Ts'o: Delayed allocation and the zero-length file problem

This whole discussion has really not been focused much on what actually are sane behaviors for a FS to have across an unclean shutdown. To date most writings by FS designers I've read seem to focus entirely on avoiding FSCK and avoiding FS meta-data inconsistencies. Very few people seem to talk about things like what the application sees/wants.

One of the commentors on the blog had the best point - insisting on adding fsync before every close/rename sequence (either implicitly in the kernel as has been done, or explicitly in all apps) is going to badly harm performance. 99% of these case do not need the data on the disk, just the write/close/rename order preserved.

Getting great performance by providing weak guarentees is one thing, but then insisting everyone who cares about their data use explicit calls that provide a much stronger and slower guarantee is kinda crazy. Just because POSIX is silent on this matter doesn't mean FS designers should get a free pass on transactional behaviors that are so weak they are useless.

For instance under the same POSIX arguments Ted is making it would be perfectly legitimate for a write/fsync/close/rename to still erase both files because you didn't do a fsync on the directory! Down this path lies madness - at some point the FS has to preserve order!

I wonder how bad a hit performance sensitive apps like rsync will get due to the flushing on rename patches?

fd1=open(dirname(file))
fd2=openat(fd1, NULL, O_CREAT) // Creates an unlinked file
write(fd2)
flinkat(fd1, fd2, basename(file)) // Should guarantee fd2 is written to disk before linking.
close(fd2)
close(fd1)

This seems race free:
doesn't break if the directory is moved during write
doesn't let other apps see or modify the temp file while writing
doesn't leave a broken tempfile around on app crash
doesn't end up with an empty file on system crash

So, is there an appropriate set of heuristics to infer write barriers sometimes but not others? The specific case in this discussion would be something like "insert a write barrier after file content operations requested before metadata operations affecting linkage of that file's inode"? Is this sufficient and defensible?

Ideally, we should have POSIX write-barriers that can be applied to a set of open file and directory handles, and use them to get the proper level of ordering across crashes. The fsync solution is far too blunt an instrument to provide the transactionality that everyone is looking for when they relink newly created files into place.

But then what about all those shell scripts out there which do "foo > file.tmp && mv file.tmp file"? We would need a new write-barrier operation applicable from the shell script (somehow selecting partial ordering of requests issued from separate processes), or a heuristic write-barrier as above...

- Since mv doesn't fsync and mv is expected to leave things in a sane state after a crash, the kernel must be expected to "do the right thing" wrt rename().

OR

- Since mv doesn't sync, mv is not guaranteed to leave things in a sane state after a crash; if you thought that it was guaranteed to do so you were wrong.

That's not the only scenario. There's the one involving rename... You open a *new* file, write to
it, close it, and rename it over an existing file. Then the filesystem commits the metadata change
(that is: the unlinking of the file with data in it, and the creation of the new empty file with the
same name), but *not* the data written to the new file.

No explicit truncation.

Now, there is also the scenario involving truncation. I expect everybody agrees that if you
truncate a file and then later overwrite it, there's a chance that the empty version of the file
might end up on disk. The thing that's undesirable about what ext4 was doing in *that* scenario
is that it essentially eagerly committed to disk the truncation, but lazily committed the new data.
Thus making it *much* more likely that you end up with the truncated file than you'd expect
given that the application called write() with the new data a few milliseconds after truncating the
file.

I know that contemporary disk controller protocols support write-barriers in their command streams. They were intended to make this sort of thing easy. You don't have to micro-manage the requests all the way to the platter, but just decorate them with the correct ordering relations when you issue the commands.

There are two basic problems here:

The first is that fsync is a ridiculously *expensive* way to get the needed
functionality. The second is that most filesystems cannot implement atomic
operations any other way (i.e. without forcing both the metadata and the
data and any other pending metadata changes to disk).

fsync is orders of magnitude more expensive than necessary for the case
under consideration. A properly designed filesystem (i.e. one with
metadata undo) can issue an atomic rename in microseconds. The only option
that POSIX provides can take hundreds if not thousands of milliseconds on a
busy filesystem.

Databases do *synchronous*, durable commits on busy systems in ten
milliseconds or less. Ten to twenty times faster than it takes
contemporary filesystems to do an fsync under comparable conditions.

Even that is still a hundred times more expensive than necessary, because
synchronous durability is not required here. Just atomicity. Nothing has
to hit the disk. No synchronous I/O overhead. Just metadata undo
capability.

This allows linux to avoid the idiocy of solaris's tmpfs where writing a large file to /tmp can crash the box.

The only thing I never use XFS for is the root filesystem, and that's because nobody has seen fit to fix the XFS fsck to detect it is being run on a read-only filesystem, and to switch to xfs_repair on-the-fly.

It is no fun to need boot CDs to make sure everything is kosher in the root filesystem (or worse, to repair it)...

But it really works well for the MTA queues and squid spool, for example.

http://www.linux.com/feature/55915

Canonical is doing a very very neat tap dance here. They don't distribute the binary drivers...if they did that they'd be engaging in an activity that is restricted by the gpl and could easily be called out on it. No, Canonical is much more clever, they encourage users to download the source and binary bits together and compile them locally on the system, avoiding the distribution of the infringing binary module all together. They've even made a point and click gui to kick off this process. Clever Canonical, skating around the edges of gpl infringement and at the same time introducing significant instability into their userbase's experience without an effort to adequately inform users as to what is going on and the pontential downsides.

I don't think its exactly fair to expect the upstream kernel developers to support this sort of behaviour. And I'll note, that because of the tricks being used to avoid a gpl violation scenario, Canonical can't even do its own integration testing on these modules. There are no centrally built and distributed binaries.

Canonical might be avoiding a gpl violation by doing things this way, but they are certainly breaking some of the spirit of the intent.

-jef

How NVidia impedes Free Desktop adoption.
http://vizzzion.org/?blogentry=819
July 2008
"As a Free Software developer, user and advocate, I feel screwed by NVidia, and as a customer, even more so. I would recommend not buying NVidia hardware at this point. For both political reasons, and for practical ones: Pretty much all other graphics cards around there work better with KDE4 than those requiring nvidia.ko."

Linux Graphics Essay
https://www.linuxfoundation.org/en/Linux_Graphics_Essay

"Nvidia isn't in the list of top oops causers as part of some grand strategy to make itself (and Linux) look bad. It's there because the cost of doing the QA and continuous engineering to support the changing interfaces and to detect and correct these problems outweighs the revenue it can bring in from the Linux market. In essence this is because binary drivers totally negate the shared support and maintenance burden which is what makes Open Source so compelling."

If you must, feel free to shoot the messenger. Make it personal if that's what you need in order to engage on the issues. I'm more than happy to take a few bullets. But for anyone who cares about sustainable growth of the linux ecosystem to disregard the validity of the information is pure folly. Binary drivers are a real and significant problem to the stability of linux systems. The people doing the actually development of the linux desktop realize this, even if individual users and the entire Canonical workforce do not.

-jef

Did you even *read* the article?

http://lxer.com/module/newswire/view/116126/#ext4

"Ext4 isn't all good news though, the new allocator that it uses is likely to expose old bugs in software running on top of it. With ext3, applications were pretty much guaranteed that data was actually written to disk about 5 seconds after a write call. This was never official but simply resulted from the way ext3 was implemented. The new allocator used for ext4 means that this can take between 30 seconds and 5 minutes or more if you are running in laptop mode. It exposes a lot of applications that forget to call fsync() to force data to the disk but nevertheless assume that it has been written."

I recommend that you listen to

http://fosdem.unixheads.org/2009/maintracks/ext4.xvid.avi

His talk actually goes into quite a bit about how to avoid this problem and potential workarounds he was looking at. He mentioned that Eric Sandeen, XFS developer now working on Ext4 in Red Hat had talked to Ted about how XFS had some hacks at the filesystem level to workaround this problem of applications writers relying on Ext3 like behaviour. The current Ext4 patches are based on the same ideas. The rawhide kernel already had backported patches already

https://www.redhat.com/archives/fedora-devel-list/2009-Ma...

It appears that proprietary kernel modules causing more instability aggravates the problem as well. Good to get more exposure on the gotchas however. It looks like Btrfs has now similar patches as well in part as a result of such wider discussions.

The lie is that there was a flaw in ext4. There is no flaw in ext4 (not when it comes to this, at least) - applications are broken, because they don't do what's required. They are falling short.

Ted put a workaround into ext4 to address the shortcomings of applications.

The evidence is in your manual pages. Just read them.