Re: [patch] document flash/RAID dangers

From: Pavel Machek
Date: Sun Aug 30 2009 - 02:49:29 EST

Next message: Mario: "Re: Is acpi_ec_ecdt_probe() broken? (was: Re: ACPI locks hardware devices when it doesn't detect vista)"
Previous message: Pavel Machek: "Re: [PATCH 2/6] PM: Asynchronous resume of devices"
In reply to: Theodore Tso: "Re: [patch] document flash/RAID dangers"
Next in thread: Rik van Riel: "Re: [patch] document flash/RAID dangers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed 2009-08-26 08:37:09, Theodore Tso wrote:
> On Wed, Aug 26, 2009 at 01:25:36PM +0200, Pavel Machek wrote:
> > > you just plain cannot count on writes that are in flight when a powerfail
> > > happens to do predictable things, let alone what you consider sane or
> > > proper.
> >
> > From what I see, this kind of failure is rather harder to reproduce
> > than the software problems. And at least SGI machines were designed to
> > avoid this...
> >
> > Anyway, I'd like to hear from ext3 people... what happens on read
> > errors in journal? That's what you'd expect to see in situation above.
>
> On a power failure, what normally happens is that the random garbage
> gets written into the disk drive's last dying gasp, since the memory
> starts going insane and sends garbage to the disk. So the disk
> successfully completes the write, but the sector contains garbage.
> Since HDD's tend to be last thing to die, being less sensitive to
> voltage drops than the memory or DMA controller, my experience is that
> you don't get a read error after the system comes up, you just get
> garbage written into the journal.
>
> The ext3 journalling code waits until all of the journal code is
> written, and only then writes the commit block. On restart, we look
> for the last valid commit block. So if the power failure is before we
> write the commit block, we replay the journal up until the previous
> commit block. If the power failure is while we are writing the commit
> block, garbage will be written out instead of the commit block, and so
> it falls back to the previous case.
>
> We do not allow any updates to the filesystem metadata to take place
> until the commit block has been written; therefore the filesystem
> stays consistent.

Ok, cool.

> If there the journal *does* develop read errors, then fsck will
> require a manual fsck, and so the boot operation will get stopped so a
> system administrator can provide manual intervention. The best bet
> for the sysadmin is to replay as much of the journal she can, and then
> let fsck fix any resulting filesystem inconsistencies. In practice,

...and that should result in consistent fs with no data loss, because
read error is essentialy the same as garbage given back, right?

...plus, this is significant difference from logical-logging
filesystems, no?

Should this go to Documentation/, somewhere?

Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Mario: "Re: Is acpi_ec_ecdt_probe() broken? (was: Re: ACPI locks hardware devices when it doesn't detect vista)"
Previous message: Pavel Machek: "Re: [PATCH 2/6] PM: Asynchronous resume of devices"
In reply to: Theodore Tso: "Re: [patch] document flash/RAID dangers"
Next in thread: Rik van Riel: "Re: [patch] document flash/RAID dangers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]