Re: [RFC PATCH v2] statx, inode: document the new STATX_INO_VERSION field

From: Jeff Layton <jlayton@kernel.org>
To: Florian Weimer <fweimer@redhat.com>
Cc: tytso@mit.edu, adilger.kernel@dilger.ca, djwong@kernel.org,
	david@fromorbit.com, trondmy@hammerspace.com, neilb@suse.de,
	viro@zeniv.linux.org.uk, zohar@linux.ibm.com, xiubli@redhat.com,
	chuck.lever@oracle.com, lczerner@redhat.com, jack@suse.cz,
	bfields@fieldses.org, brauner@kernel.org,
	linux-man@vger.kernel.org, linux-api@vger.kernel.org,
	linux-btrfs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org, ceph-devel@vger.kernel.org,
	linux-ext4@vger.kernel.org, linux-nfs@vger.kernel.org,
	linux-xfs@vger.kernel.org
Subject: Re: [RFC PATCH v2] statx, inode: document the new STATX_INO_VERSION field
Date: Tue, 06 Sep 2022 12:41:30 -0400	[thread overview]
Message-ID: <d1ee62062c3f805460b7bdf2776e759be4dba43f.camel@kernel.org> (raw)
In-Reply-To: <87ilm066jh.fsf@oldenburg.str.redhat.com>

On Tue, 2022-09-06 at 14:17 +0200, Florian Weimer wrote:
> * Jeff Layton:
> 
> > All of the existing implementations use all 64 bits. If you were to
> > increment a 64 bit value every nanosecond, it will take >500 years for
> > it to wrap. I'm hoping that's good enough. ;)
> > 
> > The implementation that all of the local Linux filesystems use track
> > whether the value has been queried using one bit, so there you only get
> > 63 bits of counter.
> > 
> > My original thinking here was that we should leave the spec "loose" to
> > allow for implementations that may not be based on a counter. E.g. could
> > some filesystem do this instead by hashing certain metadata?
> 
> Hashing might have collisions that could be triggered deliberately, so
> probably not a good idea.  It's also hard to argue that random
> collisions are unlikely.
> 

In principle, if a filesystem could guarantee enough timestamp
resolution, it's possible collisions could be hard to achieve. It's also
possible you could factor in other metadata that wasn't necessarily
visible to userland to try and ensure uniqueness in the counter.

Still...

> > It's arguable though that the NFSv4 spec requires that this be based on
> > a counter, as the client is required to increment it in the case of
> > write delegations.
> 
> Yeah, I think it has to be monotonic.
> 

I think so too. NFSv4 sort of needs that anyway.

> > > If the system crashes without flushing disks, is it possible to observe
> > > new file contents without a change of i_version?
> > 
> > Yes, I think that's possible given the current implementations.
> > 
> > We don't have a great scheme to combat that at the moment, other than
> > looking at this in conjunction with the ctime. As long as the clock
> > doesn't jump backward after the crash and it takes more than one jiffy
> > to get the host back up, then you can be reasonably sure that
> > i_version+ctime should never repeat.
> > 
> > Maybe that's worth adding to the NOTES section of the manpage?
> 
> I'd appreciate that.

Ok! New version of the manpage patch sent. If no one has strong
objections to the proposed docs, I'll send out new kernel patches in the
next day or two.

Thanks!
-- 
Jeff Layton <jlayton@kernel.org>