Lecture: crash consistency

All File Systems Are Not Created Equal: On the Complexity of Crafting Crash-Consistent Applications, OSDI 2014

Question

In Figure 4(A)(i), “LevelDB compaction,” why is there an arrow from rename(tmp, current) to unlink(mani-old)? Specifically, what happens if the two operations get reordered?

Note that “CURRENT is a simple text file that contains the name of the latest MANIFEST file” - check LevelDB’s format if you are interested.

Question

Consider the follow program for updating a file on POSIX systems:

open(name, O_CREAT | O_TRUNC, 0666);
write();
close();

One may argue that this is unsafe and we should do something like this instead:

creat(tmp, ...);
write();
fsync();
rename(tmp, name);

Based on what you have read in this paper, do you agree? Briely explain why or why not. Free free to propose your own solutions.

Question

What kind of vulnerabilities does ALICE focus on detecting? Give one example that ALICE can detect and one that it cannot detect. How do you think Alice can help with future file-system design (e.g., Section 4.6)?

Question

Provide a list of questions you would like to discuss in class. Feel free to provide any comments on the paper and related topics (e.g., which parts you like and which parts you find confusing).

crash consistency
- file system review: superblock, inode, free bitmap, data block, directory entries
  - example: file create
    - allocate a new block
    - add dirent entry to parent directory
    - write file inode
- problem: need to update multiple blocks
  - which operations should happen first?
  - what happens if the operations don’t complete?
    - dirent entry points to uninitialized inode - reliablity & security
    - block allocated but not used - waste
    - compare to memory bugs: dangling pointers and leak
- challenges
  - machine may crash at any point
  - disk may reorder writes (unless with flush or a synchronous disk)
  - how to tell if multi-block updates are incomplete?
  - how to either continue with or undo incomplete updates
- goal: crash safety
  - the file system must be “usable” after reboot and recovery
  - invariant: maintain consistent file system state
assumptions
- the system can crash at any arbitrary point
- fail-stop: the disk may miss writes
  - no arbitrary writes, no disk corruption
  - power failures, hardware failures, kernel panics
- single sector/block write is often atomic (by hw)
- ignore concurrency for now - is it related to crash consistency?
approaches
- redundancy: replication, checksums
- best effort repair: fsck
- journaling / write-ahead logging
  - write a log, apply writes, delete log - how many disk flushes
  - downsides
    - write everything twice (data journaling)
    - optimizations (log bypass, delayed allocation, etc.) further complicate the behavior
- copy-on-write
  - log-structured file systems
  - btrfs: COW btrees - see an example in Section 2 of Bruno’s BS thesis
- soft updates - recall the rules in exokernel/XN
understanding crash consistency in file systems
- today’s storage stack is complex
  - see Linux
  - each layer may introduce reordering/spltting/merging
- today’s paper (OSDI’14)
- Ferrite (ASPLOS’16): crash consistency models
  - analogy: memory consistency models
  - limus tests, formal specs (axiomatic, operational), reference impl
- testing/model checking: FiSC (OSDI’04), EXPLODE (OSDI’06), CrashMonkey/ACE (OSDI’18)
- can we do better - simplify/define crash consistency
  - O_TMPFILE - see open
  - rethink the sync (OSDI’06)
  - formal specs with crash
    - data journaling: FSCQ (SOSP’15), Yggdrasil (OSDI’16)
    - metadata prefix: DFSCQ (SOSP’17)
  - crash consistency+concurrency?
    - will discuss more next week
    - example: ScaleFS (SOSP’17)