| 1 |
On Wednesday, August 31, 2016 12:12:15 AM Volker Armin Hemmann wrote: |
| 2 |
> Am 30.08.2016 um 23:59 schrieb Rich Freeman: |
| 3 |
> > On Tue, Aug 30, 2016 at 4:58 PM, Volker Armin Hemmann |
| 4 |
> > |
| 5 |
> > <volkerarmin@××××××××××.com> wrote: |
| 6 |
> >> the journal does not add any data integrity benefits at all. It just |
| 7 |
> >> makes it more likely that the fs is in a sane state if there is a crash. |
| 8 |
> >> Likely. Not a guarantee. Your data? No one cares. |
| 9 |
> > |
| 10 |
> > That depends on the mode of operation. In journal=data I believe |
| 11 |
> > everything gets written twice, which should make it fairly immune to |
| 12 |
> > most forms of corruption. |
| 13 |
> |
| 14 |
> nope. Crash at the wrong time, data gone. FS hopefully sane. |
| 15 |
|
| 16 |
No, seriously. Mount with data=ordered. Per ext4(5): |
| 17 |
|
| 18 |
data={journal|ordered|writeback} |
| 19 |
Specifies the journaling mode for file data. Metadata is always |
| 20 |
journaled. To use modes other than ordered on the root filesystem, pass the |
| 21 |
mode to the kernel as boot parameter, e.g. rootflags=data=journal. |
| 22 |
|
| 23 |
journal |
| 24 |
All data is committed into the journal prior to being |
| 25 |
written into the main filesystem. |
| 26 |
|
| 27 |
ordered |
| 28 |
This is the default mode. All data is forced directly |
| 29 |
out to the main file system prior to its metadata being committed to the |
| 30 |
journal. |
| 31 |
|
| 32 |
writeback |
| 33 |
Data ordering is not preserved – data may be written into |
| 34 |
the main filesystem after its metadata has been committed to the journal. This |
| 35 |
is rumoured to be the highest-throughput option. It guarantees internal |
| 36 |
filesystem integrity, however it can allow old data to appear in files after a |
| 37 |
crash and journal recovery. |
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
In writeback mode, only filesystem metadata goes through the journal. This |
| 42 |
guarantees that the filesystem's structure itself will remain intact in the |
| 43 |
event of a crash. |
| 44 |
|
| 45 |
In data=journal mode, the contents of files pass through the journal as well, |
| 46 |
ensuring that, at least as far as the filesystem's responsibility is concerned, |
| 47 |
the data will be intact in the event of a crash. |
| 48 |
|
| 49 |
Now, I can still think of ways you can lose data in data=journal mode: |
| 50 |
|
| 51 |
* You mounted the filesystem with barrier=0 or with nobarrier; this can result |
| 52 |
in data writes going to disk out of order, if the I/O stack supports barriers. |
| 53 |
If you say "my file is ninety bytes" "here are ninety bytes of data, all 9s", |
| 54 |
"my file is now thirty bytes", "here are thirty bytes of data, all 3s", then in |
| 55 |
the end you should have a thirty-byte file filled with 3s. If you have barriers |
| 56 |
enabled and you crash halfway through the whole process, you should find a file |
| 57 |
of ninety bytes, all 9s. But if you have barriers disabled, the data may hit |
| 58 |
disk as though you'd said "my file is ninety bytes, here are ninety bytes of |
| 59 |
data, all 9s, here are thirty bytes of data, all 3s, now my file is thirty |
| 60 |
bytes." If that happens, and you crash partway through the commit to disk, you |
| 61 |
may see a ninety-byte file consisting of thirty 3s and sixty 9s. Or things may |
| 62 |
landthat you see a thirty-byte file of 9s. |
| 63 |
|
| 64 |
* Your application didn't flush its writes to disk when it should have. |
| 65 |
|
| 66 |
* Your vm.dirty_bytes or vm.dirty_ratio are too high, you've been writing a |
| 67 |
lot to disk, and the kernel still has a lot of data buffered waiting to be |
| 68 |
written. (Well, that can always lead to data loss regardless of how high those |
| 69 |
settings are, which is why applications should flush their writes.) |
| 70 |
|
| 71 |
* You've used hdparm to enable write buffers in your hard disks, and your hard |
| 72 |
disks lose power while their buffers have data waiting to be written. |
| 73 |
|
| 74 |
* You're using a buggy disk device that does a poor job of handling power |
| 75 |
loss. Such as some SSDs which don't have large enough capacitors for their own |
| 76 |
write reordering. Or just about any flash drive. |
| 77 |
|
| 78 |
* There's a bug in some code, somewhere. |
| 79 |
|
| 80 |
> |
| 81 |
> > f2fs would also have this benefit. Data is not overwritten in-place |
| 82 |
> > in a log-based filesystem; they're essentially journaled by their |
| 83 |
> > design (actually, they're basically what you get if you ditch the |
| 84 |
> > regular part of the filesystem and keep nothing but the journal). |
| 85 |
> > |
| 86 |
> >> If you want an fs that cares about your data: zfs. |
| 87 |
> > |
| 88 |
> > I won't argue that the COW filesystems have better data security |
| 89 |
> > features. It will be nice when they're stable in the main kernel. |
| 90 |
> |
| 91 |
> it is not so much about cow, but integrity checks all the way from the |
| 92 |
> moment the cpu spends some cycles on it. Caught some silent file |
| 93 |
> corruptions that way. Switched to ECC ram and never saw them again. |
| 94 |
|
| 95 |
In-memory corruption of a data is a universal hazard. ECC should be the norm, |
| 96 |
not the exception, honestly. |
| 97 |
|
| 98 |
-- |
| 99 |
:wq |
Archives