On Wednesday, August 31, 2016 12:12:15 AM Volker Armin Hemmann wrote:
> On 30.08.2016 at 23:59, Rich Freeman wrote:
> > On Tue, Aug 30, 2016 at 4:58 PM, Volker Armin Hemmann
> > <volkerarmin@××××××××××.com> wrote:
> >> the journal does not add any data integrity benefits at all. It just
> >> makes it more likely that the fs is in a sane state if there is a crash.
> >> Likely. Not a guarantee. Your data? No one cares.
> >
> > That depends on the mode of operation. In journal=data I believe
> > everything gets written twice, which should make it fairly immune to
> > most forms of corruption.
>
> nope. Crash at the wrong time, data gone. FS hopefully sane.

No, seriously. Mount with data=journal. Per ext4(5):

       data={journal|ordered|writeback}
              Specifies the journaling mode for file data. Metadata is
              always journaled. To use modes other than ordered on the
              root filesystem, pass the mode to the kernel as boot
              parameter, e.g. rootflags=data=journal.

              journal
                     All data is committed into the journal prior to
                     being written into the main filesystem.

              ordered
                     This is the default mode. All data is forced
                     directly out to the main file system prior to its
                     metadata being committed to the journal.

              writeback
                     Data ordering is not preserved - data may be
                     written into the main filesystem after its metadata
                     has been committed to the journal. This is rumoured
                     to be the highest-throughput option. It guarantees
                     internal filesystem integrity, however it can allow
                     old data to appear in files after a crash and
                     journal recovery.

In writeback mode, only filesystem metadata goes through the journal. This
guarantees that the filesystem's structure itself will remain intact in the
event of a crash.

In data=journal mode, the contents of files pass through the journal as well,
ensuring that, at least as far as the filesystem's responsibility is
concerned, the data will be intact in the event of a crash.
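
For concreteness, here is how you'd turn that mode on. The device and mount
point below are placeholders, not anything from this thread:

```shell
# One-off mount of an ext4 filesystem with full data journaling
# (hypothetical device and mount point):
mount -o data=journal /dev/sdb1 /mnt/data

# To make it persistent, add it to the options field in /etc/fstab:
#   /dev/sdb1  /mnt/data  ext4  defaults,data=journal  0 2

# For the root filesystem, per ext4(5), pass it on the kernel command
# line instead:
#   rootflags=data=journal
```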

Now, I can still think of ways you can lose data in data=journal mode:

* You mounted the filesystem with barrier=0 or with nobarrier; this can
result in data writes going to disk out of order, even if the I/O stack
supports barriers. If you say "my file is ninety bytes", "here are ninety
bytes of data, all 9s", "my file is now thirty bytes", "here are thirty
bytes of data, all 3s", then in the end you should have a thirty-byte file
filled with 3s. If you have barriers enabled and you crash halfway through
the whole process, you should find a file of ninety bytes, all 9s. But if
you have barriers disabled, the data may hit disk as though you'd said "my
file is ninety bytes, here are ninety bytes of data, all 9s, here are
thirty bytes of data, all 3s, now my file is thirty bytes." If that
happens, and you crash partway through the commit to disk, you may see a
ninety-byte file consisting of thirty 3s and sixty 9s. Or things may land
such that you see a thirty-byte file of 9s.
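
The application-visible version of that sequence looks like this (a sketch on
a scratch file; `sync FILE` from coreutils stands in for the fsync() a real
program would call, and it only demonstrates the ordering at the application
boundary, not the kernel's barrier behavior):

```shell
# Simulate the write sequence from the example above.
f=$(mktemp)
printf '9%.0s' $(seq 90) > "$f"   # "here are ninety bytes of data, all 9s"
sync "$f"                         # force them to stable storage
printf '3%.0s' $(seq 30) > "$f"   # truncate and rewrite: thirty 3s
sync "$f"
wc -c < "$f"                      # the surviving file is 30 bytes of 3s
```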

* Your application didn't flush its writes to disk when it should have.
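
The usual defensive pattern, sketched in shell with made-up filenames (again
using coreutils `sync FILE` in place of an application's fsync() calls), is
write, flush, then atomically rename:

```shell
# Write the new contents to a temporary file first (names are placeholders).
printf 'important data\n' > state.tmp
sync state.tmp      # flush the file's data before publishing it
mv state.tmp state  # atomic rename: readers see old or new, never half
sync .              # flush the directory entry so the rename itself survives
```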

* Your vm.dirty_bytes or vm.dirty_ratio are too high, you've been writing a
lot to disk, and the kernel still has a lot of data buffered waiting to be
written. (Well, that can always lead to data loss regardless of how high those
settings are, which is why applications should flush their writes.)
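
Those knobs live under /proc/sys, so it's easy to see how much a given box
lets pile up. The write is commented out because the value is just an
example and needs root:

```shell
# Current writeback thresholds (percent of memory; 0 if the *_bytes
# variants are in effect instead):
cat /proc/sys/vm/dirty_ratio
cat /proc/sys/vm/dirty_bytes

# Cap dirty data at ~256 MiB instead (example value; requires root):
# sysctl -w vm.dirty_bytes=268435456
```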

* You've used hdparm to enable write buffers in your hard disks, and your hard
disks lose power while their buffers have data waiting to be written.
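
For reference, -W is the hdparm flag for the drive's volatile write cache;
the device name below is a placeholder and both commands need root:

```shell
# Query whether the drive's write cache is enabled (hypothetical device):
hdparm -W /dev/sda

# Turn it off if you don't trust the drive to drain its cache on power
# loss (at a cost in write throughput):
# hdparm -W 0 /dev/sda
```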

* You're using a buggy disk device that does a poor job of handling power
loss. Such as some SSDs which don't have large enough capacitors for their own
write reordering. Or just about any flash drive.

* There's a bug in some code, somewhere.

>
> > f2fs would also have this benefit. Data is not overwritten in-place
> > in a log-based filesystem; they're essentially journaled by their
> > design (actually, they're basically what you get if you ditch the
> > regular part of the filesystem and keep nothing but the journal).
> >
> >> If you want an fs that cares about your data: zfs.
> >
> > I won't argue that the COW filesystems have better data security
> > features. It will be nice when they're stable in the main kernel.
>
> it is not so much about cow, but integrity checks all the way from the
> moment the cpu spends some cycles on it. Caught some silent file
> corruptions that way. Switched to ECC ram and never saw them again.

In-memory corruption of a data is a universal hazard. ECC should be the norm, |
96 |
not the exception, honestly. |
97 |
|
98 |
-- |
99 |
:wq |