|
|
Log in / Subscribe / Register

Dealing with negative dentries

Dealing with negative dentries

Posted May 10, 2022 6:20 UTC (Tue) by nickodell (subscriber, #125165)
Parent article: Dealing with negative dentries

In one of the threads discussing this patch, there's an example of how dentry bloat can happen on non-crazy systems: https://bugzilla.redhat.com/show_bug.cgi?id=1720479 I thought it was interesting, so I dug through the bug tracker and associated source code to understand the rationale behind *why* it was making so many dentries.

Here's a short summary of why it happened:

1. In the linked bug, curl is being used as a Docker healthcheck for Elasticsearch. It's getting run every second and creating ~20,000 negative dentries each time.
2. NSS is a library for loading and validating SSL certificates. It's used in curl and Firefox. It can load a set of certificate authorities from the filesystem.
3. But loading these is slow, so it builds an indexed SQLite database of SSL certs so that cert lookup is fast.
4. The location that the database is being built on could be a network filesystem, so if that happens, the database should be built up in memory, *then* written to disk in one go, for speed reasons.
5. But how can it detect if it's a slow network FS or a fast disk FS? It measures it using stat(). But if it stats a file which exists, the file could be in the dentry cache already, which would throw off the measurement. So it measures the stat() time of a nonexistant file with a random number in the filename.
6. It repeats that measurement 10,000 files, or for 33ms, whichever comes first. Also, it measures both /tmp and the directory it loads the certificates from.

There are a couple of contributing factors to the problem:

1. The developers of NSS, Mozilla, mostly care about performance for Firefox. In Firefox, NSS is only loaded once per process. curl also loads NSS once per process, but each process much shorter lived.
2. Firefox is used on desktop systems, which get rebooted more often.
3. AFAIK, there's no good cross-platform way to determine if a path is on a network filesystem.
4. Elasticsearch gets run on systems with gobs and gobs of memory, and it's not rebooted for a really long time.

The story does have a happy ending, though. These days, NSS will make a temporary dir, look up its 10000 non-existant files in that directory, and deletes the temporary dir. As I understand it, that cleans up all but one negative dentry.
https://github.com/nss-dev/nss/blob/18668d2e34500a6f14b68...

But it's easy to see why the NSS developers started looking up nonexistent files - it solved a pressing performance problem in a cross-platform way that looked to be nearly free. It seems like negative dentries are something of an attractive nuisance - easy to misuse without knowing the performance costs.

to post comments

Dealing with negative dentries

Posted May 10, 2022 17:26 UTC (Tue) by brenns10 (subscriber, #112114) [Link] (1 responses)

I remember reading this bug report and thinking that this was one of the crazier systems. I don't love the idea of timing operations to determine whether something is local or remote: ideally we should provide an API to provide the required info and then try to make every operation fast enough to appear as if it's local :P . But I suppose craziness is in the eye of the beholder :)

> But it's easy to see why the NSS developers started looking up nonexistent files - it solved a pressing performance problem in a cross-platform way that looked to be nearly free. It seems like negative dentries are something of an attractive nuisance - easy to misuse without knowing the performance costs.

You're 100% right though. Userspace shouldn't need to know or care what a dentry is, or worry about the cache pollution they cause. The kernel needs to be smart enough to weed out these useless negative dentries.

Dealing with negative dentries

Posted May 10, 2022 18:57 UTC (Tue) by nickodell (subscriber, #125165) [Link]

>I don't love the idea of timing operations to determine whether something is local or remote: ideally we should provide an API to provide the required info and then try to make every operation fast enough to appear as if it's local :P

They don't care about whether the directory is local or remote, exactly - they care about whether it's fast or slow. In principle, you could have a really fast network filesystem, and then NSS wouldn't bother with the workaround.

>But I suppose craziness is in the eye of the beholder :)

Haha, exactly.

-----

By the way, thanks for hosting this session, and posting the initial patch. I thought it was a really smart and fast heuristic.

Dealing with negative dentries

Posted May 11, 2022 7:37 UTC (Wed) by jengelh (subscriber, #33263) [Link]

>3. AFAIK, there's no good cross-platform way to determine if a path is on a network filesystem.

At what point does certain storage become "network"? Media conversion to fiber? Cabling distance to the array >1000m? What would you do if the "network"ed mount were still to be the faster choice over a local disk?
Such checking attempts can only end in vain, even before having to consider the difference in OS APIs.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds