File System Performance and Durability
Rethink the Sync.
intro: why are we reading Rethink the Sync?
move up one level:
last time: performance vs FS consistency
today: performance vs durability
most FS don't care much about durability, just internal consistency
paper expands the scope of crash recovery to include external user
user (or outside world via network)
has some kind of careful update plan while operating
has a recovery plan
depends on careful update plan
and post-crash guarantees of layer below
the paper exploits user-level view to improve system properties
xsyncfs's high-level promises
correctness of synchronous FS updates
performance of asynchronous FS
what is a sync FS?
a sync FS forces updates to disk before returning from syscall, like xv6
if syscall returns, its effects will be visible after a crash
write-through disk cache in kernel, so slow
why is sync FS a good standard for correct FS behavior?
maybe since sync FS easy to reason about?
can count on all ops completed before crash being visible after crash
paper claims apps that are correct on sync will be correct on xsyncfs
not directly useful, since no real file systems are sync
so few (no?) apps are written for sync FSs
they probably mean careful use of fsync()
e.g. mail server fsync()s incoming msg before saying "OK"
sender can safely delete if it sees "OK"
if we said OK, fsync() must have returned, so data must be on disk
what does paper mean by an async FS?
system calls can return before data is on disk
syscalls modify blocks in a write-back cache
but then FS has to worry about internal consistency
paper really means FS w/ async logging, in particular Linux's ext3
simplified review of logging
goal: have both write-back cache and internal FS consistency
make multi-step syscalls atomic despite crash: all or nothing
FS has a log on disk
syscall: append BEGIN, each of syscall's modifications, END
also writes blocks in write-back cache
don't send write-back cache to disk until after log goes to disk
if crash, recovery scans log
iff sees END, re-do all modifications in that xaction
so if crash during a system call
if no END, syscall has no effect at all
since we held write-back until after END on disk
if END, syscall has all effects
logging usually asynchronous
syscall appends records to in-memory log
force log to disk periodically or on fsync
may lose recent updates on crash
thus not durable (but still atomic)
why is not-durable a problem for external users?
mail server says "OK" but crash erases its copy of msg
% cp * backupdir
back to xsyncfs:
currently you have to choose between durability and performance
slow sync fs, or fast non-durable async logging
what's the paper's insight to get performance + durability?
sufficient definition of durability:
updates only need to be durable by the time of external output
display output, network packet
which data has to be durable before external output?
all updates "causally preceding" the external output
"causally preceding" is a transitive relation
process X writes a file, then sends a network message
process X exit()s, process Y's wait() returns
X : write(file) -> exit()
Y : -> wait() -> printf("$ ")
process X's file write must be on disk before user sees Y's "$ "
why is durability of causally preceding updates sufficient?
in order to keep external users happy?
if mail sender sees "OK" msg via net, guaranteed msg is on rcvr's disk
no "OK" -> recovery by resending later
% cp * backupdir
if you see the 2nd prompt, you know backup is complete
if crash before 2nd prompt, user "recovers" by backing up again
seems to be sufficient in these two cases
can we argue that no non-causally-preceding write is necessary?
i.e. is that rule sufficient for user-visible correctness?
read mail msg from socket
fork a child
child writes msg to a file
parent writes "OK" to socket
so: sufficient only if application is written carefully
it is necessary for xsyncfs to force all causally preceding writes?
examples when maybe app doesn't need a causally preceding write forced?
will xsyncfs have higher performance than sync updates?
yes: can use write-back cache, coalesce writes
until external output
will xsyncfs have higher performance than async logging?
xsyncfs has causal tracking overhead
xsyncfs might force to disk more often than every 5 seconds
but perhaps yes for apps that fsync()
when might xsyncfs have *higher* performance than async FS?
client does multiple xactions before external ouput
mysql server really must fsync() for each transaction
but xsyncfs knows: no external output -> can ignore fsync()
xsyncfs guarantees same *user*-visible behavior as a sync FS
what about app-visible behavior?
what guarantees given to applications?
imply apps written for sync file system will work fine
xsyncfs guarantees ordering: section 2.2, end of page
so like sync FS, but crashed earlier
your app still needs to be able to recover from a crash
at any point, can rely on all syscalls up to a certain
point being visible after the crash
what are the hard parts of xsyncfs design / impl?
each process and kernel object (pipe) has list of not-yet-written blocks
copy that list when a process reads/updates kernel object
buffering external output, e.g. display writes and network packets
why useful to buffer? why not just suspend process?
forcing disk writes on external output
track down all causally preceding blocks
ask ext3 to write them
wait, then release output
what does that involve?
can you ask ext3 to write just a particular block?
paper involves ext3 in two ways
1. as the competition
2. as part of xsyncfs
outline of ext3 design
main source: Stephen Tweedie 2000 talk transcript "EXT3, Journaling Filesystem"
goals of ext3
performance via write-back cache
crash recovery w/o fsck (just replay log, quick)
atomic syscalls (to maintain FS internal consistency)
ext3 uses a write-ahead redo log (== "journal")
added to a previous log-less file system
has many modes, I'll described "journaled data"
log contains both metadata and file content blocks
in-memory write-back block cache
in-memory list of blocks to be logged
on-disk log file
what's in the ext3 log?
descriptor: magic, seq, block #s
(can be multiple of descriptor / block)
commit: magic, seq
ext3 logs entire blocks ("value logging")
expensive: one little change -> 4096 bytes in log
other systems often log only operation descriptions, more compact
easy: don't need to invent operation descriptions
how does ext3 get good performance despite value logging?
defers copying cache block to log until it commits log to disk
batches many syscalls per commit
hopes multiple sycalls modified same block
thus many syscalls, only one copy of block in log
h = start(# of log blocks to reserve)
get(h, block #)
warn logging system we'll modify cached block
prevent going to disk until after log is forced
modify the blocks in the cache
guarantee: all or none
ext3 groups many system calls into a "transaction"
again, hopes to coalesce many updates to a block into one logged block
there is only one open transaction at a time
ext3 commits a transaction to disk every five seconds
or on an fsync()
committing a transaction to disk
mark transaction as done (new syscalls must start new xaction)
wait for in-progress syscalls to stop()
for all blocks in list to be logged
write descriptor w/ block #
write block content from cache
wait for all log writes to finish
write the commit record
(now blocks mentioned in committed log can go to disk)
a new xaction may start while prev is committing
what if syscall in new xaction wants to change a block in committing xaction?
copy-on-write, so committing xaction uses consistent snapshot of blocks
if no crash:
after commit, cached blocks written to real locations in FS on disk
then that part of log can be re-used
what if a crash?
may not have finished writing cache to disk (i.e. FS state not consistent)
crash may also interrupt writing the log (partial commit)
how does recovery work
1. find the start and end of the log
scan until bad record or not the expected seq #
so crash during commit -> last transaction ignored during recovery
2. replay all blocks from whole transactions, in log order
other interesting tidbits about ext3
ordered vs journaled
correctness challenges w/ ordered:
A. rmdir, re-use block for file, ordered write of file, crash before log
now scribbled over the file
defer free of block until freeing operation forced to log on disk
B. rmdir, re-use block in file, ordered file write, log force,
crash, replay rmdir
file is left w/ directory content e.g. . and ..
so revoke records, prevent log replay of a given block
lack of checksum in commit record
bad news if disk re-orders writes
probably weak correctness for detecting end of log
what if old data looks like end-of-log record
rm a file while fd is open, then crash
how to cause inode and blocks to be freed?
keep a list of orphaned files, pointed to by superblock
remember: question was "can xsyncfs ask ext3 to write a single block?"
xsyncfs must force whole log, including unrelated updates
given that ext3 won't let you write an individual block
why do they have to do all that causal tracking?
why not just force the log when program does external output?
this eliminates a potential advantage of xsyncfs over async logging FS
in principle, if there are multiple unrelated apps,
xsyncfs only needs to force causally related updates
not entire log, which is what ordinary ext3 fsync() does
in practice, xsyncfs forces whole ext3 log
figure 3: durability
very cool that they systematically test crashes
async is ordinary ext3, force every 5 seconds or on fsync
sync is force ext3 log after every system call
sync + write barriers fixes ide write caching
xsyncfs uses ext3 and write barriers
comparison unfair: async ext3 should be using write barriers
that is how it was designed to be used
then it would be as durable (and as high performance) as xsyncfs
figure 6: mysql, vs async ext3 with write barriers
so both systems are arguably equally durable
why does xsyncfs win with few threads?
why does ext3 catch up with many threads?
figure 7: web server, not much difference, why?
what does specweb99 do?