snix_castore/fs/

mod.rs

mod file_attr;
mod inode_tracker;
mod inodes;
pub mod root_nodes;

#[cfg(feature = "fuse")]
pub mod fuse;

#[cfg(feature = "virtiofs")]
pub mod virtiofs;

pub use self::root_nodes::RootNodes;
use self::{
    file_attr::ROOT_FILE_ATTR,
    inode_tracker::InodeTracker,
    inodes::{DirectoryInodeData, InodeData},
};
use crate::{
    B3Digest, Node,
    blobservice::{BlobReader, BlobService},
    directoryservice::DirectoryService,
    path::PathComponent,
};
use bstr::ByteVec;
use fuse_backend_rs::api::filesystem::{
    Context, FileSystem, FsOptions, GetxattrReply, ListxattrReply, ROOT_ID,
};
use fuse_backend_rs::{
    abi::fuse_abi::{Attr, OpenOptions, stat64},
    api::filesystem::Entry,
};
use futures::{StreamExt, stream::BoxStream};
use parking_lot::RwLock;
use std::sync::Mutex;
use std::{
    collections::HashMap,
    io,
    sync::atomic::AtomicU64,
    sync::{Arc, atomic::Ordering},
    time::Duration,
};
use std::{ffi::CStr, io::Cursor};
use tokio::io::{AsyncReadExt, AsyncSeekExt};
use tracing::{Span, debug, error, instrument, warn};

/// This implements a read-only [FileSystem] for a snix-castore
/// with the passed [BlobService], [DirectoryService] and [RootNodes].
///
/// Linux uses inodes in filesystems. When implementing the trait, most calls
/// *are for* a given inode.
///
/// This means, we need to have a stable mapping of inode numbers to the
/// corresponding store nodes.
///
/// We internally delegate all inode allocation and state keeping to the
/// inode tracker.
/// We store a mapping from currently "explored" names in the root to their
/// inode.
///
/// There's some places where inodes are allocated / data inserted into
/// the inode tracker, if not allocated before already:
///  - Processing a `lookup` request, either in the mount root, or somewhere
///    deeper.
///  - Processing a `readdir` request
///
///  Things pointing to the same contents get the same inodes, irrespective of
///  their own location.
///  This means:
///  - Symlinks with the same target will get the same inode.
///  - Regular/executable files with the same contents will get the same inode
///  - Directories with the same contents will get the same inode.
///
/// Due to the above being valid across the whole store, and considering the
/// merkle structure is a DAG, not a tree, this also means we can't do "bucketed
/// allocation", aka reserve Directory.size inodes for each directory node we
/// explore.
/// Tests for this live in the snix-store crate.
pub struct SnixStoreFs<BS, DS, RN: RootNodes> {
    blob_service: BS,
    directory_service: DS,
    root_nodes_provider: RN,
    settings: FSSettings,

    /// This maps a given basename in the root to the inode we allocated for the node.
    root_nodes: RwLock<HashMap<PathComponent, u64>>,

    /// This keeps track of inodes and data alongside them.
    inode_tracker: RwLock<InodeTracker>,

    // FUTUREWORK: have a generic container type for dir/file handles and handle
    // allocation.
    /// This holds all opendir handles (for the root inode), keyed by the handle
    /// returned from the opendir call.
    /// For each handle, we store an enumerated Result<(PathComponent, Node), crate::Error>.
    /// The index is needed as we need to send offset information.
    #[allow(clippy::type_complexity)]
    dir_handles: RwLock<
        HashMap<
            u64,
            (
                Span,
                Arc<Mutex<BoxStream<'static, (usize, Result<(PathComponent, Node), RN::Error>)>>>,
            ),
        >,
    >,

    next_dir_handle: AtomicU64,

    /// This holds all open file handles
    #[allow(clippy::type_complexity)]
    file_handles: RwLock<HashMap<u64, (Span, Arc<Mutex<Box<dyn BlobReader>>>)>>,

    next_file_handle: AtomicU64,

    tokio_handle: tokio::runtime::Handle,
}

/// Configures some filesystem settings
#[derive(Debug, Default)]
pub struct FSSettings {
    /// Whether to (try) listing elements in the root.
    pub list_root: bool,

    /// If uid/gid should be overridden, their values
    pub uid_gid_override: Option<(u32, u32)>,

    /// Whether to expose blob and directory digests as extended attributes.
    pub show_xattr: bool,
}

impl<BS, DS, RN> SnixStoreFs<BS, DS, RN>
where
    BS: BlobService,
    DS: DirectoryService,
    RN: RootNodes,
{
    pub fn new(
        blob_service: BS,
        directory_service: DS,
        root_nodes_provider: RN,

        settings: FSSettings,
        tokio_handle: tokio::runtime::Handle,
    ) -> Self {
        Self {
            blob_service,
            directory_service,
            root_nodes_provider,

            settings,

            root_nodes: RwLock::new(HashMap::default()),
            inode_tracker: RwLock::new(Default::default()),

            dir_handles: RwLock::new(Default::default()),
            next_dir_handle: AtomicU64::new(1),

            file_handles: RwLock::new(Default::default()),
            next_file_handle: AtomicU64::new(1),
            tokio_handle,
        }
    }

    /// Retrieves the inode for a given root node basename, if present.
    /// This obtains a read lock on self.root_nodes.
    fn get_inode_for_root_name(&self, name: &PathComponent) -> Option<u64> {
        self.root_nodes.read().get(name).cloned()
    }

    /// For a given inode, look up the given directory behind it (from
    /// self.inode_tracker), and return its children.
    /// The inode_tracker MUST know about this inode already, and it MUST point
    /// to a [InodeData::Directory].
    /// It is ok if it's a [DirectoryInodeData::Sparse] - in that case, a lookup
    /// in self.directory_service is performed, and self.inode_tracker is updated with the
    /// [DirectoryInodeData::Populated].
    #[allow(clippy::type_complexity)]
    #[instrument(skip(self), err)]
    fn get_directory_children(
        &self,
        ino: u64,
    ) -> io::Result<(B3Digest, Vec<(u64, PathComponent, Node)>)> {
        let data = self.inode_tracker.read().get(ino).unwrap();
        match *data {
            // if it's populated already, return children.
            InodeData::Directory(DirectoryInodeData::Populated(parent_digest, ref children)) => {
                Ok((parent_digest, children.clone()))
            }
            // if it's sparse, fetch data using directory_service, populate child nodes
            // and update it in [self.inode_tracker].
            InodeData::Directory(DirectoryInodeData::Sparse(parent_digest, _)) => {
                let directory = self
                    .tokio_handle
                    .block_on(async { self.directory_service.get(&parent_digest).await })
                    .map_err(|err| {
                        warn!(%err, "error from directory service");
                        io::Error::other(err)
                    })?
                    .ok_or_else(|| {
                        warn!(directory.digest=%parent_digest, "directory not found");
                        // If the Directory can't be found, this is a hole, bail out.
                        io::Error::from_raw_os_error(libc::EIO)
                    })?;

                // Turn the retrieved directory into a InodeData::Directory(DirectoryInodeData::Populated(..)),
                // allocating inodes for the children on the way.
                // FUTUREWORK: there's a bunch of cloning going on here, which we can probably avoid.
                let children = {
                    let mut inode_tracker = self.inode_tracker.write();

                    let children: Vec<(u64, PathComponent, Node)> = directory
                        .into_nodes()
                        .map(|(child_name, child_node)| {
                            let inode_data = InodeData::from_node(&child_node);

                            let child_ino = inode_tracker.put(inode_data);
                            (child_ino, child_name, child_node)
                        })
                        .collect();

                    // replace.
                    inode_tracker.replace(
                        ino,
                        Arc::new(InodeData::Directory(DirectoryInodeData::Populated(
                            parent_digest,
                            children.clone(),
                        ))),
                    );

                    children
                };

                Ok((parent_digest, children))
            }
            // if the parent inode was not a directory, this doesn't make sense
            InodeData::Regular(..) | InodeData::Symlink(_) => {
                Err(io::Error::from_raw_os_error(libc::ENOTDIR))
            }
        }
    }

    /// This will turn a lookup request for a name in the root to a ino and
    /// [InodeData].
    /// It will peek in [self.root_nodes], and then either look it up from
    /// [self.inode_tracker],
    /// or otherwise fetch from [self.root_nodes], and then insert into
    /// [self.inode_tracker].
    /// In the case the name can't be found, a libc::ENOENT is returned.
    fn name_in_root_to_ino_and_data(
        &self,
        name: &PathComponent,
    ) -> io::Result<(u64, Arc<InodeData>)> {
        // Look up the inode for that root node.
        // If there's one, [self.inode_tracker] MUST also contain the data,
        // which we can then return.
        if let Some(inode) = self.get_inode_for_root_name(name) {
            return Ok((
                inode,
                self.inode_tracker
                    .read()
                    .get(inode)
                    .expect("must exist")
                    .to_owned(),
            ));
        }

        // We don't have it yet, look it up in [self.root_nodes].
        match self
            .tokio_handle
            .block_on(async { self.root_nodes_provider.get_by_basename(name).await })
        {
            // if there was an error looking up the root node, propagate up an IO error.
            Err(_e) => Err(io::Error::from_raw_os_error(libc::EIO)),
            // the root node doesn't exist, so the file doesn't exist.
            Ok(None) => Err(io::Error::from_raw_os_error(libc::ENOENT)),
            // The root node does exist
            Ok(Some(root_node)) => {
                // Let's check if someone else beat us to updating the inode tracker and
                // root_nodes map. This avoids locking inode_tracker for writing.
                if let Some(ino) = self.root_nodes.read().get(name) {
                    return Ok((
                        *ino,
                        self.inode_tracker.read().get(*ino).expect("must exist"),
                    ));
                }

                // Only in case it doesn't, lock [self.root_nodes] and
                // [self.inode_tracker] for writing.
                let mut root_nodes = self.root_nodes.write();
                let mut inode_tracker = self.inode_tracker.write();

                // insert the (sparse) inode data and register in
                // self.root_nodes.
                let inode_data = InodeData::from_node(&root_node);
                let ino = inode_tracker.put(inode_data.clone());
                root_nodes.insert(name.to_owned(), ino);

                Ok((ino, Arc::new(inode_data)))
            }
        }
    }

    /// Helper function, converting a [InodeData] to [Attr],
    /// applying uid/gid override if configured.
    fn inode_data_to_attr(&self, inode_data: &InodeData, ino: u64) -> Attr {
        let mode = match inode_data {
            InodeData::Regular(_, _, false) => libc::S_IFREG | 0o444,
            // executable
            InodeData::Regular(_, _, true) => libc::S_IFREG | 0o555,
            InodeData::Symlink(_) => libc::S_IFLNK | 0o444,
            InodeData::Directory(_) => libc::S_IFDIR | 0o555,
        };
        // libc::S_IFREG, libc::S_IFLNK & libc::S_IFDIR are u32 on Linux and u16 on MacOS
        #[cfg(target_os = "macos")]
        let mode = mode as u32;
        let mut attr = Attr {
            ino,
            // FUTUREWORK: play with this numbers, as it affects read sizes for client applications.
            blocks: 1024,
            size: match inode_data {
                InodeData::Regular(_, size, _) => *size,
                InodeData::Symlink(target) => target.len() as u64,
                InodeData::Directory(DirectoryInodeData::Sparse(_, size)) => *size,
                InodeData::Directory(DirectoryInodeData::Populated(_, children)) => {
                    children.len() as u64
                }
            },
            mode,
            mtime: 1, // Everything in /nix/store must have timestamp "1".
            ..Default::default()
        };

        if let Some((uid, gid)) = self.settings.uid_gid_override {
            attr.uid = uid;
            attr.gid = gid;
        }

        attr
    }
}
fn attr_to_fuse_entry(attr: Attr) -> Entry {
    Entry {
        inode: attr.ino,
        attr: attr.into(),
        attr_timeout: Duration::MAX,
        entry_timeout: Duration::MAX,
        ..Default::default()
    }
}

/// Returns the u32 fuse type
fn node_to_fuse_type(node: &Node) -> u32 {
    #[allow(clippy::let_and_return)]
    let ty = match node {
        Node::Directory { .. } => libc::S_IFDIR,
        Node::File { .. } => libc::S_IFREG,
        Node::Symlink { .. } => libc::S_IFLNK,
    };
    // libc::S_IFDIR is u32 on Linux and u16 on MacOS
    #[cfg(target_os = "macos")]
    let ty = ty as u32;

    ty
}

const XATTR_NAME_DIRECTORY_DIGEST: &[u8] = b"user.snix.castore.directory.digest";
const XATTR_NAME_BLOB_DIGEST: &[u8] = b"user.snix.castore.blob.digest";

#[cfg(all(feature = "virtiofs", target_os = "linux"))]
impl<BS, DS, RN> fuse_backend_rs::api::filesystem::Layer for SnixStoreFs<BS, DS, RN>
where
    BS: BlobService,
    DS: DirectoryService,
    RN: RootNodes,
{
    fn root_inode(&self) -> Self::Inode {
        ROOT_ID
    }
}

impl<BS, DS, RN> FileSystem for SnixStoreFs<BS, DS, RN>
where
    BS: BlobService,
    DS: DirectoryService,
    RN: RootNodes,
{
    type Handle = u64;
    type Inode = u64;

    fn init(&self, _capable: FsOptions) -> io::Result<FsOptions> {
        let mut opts = FsOptions::empty();

        // allow more than one pending read request per file-handle at any time
        opts |= FsOptions::ASYNC_READ;

        #[cfg(target_os = "linux")]
        {
            // the filesystem supports readdirplus
            opts |= FsOptions::DO_READDIRPLUS;
            // issue both readdir and readdirplus depending on the information expected to be required
            opts |= FsOptions::READDIRPLUS_AUTO;
            // allow concurrent lookup() and readdir() requests for the same directory
            opts |= FsOptions::PARALLEL_DIROPS;
            // have the kernel cache symlink contents
            opts |= FsOptions::CACHE_SYMLINKS;
        }
        // TODO: figure out what dawrin options make sense.

        Ok(opts)
    }

    #[tracing::instrument(skip_all, fields(rq.inode = inode))]
    fn getattr(
        &self,
        _ctx: &Context,
        inode: Self::Inode,
        _handle: Option<Self::Handle>,
    ) -> io::Result<(stat64, Duration)> {
        let attr = if inode == ROOT_ID {
            ROOT_FILE_ATTR
        } else {
            self.inode_data_to_attr(
                self.inode_tracker
                    .read()
                    .get(inode)
                    .ok_or_else(|| io::Error::from_raw_os_error(libc::ENOENT))?
                    .as_ref(),
                inode,
            )
        };

        Ok((attr.into(), Duration::MAX))
    }

    #[tracing::instrument(skip_all, fields(rq.parent_inode = parent, rq.name = ?name))]
    fn lookup(
        &self,
        _ctx: &Context,
        parent: Self::Inode,
        name: &std::ffi::CStr,
    ) -> io::Result<Entry> {
        debug!("lookup");

        // convert the CStr to a PathComponent
        // If it can't be converted, we definitely don't have anything here.
        let name: PathComponent = name.try_into().map_err(|_| std::io::ErrorKind::NotFound)?;

        // This goes from a parent inode to a node.
        let (ino, inode_data) = if parent == ROOT_ID {
            // If the parent is [ROOT_ID], we need to check [self.root_nodes] (fetching from a [RootNode] provider if needed)
            self.name_in_root_to_ino_and_data(&name)?
        } else {
            // else the parent must be a directory, otherwise we would never come up with this request.
            // Lookup the parent in [self.inode_tracker] (which must be a [InodeData::Directory]), and find the child with that name.
            let (parent_digest, children) = self.get_directory_children(parent)?;

            Span::current().record("directory.digest", parent_digest.to_string());
            // Search for that name in the list of children (which we know are sorted)
            // and return the FileAttrs.
            let idx = children
                .binary_search_by_key(&&name, |(_, n, _)| n)
                .map_err(|_| {
                    // Child not found, return ENOENT.
                    io::Error::from_raw_os_error(libc::ENOENT)
                })?;

            let (child_ino, _, child_node) = &children[idx];

            // Reply with the file attributes for the child,
            (*child_ino, Arc::new(InodeData::from_node(child_node)))
        };

        debug!(inode_data=?&inode_data, ino=ino, "Some");

        let attr = self.inode_data_to_attr(
            self.inode_tracker
                .read()
                .get(ino)
                .ok_or_else(|| io::Error::from_raw_os_error(libc::ENOENT))?
                .as_ref(),
            ino,
        );
        Ok(attr_to_fuse_entry(attr))
    }

    #[tracing::instrument(skip_all, fields(rq.inode = inode))]
    fn opendir(
        &self,
        _ctx: &Context,
        inode: Self::Inode,
        _flags: u32,
    ) -> io::Result<(Option<Self::Handle>, OpenOptions)> {
        // In case opendir on the root is called, we provide the handle, as re-entering that listing is expensive.
        // For all other directory inodes we just let readdir take care of it.
        if inode == ROOT_ID {
            if !self.settings.list_root {
                return Err(io::Error::from_raw_os_error(libc::EPERM)); // same error code as ipfs/kubo
            }

            let stream = self.root_nodes_provider.list().enumerate().boxed();

            // Put the stream into [self.dir_handles].
            // TODO: this will overflow after 2**64 operations,
            // which is fine for now.
            // See https://cl.tvl.fyi/c/depot/+/8834/comment/a6684ce0_d72469d1
            // for the discussion on alternatives.
            let dh = self.next_dir_handle.fetch_add(1, Ordering::SeqCst);

            self.dir_handles
                .write()
                .insert(dh, (Span::current(), Arc::new(Mutex::new(stream))));

            return Ok((Some(dh), OpenOptions::NONSEEKABLE));
        }

        let mut opts = OpenOptions::empty();

        opts |= OpenOptions::KEEP_CACHE;
        #[cfg(target_os = "linux")]
        {
            opts |= OpenOptions::CACHE_DIR;
        }
        // allow caching this directory contents, don't invalidate on open
        Ok((None, opts))
    }

    #[tracing::instrument(skip_all, fields(rq.inode = inode, rq.handle = handle, rq.offset = offset), parent = self.dir_handles.read().get(&handle).and_then(|x| x.0.id()))]
    fn readdir(
        &self,
        _ctx: &Context,
        inode: Self::Inode,
        handle: Self::Handle,
        _size: u32,
        offset: u64,
        add_entry: &mut dyn FnMut(fuse_backend_rs::api::filesystem::DirEntry) -> io::Result<usize>,
    ) -> io::Result<()> {
        debug!("readdir");

        if inode == ROOT_ID {
            if !self.settings.list_root {
                return Err(io::Error::from_raw_os_error(libc::EPERM)); // same error code as ipfs/kubo
            }

            // get the stream from [self.dir_handles]
            let dir_handles = self.dir_handles.read();
            let (_span, stream) = dir_handles.get(&handle).ok_or_else(|| {
                warn!("dir handle {} unknown", handle);
                io::Error::from_raw_os_error(libc::EIO)
            })?;

            let mut stream = stream
                .lock()
                .map_err(|_| io::Error::other("mutex poisoned"))?;

            while let Some((i, n)) = self.tokio_handle.block_on(async { stream.next().await }) {
                let (name, node) = n.map_err(|e| {
                    warn!("failed to retrieve root node: {}", e);
                    io::Error::from_raw_os_error(libc::EIO)
                })?;

                // obtain the inode, or allocate a new one.
                let ino = self.get_inode_for_root_name(&name).unwrap_or_else(|| {
                    // insert the (sparse) inode data and register in
                    // self.root_nodes.
                    let ino = self.inode_tracker.write().put(InodeData::from_node(&node));
                    self.root_nodes.write().insert(name.clone(), ino);
                    ino
                });

                let written = add_entry(fuse_backend_rs::api::filesystem::DirEntry {
                    ino,
                    offset: offset + (i as u64) + 1,
                    type_: node_to_fuse_type(&node),
                    name: name.as_ref(),
                })?;
                // If the buffer is full, add_entry will return `Ok(0)`.
                if written == 0 {
                    break;
                }
            }
            return Ok(());
        }

        // Non root-node case: lookup the children, or return an error if it's not a directory.
        let (parent_digest, children) = self.get_directory_children(inode)?;
        Span::current().record("directory.digest", parent_digest.to_string());

        for (i, (ino, child_name, child_node)) in
            children.into_iter().skip(offset as usize).enumerate()
        {
            // the second parameter will become the "offset" parameter on the next call.
            let written = add_entry(fuse_backend_rs::api::filesystem::DirEntry {
                ino,
                offset: offset + (i as u64) + 1,
                type_: node_to_fuse_type(&child_node),
                name: child_name.as_ref(),
            })?;
            // If the buffer is full, add_entry will return `Ok(0)`.
            if written == 0 {
                break;
            }
        }

        Ok(())
    }

    #[tracing::instrument(skip_all, fields(rq.inode = inode, rq.handle = handle), parent = self.dir_handles.read().get(&handle).and_then(|x| x.0.id()))]
    fn readdirplus(
        &self,
        _ctx: &Context,
        inode: Self::Inode,
        handle: Self::Handle,
        _size: u32,
        offset: u64,
        add_entry: &mut dyn FnMut(
            fuse_backend_rs::api::filesystem::DirEntry,
            Entry,
        ) -> io::Result<usize>,
    ) -> io::Result<()> {
        debug!("readdirplus");

        if inode == ROOT_ID {
            if !self.settings.list_root {
                return Err(io::Error::from_raw_os_error(libc::EPERM)); // same error code as ipfs/kubo
            }

            // get the stream from [self.dir_handles]
            let dir_handles = self.dir_handles.read();
            let (_span, stream) = dir_handles.get(&handle).ok_or_else(|| {
                warn!("dir handle {} unknown", handle);
                io::Error::from_raw_os_error(libc::EIO)
            })?;

            let mut stream = stream
                .lock()
                .map_err(|_| io::Error::other("mutex poisoned"))?;

            while let Some((i, n)) = self.tokio_handle.block_on(async { stream.next().await }) {
                let (name, node) = n.map_err(|e| {
                    warn!("failed to retrieve root node: {}", e);
                    io::Error::from_raw_os_error(libc::EPERM)
                })?;

                let inode_data = InodeData::from_node(&node);

                // obtain the inode, or allocate a new one.
                let ino = self.get_inode_for_root_name(&name).unwrap_or_else(|| {
                    // insert the (sparse) inode data and register in
                    // self.root_nodes.
                    let ino = self.inode_tracker.write().put(inode_data.clone());
                    self.root_nodes.write().insert(name.clone(), ino);
                    ino
                });

                let written = add_entry(
                    fuse_backend_rs::api::filesystem::DirEntry {
                        ino,
                        offset: offset + (i as u64) + 1,
                        type_: node_to_fuse_type(&node),
                        name: name.as_ref(),
                    },
                    attr_to_fuse_entry(self.inode_data_to_attr(&inode_data, ino)),
                )?;
                // If the buffer is full, add_entry will return `Ok(0)`.
                if written == 0 {
                    break;
                }
            }
            return Ok(());
        }

        // Non root-node case: lookup the children, or return an error if it's not a directory.
        let (parent_digest, children) = self.get_directory_children(inode)?;
        Span::current().record("directory.digest", parent_digest.to_string());

        for (i, (ino, name, child_node)) in children.into_iter().skip(offset as usize).enumerate() {
            let inode_data = InodeData::from_node(&child_node);

            // the second parameter will become the "offset" parameter on the next call.
            let written = add_entry(
                fuse_backend_rs::api::filesystem::DirEntry {
                    ino,
                    offset: offset + (i as u64) + 1,
                    type_: node_to_fuse_type(&child_node),
                    name: name.as_ref(),
                },
                attr_to_fuse_entry(self.inode_data_to_attr(&inode_data, ino)),
            )?;
            // If the buffer is full, add_entry will return `Ok(0)`.
            if written == 0 {
                break;
            }
        }

        Ok(())
    }

    #[tracing::instrument(skip_all, fields(rq.inode = inode, rq.handle = handle), parent = self.dir_handles.read().get(&handle).and_then(|x| x.0.id()))]
    fn releasedir(
        &self,
        _ctx: &Context,
        inode: Self::Inode,
        _flags: u32,
        handle: Self::Handle,
    ) -> io::Result<()> {
        if inode == ROOT_ID {
            // drop the stream.
            if let Some(stream) = self.dir_handles.write().remove(&handle) {
                // drop it, which will close it.
                drop(stream)
            } else {
                warn!("dir handle not found");
            }
        }

        Ok(())
    }

    #[tracing::instrument(skip_all, fields(rq.inode = inode))]
    fn open(
        &self,
        _ctx: &Context,
        inode: Self::Inode,
        _flags: u32,
        _fuse_flags: u32,
    ) -> io::Result<(Option<Self::Handle>, OpenOptions, Option<u32>)> {
        if inode == ROOT_ID {
            return Err(io::Error::from_raw_os_error(libc::ENOSYS));
        }

        // lookup the inode
        match *self.inode_tracker.read().get(inode).unwrap() {
            // read is invalid on non-files.
            InodeData::Directory(..) | InodeData::Symlink(_) => {
                warn!("is directory");
                Err(io::Error::from_raw_os_error(libc::EISDIR))
            }
            InodeData::Regular(ref blob_digest, _blob_size, _) => {
                Span::current().record("blob.digest", blob_digest.to_string());

                match self
                    .tokio_handle
                    .block_on(async { self.blob_service.open_read(blob_digest).await })
                {
                    Ok(None) => {
                        warn!("blob not found");
                        Err(io::Error::from_raw_os_error(libc::EIO))
                    }
                    Err(e) => {
                        warn!(e=?e, "error opening blob");
                        Err(io::Error::from_raw_os_error(libc::EIO))
                    }
                    Ok(Some(blob_reader)) => {
                        // get a new file handle
                        // TODO: this will overflow after 2**64 operations,
                        // which is fine for now.
                        // See https://cl.tvl.fyi/c/depot/+/8834/comment/a6684ce0_d72469d1
                        // for the discussion on alternatives.
                        let fh = self.next_file_handle.fetch_add(1, Ordering::SeqCst);

                        self.file_handles
                            .write()
                            .insert(fh, (Span::current(), Arc::new(Mutex::new(blob_reader))));

                        Ok((
                            Some(fh),
                            // Don't invalidate the data cache on open.
                            OpenOptions::KEEP_CACHE,
                            None,
                        ))
                    }
                }
            }
        }
    }

    #[tracing::instrument(skip_all, fields(rq.inode = inode, rq.handle = handle), parent = self.file_handles.read().get(&handle).and_then(|x| x.0.id()))]
    fn release(
        &self,
        _ctx: &Context,
        inode: Self::Inode,
        _flags: u32,
        handle: Self::Handle,
        _flush: bool,
        _flock_release: bool,
        _lock_owner: Option<u64>,
    ) -> io::Result<()> {
        match self.file_handles.write().remove(&handle) {
            // drop the blob reader, which will close it.
            Some(blob_reader) => drop(blob_reader),
            None => {
                // These might already be dropped if a read error occured.
                warn!("file handle not found");
            }
        }

        Ok(())
    }

    #[tracing::instrument(skip_all, fields(rq.inode = inode, rq.handle = handle, rq.offset = offset, rq.size = size), parent = self.file_handles.read().get(&handle).and_then(|x| x.0.id()))]
    fn read(
        &self,
        _ctx: &Context,
        inode: Self::Inode,
        handle: Self::Handle,
        w: &mut dyn fuse_backend_rs::api::filesystem::ZeroCopyWriter,
        size: u32,
        offset: u64,
        _lock_owner: Option<u64>,
        _flags: u32,
    ) -> io::Result<usize> {
        debug!("read");

        // We need to take out the blob reader from self.file_handles, so we can
        // interact with it in the separate task.
        // On success, we pass it back out of the task, so we can put it back in self.file_handles.
        let (_span, blob_reader) = self
            .file_handles
            .read()
            .get(&handle)
            .ok_or_else(|| {
                warn!("file handle {} unknown", handle);
                io::Error::from_raw_os_error(libc::EIO)
            })
            .cloned()?;

        let mut blob_reader = blob_reader
            .lock()
            .map_err(|_| io::Error::other("mutex poisoned"))?;

        let buf = self.tokio_handle.block_on(async move {
            // seek to the offset specified, which is relative to the start of the file.
            let pos = blob_reader
                .seek(io::SeekFrom::Start(offset))
                .await
                .map_err(|e| {
                    warn!("failed to seek to offset {}: {}", offset, e);
                    io::Error::from_raw_os_error(libc::EIO)
                })?;

            debug_assert_eq!(offset, pos);

            // As written in the fuse docs, read should send exactly the number
            // of bytes requested except on EOF or error.

            let mut buf: Vec<u8> = Vec::with_capacity(size as usize);

            // copy things from the internal buffer into buf to fill it till up until size
            tokio::io::copy(&mut blob_reader.as_mut().take(size as u64), &mut buf).await?;

            Ok::<_, std::io::Error>(buf)
        })?;

        // We cannot use w.write() here, we're required to call write multiple
        // times until we wrote the entirety of the buffer (which is `size`, except on EOF).
        let buf_len = buf.len();
        let bytes_written = io::copy(&mut Cursor::new(buf), w)?;
        if bytes_written != buf_len as u64 {
            error!(bytes_written=%bytes_written, "unable to write all of buf to kernel");
            return Err(io::Error::from_raw_os_error(libc::EIO));
        }

        Ok(bytes_written as usize)
    }

    #[tracing::instrument(skip_all, fields(rq.inode = inode))]
    fn readlink(&self, _ctx: &Context, inode: Self::Inode) -> io::Result<Vec<u8>> {
        if inode == ROOT_ID {
            return Err(io::Error::from_raw_os_error(libc::ENOSYS));
        }

        // lookup the inode
        match *self.inode_tracker.read().get(inode).unwrap() {
            InodeData::Directory(..) | InodeData::Regular(..) => {
                Err(io::Error::from_raw_os_error(libc::EINVAL))
            }
            InodeData::Symlink(ref target) => Ok(target.to_vec()),
        }
    }

    #[tracing::instrument(skip_all, fields(rq.inode = inode, name=?name))]
    fn getxattr(
        &self,
        _ctx: &Context,
        inode: Self::Inode,
        name: &CStr,
        size: u32,
    ) -> io::Result<GetxattrReply> {
        if !self.settings.show_xattr {
            return Err(io::Error::from_raw_os_error(libc::ENOSYS));
        }

        // Peek at the inode requested, and construct the response.
        let digest_str = match *self
            .inode_tracker
            .read()
            .get(inode)
            .ok_or_else(|| io::Error::from_raw_os_error(libc::ENODATA))?
        {
            InodeData::Directory(DirectoryInodeData::Sparse(ref digest, _))
            | InodeData::Directory(DirectoryInodeData::Populated(ref digest, _))
                if name.to_bytes() == XATTR_NAME_DIRECTORY_DIGEST =>
            {
                digest.to_string()
            }
            InodeData::Regular(ref digest, _, _) if name.to_bytes() == XATTR_NAME_BLOB_DIGEST => {
                digest.to_string()
            }
            _ => {
                return Err(io::Error::from_raw_os_error(libc::ENODATA));
            }
        };

        if size == 0 {
            Ok(GetxattrReply::Count(digest_str.len() as u32))
        } else if size < digest_str.len() as u32 {
            Err(io::Error::from_raw_os_error(libc::ERANGE))
        } else {
            Ok(GetxattrReply::Value(digest_str.into_bytes()))
        }
    }

    #[tracing::instrument(skip_all, fields(rq.inode = inode))]
    fn listxattr(
        &self,
        _ctx: &Context,
        inode: Self::Inode,
        size: u32,
    ) -> io::Result<ListxattrReply> {
        if !self.settings.show_xattr {
            return Err(io::Error::from_raw_os_error(libc::ENOSYS));
        }

        // determine the (\0-terminated list) to of xattr keys present, depending on the type of the inode.
        let xattrs_names = {
            let mut out = Vec::new();
            if let Some(inode_data) = self.inode_tracker.read().get(inode) {
                match *inode_data {
                    InodeData::Directory(_) => {
                        out.extend_from_slice(XATTR_NAME_DIRECTORY_DIGEST);
                        out.push_byte(b'\x00');
                    }
                    InodeData::Regular(..) => {
                        out.extend_from_slice(XATTR_NAME_BLOB_DIGEST);
                        out.push_byte(b'\x00');
                    }
                    _ => {}
                }
            }
            out
        };

        if size == 0 {
            Ok(ListxattrReply::Count(xattrs_names.len() as u32))
        } else if size < xattrs_names.len() as u32 {
            Err(io::Error::from_raw_os_error(libc::ERANGE))
        } else {
            Ok(ListxattrReply::Names(xattrs_names.to_vec()))
        }
    }
}