On Wed, Apr 08, 2020 at 12:10:12AM -0400, Martin K. Petersen wrote: > > Hi Dave! > > >> In the standards space, the allocation concept was mainly aimed at > >> protecting filesystem internals against out-of-space conditions on > >> devices that dedup identical blocks and where simply zeroing the blocks > >> therefore is ineffective. > > > Um, so we're supposed to use space allocation before overwriting > > existing metadata in the filesystem? > > Not before overwriting, no. Once you have allocated an LBA it remains > allocated until you discard it. That is not a consistent argument. If the data has been deduped and we overwrite, the storage array has to allocate new physical space for an overwrite to an existing LBA. i.e. deduped data has multiple LBAs pointing to the same physical storage. Any overwrite of an LBA that maps to mulitply referenced physical storage requires the storage array to allocate new physical space for that overwrite. i.e. allocation is not determined by whether the LBA has been written to, "pinned" or not - it's whether the act of writing to that LBA requires the storage to allocate new space to allow the write to proceed. That's my point here - one particular shared data overwrite case is being special cased by preallocation (avoiding dedupe of zero filled data) to prevent ENOSPC, ignoring all the other cases where we overwrite shared non-zero data and will also require new physical space for the new data. In all those cases, the storage has to take the same action - allocation on overwrite - and so all of them are susceptible to ENOSPC. > > So that the underlying storage can reserve space for it before we > > write it? Which would mean we have to issue a space allocation before > > we dirty the metadata, which means before we dirty any metadata in a > > transaction. Which means we'll basically have to redesign the > > filesystems from the ground up, yes? > > My understanding is that this facility was aimed at filesystems that do > not dynamically allocate metadata. The intent was that mkfs would > preallocate the metadata LBA ranges, not the filesystem. For filesystems > that allocate metadata dynamically, then yes, an additional step is > required if you want to pin the LBAs. Ok, so you are confirming what I thought: it's almost completely useless to us. i.e. this requires issuing IO to "reserve" space whilst preserving data before every metadata object goes from clean to dirty in memory. But the problem with that is we don't know how much metadata we are going to dirty in any specific operation. Worse is that we don't know exactly *what* metadata we will modify until we walk structures and do lookups, which often happen after we've dirtied other structures. An ENOSPC from a space reservation at that point is fatal to the filesystem anyway, so there's no point in even trying to do this. Like I said, functionality like this cannot be retrofitted to existing filesysetms. IOWs, this is pretty much useless functionality for the filesystem layer, and if the only use is for some mythical filesystem with completely static metadata then the standards space really jumped the shark on this one.... > > You might be talking about filesystem metadata and block devices, > > but this patchset ends up connecting ext4's user data fallocate() to > > the block device, thereby allowing users to reserve space directly > > in the underlying block device and directly exposing this issue to > > userspace. > > I missed that Chaitanya's repost of this series included the ext4 patch. > Sorry! > > >> How XFS decides to enforce space allocation policy and potentially > >> leverage this plumbing is entirely up to you. > > > > Do I understand this correctly? i.e. that it is the filesystem's > > responsibility to prevent users from preallocating more space than > > exists in an underlying storage pool that has been intentionally > > hidden from the filesystem so it can be underprovisioned? > > No. But as an administrative policy it is useful to prevent runaway > applications from writing a petabyte of random garbage to media. My > point was that it is up to you and the other filesystem developers to > decide how you want to leverage the low-level allocation capability and > how you want to provide it to processes. And whether CAP_SYS_ADMIN, > ulimit, or something else is the appropriate policy interface for this. My cynical translation: the storage standards space haven't given any thought to how it can be used and/or administered in the real world. Pass the buck - let the filesystem people work that out. What I'm hearing is that this wasn't designed for typical filesystem use, it wasn't designed for typical user application use, and how to prevent abuse wasn't thought about at all. That sounds like a big fat NACK to me.... > In terms of thin provisioning and space management there are various > thresholds that may be reported by the device. In past discussions there > haven't been much interest in getting these exposed. It is also unclear > to me whether it is actually beneficial to send low space warnings to > hundreds or thousands of hosts attached to an array. In many cases the > individual server admins are not even the right audience. The most > common notification mechanism is a message to the storage array admin > saying "click here to buy more disk". Notifications are not relevant to preallocation functionality at all. -Dave. -- Dave Chinner david@xxxxxxxxxxxxx