect to be open. Also assert that they point at expected type.

Because openlog(3) API is unable to tell us descriptor number it is using, we
have to close syslog socket, remember assert message in local buffer and if we
fail on assertion, reopen syslog socket and log the message.

MFC after: 1 week

Add function to close all unneeded descriptors after fork(2).

MFC after: 1 week

Close the control socket before exiting, so it will be unlinked.

MFC after: 1 week

Add functions to initialize/finalize pjdlog. This allows to open/close log
file at will.

MFC after: 1 week

Don't open configuration file from worker process. Handle SIGHUP in the
master process only and pass changes to the worker processes over control
socket. This removes access to global namespace in preparation for capsicum
sandboxing.

MFC after: 2 weeks

- On primary worker reload, update hr_exec field.
- Update comment.

MFC after: 1 week

Install default signal handlers before masking signals we want to handle.
It is possible that the parent process ignores some of them and sigtimedwait()
will never see them, eventhough they are masked.

The most common situation for this to happen is boot process where init(8)
ignores SIGHUP before starting to execute /etc/rc. This in turn caused
hastd(8) to ignore SIGHUP.

Reported by: trasz
Obtained from: Wheel Systems Sp. z o.o. http://www.wheelsystems.com
MFC after: 3 days

Log the fact of launching and include protocol version number.

MFC after: 3 days

Load geom_gate.ko module after parsing arguments.

MFC after: 3 days

Log correct connection when canceling half-open connection.

Submitted by: Mikolaj Golub <to.my.trociny@gmail.com>
MFC after: 3 days

Decrease report interval to 5 seconds, as this also means we will check for
signals every 5 seconds and not every 10 seconds as before.

MFC after: 3 days

hook_check() is now only used to report about long-running hooks, so the
argument is redundant, remove it.

MFC after: 3 days

We can't mask ignored signal, so install dummy signal hander for SIGCHLD before
masking it.

This fixes bogus reports about hooks running for too long and other problems
related to garbage-collecting child processes.

Reported by: Mikolaj Golub <to.my.trociny@gmail.com>
MFC after: 3 days

Switch to sigprocmask(2) API also in the main process and secondary process.
This way the primary process inherits signal mask from the main process,
which fixes a race where signal is delivered to the primary process before
configuring signal mask.

Reported by: Mikolaj Golub <to.my.trociny@gmail.com>
MFC after: 3 days

Assert that descriptor numbers are sane.

MFC after: 3 days

Fix descriptor leaks: when child exits, we have to close control and event
socket pairs. We did that only in one case out of three.

MFC after: 3 days

Because it is very hard to make fork(2) from threaded process safe (we are
limited to async-signal safe functions in the child process), move all hooks
execution to the main (non-threaded) process.

Do it by maintaining connection (socketpair) between child and parent
and sending events from the child to parent, so it can execute the hook.

This is step in right direction for others reasons too. For example there is
one less problem to drop privs in worker processes.

MFC after: 2 weeks
Obtained from: Wheel Systems Sp. z o.o. http://www.wheelsystems.com

We only want to know if descriptors are ready for reading.

MFC after: 2 weeks
Obtained from: Wheel Systems Sp. z o.o. http://www.wheelsystems.com

Allow to run hooks from the main hastd process.

MFC after: 2 weeks
Obtained from: Wheel Systems Sp. z o.o. http://www.wheelsystems.com

When SIGTERM or SIGINT is received, terminate worker processes.

MFC after: 2 weeks
Obtained from: Wheel Systems Sp. z o.o. http://www.wheelsystems.com

Allow to execute specified program on various HAST events.

MFC after: 2 weeks
Obtained from: Wheel Systems Sp. z o.o. http://www.wheelsystems.com

Implement configuration reload on SIGHUP. This includes:
- Load added resources.
- Stop and forget removed resources.
- Update modified resources in least intrusive way, ie. don't touch
/dev/hast/<name> unless path to local component or provider name were
modified.

Obtained from: Wheel Systems Sp. z o.o. http://www.wheelsystems.com
MFC after: 1 month

Prepare configuration parsing code to be called multiple times:
- Don't exit on errors if not requested.
- Don't keep configuration in global variable, but allocate memory for
configuration.
- Call yyrestart() before yyparse() so that on error in configuration file
we will start from the begining next time and not from the place we left of.

MFC after: 1 month

- Use pjdlog_exitx() to log errors and exit instead of errx().
- Use 'unable to' (instead of 'cannot') consistently.

MFC after: 1 month

Correct various log messages.

Submitted by: Mikolaj Golub <to.my.trociny@gmail.com>
MFC after: 3 days

Remove macros that are not really needed. The idea was to have them in case
we grow more descriptors, but I'll reconsider readding them once we get there.

Passing (a = b) expression to FD_ISSET() is bad idea, as FD_ISSET() evaluates
its argument twice.

Found by: Coverity Prevent
CID: 5243
MFC after: 3 days

- Check if the worker process was killed by signal and restart it.
- Improve logging.

Pointed out by: Garrett Cooper <yanefbsd@gmail.com>
MFC after: 3 days

Fix a problem where hastd will stuck in recv(2) after sending request to
secondary, which died between send(2) and recv(2). Do it by adding timeout
to recv(2) for primary incoming and outgoing sockets and secondary outgoing
socket.

Reported by: Mikolaj Golub <to.my.trociny@gmail.com>
Tested by: Mikolaj Golub <to.my.trociny@gmail.com>
MFC after: 3 days

Restart worker thread only if the problem was temporary.
In case of persistent problem we don't want to loop forever.

MFC after: 3 days

Use WEXITSTATUS() to obtain real exit code.

MFC after: 3 days

Fix control socket leak when worker process exits.

Submitted by: Mikolaj Golub <to.my.trociny@gmail.com>
MFC after: 3 days

Please welcome HAST - Highly Avalable Storage.

HAST allows to transparently store data on two physically separated machines
connected over the TCP/IP network. HAST works in Primary-Secondary
(Master-Backup, Master-Slave) configuration, which means that only one of the
cluster nodes can be active at any given time. Only Primary node is able to
handle I/O requests to HAST-managed devices. Currently HAST is limited to two
cluster nodes in total.

HAST operates on block level - it provides disk-like devices in /dev/hast/
directory for use by file systems and/or applications. Working on block level
makes it transparent for file systems and applications. There in no difference
between using HAST-provided device and raw disk, partition, etc. All of them
are just regular GEOM providers in FreeBSD.

For more information please consult hastd(8), hastctl(8) and hast.conf(5)
manual pages, as well as http://wiki.FreeBSD.org/HAST.

Sponsored by: FreeBSD Foundation
Sponsored by: OMCnet Internet Service GmbH
Sponsored by: TransIP BV