Checker/Verifier/Repairer
-------------------------

- The primary focus of this release has been writing a checker /
verifier / repairer for files and directories. "Checking" is the
act of asking storage servers whether they have a share for the
given file or directory: if there are not enough shares available,
the file or directory will be unrecoverable. "Verifying" is the act
of downloading and cryptographically asserting that the server's
share is undamaged: it requires more work (bandwidth and CPU) than
checking, but can catch problems that simple checking
cannot. "Repair" is the act of replacing missing or damaged shares
with new ones.
- This release includes a full checker, a partial verifier, and a
partial repairer. The repairer is able to handle missing shares: new
shares are generated and uploaded to make up for the missing
ones. This is currently the best application of the repairer: to
replace shares that were lost because of server departure or
permanent drive failure.
- The repairer in this release is somewhat able to handle corrupted
shares. The limitations are:
- Immutable verifier is incomplete: not all shares are used, and not
all fields of those shares are verified. Therefore the immutable
verifier has only a moderate chance of detecting corrupted shares.
- The mutable verifier is mostly complete: all shares are examined,
and most fields of the shares are validated.
- The storage server protocol offers no way for the repairer to
replace or delete immutable shares. If corruption is detected, the
repairer will upload replacement shares to other servers, but the
corrupted shares will be left in place.
- Read-only directories and read-only mutable files must be repaired
by someone who holds the write-cap: the read-cap is
insufficient. Moreover, the deep-check-and-repair operation will
halt with an error if it attempts to repair one of these read-only
objects.
- Some forms of corruption can cause both download and repair
operations to fail. A future release will fix this, since download
should be tolerant of any corruption as long as there are at least
'k' valid shares, and repair should be able to fix any file that is
downloadable.
- If the downloader, verifier, or repairer detects share corruption,
the servers which provided the bad shares will be notified (via a
file placed in the BASEDIR/storage/corruption-advisories directory)
so their operators can manually delete the corrupted shares and
investigate the problem. In addition, the "incident gatherer"
mechanism will automatically report share corruption to an incident
gatherer service, if one is configured. Note that corrupted shares
indicate hardware failures, serious software bugs, or malice on the
part of the storage server operator, so a corrupted share should be
considered highly unusual.
- By periodically checking/repairing all files and directories,
objects in the Tahoe filesystem remain recoverable despite missing
and/or broken servers.
- This release includes a wapi mechanism to initiate checks on
individual files and directories (with or without verification, and
with or without automatic repair). A related mechanism is used to
initiate a "deep-check" on a directory: recursively traversing the
directory and its children, checking (and/or verifying/repairing)
everything underneath. Both mechanisms can be run with an
"output=JSON" argument, to obtain machine-readable check/repair
status results. These results include a copy of the filesystem
statistics from the "deep-stats" operation (including total number
of files, size histogram, etc). If repair is possible, a "Repair"
button will appear on the results page.
- The client web interface now features some extra buttons to initiate
check and deep-check operations. When these operations finish, they
display a results page that summarizes any problems that were
encountered. All long-running deep-traversal operations, including
deep-check, use a start-and-poll mechanism, to avoid depending upon
a single long-lived HTTP connection. `webapi.rst`_ has
details.
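
As a quick illustration of the recoverability rule behind "checking":
a file encoded into N shares survives as long as at least 'k' of them
can still be located. This is a hypothetical sketch, not Tahoe's
actual code; 3-of-10 is the default encoding mentioned below::

    def is_recoverable(shares_found: int, k: int) -> bool:
        """A file can be rebuilt only if at least 'k' of its N
        erasure-coded shares are still located on storage servers."""
        return shares_found >= k

    # With the default 3-of-10 encoding:
    assert is_recoverable(3, k=3)        # exactly k shares suffice
    assert not is_recoverable(2, k=3)    # fewer than k: unrecoverable
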

Efficient Backup
----------------

- This release adds the "tahoe backup" command, which creates
efficient versioned backups of a local directory. Given a local
pathname and a target Tahoe directory, this will create a read-only
snapshot of the local directory in $target/Archives/$timestamp. It
will also create $target/Latest, which is a reference to the latest
such snapshot. Each time you run "tahoe backup" with the same source
and target, a new $timestamp snapshot will be added. These snapshots
will share directories that have not changed since the last backup,
to speed up the process and minimize storage requirements. In
addition, a small database is used to keep track of which local
files have been uploaded already, to avoid uploading them a second
time. This drastically reduces the work needed to do a "null backup"
(when nothing has changed locally), making "tahoe backup" suitable
to run from a daily cronjob.
Note that the "tahoe backup" CLI command must be used in conjunction
with a 1.3.0-or-newer Tahoe client node; there was a bug in the
1.2.0 webapi implementation that would prevent the last step (create
$target/Latest) from working.
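
The skip-unchanged-files idea can be sketched with an in-memory
database. Tahoe's real backupdb schema and matching rules differ, and
the cap string below is a placeholder; this only illustrates why a
"null backup" is cheap::

    import sqlite3

    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE uploaded (path TEXT PRIMARY KEY,"
               " mtime REAL, size INTEGER, cap TEXT)")

    def record_upload(path, mtime, size, cap):
        db.execute("INSERT OR REPLACE INTO uploaded VALUES (?, ?, ?, ?)",
                   (path, mtime, size, cap))

    def needs_upload(path, mtime, size):
        row = db.execute("SELECT mtime, size FROM uploaded WHERE path = ?",
                         (path,)).fetchone()
        return row is None or row != (mtime, size)

    record_upload("photos/cat.jpg", 1234.0, 9000, "URI:CHK:placeholder")
    assert not needs_upload("photos/cat.jpg", 1234.0, 9000)  # unchanged: skip
    assert needs_upload("photos/cat.jpg", 1300.0, 9000)      # modified: redo
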

Large Files
-----------

- The 12GiB (approximate) immutable-file-size limitation is
lifted. This release knows how to handle so-called "v2 immutable
shares", which permit immutable files of up to about 18 EiB (about
2*10^19 bytes). These v2 shares are created if the file to be uploaded is
too large to fit into v1 shares. v1 shares are created if the file
is small enough to fit into them, so that files created with
tahoe-1.3.0 can still be read by earlier versions if they are not
too large. Note that storage servers also had to be changed to
support larger files, and this release is the first release in which
they are able to do that. Clients will detect which servers are
capable of supporting large files on upload and will not attempt to
upload shares of a large file to a server which doesn't support it.
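
The v1-versus-v2 decision described above amounts to a size
threshold. A hypothetical sketch: the real boundary is determined by
the width of the v1 share fields, and 12 GiB is only the approximate
figure from these notes::

    V1_LIMIT = 12 * 2**30  # ~12 GiB, the approximate v1 ceiling

    def share_format_version(file_size: int) -> int:
        """Prefer v1 shares, readable by pre-1.3.0 clients, when the
        file is small enough; fall back to v2 for larger files."""
        return 1 if file_size <= V1_LIMIT else 2

    assert share_format_version(100 * 2**20) == 1   # 100 MiB file: v1
    assert share_format_version(20 * 2**30) == 2    # 20 GiB file: v2
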

FTP/SFTP Server
---------------

- Tahoe now includes experimental FTP and SFTP servers. When
configured with a suitable method to translate username+password
into a root directory cap, it provides simple access to the virtual
filesystem. Remember that FTP is completely unencrypted: passwords,
filenames, and file contents are all sent over the wire in
cleartext, so FTP should only be used on a local (127.0.0.1)
connection. This feature is still in development: there are no unit
tests yet, and behavior with respect to Unicode filenames is
uncertain. Please see `FTP-and-SFTP.rst`_ for
configuration details. (`512`_, `531`_)

CLI Changes
-----------

- This release adds the 'tahoe create-alias' command, which is a
combination of 'tahoe mkdir' and 'tahoe add-alias'. This also allows
you to start using a new tahoe directory without exposing its URI in
the argv list, which is publicly visible (through the process table)
on most unix systems. Thanks to Kevin Reid for bringing this issue
to our attention.
- The single-argument form of "tahoe put" was changed to create an
unlinked file. I.e. "tahoe put bar.txt" will take the contents of a
local "bar.txt" file, upload them to the grid, and print the
resulting read-cap; the file will not be attached to any
directories. This seemed a bit more useful than the previous
behavior (copy stdin, upload to the grid, attach the resulting file
into your default tahoe: alias in a child named 'bar.txt').
- "tahoe put" was also fixed to handle mutable files correctly: "tahoe
put bar.txt URI:SSK:..." will read the contents of the local bar.txt
and use them to replace the contents of the given mutable file.
- The "tahoe webopen" command was modified to accept aliases. This
means "tahoe webopen tahoe:" will cause your web browser to open to
a "wui" page that gives access to the directory associated with the
default "tahoe:" alias. It should also accept leading slashes, like
"tahoe webopen tahoe:/stuff".
- Many esoteric debugging commands were moved down into a "debug"
subcommand:
- tahoe debug dump-cap
- tahoe debug dump-share
- tahoe debug find-shares
- tahoe debug catalog-shares
- tahoe debug corrupt-share
The last command ("tahoe debug corrupt-share") flips a random bit
of the given local sharefile. This is used to test the file
verifying/repairing code, and obviously should not be used on user
data.
The CLI might not correctly handle arguments which contain non-ASCII
characters in Tahoe v1.3 (although, depending on your platform, it
might, especially if your platform can be configured to pass such
characters on the command line in UTF-8 encoding). See
https://tahoe-lafs.org/trac/tahoe-lafs/ticket/565 for details.

Web Changes
-----------

- The "default webapi port", used when creating a new client node (and
in the getting-started documentation), was changed from 8123 to
3456, to reduce confusion when Tahoe is accessed through a Firefox
browser on which the "Torbutton" extension has been installed. Port
8123 is occasionally used as a Tor control port, so Torbutton adds
8123 to Firefox's list of "banned ports" to avoid CSRF attacks
against Tor. Once 8123 is banned, it is difficult to diagnose why
you can no longer reach a Tahoe node, so the Tahoe default was
changed. Note that 3456 is reserved by IANA for the "vat" protocol,
but there are arguably more Torbutton+Tahoe users than vat users
these days. Note that this will only affect newly-created client
nodes. Pre-existing client nodes, created by earlier versions of
tahoe, may still be listening on 8123.
- All deep-traversal operations (start-manifest, start-deep-size,
start-deep-stats, start-deep-check) now use a start-and-poll
approach, instead of using a single (fragile) long-running
synchronous HTTP connection. All these "start-" operations use POST
instead of GET. The old "GET manifest", "GET deep-size", and "POST
deep-check" operations have been removed.
- The new "POST start-manifest" operation, when it finally completes,
results in a table of (path,cap), instead of the list of verifycaps
produced by the old "GET manifest". The table is available in
several formats: use output=html, output=text, or output=json to
choose one. The JSON output also includes stats, and a list of
verifycaps and storage-index strings. The "return_to=" and
"when_done=" arguments have been removed from the t=check and
deep-check operations.
- The top-level status page (/status) now has a machine-readable form,
via "/status/?t=json". This includes information about the
currently-active uploads and downloads, which may be useful for
frontends that wish to display progress information. There is no
easy way to correlate the activities displayed here with recent wapi
requests, however.
- Any files in BASEDIR/public_html/ (configurable) will be served in
response to requests in the /static/ portion of the URL space. This
will simplify the deployment of javascript-based frontends that can
still access wapi calls by conforming to the (regrettable)
"same-origin policy".
- The welcome page now has a "Report Incident" button, which is tied
into the "Incident Gatherer" machinery. If the node is attached to
an incident gatherer (via log_gatherer.furl), then pushing this
button will cause an Incident to be signalled: this means recent log
events are aggregated and sent in a bundle to the gatherer. The user
can push this button after something strange takes place (and they
can provide a short message to go along with it), and the relevant
data will be delivered to a centralized incident-gatherer for later
processing by operations staff.
- The "HEAD" method should now work correctly, in addition to the
usual "GET", "PUT", and "POST" methods. "HEAD" is supposed to return
exactly the same headers as "GET" would, but without any of the
actual response body data. For mutable files, this now does a brief
mapupdate (to figure out the size of the file that would be
returned), without actually retrieving the file's contents.
- The "GET" operation on files can now support the HTTP "Range:"
header, allowing requests for partial content. This allows certain
media players to correctly stream audio and movies out of a Tahoe
grid. The current implementation uses a disk-based cache in
BASEDIR/private/cache/download, which holds the plaintext of the
files being downloaded. Future implementations might not use this
cache. GET for immutable files now returns an ETag header.
- Each file and directory now has a "Show More Info" web page, which
contains much of the information that was crammed into the directory
page before. This includes readonly URIs, storage index strings,
object type, buttons to control checking/verifying/repairing, and
deep-check/deep-stats buttons (for directories). For mutable files,
the "replace contents" upload form has been moved here too. As a
result, the directory page is now much simpler and cleaner, and
several potentially-misleading links (like t=uri) are now gone.
- Slashes are discouraged in Tahoe file/directory names, since they
cause problems when accessing the filesystem through the
wapi. However, there are a couple of accidental ways to generate
such names. This release tries to make it easier to correct such
mistakes by escaping slashes in several places, allowing slashes in
the t=info and t=delete commands, and in the source (but not the
target) of a t=rename command.
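
For example, a ranged read against the wapi "GET" described above can
be built with only the standard library. The node URL and read-cap
below are placeholders; 3456 is the new default webapi port::

    import urllib.request

    def range_request(url: str, start: int, end: int) -> urllib.request.Request:
        """Build a partial-content request for bytes [start, end] inclusive."""
        req = urllib.request.Request(url)
        req.add_header("Range", "bytes=%d-%d" % (start, end))
        return req

    req = range_request("http://127.0.0.1:3456/uri/URI:CHK:placeholder", 0, 1023)
    assert req.get_header("Range") == "bytes=0-1023"
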

Packaging
---------

- Tahoe's dependencies have been extended to require the
"[secure_connections]" feature from Foolscap, which will cause
pyOpenSSL to be required and/or installed. If OpenSSL and its
development headers are already installed on your system, this can
occur automatically. Tahoe now uses pollreactor (instead of the
default selectreactor) to work around a bug between pyOpenSSL and
the most recent release of Twisted (8.1.0). This bug only affects
unit tests (hang during shutdown), and should not impact regular
use.
- The Tahoe source code tarballs now come in two different forms:
regular and "sumo". The regular tarball contains just Tahoe, nothing
else. When building from the regular tarball, the build process will
download any unmet dependencies from the internet (starting with the
index at PyPI) so it can build and install them. The "sumo" tarball
contains copies of all the libraries that Tahoe requires (foolscap,
twisted, zfec, etc), so using the "sumo" tarball should not require
any internet access during the build process. This can be useful if
you want to build Tahoe while on an airplane, a desert island, or
in other bandwidth-limited environments.
- Similarly, tahoe-lafs.org now hosts a "tahoe-deps" tarball which
contains the latest versions of all these dependencies. This
tarball, located at
https://tahoe-lafs.org/source/tahoe/deps/tahoe-deps.tar.gz, can be
unpacked in the tahoe source tree (or in its parent directory), and
the build process should satisfy its downloading needs from it
instead of reaching out to PyPI. This can be useful if you want to
build Tahoe from a darcs checkout while on that airplane or desert
island.
- Because of the previous two changes ("sumo" tarballs and the
"tahoe-deps" bundle), most of the files have been removed from
misc/dependencies/. This brings the regular Tahoe tarball down to
2MB (compressed), and the darcs checkout (without history) to about
7.6MB. A full darcs checkout will still be fairly large (because of
the historical patches which included the dependent libraries), but
a 'lazy' one should now be small.
- The default "make" target is now an alias for "setup.py build",
which itself is an alias for "setup.py develop --prefix support",
with some extra work before and after (see setup.cfg). Most of the
complicated platform-dependent code in the Makefile was rewritten in
Python and moved into setup.py, simplifying things considerably.
- Likewise, the "make test" target now delegates most of its work to
"setup.py test", which takes care of getting PYTHONPATH configured
to access the tahoe code (and dependencies) that gets put in
support/lib/ by the build_tahoe step. This should allow unit tests
to be run even when trial (which is part of Twisted) wasn't already
installed (in this case, trial gets installed to support/bin because
Twisted is a dependency of Tahoe).
- Tahoe is now compatible with the recently-released Python 2.6,
although it is recommended to use Tahoe on Python 2.5, which has
received more thorough testing and deployment.
- Tahoe is now compatible with simplejson-2.0.x. The previous release
assumed that simplejson.loads always returned unicode strings, which
is no longer the case in 2.0.x.

Grid Management Tools
---------------------

- Several tools have been added or updated in the misc/ directory,
mostly munin plugins that can be used to monitor a storage grid.
- The misc/spacetime/ directory contains a "disk watcher" daemon
(startable with 'tahoe start'), which can be configured with a set
of HTTP URLs (pointing at the wapi '/statistics' page of a bunch of
storage servers), and will periodically fetch
disk-used/disk-available information from all the servers. It keeps
this information in an Axiom database (a sqlite-based library
available from divmod.org). The daemon computes time-averaged rates
of disk usage, as well as a prediction of how much time is left
before the grid is completely full.
- The misc/munin/ directory contains a new set of munin plugins
(tahoe_diskleft, tahoe_diskusage, tahoe_doomsday) which talk to the
disk-watcher and provide graphs of its calculations.
- To support the disk-watcher, the Tahoe statistics component
(visible through the wapi at the /statistics/ URL) now includes
disk-used and disk-available information. Both are derived through
an equivalent of the unix 'df' command (i.e. they ask the kernel
for the number of free blocks on the partition that encloses the
BASEDIR/storage directory). In the future, the disk-available
number will be further influenced by the local storage policy: if
that policy says that the server should refuse new shares when less
than 5GB is left on the partition, then "disk-available" will
report zero even though the kernel sees 5GB remaining.
- The 'tahoe_overhead' munin plugin interacts with an
allmydata.com-specific server which reports the total of the
'deep-size' reports for all active user accounts, and compares this
with the disk-watcher data to report overhead percentages. This
provides information on how much space could be recovered once
Tahoe implements some form of garbage collection.
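
The 'df' equivalent mentioned above can be reproduced on a POSIX
system with os.statvfs; "/" stands in here for the partition that
holds BASEDIR/storage::

    import os

    def disk_available(path: str) -> int:
        """Free bytes on the filesystem holding 'path', as a
        '/bin/df' equivalent would report for non-root callers."""
        st = os.statvfs(path)
        return st.f_bavail * st.f_frsize

    free_bytes = disk_available("/")
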

Configuration Changes: single INI-format tahoe.cfg file
-------------------------------------------------------

- The Tahoe node is now configured with a single INI-format file,
named "tahoe.cfg", in the node's base directory. Most of the
previous multiple-separate-files are still read for backwards
compatibility (the embedded SSH debug server and the
advertised_ip_addresses files are the exceptions), but new
directives will only be added to tahoe.cfg. The "tahoe
create-client" command will create a tahoe.cfg for you, with sample
values commented out. (ticket `518`_)
- tahoe.cfg now has controls for the foolscap "keepalive" and
"disconnect" timeouts (`521`_).
- tahoe.cfg now has controls for the encoding parameters:
"shares.needed" and "shares.total" in the "[client]" section. The
default parameters are still 3-of-10.
- The inefficient storage 'sizelimit' control (which established an
upper bound on the amount of space that a storage server is allowed
to consume) has been replaced by a lightweight 'reserved_space'
control (which establishes a lower bound on the amount of remaining
space). The storage server will reject all writes that would cause
the remaining disk space (as measured by a '/bin/df' equivalent) to
drop below this value. The "[storage]reserved_space=" tahoe.cfg
parameter controls this setting. (note that this only affects
immutable shares: it is an outstanding bug that reserved_space does
not prevent the allocation of new mutable shares, nor does it
prevent the growth of existing mutable shares).
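
Putting these directives together, a minimal tahoe.cfg fragment might
look like the following. Only the key names quoted above are taken
from this release; the values and the "[storage]enabled" line are
illustrative assumptions, not recommendations::

    # Example only; values are illustrative.
    [client]
    shares.needed = 3
    shares.total = 10

    [storage]
    enabled = true
    reserved_space = 5G
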

Other Changes
-------------

- Clients now declare which versions of the protocols they
support. This is part of a new backwards-compatibility system:
https://tahoe-lafs.org/trac/tahoe-lafs/wiki/Versioning .
- The version strings for human inspection (as displayed on the
Welcome web page, and included in logs) now include a platform
identifier (frequently including a Linux distribution name, processor
architecture, etc).
- Several bugs have been fixed, including one that would cause an
exception (in the logs) if a wapi download operation was cancelled
(by closing the TCP connection, or pushing the "stop" button in a
web browser).
- Tahoe now uses Foolscap "Incidents", writing an "incident report"
file to logs/incidents/ each time something weird occurs. These
reports are available to an "incident gatherer" through the flogtool
command. For more details, please see the Foolscap logging
documentation. An incident-classifying plugin function is provided
in misc/incident-gatherer/classify_tahoe.py.
- If clients detect corruption in shares, they now automatically
report it to the server holding that share, if it is new enough to
accept the report. These reports are written to files in
BASEDIR/storage/corruption-advisories .
- The 'nickname' setting is now defined to be a UTF-8-encoded string,
allowing non-ASCII nicknames.
- The 'tahoe start' command will now accept a --syslog argument and
pass it through to twistd, making it easier to launch non-Tahoe
nodes (like the cpu-watcher) and have them log to syslogd instead of
a local file. This is useful when running a Tahoe node out of a USB
flash drive.
- The Mac GUI in src/allmydata/gui/ has been improved.

.. _512: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/512
.. _518: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/518
.. _521: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/521
.. _531: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/531