Custom column names and scripts for zpool status/iostat -c

[tonyhutter]

Description

This patch updates the zpool status/iostat -c option to only run "pre-baked" scripts from the /usr/local/etc/zfs/zpool.d directory (or wherever you install to). The scripts can only be run from -c as an unprivileged user. This was done mainly for security reasons. If you script needs to run a privileged command, consider adding the appropriate line in /etc/sudoers. See zpool(8) for an example of how to do this.

The patch also allows the scripts to output custom column names. If the script outputs a line like:

name=value

then "name" is used for the column name, and "value" is its value. Multiple columns can be specified by outputting multiple lines. Column names and values can have spaces. If the value is empty, a dash (-) is printed instead.

After all the "name=value" lines are read (if any), zpool will take the next the next line of output (if any) and print it without a column header. After that, no more lines will be processed. This can be useful for printing errors.

Example output of running four scripts:

$ zpool iostat -vc vendor,model,enc,slot
                         capacity     operations     bandwidth
pool                   alloc   free   read  write   read  write   vendor         model       enc  slot
---------------------  -----  -----  -----  -----  -----  -----  -------  ------------  --------  ----
tank                   20.4G  7.23T      0      8  44.6K  1020K
  mirror               20.4G  7.23T      0      8  44.6K  1020K
    24050438227969495      -      -      0      0      0      0  SEAGATE  ST8000NM0075   0:0:1:0     2
    U10                    -      -      0      0    566  13.1K  SEAGATE  ST8000NM0075   0:0:1:0    11
    U11                    -      -      0      0    913  13.1K  SEAGATE  ST8000NM0075   0:0:1:0    12
    U12                    -      -      0      0    486  13.1K  SEAGATE  ST8000NM0075   0:0:1:0    13
    U13                    -      -      0      0    504  13.1K  SEAGATE  ST8000NM0075   0:0:1:0    14
...

Lastly, this patch also disables the -c option with the latency and request size histograms, since it produced awkward output and made the code harder to maintain.

Motivation and Context

• Make the -c option more secure.
• Create pre-baked scripts to make looking up common disk stats easier

How Has This Been Tested?

Tested by hand and updated automated test scripts.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Performance enhancement (non-breaking change which improves efficiency)
• Code cleanup (non-breaking change which makes code smaller or more readable)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• My code follows the ZFS on Linux code style requirements.
• I have updated the documentation accordingly.
• I have read the CONTRIBUTING document.
• I have added tests to cover my changes.
• All new and existing tests passed.
• Change has been approved by a ZFS on Linux member.

[mention-bot]

@tonyhutter, thanks for your PR! By analyzing the history of the files in this pull request, we identified @behlendorf, @inkdot7 and @ryao to be potential reviewers.

[tonyhutter]

Lint is reporting some memory leaks, let me fix those.

[behlendorf]

You can fix the kernel.org build issues with a rebase on master too.

[tonyhutter]

Ok, I fixed the memory leak and rebased.

[tonyhutter]

Open question for everyone:
The proposed patch prints the user's column titles as-is, but the convention for zpool status is to capitalize column titles. Should zpool status capitalize titles and/or substitute column spaces for underscores? Examples:

Current patch:

$ zpool status -c 'echo col1=val1; echo vdev path=$VDEV_PATH'
...
NAME        STATE     READ WRITE CKSUM  col1  vdev path
mypool      ONLINE       0     0     0
  mirror-0  ONLINE       0     0     0
    sdb     ONLINE       0     0     0  val1   /dev/sdb
    sdc     ONLINE       0     0     0  val1   /dev/sdc

Capitalize column names:

$ zpool status -c 'echo col1=val1; echo vdev path=$VDEV_PATH'
...
NAME        STATE     READ WRITE CKSUM  COL1  VDEV PATH
mypool      ONLINE       0     0     0
  mirror-0  ONLINE       0     0     0
    sdb     ONLINE       0     0     0  val1   /dev/sdb
    sdc     ONLINE       0     0     0  val1   /dev/sdc

Capitalize w/underscores:

$ zpool status -c 'echo col1=val1; echo vdev path=$VDEV_PATH'
...
NAME        STATE     READ WRITE CKSUM  COL1  VDEV_PATH
mypool      ONLINE       0     0     0
  mirror-0  ONLINE       0     0     0
    sdb     ONLINE       0     0     0  val1   /dev/sdb
    sdc     ONLINE       0     0     0  val1   /dev/sdc

[chrisrd]

I think leave as-is, i.e. no title munging: if the user wants capitals etc. they can specify them.

[behlendorf]

nit: The preferred style is line == NULL, style guide page 25.

[behlendorf]

getline was originally a GNU extension but it looks like it was added to POSIX.1-2008 and FreeBSD and Illumos both have an implementation so this shouldn't case any compatibility issues.

[behlendorf]

nit: extra newline

[behlendorf]

Extra leading space before tab

[behlendorf]

Using realloc() in this way results in a memory leak on failure. When NULL is returned we'll overwrite the pointer to the allocated block and it won't be freed by realloc().

[behlendorf]

nit: We're now able to switch the c99 style usage here for the variables. It'd be nice to switch to this usage in functions touched by this patch.

for (int i = 0; i < vcdl->count; i++) {

[behlendorf]

s/use/used/

[behlendorf]

s/vars/variables/

[behlendorf]

s/use/used/

[behlendorf]

s/vars/variables/

[behlendorf]

I think as-is the right way to go here as well. This gives users the most flexibly to specify exactly what they want without us second guessing them.

[tonyhutter]

misc updates:

1. My latest push fixed all @behlendorf's comments
2. I need to deal with the issue where vdevs don't all output the same column names. This could happen if you're running smartctl on a pool with mixed disks, since the smartctl output is different for SATA vs SAS. Right now zpool blindly takes the column names from the 1st vdev's results:

zpool status -c 'if [ "$VDEV_UPATH" == "/dev/sdb" ] ; then echo "1st_vdev=1st" ; else echo "2nd_vdev=2nd" ; fi'
  pool: tank
 state: ONLINE
  scan: none requested
config:

    NAME        STATE     READ WRITE CKSUM  1st_vdev
    tank        ONLINE       0     0     0
      mirror-0  ONLINE       0     0     0
        sdb     ONLINE       0     0     0       1st
        sdc     ONLINE       0     0     0       2nd

What we really want:

    NAME        STATE     READ WRITE CKSUM  1st_vdev  2nd_vdev
    tank        ONLINE       0     0     0
      mirror-0  ONLINE       0     0     0
        sdb     ONLINE       0     0     0       1st
        sdc     ONLINE       0     0     0                 2nd

I'll fix this in the next push.

3. @chrisrd bought up some good points about potential security issues with -c (Add -c to zpool iostat & status to run command, remove libdevmapper requirement #5368 (comment)). I've been going over them in my head and have some thoughts on it:

We should never set SUID on the 'zpool' binary! If set, the user could run anything they want as root with -c. In fact, we should probably error out if someone trys to use -c with SUID set.

People need to sanitize input to zpool. If you have a webserver querying zpool status don't do this!:

zpool status $poolname_from_webserver

...because someone will inevitably set $poolname_from_webserver="-c 'rm -fr /'". You could sanitize it with:

zpool status -c true $poolname_from_webserver

...so you'd hit double -c's and error out. Currently, the double -c actually doesn't error out, and instead just uses the 2nd -c, so I need to fix this in my next push.

[chrisrd]

Maybe a -- to indicate "end of options", so you can zpool status -- "$poolname_from_webserver"? That has the advantage of being (semi-?)standard, e.g. man 3 getopt.

I'd still prefer running a single command(/script) via fork/exec rather than having arbitrary shell commands passed in on the command line - using either the hard-coded dir you spoke of in #5368 or my suggested ZFS_PATH/PATH version (where an suid zpool only looks at ZFS_PATH and non-suid looks at ZFS_PATH then PATH).

[chrisrd]

Sigh. What was I thinking?? Of course an suid zpool needs to use a hard-coded dir.

[tonyhutter]

@chrisrd I talked to @behlendorf offline and we decided to go the fork/exec route you suggested, for all the reasons you mentioned. So -c will only run scripts from /etc/zfs/zpool.d. In fact we're going to take it a step further and only allow non-privilaged users to run the scripts. If a script needs to run a privileged command (like smartctl) then admins will need to add smartctl -a to their /etc/sudoers for the user, like:

username ALL=NOPASSWD: /usr/sbin/smartctl -a /dev/sd[a-z]*, NOEXEC: /usr/sbin/smartctl -a /dev/sd[a-z]*

I'm not sure how I feel about having a $ZFS_PATH. I'll need to give it some thought. In general, I'd rather error on the side of paranoid just to get this code into the 0.7.0 release. After that, we can add features to it after we've convinced ourselves that they're safe.

I do like the -- idea though.

[behlendorf]

Let's make sure these scripts pass shellcheck cleanly by adding this directory to the top level shellcheck make target. Running it locally does uncover a few small issues.

[behlendorf]

[nit] static void should be on it's own line.

[behlendorf]

Let's use a local variable to hold the return value throughout this block of code to make it more readable. For example.

                error = asprintf(&env[0], "PATH=/bin:/sbin:/usr/bin:/usr/sbin");
                if (error == -1)
                        goto end;

[behlendorf]

[style] out, not end is the label most commonly used throughout the code base for this kind of cleanup. Let's switch to that.

[behlendorf]

You could define the hard coded path here which is static.

        char *env[5] = { "PATH=/bin:/sbin:/usr/bin:/usr/sbin", NULL, NULL, NULL, NULL };

[behlendorf]

How about not framing this as an error and just printing the available scripts. It would be really convenient if we could provide a brief description extracted from the script, maybe by invoking it with a -h option. For example:

Available scripts:
  enc       Print SCSI Enclosure Services (SES) info.
  iostat    Display most relevant iostat bandwidth/latency numbers.
  ...

We should probably also restrict the entries returned to file which are executable.

[behlendorf]

The commit comment should reference the /etc/zfs/zpool.d directory which is what users will use.

[behlendorf]

nit: You'll want to add an empty line here for consistency with the other scripts.

[behlendorf]

nit: You've got an extra empty line here which needs to be removed.

[behlendorf]

Let's phrase this to avoid abbreviations.

s/uniq/unique
s/col/column

[behlendorf]

Let's phrase this to avoid abbreviations.

s/uniq/unique
s/col/column

[behlendorf]

Leading space before tab should be removed.

[behlendorf]

nit: stray empty line

[behlendorf]

Let's move this up before the <sys/*> entries.

[behlendorf]

Let's make sure vdev_run_cmd() and print_zpool_script_help use the same shared function for fork/exec. Ideally, and updated/modified more generic version of the existing libzfs_run_process() would be nice.

[behlendorf]

nit: missing newline

[behlendorf]

No need for the ERROR: here which differs from all the other error messages. Please remove it.

[tonyhutter]

My latest push fixes all the little stuff @behlendorf was looking for. I still need to ponder what to do about the common fork/exec code in print_zpool_script_help()/_zed_exec_fork_child()/vdev_run_cmd()/libzfs_run_process(). Seems like we should be able to consolidate those functions, but they're all subtly different...

[dinatale2]

I recommend adding the scripts in zpool.d directory to the shellcheck make recipe.

[behlendorf]

@tonyhutter regarding the fork/exec code, if we can't come up with a clean way to refactor it in this change I'm OK with leaving it for another day.

[dinatale2]

I like how this is shaping up! Good work @tonyhutter!

Only other note (which I already previously mentioned), add the scripts to the shellcheck recipe.

[dinatale2]

nit: you're not always doing a 1 second sample here. You're doing either a 1s or 10s sample. Or when you're not running iostat-1s or iostat-10s, you're getting summary stats.

[dinatale2]

use grep directly

[dinatale2]

use rm directly

[dinatale2]

should this be something like return (gettext("\tstatus [-c script1[,script2,...]] [-gLPvxD]"? You need to specify at least one script to run? The list of multiple scripts to run is optional part.

[dinatale2]

Should be return (gettext("\tiostat [[[-c script1[,script2,...]"? You need to specify at least one script to run, right?

[tonyhutter]

You can run with just -c to get the list of the scripts:

$ zpool status -c
Current scripts in /usr/local/etc/zfs/zpool.d:

  enc             Show disk enclosure w:x:y:z value.
  encdev          Show the /dev/sg* device for the enclosure associated with the disk slot.
  fault_led       Show the value of the disk enclosure slot fault LED.
  iostat-1s       Do a single 1-second iostat sample and show values.
  iostat-10s      Do a single 10-second iostat sample and show values.
  label           Show filesystem label.
  locate_led      Show the value of the disk enclosure slot locate LED.
  lsblk           Show the disk size, vendor, model number, and serial number.
  model           Show disk model number.
  serial          Show disk serial number.
  ses             Show disk's enclosure, enclosure dev, slot number, and fault/locate LED values.
  size            Show the disk capacity.
  slaves          Show device mapper slave devices.
  slot            Show disk slot number as reported by the enclosure.
  upath           Show the underlying path for a device.
  vendor          Show the disk vendor.
  iostat          Show iostat values since boot (summary page).

[dinatale2]

ah, I missed that! Sorry!

[dinatale2]

nit: comment should be above the if

[dinatale2]

* zpool status [-c script1[,script2,...]] [-gLPvx] [-T d|u] [pool] ...?

[dinatale2]

ditto from above.

[dinatale2]

ditto about the optional comma separated list of scripts to run

[dinatale2]

ditto

[dinatale2]

You need to remove the semicolon from the previous line. Your scripts aren't being passed to shellcheck atm.

[tonyhutter]

Thanks, fixed in latest push

[tonyhutter]

@behlendorf I was able to refactor libzfs_run_process() to get it to work for the two -c cases. That code is in the latest push that is passing all the tests. I'm still working on the environment variable that you can set to run -c as root though. @dinatale2 all your fixes are in there as well.

[dinatale2]

nit: you should be consistent with your helpstr format all the way through these scripts.

[dinatale2]

Ah, I just realized what you were doing in all the other scripts... and it's really clever. It's still a nit in the sense that you have a helpstr in most of the other scripts. But, I'm not so bothered by this anymore. Feel free to ignore the nits related to this.

[dinatale2]

nit: ditto 'helpstr` format.

[dinatale2]

Related to the nit: about helpstr, would it be worth making a helper function and placing it in a lib style shell script? You can then define helpstr in each script and simply call a handle_helpstr function of some sort.

[dinatale2]

Actually, nevermind. I don't see any other things that you could pull into a lib style shell script. Just ignore this.

[dinatale2]

Do you mean null terminated?

[dinatale2]

...run script(s) on each vdev...?

[dinatale2]

Might sound better as For security reasons, a user can only execute scripts found in the /<etc>/zfs/zpool.d directory as an unprivileged user. Thoughts?

[dinatale2]

Privileged is misspelled. Though, the line may sound better as However, a user can run \fB-c\fR with elevated privileges if they have the ZPOOL_SCRIPTS_AS_ROOT environment variable set. Thoughts?

[dinatale2]

Does If a script requires the use of a privileged command (such as smartctl), then it is recommended you allow... sound better?

[dinatale2]

ditto: same as the above comments for this same paragraph.

[dinatale2]

Running zpool iostat -c <script> pool vdev results in the footer being printed incorrectly. The last line of dashes is not fully printed and no newline is printed.

Also, zpool iostat -c <script> doesn't display any extra information unless you use the -v flag. I understand that data won't be available because the scripts can only be run on leaf vdevs, but I feel like giving the user no feedback is confusing. It makes the user feel like the -c was ignored entirely. Maybe it would be a good idea to just print the full header so that way the user gets some visual feedback?

[tonyhutter]

@dinatale2 thanks for spotting the missing footer on the pool vdev case. I fixed that and the other things you were looking for in the latest push. Also, I made it so -c to automatically turns on verbose mode in zpool iostat, so you don't need to do -vc with it anymore.

[tonyhutter]

@behlendorf forgot to mention that the latest push also has the ZPOOL_SCRIPTS_AS_ROOT env var that allows you to run -c as root.

[mgmartin]

After pulling in this change, I'm seeing a minor formatting issue using zpool iostat -v with a cache device attached:

                                                capacity     operations     bandwidth 
pool                                           alloc   free   read  write   read  write
---------------------------------------------  -----  -----  -----  -----  -----  -----
array1                                         6.62T  2.44T  2.14K    113  44.2M   834K
  raidz1                                       6.62T  2.44T  2.14K    113  44.2M   834K
    wwn-0x50014ee05878a760                         -      -    441     23  8.90M   167K
    wwn-0x50014ee0adcd6257                         -      -    437     23  8.79M   167K
    wwn-0x50014ee003236b03                         -      -    437     22  8.77M   167K
    ata-WDC_WD2002FAEX-007BA0_WD-WMAY04091360      -      -    439     22  8.84M   167K
    wwn-0x50014ee05878abf1                         -      -    440     21  8.88M   167K
cache                                              -      -      -      -      -      -  loop0                                        3.34G  60.7G      3      9   110K   755K
---------------------------------------------  -----  -----  -----  -----  -----  -----

[tonyhutter]

@mgmartin thanks for reporting. I'll take a look.

[tonyhutter]

@mgmartin #6060