Overview¶

CacheFiles is a caching backend that’s meant to use as a cache a directory onan already mounted filesystem of a local type (such as Ext3).

CacheFiles uses a userspace daemon to do some of the cache management - such asreaping stale nodes and culling. This is called cachefilesd and lives in/sbin.

The filesystem and data integrity of the cache are only as good as those of thefilesystem providing the backing services. Note that CacheFiles does notattempt to journal anything since the journalling interfaces of the variousfilesystems are very specific in nature.

CacheFiles creates a misc character device - “/dev/cachefiles” - that is usedto communication with the daemon. Only one thing may have this open at once,and while it is open, a cache is at least partially in existence. The daemonopens this and sends commands down it to control the cache.

CacheFiles is currently limited to a single cache.

CacheFiles attempts to maintain at least a certain percentage of free space onthe filesystem, shrinking the cache by culling the objects it contains to makespace if necessary - see the “Cache Culling” section. This means it can beplaced on the same medium as a live set of data, and will expand to make use ofspare space and automatically contract when the set of data requires morespace.

Requirements¶

The use of CacheFiles and its daemon requires the following features to beavailable in the system and in the cache filesystem:

• dnotify.

• extended attributes (xattrs).

• openat() and friends.

• bmap() support on files in the filesystem (FIBMAP ioctl).

• The use ofbmap() to detect a partial page at the end of the file.

It is strongly recommended that the “dir_index” option is enabled on Ext3filesystems being used as a cache.

Configuration¶

The cache is configured by a script in /etc/cachefilesd.conf. These commandsset up cache ready for use. The following script commands are available:

brun <N>%, bcull <N>%, bstop <N>%, frun <N>%, fcull <N>%, fstop <N>%

Configure the culling limits. Optional. See the section on cullingThe defaults are 7% (run), 5% (cull) and 1% (stop) respectively.

The commands beginning with a ‘b’ are file space (block) limits, thosebeginning with an ‘f’ are file count limits.

dir <path>

Specify the directory containing the root of the cache. Mandatory.

tag <name>

Specify a tag to FS-Cache to use in distinguishing multiple caches.Optional. The default is “CacheFiles”.

debug <mask>

Specify a numeric bitmask to control debugging in the kernel module.Optional. The default is zero (all off). The following values can beOR’d into the mask to collect various information:

1	Turn on trace of function entry (_enter() macros)
2	Turn on trace of function exit (_leave() macros)
4	Turn on trace of internal debug points (_debug())

This mask can also be set through sysfs, eg:

echo 5 > /sys/module/cachefiles/parameters/debug

Starting the Cache¶

The cache is started by running the daemon. The daemon opens the cache device,configures the cache and tells it to begin caching. At that point the cachebinds to fscache and the cache becomes live.

The daemon is run as follows:

/sbin/cachefilesd [-d]* [-s] [-n] [-f <configfile>]

The flags are:

-d

Increase the debugging level. This can be specified multiple times andis cumulative with itself.

-s

Send messages to stderr instead of syslog.

-n

Don’t daemonise and go into background.

-f<configfile>

Use an alternative configuration file rather than the default one.

Things to Avoid¶

Do not mount other things within the cache as this will cause problems. Thekernel module contains its own very cut-down path walking facility that ignoresmountpoints, but the daemon can’t avoid them.

Do not create, rename or unlink files and directories in the cache while thecache is active, as this may cause the state to become uncertain.

Renaming files in the cache might make objects appear to be other objects (thefilename is part of the lookup key).

Do not change or remove the extended attributes attached to cache files by thecache as this will cause the cache state management to get confused.

Do not create files or directories in the cache, lest the cache get confused orserve incorrect data.

Do not chmod files in the cache. The module creates things with minimalpermissions to prevent random users being able to access them directly.

Cache Culling¶

The cache may need culling occasionally to make space. This involvesdiscarding objects from the cache that have been used less recently thananything else. Culling is based on the access time of data objects. Emptydirectories are culled if not in use.

Cache culling is done on the basis of the percentage of blocks and thepercentage of files available in the underlying filesystem. There are six“limits”:

brun, frun

If the amount of free space and the number of available files in the cacherises above both these limits, then culling is turned off.

bcull, fcull

If the amount of available space or the number of available files in thecache falls below either of these limits, then culling is started.

bstop, fstop

If the amount of available space or the number of available files in thecache falls below either of these limits, then no further allocation ofdisk space or files is permitted until culling has raised things abovethese limits again.

These must be configured thusly:

0 <= bstop < bcull < brun < 1000 <= fstop < fcull < frun < 100

Note that these are percentages of available space and available files, and do_not_ appear as 100 minus the percentage displayed by the “df” program.

The userspace daemon scans the cache to build up a table of cullable objects.These are then culled in least recently used order. A new scan of the cache isstarted as soon as space is made in the table. Objects will be skipped iftheir atimes have changed or if the kernel module says it is still using them.

Cache Structure¶

The CacheFiles module will create two directories in the directory it wasgiven:

• cache/

• graveyard/

The active cache objects all reside in the first directory. The CacheFileskernel module moves any retired or culled objects that it can’t simply unlinkto the graveyard from which the daemon will actually delete them.

The daemon uses dnotify to monitor the graveyard directory, and will deleteanything that appears therein.

The module represents index objects as directories with the filename “I...” or“J...”. Note that the “cache/” directory is itself a special index.

Data objects are represented as files if they have no children, or directoriesif they do. Their filenames all begin “D...” or “E...”. If represented as adirectory, data objects will have a file in the directory called “data” thatactually holds the data.

Special objects are similar to data objects, except their filenames begin“S...” or “T...”.

If an object has children, then it will be represented as a directory.Immediately in the representative directory are a collection of directoriesnamed for hash values of the child object keys with an ‘@’ prepended. Intothis directory, if possible, will be placed the representations of the childobjects:

 /INDEX    /INDEX     /INDEX                            /DATA FILES/=========/==========/=================================/================cache/@4a/I03nfs/@30/Ji000000000000000--fHg8hi8400cache/@4a/I03nfs/@30/Ji000000000000000--fHg8hi8400/@75/Es0g000w...DB1rycache/@4a/I03nfs/@30/Ji000000000000000--fHg8hi8400/@75/Es0g000w...N22rycache/@4a/I03nfs/@30/Ji000000000000000--fHg8hi8400/@75/Es0g000w...FP1ry

If the key is so long that it exceeds NAME_MAX with the decorations added on toit, then it will be cut into pieces, the first few of which will be used tomake a nest of directories, and the last one of which will be the objectsinside the last directory. The names of the intermediate directories will have‘+’ prepended:

J1223/@23/+xy...z/+kl...m/Epqr

Note that keys are raw data, and not only may they exceed NAME_MAX in size,they may also contain things like ‘/’ and NUL characters, and so they may notbe suitable for turning directly into a filename.

To handle this, CacheFiles will use a suitably printable filename directly and“base-64” encode ones that aren’t directly suitable. The two versions ofobject filenames indicate the encoding:

OBJECT TYPE	PRINTABLE	ENCODED
Index	“I...”	“J...”
Data	“D...”	“E...”
Special	“S...”	“T...”

Intermediate directories are always “@” or “+” as appropriate.

Each object in the cache has an extended attribute label that holds the objecttype ID (required to distinguish special objects) and the auxiliary data fromthe netfs. The latter is used to detect stale objects in the cache and updateor retire them.

Note that CacheFiles will erase from the cache any file it doesn’t recognise orany file of an incorrect type (such as a FIFO file or a device file).

Security Model and SELinux¶

CacheFiles is implemented to deal properly with the LSM security features ofthe Linux kernel and the SELinux facility.

One of the problems that CacheFiles faces is that it is generally acting onbehalf of a process, and running in that process’s context, and that includes asecurity context that is not appropriate for accessing the cache - eitherbecause the files in the cache are inaccessible to that process, or because ifthe process creates a file in the cache, that file may be inaccessible to otherprocesses.

The way CacheFiles works is to temporarily change the security context (fsuid,fsgid and actor security label) that the process acts as - without changing thesecurity context of the process when it the target of an operation performed bysome other process (so signalling and suchlike still work correctly).

When the CacheFiles module is asked to bind to its cache, it:

1. Finds the security label attached to the root cache directory and usesthat as the security label with which it will create files. By default,this is:

   cachefiles_var_t

2. Finds the security label of the process which issued the bind request(presumed to be the cachefilesd daemon), which by default will be:

   cachefilesd_t

   and asks LSM to supply a security ID as which it should act given thedaemon’s label. By default, this will be:

   cachefiles_kernel_t

   SELinux transitions the daemon’s security ID to the module’s security IDbased on a rule of this form in the policy:

   type_transition <daemon's-ID> kernel_t : process <module's-ID>;

   For instance:

   type_transition cachefilesd_t kernel_t : process cachefiles_kernel_t;

The module’s security ID gives it permission to create, move and remove filesand directories in the cache, to find and access directories and files in thecache, to set and access extended attributes on cache objects, and to read andwrite files in the cache.

The daemon’s security ID gives it only a very restricted set of permissions: itmay scan directories, stat files and erase files and directories. It maynot read or write files in the cache, and so it is precluded from accessing thedata cached therein; nor is it permitted to create new files in the cache.

There are policy source files available in:

https://people.redhat.com/~dhowells/fscache/cachefilesd-0.8.tar.bz2

and later versions. In that tarball, see the files:

cachefilesd.tecachefilesd.fccachefilesd.if

They are built and installed directly by the RPM.

If a non-RPM based system is being used, then copy the above files to their owndirectory and run:

make -f /usr/share/selinux/devel/Makefilesemodule -i cachefilesd.pp

You will need checkpolicy and selinux-policy-devel installed prior to thebuild.

By default, the cache is located in /var/fscache, but if it is desirable thatit should be elsewhere, than either the above policy files must be altered, oran auxiliary policy must be installed to label the alternate location of thecache.

For instructions on how to add an auxiliary policy to enable the cache to belocated elsewhere when SELinux is in enforcing mode, please see:

/usr/share/doc/cachefilesd-*/move-cache.txt

When the cachefilesd rpm is installed; alternatively, the document can be foundin the sources.

A Note on Security¶

CacheFiles makes use of the split security in the task_struct. It allocatesits own task_security structure, and redirects current->cred to point to itwhen it acts on behalf of another process, in that process’s context.

The reason it does this is that it callsvfs_mkdir() and suchlike rather thanbypassing security and calling inode ops directly. Therefore the VFS and LSMmay deny the CacheFiles access to the cache data because under somecircumstances the caching code is running in the security context of whateverprocess issued the original syscall on the netfs.

Furthermore, should CacheFiles create a file or directory, the securityparameters with that object is created (UID, GID, security label) would bederived from that process that issued the system call, thus potentiallypreventing other processes from accessing the cache - including CacheFiles’scache management daemon (cachefilesd).

What is required is to temporarily override the security of the process thatissued the system call. We can’t, however, just do an in-place change of thesecurity data as that affects the process as an object, not just as a subject.This means it may lose signals or ptrace events for example, and affects whatthe process looks like in /proc.

So CacheFiles makes use of a logical split in the security between theobjective security (task->real_cred) and the subjective security (task->cred).The objective security holds the intrinsic security properties of a process andis never overridden. This is what appears in /proc, and is what is used when aprocess is the target of an operation by some other process (SIGKILL forexample).

The subjective security holds the active security properties of a process, andmay be overridden. This is not seen externally, and is used when a processacts upon another object, for example SIGKILLing another process or opening afile.

LSM hooks exist that allow SELinux (or Smack or whatever) to reject a requestfor CacheFiles to run in a context of a specific security label, or to createfiles and directories with another security label.

Statistical Information¶

If FS-Cache is compiled with the following option enabled:

CONFIG_CACHEFILES_HISTOGRAM=y

then it will gather certain statistics and display them through a proc file.

/proc/fs/cachefiles/histogram

cat /proc/fs/cachefiles/histogramJIFS  SECS  LOOKUPS   MKDIRS    CREATES===== ===== ========= ========= =========

This shows the breakdown of the number of times each amount of timebetween 0 jiffies and HZ-1 jiffies a variety of tasks took to run. Thecolumns are as follows:

COLUMN	TIME MEASUREMENT
LOOKUPS	Length of time to perform a lookup on the backing fs
MKDIRS	Length of time to perform a mkdir on the backing fs
CREATES	Length of time to perform a create on the backing fs

Each row shows the number of events that took a particular range of times.Each step is 1 jiffy in size. The JIFS column indicates the particularjiffy range covered, and the SECS field the equivalent number of seconds.

Debugging¶

If CONFIG_CACHEFILES_DEBUG is enabled, the CacheFiles facility can have runtimedebugging enabled by adjusting the value in:

/sys/module/cachefiles/parameters/debug

This is a bitmask of debugging streams to enable:

BIT	VALUE	STREAM	POINT
0	1	General	Function entry trace
1	2		Function exit trace
2	4		General

The appropriate set of values should be OR’d together and the result written tothe control file. For example:

echo $((1|4|8)) >/sys/module/cachefiles/parameters/debug

will turn on all function entry debugging.

On-demand Read¶

When working in its original mode, CacheFiles serves as a local cache for aremote networking fs - while in on-demand read mode, CacheFiles can boost thescenario where on-demand read semantics are needed, e.g. container imagedistribution.

The essential difference between these two modes is seen when a cache missoccurs: In the original mode, the netfs will fetch the data from the remoteserver and then write it to the cache file; in on-demand read mode, fetchingthe data and writing it into the cache is delegated to a user daemon.

CONFIG_CACHEFILES_ONDEMAND should be enabled to support on-demand read mode.

kernel --[request]--> user daemon --[reply]--> kernel

struct cachefiles_msg {        __u32 msg_id;        __u32 opcode;        __u32 len;        __u32 object_id;        __u8  data[];};

bind [ondemand]

struct cachefiles_open {        __u32 volume_key_size;        __u32 cookie_key_size;        __u32 fd;        __u32 flags;        __u8  data[];};

copen <msg_id>,<cache_size>

struct cachefiles_read {        __u64 off;        __u64 len;};

ioctl(fd, CACHEFILES_IOC_READ_COMPLETE, msg_id);