From: "NeilBrown" <neilb@suse.de>
To: "Jeff Layton" <jlayton@kernel.org>
Cc: "Trond Myklebust" <trondmy@hammerspace.com>,
"bfields@fieldses.org" <bfields@fieldses.org>,
"zohar@linux.ibm.com" <zohar@linux.ibm.com>,
"djwong@kernel.org" <djwong@kernel.org>,
"brauner@kernel.org" <brauner@kernel.org>,
"linux-xfs@vger.kernel.org" <linux-xfs@vger.kernel.org>,
"linux-api@vger.kernel.org" <linux-api@vger.kernel.org>,
"david@fromorbit.com" <david@fromorbit.com>,
"fweimer@redhat.com" <fweimer@redhat.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"chuck.lever@oracle.com" <chuck.lever@oracle.com>,
"linux-man@vger.kernel.org" <linux-man@vger.kernel.org>,
"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
"tytso@mit.edu" <tytso@mit.edu>,
"linux-ext4@vger.kernel.org" <linux-ext4@vger.kernel.org>,
"jack@suse.cz" <jack@suse.cz>,
"viro@zeniv.linux.org.uk" <viro@zeniv.linux.org.uk>,
"xiubli@redhat.com" <xiubli@redhat.com>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
"adilger.kernel@dilger.ca" <adilger.kernel@dilger.ca>,
"lczerner@redhat.com" <lczerner@redhat.com>,
"ceph-devel@vger.kernel.org" <ceph-devel@vger.kernel.org>,
"linux-btrfs@vger.kernel.org" <linux-btrfs@vger.kernel.org>
Subject: Re: [man-pages RFC PATCH v4] statx, inode: document the new STATX_INO_VERSION field
Date: Fri, 16 Sep 2022 08:23:55 +1000 [thread overview]
Message-ID: <166328063547.15759.12797959071252871549@noble.neil.brown.name> (raw)
In-Reply-To: <e8922bc821a40f5a3f0a1301583288ed19b6891b.camel@kernel.org>
On Fri, 16 Sep 2022, Jeff Layton wrote:
> On Thu, 2022-09-15 at 19:03 +0000, Trond Myklebust wrote:
> > On Thu, 2022-09-15 at 14:11 -0400, Jeff Layton wrote:
> > > On Thu, 2022-09-15 at 17:49 +0000, Trond Myklebust wrote:
> > > > On Thu, 2022-09-15 at 12:45 -0400, Jeff Layton wrote:
> > > > > On Thu, 2022-09-15 at 15:08 +0000, Trond Myklebust wrote:
> > > > > > On Thu, 2022-09-15 at 10:06 -0400, J. Bruce Fields wrote:
> > > > > > > On Tue, Sep 13, 2022 at 09:14:32AM +1000, NeilBrown wrote:
> > > > > > > > On Mon, 12 Sep 2022, J. Bruce Fields wrote:
> > > > > > > > > On Sun, Sep 11, 2022 at 08:13:11AM +1000, NeilBrown
> > > > > > > > > wrote:
> > > > > > > > > > On Fri, 09 Sep 2022, Jeff Layton wrote:
> > > > > > > > > > >
> > > > > > > > > > > The machine crashes and comes back up, and we get a
> > > > > > > > > > > query
> > > > > > > > > > > for
> > > > > > > > > > > i_version
> > > > > > > > > > > and it comes back as X. Fine, it's an old version.
> > > > > > > > > > > Now
> > > > > > > > > > > there
> > > > > > > > > > > is a write.
> > > > > > > > > > > What do we do to ensure that the new value doesn't
> > > > > > > > > > > collide
> > > > > > > > > > > with X+1?
> > > > > > > > > >
> > > > > > > > > > (I missed this bit in my earlier reply..)
> > > > > > > > > >
> > > > > > > > > > How is it "Fine" to see an old version?
> > > > > > > > > > The file could have changed without the version
> > > > > > > > > > changing.
> > > > > > > > > > And I thought one of the goals of the crash-count was
> > > > > > > > > > to be
> > > > > > > > > > able to
> > > > > > > > > > provide a monotonic change id.
> > > > > > > > >
> > > > > > > > > I was still mainly thinking about how to provide reliable
> > > > > > > > > close-
> > > > > > > > > to-open
> > > > > > > > > semantics between NFS clients. In the case the writer
> > > > > > > > > was an
> > > > > > > > > NFS
> > > > > > > > > client, it wasn't done writing (or it would have
> > > > > > > > > COMMITted),
> > > > > > > > > so
> > > > > > > > > those
> > > > > > > > > writes will come in and bump the change attribute soon,
> > > > > > > > > and
> > > > > > > > > as
> > > > > > > > > long as
> > > > > > > > > we avoid the small chance of reusing an old change
> > > > > > > > > attribute,
> > > > > > > > > we're OK,
> > > > > > > > > and I think it'd even still be OK to advertise
> > > > > > > > > CHANGE_TYPE_IS_MONOTONIC_INCR.
> > > > > > > >
> > > > > > > > You seem to be assuming that the client doesn't crash at
> > > > > > > > the
> > > > > > > > same
> > > > > > > > time
> > > > > > > > as the server (maybe they are both VMs on a host that lost
> > > > > > > > power...)
> > > > > > > >
> > > > > > > > If client A reads and caches, client B writes, the server
> > > > > > > > crashes
> > > > > > > > after
> > > > > > > > writing some data (to already allocated space so no inode
> > > > > > > > update
> > > > > > > > needed)
> > > > > > > > but before writing the new i_version, then client B
> > > > > > > > crashes.
> > > > > > > > When server comes back the i_version will be unchanged but
> > > > > > > > the
> > > > > > > > data
> > > > > > > > has
> > > > > > > > changed. Client A will cache old data indefinitely...
> > > > > > >
> > > > > > > I guess I assume that if all we're promising is close-to-
> > > > > > > open,
> > > > > > > then a
> > > > > > > client isn't allowed to trust its cache in that situation.
> > > > > > > Maybe
> > > > > > > that's
> > > > > > > an overly draconian interpretation of close-to-open.
> > > > > > >
> > > > > > > Also, I'm trying to think about how to improve things
> > > > > > > incrementally.
> > > > > > > Incorporating something like a crash count into the on-disk
> > > > > > > i_version
> > > > > > > fixes some cases without introducing any new ones or
> > > > > > > regressing
> > > > > > > performance after a crash.
> > > > > > >
> > > > > > > If we subsequently wanted to close those remaining holes, I
> > > > > > > think
> > > > > > > we'd
> > > > > > > need the change attribute increment to be seen as atomic with
> > > > > > > respect
> > > > > > > to
> > > > > > > its associated change, both to clients and (separately) on
> > > > > > > disk.
> > > > > > > (That
> > > > > > > would still allow the change attribute to go backwards after
> > > > > > > a
> > > > > > > crash,
> > > > > > > to
> > > > > > > the value it held as of the on-disk state of the file. I
> > > > > > > think
> > > > > > > clients
> > > > > > > should be able to deal with that case.)
> > > > > > >
> > > > > > > But, I don't know, maybe a bigger hammer would be OK:
> > > > > > >
> > > > > >
> > > > > > If you're not going to meet the minimum bar of data integrity,
> > > > > > then
> > > > > > this whole exercise is just a massive waste of everyone's time.
> > > > > > The
> > > > > > answer then going forward is just to recommend never using
> > > > > > Linux as
> > > > > > an
> > > > > > NFS server. Makes my life much easier, because I no longer have
> > > > > > to
> > > > > > debug any of the issues.
> > > > > >
> > > > > >
> > > > >
> > > > > To be clear, you believe any scheme that would allow the client
> > > > > to
> > > > > see
> > > > > an old change attr after a crash is insufficient?
> > > > >
> > > >
> > > > Correct. If a NFSv4 client or userspace application cannot trust
> > > > that
> > > > it will always see a change to the change attribute value when the
> > > > file
> > > > data changes, then you will eventually see data corruption due to
> > > > the
> > > > cached data no longer matching the stored data.
> > > >
> > > > A false positive update of the change attribute (i.e. a case where
> > > > the
> > > > change attribute changes despite the data/metadata staying the
> > > > same) is
> > > > not desirable because it causes performance issues, but false
> > > > negatives
> > > > are far worse because they mean your data backup, cache, etc... are
> > > > not
> > > > consistent. Applications that have strong consistency requirements
> > > > will
> > > > have no option but to revalidate by always reading the entire file
> > > > data
> > > > + metadata.
> > > >
> > > > > The only way I can see to fix that (at least with only a crash
> > > > > counter)
> > > > > would be to factor it in at presentation time like Neil
> > > > > suggested.
> > > > > Basically we'd just mask off the top 16 bits and plop the crash
> > > > > counter
> > > > > in there before presenting it.
> > > > >
> > > > > In principle, I suppose we could do that at the nfsd level as
> > > > > well
> > > > > (and
> > > > > that might be the simplest way to fix this). We probably wouldn't
> > > > > be
> > > > > able to advertise a change attr type of MONOTONIC with this
> > > > > scheme
> > > > > though.
> > > >
> > > > Why would you want to limit the crash counter to 16 bits?
> > > >
> > >
> > > To leave more room for the "real" counter. Otherwise, an inode that
> > > gets
> > > frequent writes after a long period of no crashes could experience
> > > the
> > > counter wrap.
> > >
> > > IOW, we have 63 bits to play with. Whatever part we dedicate to the
> > > crash counter will not be available for the actual version counter.
> > >
> > > I'm proposing a 16+47+1 split, but I'm happy to hear arguments for a
> > > different one.
> >
> >
> > What is the expectation when you have an unclean shutdown or crash? Do
> > all change attribute values get updated to reflect the new crash
> > counter value, or only some?
> >
> > If the answer is that 'all values change', then why store the crash
> > counter in the inode at all? Why not just add it as an offset when
> > you're generating the user-visible change attribute?
> >
> > i.e. statx.change_attr = inode->i_version + (crash counter * offset)
> >
> > (where offset is chosen to be larger than the max number of inode-
> > > i_version updates that could get lost by an inode in a crash).
> >
> > Presumably that offset could be significantly smaller than 2^63...
> >
>
>
> Yes, if we plan to ensure that all the change attrs change after a
> crash, we can do that.
>
> So what would make sense for an offset? Maybe 2**12? One would hope that
> there wouldn't be more than 4k increments before one of them made it to
> disk. OTOH, maybe that can happen with teeny-tiny writes.
Leave it up the to filesystem to decide. The VFS and/or NFSD should
have not have part in calculating the i_version. It should be entirely
in the filesystem - though support code could be provided if common
patterns exist across filesystems.
A filesystem *could* decide to ensure the on-disk i_version is updated
when the difference between in-memory and on-disk reaches X/2, and add X
after an unclean restart. Or it could just choose a large X and hope.
Or it could do something else that neither of us has thought of. But
PLEASE leave the filesystem in control, do not make it fit with our
pre-conceived ideas of what would be easy for it.
>
> If we want to leave this up to the filesystem, I guess we could just add
> a new struct super_block.s_version_offset field and let the filesystem
> precompute that value and set it at mount time. Then we can just add
> that in after querying i_version.
If we are leaving "this up to the filesystem", the we don't add anything
to struct super_block and we don't add anything "in after querying
i_version". Rather, we "leave this up to the filesystem" and use
exactly the i_version that the filesystem provides. We only provide
advice as to minimum requirements, preferred behaviours, and possible
implementation suggestions.
NeilBrown
> --
> Jeff Layton <jlayton@kernel.org>
>
next prev parent reply other threads:[~2022-09-15 22:24 UTC|newest]
Thread overview: 126+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-07 11:16 [man-pages RFC PATCH v4] statx, inode: document the new STATX_INO_VERSION field Jeff Layton
2022-09-07 11:37 ` NeilBrown
2022-09-07 12:20 ` J. Bruce Fields
2022-09-07 12:58 ` Jeff Layton
2022-09-07 12:47 ` Jeff Layton
2022-09-07 12:52 ` J. Bruce Fields
2022-09-07 13:12 ` Jeff Layton
2022-09-07 13:51 ` Jan Kara
2022-09-07 14:43 ` Jeff Layton
2022-09-08 0:44 ` NeilBrown
2022-09-08 8:33 ` Jan Kara
2022-09-08 15:21 ` Theodore Ts'o
2022-09-08 15:44 ` J. Bruce Fields
2022-09-08 15:44 ` Jeff Layton
2022-09-08 15:56 ` J. Bruce Fields
2022-09-08 16:15 ` Chuck Lever III
2022-09-08 17:40 ` Jeff Layton
2022-09-08 18:22 ` J. Bruce Fields
2022-09-08 19:07 ` Jeff Layton
2022-09-08 23:01 ` NeilBrown
2022-09-08 23:23 ` Jeff Layton
2022-09-08 23:45 ` NeilBrown
2022-09-09 15:45 ` J. Bruce Fields
2022-09-09 16:36 ` Jeff Layton
2022-09-10 14:56 ` J. Bruce Fields
2022-09-12 11:42 ` Jeff Layton
2022-09-12 12:13 ` Florian Weimer
2022-09-12 12:55 ` Jeff Layton
2022-09-12 13:20 ` Florian Weimer
2022-09-12 13:49 ` Jeff Layton
2022-09-12 13:51 ` J. Bruce Fields
2022-09-12 14:02 ` Jeff Layton
2022-09-12 14:47 ` J. Bruce Fields
2022-09-12 14:15 ` Trond Myklebust
2022-09-12 14:50 ` J. Bruce Fields
2022-09-12 14:56 ` Trond Myklebust
2022-09-12 15:32 ` Trond Myklebust
2022-09-12 15:49 ` Jeff Layton
2022-09-12 12:54 ` J. Bruce Fields
2022-09-12 12:59 ` Jeff Layton
2022-09-13 0:29 ` John Stoffel
2022-09-13 0:41 ` Dave Chinner
2022-09-13 1:49 ` NeilBrown
2022-09-13 2:41 ` Dave Chinner
2022-09-13 3:30 ` NeilBrown
2022-09-13 9:38 ` Theodore Ts'o
2022-09-13 19:02 ` J. Bruce Fields
2022-09-13 23:19 ` NeilBrown
2022-09-14 0:08 ` J. Bruce Fields
2022-09-09 20:34 ` John Stoffel
2022-09-10 22:13 ` NeilBrown
2022-09-12 10:43 ` Jeff Layton
2022-09-12 13:42 ` J. Bruce Fields
2022-09-12 23:14 ` NeilBrown
2022-09-15 14:06 ` J. Bruce Fields
2022-09-15 15:08 ` Trond Myklebust
2022-09-15 16:45 ` Jeff Layton
2022-09-15 17:49 ` Trond Myklebust
2022-09-15 18:11 ` Jeff Layton
2022-09-15 19:03 ` Trond Myklebust
2022-09-15 19:25 ` Jeff Layton
2022-09-15 22:23 ` NeilBrown [this message]
2022-09-16 6:54 ` Theodore Ts'o
2022-09-16 11:36 ` Jeff Layton
2022-09-16 15:11 ` Jeff Layton
2022-09-18 23:53 ` Dave Chinner
2022-09-19 13:13 ` Jeff Layton
2022-09-20 0:16 ` Dave Chinner
2022-09-20 10:26 ` Jeff Layton
2022-09-21 0:00 ` Dave Chinner
2022-09-21 10:33 ` Jeff Layton
2022-09-21 21:41 ` Dave Chinner
2022-09-22 10:18 ` Jeff Layton
2022-09-22 20:18 ` Jeff Layton
2022-09-23 9:56 ` Jan Kara
2022-09-23 10:19 ` Jeff Layton
2022-09-23 13:44 ` Trond Myklebust
2022-09-23 13:50 ` Jeff Layton
2022-09-23 14:58 ` Frank Filz
2022-09-26 22:43 ` NeilBrown
2022-09-27 11:14 ` Jeff Layton
2022-09-27 13:18 ` Jeff Layton
2022-09-15 15:41 ` Jeff Layton
2022-09-15 22:42 ` NeilBrown
2022-09-16 11:32 ` Jeff Layton
2022-09-09 12:11 ` Theodore Ts'o
2022-09-09 12:47 ` Jeff Layton
2022-09-09 13:48 ` Theodore Ts'o
2022-09-09 14:43 ` Jeff Layton
2022-09-09 14:58 ` Theodore Ts'o
2022-09-08 22:55 ` NeilBrown
2022-09-08 23:59 ` Trond Myklebust
2022-09-09 0:51 ` NeilBrown
2022-09-09 1:05 ` Trond Myklebust
2022-09-09 1:07 ` NeilBrown
2022-09-09 1:10 ` Trond Myklebust
2022-09-09 2:14 ` Trond Myklebust
2022-09-09 6:41 ` NeilBrown
2022-09-10 12:39 ` Jeff Layton
2022-09-10 22:53 ` NeilBrown
2022-09-12 10:25 ` Jeff Layton
2022-09-12 23:29 ` NeilBrown
2022-09-13 1:15 ` Dave Chinner
2022-09-13 1:41 ` NeilBrown
2022-09-13 19:01 ` Jeff Layton
2022-09-13 23:24 ` NeilBrown
2022-09-14 11:51 ` Jeff Layton
2022-09-14 22:45 ` NeilBrown
2022-09-14 23:02 ` NeilBrown
2022-09-08 22:40 ` NeilBrown
2022-09-07 13:55 ` Trond Myklebust
2022-09-07 14:05 ` Jeff Layton
2022-09-07 15:04 ` Trond Myklebust
2022-09-07 15:11 ` Jeff Layton
2022-09-08 0:40 ` NeilBrown
2022-09-08 11:34 ` Jeff Layton
2022-09-08 22:29 ` NeilBrown
2022-09-09 11:53 ` Jeff Layton
2022-09-10 22:58 ` NeilBrown
2022-09-10 19:46 ` Al Viro
2022-09-10 23:00 ` NeilBrown
2022-09-08 0:31 ` NeilBrown
2022-09-08 0:41 ` Trond Myklebust
2022-09-08 0:53 ` NeilBrown
2022-09-08 11:37 ` Jeff Layton
2022-09-08 12:40 ` Trond Myklebust
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=166328063547.15759.12797959071252871549@noble.neil.brown.name \
--to=neilb@suse.de \
--cc=adilger.kernel@dilger.ca \
--cc=bfields@fieldses.org \
--cc=brauner@kernel.org \
--cc=ceph-devel@vger.kernel.org \
--cc=chuck.lever@oracle.com \
--cc=david@fromorbit.com \
--cc=djwong@kernel.org \
--cc=fweimer@redhat.com \
--cc=jack@suse.cz \
--cc=jlayton@kernel.org \
--cc=lczerner@redhat.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-xfs@vger.kernel.org \
--cc=trondmy@hammerspace.com \
--cc=tytso@mit.edu \
--cc=viro@zeniv.linux.org.uk \
--cc=xiubli@redhat.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).