35 failed tests on beegfs

Please describe the problem.

links: prior report/fix of testing on beegfs 4 years ago; different site/version

Currently I observed 35 tests failing (now at a potential repronim reprocenter location)

yarick@ducky:/data/mri_dicom/tmp/test-git-annex
*$> grep FAIL .duct/logs/2025.08.28T21.04.10-56898_stdout  | nl | tail
    26        add:                           FAIL (2.30s)
    27        add:                                 FAIL (2.34s)
    28        add:                              FAIL (2.80s)
    29        add:                                 FAIL (2.21s)
    30        add:                                    FAIL (1.98s)
    31        add:               FAIL (3.16s)
    32        add:                                                FAIL (4.27s)
    33      git-remote-annex exporttree:      FAIL (8.45s)
    34      export and import:                     FAIL (10.40s)
    35      export and import of subdir:           FAIL (15.99s)

full log: http://www.oneukrainian.com/tmp/2025.08.28T21.04.10-56898_stdout

some info:

$> modinfo beegfs
filename:       /lib/modules/5.15.0-122-generic/updates/fs/beegfs_autobuild/beegfs.ko
version:        7.4.6
alias:          fs-beegfs
author:         ThinkParQ GmbH
description:    BeeGFS parallel file system client (https://www.beegfs.io)
license:        GPL v2
srcversion:     9F666198EABF0EB756ED3AC
depends:        ib_core,rdma_cm
retpoline:      Y
name:           beegfs
vermagic:       5.15.0-122-generic SMP mod_unload modversions 

$> mount | grep data/mri_dicom
beegfs_nodev on /data/mri_dicom type beegfs (rw,nodev,relatime,cfgFile=/etc/beegfs/beegfs-client.conf)

What steps will reproduce the problem?

Run tests on beegfs?

What version of git-annex are you using? On what operating system?

*$> git annex version
git-annex version: 10.20250721-g8867e7590a3a70afa8a93d2fefab94adc9a176d0
build flags: Assistant Webapp Pairing Inotify TorrentParser MagicMime Servant Benchmark Feeds Testsuite S3 WebDAV
dependency versions: aws-0.24.4 bloomfilter-2.0.1.2 crypton-1.0.4 DAV-1.3.4 feed-1.3.2.1 ghc-9.10.1 http-client-0.7.19 persistent
-sqlite-2.13.3.0 torrent-10000.1.3 uuid-1.3.16 yesod-1.6.2.1
key/value backends: SHA256E SHA256 SHA512E SHA512 SHA224E SHA224 SHA384E SHA384 SHA3_256E SHA3_256 SHA3_512E SHA3_512 SHA3_224E S
HA3_224 SHA3_384E SHA3_384 SKEIN256E SKEIN256 SKEIN512E SKEIN512 BLAKE2B256E BLAKE2B256 BLAKE2B512E BLAKE2B512 BLAKE2B160E BLAKE2
B160 BLAKE2B224E BLAKE2B224 BLAKE2B384E BLAKE2B384 BLAKE2BP512E BLAKE2BP512 BLAKE2S256E BLAKE2S256 BLAKE2S160E BLAKE2S160 BLAKE2S
224E BLAKE2S224 BLAKE2SP256E BLAKE2SP256 BLAKE2SP224E BLAKE2SP224 SHA1E SHA1 MD5E MD5 WORM URL GITBUNDLE GITMANIFEST VURL X*
remote types: git gcrypt p2p S3 bup directory rsync web bittorrent webdav adb tahoe glacier ddar git-lfs httpalso borg rclone hoo
k external compute mask
operating system: linux x86_64
supported repository versions: 8 9 10
upgrade supported from repository versions: 0 1 2 3 4 5 6 7 8 9 10

Please provide any additional information below.

# If you can, paste a complete transcript of the problem occurring here.
# If the problem is with the git-annex assistant, paste in .git/annex/daemon.log


# End of transcript or log.

Have you had any luck using git-annex before? (Sometimes we get tired of reading bug reports all day and a lil' positive end note does wonders)

fixed when built with OsPath. --Joey

RSS Atom

comment 1

The failures are mostly of two varieties.

type A:

  add:                            FAIL (2.20s)
    ./Test/Framework.hs:395:
    checkcontent foo
    expected: "annexed file content"
     but got: "could not read file"

type B:

  init:              OK (1.98s)
  add:               FAIL (5.90s)
    ./Test/Framework.hs:92:
    unlock failed with unexpected exit code (transcript follows)
unlock sha1foo cp: cannot open '.git/annex/objects/3j/xV/SHA1-s25--ee80d2cec57a3810db83b80e1b320df3a3721ffa/SHA1-s25--ee80d2cec57a3810db83b80e1b320df3a3721ffa' for reading: No such file or directory

In both cases, a git-annex add is succeeding, but the annex objects directory is somehow not getting populated. Or at least, a subsequent read of a file in it has the filesystem not knowing the file that the add put there is there.

It seems quite likely a lot of other tests would also fail, but they are being skipped because the add tests fail.

In one case, the add tests are succeeding (on an adjusted unlocked branch), but then a subsequent test fails:

git-remote-annex exporttree:      FAIL (8.45s)
  ./Test/Framework.hs:92:
  export failed with unexpected exit code (transcript follows)
  mv: cannot move '.git/annex/othertmp/89ddefa4-a04c-11.0/89ddefa4-a04c-11' to '.git/annex/export.ex/89ddefa4-a04c-11ef-818d8a-1-c6223d6': Device or resource busy
  mv: cannot move '.git/annex/othertmp/89ddefa4-a04c-11.0/89ddefa4-a04c-11' to '.git/annex/export.ex/89ddefa4-a04c-11ef-818d8a-2-c718026': Device or resource busy
  git-annex: renamePath:rename '.git/annex/othertmp/89ddefa4-a04c-11.0/89ddefa4-a04c-11' to '.git/annex/export.ex/89ddefa4-a04c-11ef-87b5-e880882a4f98': resource busy (Device or resource busy)

Comment by joey — Fri Aug 29 15:16:00 2025

comment 2

I'm not familiar with beegfs, but its documentation such as this https://doc.beegfs.io/latest/architecture/overview.html makes me wonder if it manages to behave consistently as we would expect a filesystem to behave.

In particular, we have a file being moved from one directory to another directory. Beegfs's docs says it will pick a random metadata node for each directory. So there can be two metadata nodes that have to be updated for a move. If one node somehow lags seeing the update, could that result in the file not appearing as present in the destination directory after the move?

I'm only speculating about how beegfs might work, but it seems unlikely that git-annex has a bug that causes it to lose an annexed file when all it's done is move it to the objects directory, that only manifests on this one filesystem.

A good next step might be to try manually adding an annexed file and see if there is some lag between git-annex add and being able to read the content of the symlink. Eg, compare:

echo foo > foo
git-annex add foo; cat foo
echo bar > bar
git-annex add bar; sleep 1m; cat bar

Comment by joey — Fri Aug 29 15:31:42 2025

odd odd filesystem

eh, it is indeed quite a f...un filesystem: even chmod might endup unhappy

chmod +w -R test-repo
chmod: changing permissions of 'test-repo/.git/annex/objects/91/9x/SHA256E-s4--b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c/SHA256E-s4--b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c': No such file or directory
chmod: changing permissions of 'test-repo/.git/annex/objects/g7/9v/SHA256E-s4--7d865e959b2466918c9863afca942d0fb89d7c9ac0c99bafc3749504ded97730/SHA256
E-s4--7d865e959b2466918c9863afca942d0fb89d7c9ac0c99bafc3749504ded97730': No such file or directory

and it might indeed take minute(s) for filesytem to become "consistent" with expected state. And it seems that even a minute might not be enough!!!

ok
(recording state in git...)
(test_script.sh:14):
sleep 1m
(test_script.sh:14):
cat bar
cat: bar: No such file or directory

with this full tune up script

#!/bin/bash

if [ -e test-repo ]; then 
    chmod +w -R test-repo; 
    rm -rf test-repo;  
fi
mkdir test-repo; cd test-repo; git init; git annex init;

echo foo > foo
git-annex add foo; cat foo
echo bar > bar
# git-annex add bar; sleep 1m; cat bar
git-annex add bar
start_time=$(date +%s)
while ! cat bar 2>/dev/null; do
    sleep 1
    echo -n .
done
end_time=$(date +%s)
wait_time=$((end_time - start_time))
cat bar
echo "Waited ${wait_time} seconds for bar to appear"

it Waited 450 seconds for bar to appear... and on this funny system bash would report that file is available so symlink would not be broken to those tests:

$> test -e bar || echo fail
$> cat bar
cat: bar: No such file or directory

I will report to sysadmins -- may be they have ideas/feedback ;-)

Comment by yarikoptic — Tue Sep 2 15:06:43 2025

comment 4

admins tamed the beast down (disabled some "optimization" options which were enabled) and the beast started to behave better -- now just

yarick@ducky:/data/mri_dicom/tmp/test-git-annex
*$> grep FAIL .duct/logs/2025.09.03T16.49.11-104855_* | nl
     1  .duct/logs/2025.09.03T16.49.11-104855_stdout:    git-remote-annex exporttree:      FAIL (23.37s)
     2  .duct/logs/2025.09.03T16.49.11-104855_stdout:    git-remote-annex exporttree:      FAIL (14.14s)
     3  .duct/logs/2025.09.03T16.49.11-104855_stdout:    export and import of subdir:           FAIL (39.09s)
     4  .duct/logs/2025.09.03T16.49.11-104855_stdout:    export and import of subdir:           FAIL (22.57s)
     5  .duct/logs/2025.09.03T16.49.11-104855_stdout:    export and import:                     FAIL (11.14s)
     6  .duct/logs/2025.09.03T16.49.11-104855_stdout:    export and import:                     FAIL (28.20s)
     7  .duct/logs/2025.09.03T16.49.11-104855_stdout:    export and import:                     FAIL (17.36s)
     8  .duct/logs/2025.09.03T16.49.11-104855_stdout:    export and import of subdir:           FAIL (24.52s)

fails. Full log link. That is still with the same 10.20250721-g8867e7590a3a70afa8a93d2fefab94adc9a176d0

Comment by yarikoptic — Thu Sep 4 02:06:22 2025

comment 5

All the fails now look like this:

  mv: cannot move '.git/annex/othertmp/e3d80b70-6bfe-47.0/e3d80b70-6bfe-47' to '.git/annex/export.ex/e3d80b70-6bfe-47a1-830396-0-22d0f933': Device or resource busy
  mv: cannot move '.git/annex/othertmp/e3d80b70-6bfe-47.0/e3d80b70-6bfe-47' to '.git/annex/export.ex/e3d80b70-6bfe-47a1-830396-1-22dea399': Device or resource busy
  git-annex: renamePath:rename '.git/annex/othertmp/e3d80b70-6bfe-47.0/e3d80b70-6bfe-47' to '.git/annex/export.ex/e3d80b70-6bfe-47a1-8288-cf07f7e8bd7d': resource busy (Device or resource busy)

This is the same kind of EBUSY problem as on the previous Beegfs bug report. In that report I hypothesized that Beegfs might not like an open file to be renamed. I'm not sure if we ever verified my fixes in that one fixed a problem with Beegfs, but it still seems like a good hypothesis.

"export.ex/" is a log file that git-annex uses to keep track of files that were part of a tree exported to a special remote, but that were excluded from the export by its preferred content settings. To populate that file, git-annex opens a temp file, writes to it as the export runs, then closes it and renames it.

openat(AT_FDCWD, ".git/annex/othertmp/cfd9e482-a5cc-42.0/cfd9e482-a5cc-42", O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK, 0666) = 14
...
close(14)                               = 0
rename(".git/annex/othertmp/cfd9e482-a5cc-42.0/cfd9e482-a5cc-42", ".git/annex/export.ex/cfd9e482-a5cc-4277-8ec1-954c5e95060f") = 0

If the rename() fails, it falls back to trying "mv", which is why there are also "mv" errors in the transcript above. Anyway, I've verified the FD is closed before that point.

But, the "..." includes some fork and exec. And this FD is never set close-on-exec! And the processes started while it's open include "git cat-file --batch", which is a long-running process that will still be left running when the rename happens.

This was pretty surprising to me, I did not realize git-annex was generally leaking FDs to child processes in this way. It's easy to demonstrate with a simpler program:

joey@darkstar:~>cat >foo.hs <<EOF
import System.Process
import System.IO

main = do
        h <- openFile "foo.x" WriteMode
    hPutStrLn h "hello"
        callProcess "sh" ["-c", "ls -l /proc/self/fd"]
        hClose h
EOF
joey@darkstar:~>runghc foo.hs
total 0
lrwx------ 1 joey joey 64 Sep  4 14:11 0 -> /dev/pts/8
lrwx------ 1 joey joey 64 Sep  4 14:11 1 -> /dev/pts/8
l-wx------ 1 joey joey 64 Sep  4 14:11 11 -> /dev/tty
l-wx------ 1 joey joey 64 Sep  4 14:11 12 -> /home/joey/foo.x
lrwx------ 1 joey joey 64 Sep  4 14:11 2 -> /dev/pts/8
lr-x------ 1 joey joey 64 Sep  4 14:11 3 -> /proc/516659/fd

So, really supporting this would mean auditing every file git-annex opens with openFile to see if the handle is ever passed to a child process, and otherwise making it use CloseOnExec.

I don't care a great deal about supporting Beegfs; it would be nice to support it in some of its less crazy configurations if possible. But not leaking FDs while running child processes seems like something that ought to be fixed for other reasons.

Comment by joey — Thu Sep 4 17:37:56 2025

comment 6

openFile is not the only one that would need to be dealt with. Also withFile, openBinaryFile, withBinaryFile, appendFile, and openTempFile, readFile, and writeFile (including L. versions).

Since none of those provide a way to set CloseOnExec, they would have to be changed to be implemented using openFd with CloseOnExec, and then mkHandleFromFD. Or rewritten to use https://hackage.haskell.org/package/file-io-0.1.5/docs/src/System.File.OsPath.Internal.html#openFileWithCloseOnExec

I have checked and none of those are ever used to create a handle that is intentionally passed to a child process. The only uses of handleToFd result in a FD that gets dupped to another FD number, and dup() does not inherit the close-on-exec flag. So it should be safe to just write new versions of all of those.

Also there are a few uses of openFd that don't set CloseOnExec.

Comment by joey — Thu Sep 4 18:24:33 2025

comment 7

I've checked all uses of openFd and made CloseOnExec be used where appropriate. Also checked all the fd dupping.

This won't fix the problem, but is necessary goundwork for fixing openFile and the rest.

Comment by joey — Thu Sep 4 19:42:44 2025

comment 8

There is also the problem that any haskell library that does anything with a file might use any of the above internally without setting close-on-exec.

For example, opening a https connection can result in readFile opening a handle to a file in /etc/ssl/certs/, which will not be closed on exec. And which can leak out via another thread doing an exec at just the right time.

But inheriting a single FD like that is not going to cause problems for beegfs or anything else.

The ones I'd worry about is if a haskell library is doing something with a file in the git-annex repo.

Most dependencies of git-annex clearly don't open files there, and most open no files at all. Ones I need to check:

persistent-sqlite (looks ok; no direct uses of problem haskell functions. And in sqlite itself, robust_open sets the close-on-exec flag)
feed (update: parseFeedFromFile uses openBinaryFile, updated git-annex to open the file itself instead)
concurrent-output (addOutputBuffer uses openTempFile; emitOutputBuffer uses T.readFile. Probably neither actually triggers as git-annex uses the library though. I have noted it in the todo for that library though.)
magic (update: checked it, it sets close-on-exec)

At this point, I'm reasonably satisfied about libraries not causing the problem.

Comment by joey — Thu Sep 4 20:56:54 2025

comment 9

copyFile also leaks a FD. git-annex only uses it on Windows though, so not a problem.

As far as general correctness goes, I've reported a bug upstream about it https://github.com/haskell/directory/issues/203, which I suspect they'll fix eventually since they have fixed similar problems before.

Also filed https://github.com/haskell/file-io/issues/44 which would avoid git-annex needing to reimplement a lot of this stuff.

Comment by joey — Fri Sep 5 15:15:03 2025

comment 10

I've made all OsPath operations in git-annex set the close-on-exec flag.

This will largely fix the problem when git-annex is built with the OsPath build flag. Which has now become default, but it's still possible for git-annex to be built without that build flag. Check git-annex version for "OsPath" to know if your git-annex was built with this. I think it will probably pass the test suite on beegfs at this point.

(However, the openTempFile implementation sets the flag only after opening the file, so is still vulnerable to a race where the fd can leak to an execed process. That could use more work, but at least is a quite narrow race window.)

Also the few ByteString readFile/writeFile calls were converted to the OsPath operations.

What remains to be done to fully fix this:

Checking haskell libraries as listed in comment #8
All the FilePath versions of readFile, writeFile, etc, still don't set the close-on-exec flag. There are a few hundred such calls still in of git-annex. Those will all have to be wrapped with versions that do set the close-on-exec flag, or converted to the OsPath versions.

So, this bug is now tied to OsPath conversion in 2 ways.

Comment by joey — Fri Sep 5 17:42:02 2025

comment 11

I've now converted all functions listed above to ones that set the close-on-exec flag. (When building with the OsPath flag.)

And checked all the libraries in comment #8.

All that remains is the openTempFile race.

Comment by joey — Fri Sep 5 19:46:25 2025

comment 12

There are a few other races where a FD can leak to a child process still, where setFdOption is used after dup()/pipe().

These don't involve files, so won't affect beegfs. They should still be fixed.

While dup3() and pipe2() allow setting the close-on-exec flag, I don't think they're portable enough to rely on.

It may be possible to rewrite these handful of things to avoid the problem:

processTranscript should be able to read chunks from stdout and stderr concurrently and interleave, not needing a pipe
Remote.Directory should be able to reuse the same handle passed to fileContentCopier to get the FD for the postchecknoncow.
gpg feedRead may be able to use stdin as the passphrase-fd. If gpg reads one line for that, and then continues to read the rest of stdin for the content to encrypt/decrypt. I have not checked if gpg behaves that way.
Similar for StatelessOpenPGP

Alternatively, it would be possible to solve all of these issues, as well as the openTempFile race, by making the wrappers in Utility.Process prevent starting a process when a global MVar is empty. And have a function that runs an action with the MVar emptied. Then the call to dup/pipe could run effectively atomically with the setFdOption. There would be a small overhead in checking the MVar on each exec, but probably too small to be noticable.

Comment by joey — Sat Sep 6 17:11:55 2025

comment 13

There is some potential for any of these FD leaks to compromise security, in cases where a child process ends up running untrusted code in some kind of sandbox, that is sufficiently leaky that the leaked FD is accessible inside the sandbox.

I don't think any existing special remote or other git-annex addons behave that way, so don't think this is an exploitable security hole. Arguably, if sandboxing untrusted code, it's on you to avoid exposing open Fds to it.

However, since security is involved, it does need to be fixed comprehensively in git-annex, including the remaining races.

Comment by joey — Sat Sep 6 17:28:57 2025

comment 14

Implemented the global MVar fix for remaining races.

Comment by joey — Wed Sep 10 18:27:50 2025

comment 15

FTR: fixed in 10.20250828-58-g38786a4e5e

Comment by yarikoptic — Thu Sep 11 12:30:49 2025

comment 16

I have reran with freshish build 10.20250828+git58-g38786a4e5e-1~ndall+1 and still observe those FAILs as before IIRC

$> show-paths  -e FAIL -f full-lines .duct/logs/2025.09.11T11.15.27-2500297_stdout
1016  Tests
1017    Repo Tests v10 locked
1025:     git-remote-annex exporttree:      FAIL (3.60s)
1206  Tests
1207    Repo Tests v10 locked
1215:     export and import of subdir:           FAIL (7.19s)
1225  Tests
1226    Repo Tests v10 locked
1234:     export and import:                     FAIL (4.91s)
1268  Tests
1269    Repo Tests v10 adjusted unlocked branch
1277:     git-remote-annex exporttree:      FAIL (4.68s)
1299  Tests
1300    Repo Tests v10 unlocked
1308:     export and import of subdir:           FAIL (10.38s)
1330  Tests
1331    Repo Tests v10 unlocked
1339:     export and import:                     FAIL (10.19s)
1373  Tests
1374    Repo Tests v10 adjusted unlocked branch
1382:     export and import:                     FAIL (6.96s)
1428  Tests
1429    Repo Tests v10 adjusted unlocked branch
1437:     export and import of subdir:           FAIL (10.63s)

Comment by yarikoptic — Thu Sep 11 15:46:52 2025

comment 17

Drat. Reopened bug.

Is the error for these still "export.ex [...] Device or resource busy"?

If so, the problem must not be beegfs not liking an open file to be renamed, but something else.

I have verified that the temp file that gets renamed to the "export.ex" log file is now opened with O_CLOEXEC.

Comment by joey — Mon Sep 15 16:07:35 2025

comment 18

I think so -- I posted a full log now to check

Comment by yarikoptic — Mon Sep 15 17:11:51 2025

comment 19

Confirmed in your log that git-annex is not built with the OsPath build flag, so it will still not be using O_CLOEXEC.

It would be good to get a build with OsPath and test it to see if my fixes actually did work. Debian doesn't include the necessary library yet, so a build using stack is needed.

Comment by joey — Mon Sep 15 18:20:21 2025

comment 21

I have enabled OsPath in the build at https://downloads.kitenet.net/git-annex/autobuild/amd64/git-annex-standalone-amd64.tar.gz

Comment by joey — Mon Sep 15 20:12:04 2025

comment 21

that version had no errors: All tests succeeded. (Ran 50 test groups in 11m54s)

So, this will be default option? any specific dependency requirements we need to add/constrain?

Comment by yarikoptic — Tue Sep 16 00:40:21 2025

comment 23

Yay!

OsPath needs the os-string and file-io haskell packages. Which are not currently in Debian. So either work will need to be done to package those, or when Debian upgrades ghc to 9.12.2, it will include those libraries automatically since they are bundled with ghc since that version.

Maybe you know more than I do about the state of Debian's haskell support.

The transition is being tracked at RawFilePath conversion but I don't know yet what the solution is to getting the dependencies broadly available.

(Or I could implement the same fixes when not built with that flag of course. It is doable. Just annoying especially since that code will have to be carefully gotten just right, only to be thrown away later.)

Comment by joey — Tue Sep 16 14:36:24 2025

comment 23

well, may be at least Michael's pypi whl builds which directly install stack (I do not think they use system pkgs) could be tuned as needed?

Comment by yarikoptic — Tue Sep 16 19:33:40 2025

comment 24

well, may be at least Michael's pypi whl builds which directly install stack (I do not think they use system pkgs) could be tuned as needed?

Comment by yarikoptic — Tue Sep 16 19:34:27 2025

comment 25

The pypi whl builds should already have it, as all stack builds default to having the OsPath build flag enabled already.

Comment by joey — Thu Sep 18 15:53:27 2025

Add a comment