lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 31 May 2011 00:10:41 +0200 (CEST)
From:	Jesper Juhl <jj@...osbits.net>
To:	"D. Jansen" <d.g.jansen@...glemail.com>
cc:	david@...g.hm, Theodore Tso <tytso@....edu>,
	Oliver Neukum <oneukum@...e.de>, akpm@...ux-foundation.org,
	linux-kernel@...r.kernel.org, Dave Chinner <david@...morbit.com>,
	njs@...ox.com, bart@...wel.tk
Subject: Re: [rfc] Ignore Fsync Calls in Laptop_Mode

On Mon, 30 May 2011, D. Jansen wrote:

> On Mon, May 30, 2011 at 8:45 PM,  <david@...g.hm> wrote:
> > On Mon, 30 May 2011, D. Jansen wrote:
> >
> >> On Mon, May 30, 2011 at 8:02 PM,  <david@...g.hm> wrote:
> >>>
> >>> no, you cannot just change a fsync to a barrier, in some cases the data
> >>> absolutly needs to be saved, not just ordered (remember the example of a
> >>> mail server telling the other system that the data can be deleted after a
> >>> fsync returns)
> >>
> >> I'm not really sure I why shouldn't have that choice as a user. Just
> >> because someone else could be running a mailserver on his system and
> >> configure it in a way that it doesn't behave as it should?
> >> If he really wants to do that there's really nothing we can do to stop
> >> him. I'm sure there are other ways existing kernel options can be used
> >> to make software behave different than it should. Are we going to
> >> remove them all now?
> >>
> >> The big problem is that so far only fsync existed and lots of software
> >> seemingly abuses it as an expensive write barrier. And it would really
> >> be lovely to have the choice to stop that on an opt-in basis in laptop
> >> mode.
> >
> > is the benifit of not spinning up the disk really worth the risk of loosing
> > data?
> 
> Is that a choice I can make myself? Is that a choice I make with
> laptop mode? Or is that a choice I may only make if I'm willing to
> modify and compile my own kernel?
> >
> > and should this really be a global across-the-board option?
> 
> The point is option imo.
> >
> > the problem is that most users don't know what their system is running, or
> > what effect disaling fsync would have. those that do can probably use
> > LD_PRELOAD to override fsync calls.
> 
> As we found out, they can't. But if we export barrier, I hope a
> library could wrap fsyncs into barriers. Is that the case?
> >
> > it doesn't take running a mail server, even a mail client will have the same
> > risk. If you use POP for mail (a very common option) then you download
> > messages and tell the server to delete them. if you do not really save them
> > (one fsync after they are all saved), then you can loose everything that you
> > downloaded.
> 
> Yes, I know. It's the same argument again and again. I understand not
> everybody wants this. But some do. Some prefer working 10-20% longer
> on battery (certainty) instead of possibly losing 5 % data
> (possibility) or losing all your data (possibility if you use laptop
> mode and the hard disk wakes up again and again and eventually wears
> out). That's why there's laptop mode. And this would play into laptop
> mode and prevent the hard disk from breaking down prematurely and
> saving battery.
> 

But how can you say that you are only risking 5% data loss or only risking 
your most recent data?  You can't.
fsync provides guarantees and applications take advantage of that 
guarantee and you have no way of knowing what breaking those guarantees 
will mean for all applications in the system (not without a *lot* of 
research work at least).
You may be willing to lose a few emails or a few recently modified plain 
text files or office documents. But how would you feel if that multi 
megabyte or gigabyte database that has been build up over months with your 
work suddenly became completely unrecoverable because the application 
maintaining it made some assumptions based on fsync's guarantees and those 
guarantees were suddenly broken? My guess is you wouldn't be very happy.

Some applications may only need the ordering guarantee that fsync 
provides, not the "data is safely on media" guarantee. So perhaps if a new 
barrier syscall was provided that gave applications just the lighter 
ordering guarantee, then over time those apps could transition to use it 
instead of fsync. Apps that really do need the "data is safely on media" 
guarantee would of course continue to call fsync, but the number of 
overall fsync calls in the system would decrease over time - this would 
help your battery life and we'd still have a working fsync for those apps 
that really do need it.
How does that sound?

-- 
Jesper Juhl <jj@...osbits.net>       http://www.chaosbits.net/
Don't top-post http://www.catb.org/jargon/html/T/top-post.html
Plain text mails only, please.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ