can applications recover from fsync failures
play

Can Applications Recover from fsync Failures? Anthony Rebello, - PowerPoint PPT Presentation

Aug 17, 2023 •19 likes •349 views

Can Applications Recover from fsync Failures? Anthony Rebello, Yuvraj Patel, Ramnatthan Alagappan, Andrea C. Arpaci-Dusseau and Remzi H. Arpaci-Dusseau University of Wisconsin-Madison How does data reach the disk? Applications use the file

  1. Can Applications Recover from fsync Failures? Anthony Rebello, Yuvraj Patel, Ramnatthan Alagappan, Andrea C. Arpaci-Dusseau and Remzi H. Arpaci-Dusseau University of Wisconsin-Madison

  2. How does data reach the disk? • Applications use the file system Applications • System calls – open( ), read( ), write( ) • For Performance File System Dirty Pages: New data • Data buffered in the page cache to write to disk • Modified pages are marked dirty • Periodically flushed to disk Clean pages: same • Vulnerable to data loss while in RAM content as disk Periodically • For Correctness or on fsync( ) • Dirty pages can be flushed immediately Disk using fsync( ) 2

  3. fsync is really important • Many applications care about durability • Ensure data on non-volatile storage before acknowledging client • Devices have volatile storage • Direct IO: fsync can issue a FLUSH command • Ordering of writes is important • Force to disk with fsync before writing the next • Optimistic Crash Consistency Chidambaram et al. [SOSP’13] • Decouples ordering from durability 3

  4. It’s hard to get durability correct • Applications find it difficult • Even when fsync works correctly • Example: persisting a newly created file • creat(/d/foo) • write(/d/foo, “abcd”) • fsync(/d/foo) • fsync(/d) ß Ensure that directory entry is persisted • All File Systems Are Not Created Equal Pillai et al. [OSDI’14] • Studied 11 applications • Update protocols are tricky • More than 30 vulnerabilities under ext3, ext4, btrfs 4

  5. fsync can fail • Durability gets harder to get right • Failures before interacting with disk • Invalid arguments, insufficient space • Easy to handle • Failures while interacting with disk • EIO: An error occurred during synchronization • Transient disk errors, network disconnects • In-memory data structures may need to be reverted 5

  6. Why care about fsync failures? “About a year ago the PostgreSQL community discovered that fsync (on Linux and some BSD systems) may not work the way we always thought it is [sic], with possibly disastrous consequences for data durability/consistency (which is something the PostgreSQL community really values).” - Tomas Vondra, FOSDEM 2019 6

  7. Our work • Systematically understand fsync failures 2 • Application reactions to fsync failures Applications • Redis, LMDB, LevelDB, SQLite, PostgreSQL File System 1 • File system reactions to fsync failures • Ext4, XFS, Btrfs Disk 7

  8. File System Results • All file systems mark dirty pages clean on fsync failure • Retries are ineffective • File systems do not handle errors during fsync uniformly • Content in pages is different • Latest data (ext4, XFS), Old data (Btrfs) • Failure notifications not always immediate • Ext4 data mode reports errors later • In-memory data structures are not entirely reverted after fsync failure • Garbage/Zeroes in the files • Free space and block allocation unaltered (ext4, XFS) • User-space file descriptor offset unaltered (Btrfs) 8

  9. Application Results • Simple strategies fail • Retries are ineffective • Crash/Restart can be incorrect • False Failures: Indicate failure but actually succeed • Incorrect recovery from WAL using the page cache • Defenseless against late error reporting • Ext4 data mode • Every application faced data loss • Most faced corruption (all except PostgreSQL) • Copy-on-write is good, but not invincible • Btrfs is bad for rollback strategies • But seems good for WAL recovery 9

  10. Outline • Introduction • File Systems • Methodology (dm-loki, workloads) • Results • Applications • Methodology (CuttleFS) • Results • Challenges and Directions • Summary 10

  11. File System | Methodology: Fault Injection • Goal: Understand file system reactions to fsync failures without modifying the kernel Applications • Intercept all block requests that go to disk • Custom device mapper target – dm-loki • Trace bio requests • Fail i th write to sector/block File System dm-loki: intercepts bio requests Disk 11

  12. File System | Methodology: Workloads • Common write patterns in applications • Reduced to simplest form • Single Block Update A B C A X C • Modify a single block in a file • Examples: A A B C X C • LMDB, PostgreSQL, SQLite • Multi Block Append • Add new blocks to the end of a file A A B C • Examples: • Redis append-only file A A B C • Write-ahead logs • PostgreSQL, LevelDB, SQLite 12

  13. File System | Result #1: Clean Pages • Dirty page is marked clean after fsync failure on all three file systems A B C A * C A * C A A A B C B C B C fsync( ) fails 1 Modify middle page 2 3 Page is marked clean • Feature, not bug • Avoids memory leaks when user removes USB stick • Retries are ineffective • No more dirty pages on the next fsync 13

  14. File System | Result #2a: Page Content • File systems do not handle fsync errors uniformly A X C • Page content depends on file system A B C A X C A ? C Ext4 and XFS 2a Keep latest data A A B C B C A B C Middle page fsync( ) fails 1 2 modified Page is marked clean A B C 2b Btrfs reverts state • Cannot reliably depend on page cache content after an fsync failure 14

  15. File System | Result #2b: Notifications • File systems do not report fsync failures uniformly • Ext4 data mode reports failures later • Ext4 ordered mode, XFS, Btrfs report immediately A X C A X C A X C Journal Journal A B C X Middle page 1 A B C A B C modified fsync( ) succeeds Failure when writing Fails next fsync( ) 2 3 Data written to journal journal to disk • Ext4 data mode reports success too early • Two fsyncs can solve the problem 15

  16. File System | Result #3: In-memory state • In-memory data structures are not entirely reverted • Free space and block allocation unaltered in ext4, XFS A B Non-overwritten Block allocated block A B A B Link only in memory A ? No block allocated Link persisted after 3a A A ? some time or unmount Write to end fsync( ) fails 2 1 of file No metadata persisted A B C A ? C • On EXT4 and XFS - Link persisted if future 3b • Applications read block’s old contents - corruption writes + fsync succeeds 16

  17. File System | Result #3: In-memory state • In-memory data structures are not entirely reverted • Holes in Btrfs as file descriptor offset is not reverted Hole in place of B A B A A A C C No block allocated A A A A ? C Write to end fsync( ) fails Next write is at fsync( ) persists at 4 2 1 3 of file State is reverted updated offset updated offset • On Btrfs - • Application reads zeroes at the hole offset - corruption 17

  18. File System | Results Summary After fsync failure … • Dirty pages are marked clean • Retries are ineffective • Errors are not handled uniformly • Page content varies across file systems • Notifications are not always immediate • In-memory data structures are not correct • Future operations cause non-overwritten blocks (ext4, XFS), holes (Btrfs) • Both are corruptions to the application 18

  19. Applications

  20. Applications • Five widely used applications Key Value Store Relational Database Embedded v1.22 LMDB v0.9.24 v3.30.1 Server v5.0.7 v12.0 20

  21. Applications | Methodology • Goal: Are application strategies effective when fsync fails • Simple workload • Insert/Update a key-value pair • Use two-column table for RDBMS • Make fsync fail • Dump all key-value pairs • When running • On application restart • On page eviction • On machine restart 21

  22. Applications | Methodology: CuttleFS • Deterministic fault injection with Applications configurable post-failure reactions CuttleFS (FUSE) • Fail file offsets, not block numbers Intercepts file system requests • User-space page cache File System • Easy to simulate different post-failure reactions • Dirty or clean pages • New or old content • Immediate or late error reporting • Fine grained control over page eviction Disk 22

  23. Applications | Results: Overview Ext4 Ext4 XFS Btrfs Ordered Mode Data Mode Data Data Data Redis Corruption Corruption Loss Loss Loss LMDB LevelDB Corruption SQLite Data False False Rollback False False Loss Corruption Corruption Failures Failures Failures Failures WAL 3 PostgreSQL Default DirectIO 1 (Same as ext4 ordered) 2 23

  24. Applications | Results #1: Crash/Restart • Simple strategies fail • Crash/restart is incorrect: recovers wrong data from page cache • Example: PostgreSQL False Failure fsync( ) fails Key Val Key Val Key Val A 1 A 1 A 2 Table WAL Table WAL WAL Table WAL App Crash A 1 A 1 A 1 A 1 A = 0 A = 0 A = 0 + A 2 A 2 A 2 Restart A 1 A 1 A 1 A 1 A = 0 A = 0 A = 0 3 2b SET A = 2 2a 1 24

  25. Applications | Results #1: False Failures • False Failures: Indicate failure but actually succeed Expected State Actual State Initially A=100 A=100 UPDATE Table SET A = A - 1 Reports failure A=100 A=99 False Failure Retry… UPDATE Table SET A = A - 1 A=99 A=98 Double Decrement • PostgreSQL, SQLite, LevelDB WAL are affected 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Reliability In case of a crash, recover to a consistent (or correct state) and continue

Reliability In case of a crash, recover to a consistent (or correct state) and continue

Reliability In case of a crash, recover to a consistent (or correct state) and continue processing. Types of Failures Node failure 1. Communication line of failure 2. Loss of a message (or transaction) 3. Network partition 4. Any

559 views • 21 slides
Investigation of Failures 49 CFR 192.617 192.617 Investigation of Failures Each operator

Investigation of Failures 49 CFR 192.617 192.617 Investigation of Failures Each operator

Investigation of Failures 49 CFR 192.617 192.617 Investigation of Failures Each operator shall establish procedures for analyzing accidents and failures, including the selection of samples of the failed facility or equipment for

948 views • 55 slides
Accept Partial Failures, Minimize Service Loss Daxin Wang Baidu SRE Diversified products

Accept Partial Failures, Minimize Service Loss Daxin Wang Baidu SRE Diversified products

Accept Partial Failures, Minimize Service Loss Daxin Wang Baidu SRE Diversified products Promote Experienced team Too complicated to recover rapidly Network & Infrastructure Operation Mistake Software Bug Basic model of reduce

230 views • 18 slides
Preventing & Identifying Failures of Dead Break Elbows Wind Farm Applications 1

Preventing & Identifying Failures of Dead Break Elbows Wind Farm Applications 1

Preventing & Identifying Failures of Dead Break Elbows Wind Farm Applications 1 Introduction Brian Peyres, Senior High Voltage Reliability Engineer, EDP Renewables. Level 2 Thermographer with 20 Years in the generating and utility

987 views • 44 slides
Relax and Recover Relax and Recover (ReaR) The Ultimate Disaster Recovery Framework

Relax and Recover Relax and Recover (ReaR) The Ultimate Disaster Recovery Framework

Relax and Recover Relax and Recover (ReaR) The Ultimate Disaster Recovery Framework http://rear.sourceforge.net by Gratien D'haese What is Relax and Recover Relax and Recover (abbreviated rear) is a highly modular disaster recovery

879 views • 12 slides
TOLERATING BUSINESS FAILURES IN HOSTED APPLICATIONS Jean-Sbastien Lgar Dutch T. Meyer,

TOLERATING BUSINESS FAILURES IN HOSTED APPLICATIONS Jean-Sbastien Lgar Dutch T. Meyer,

TOLERATING BUSINESS FAILURES IN HOSTED APPLICATIONS Jean-Sbastien Lgar Dutch T. Meyer, Mark Spear, Alexandru Totolici, Sara Bainbridge, Kalan MacRow, Robert Sumi, Quinlan Jung, Dennis Tjandra, David Williams-King, William Aiello, Andrew

567 views • 29 slides
Protection and Restoration Introduction Fact: Networks fail. Types of failures: Path

Protection and Restoration Introduction Fact: Networks fail. Types of failures: Path

SYSC 5801 Protection and Restoration Introduction Fact: Networks fail. Types of failures: Path failures Link failures Node failures Results: packet losses, waste of resources, and higher delay. What IGP does in the event

721 views • 35 slides
Let it Recover: Multiparty Protocol-Induced Recovery 1 Fail fast and recover quickly

Let it Recover: Multiparty Protocol-Induced Recovery 1 Fail fast and recover quickly

Let it Recover: Multiparty Protocol-Induced Recovery 1 Fail fast and recover quickly Erlang proverb Fail fast and recover quickly and safely OPCT proverb (after this talk) 2 Part One Background 3 The Erlang programming

803 views • 28 slides
Checkpointing HPC Applications Thomas Ropars thomas.ropars@imag.fr Universit e Grenoble Alpes

Checkpointing HPC Applications Thomas Ropars thomas.ropars@imag.fr Universit e Grenoble Alpes

Checkpointing HPC Applications Thomas Ropars thomas.ropars@imag.fr Universit e Grenoble Alpes 1 2016 Failures in supercomputers Fault tolerance is a serious problem Systems with millions of components Failures cannot be ignored

1.14k views • 109 slides
Failures and Consensus Failures and Consensus Coordination Coordination If the solution to

Failures and Consensus Failures and Consensus Coordination Coordination If the solution to

Failures and Consensus Failures and Consensus Coordination Coordination If the solution to availability and scalability is to decentralize and replicate functions and data, how do we coordinate the nodes? data consistency update

712 views • 36 slides
Software Failures Perdita Stevens perdita@inf.ed.ac.uk

Software Failures Perdita Stevens perdita@inf.ed.ac.uk

Software Failures Perdita Stevens perdita@inf.ed.ac.uk http://www.inf.ed.ac.uk/teaching/courses/sapm/ Original slides: Dr James A. Bednar & Dr David Robertson, changes by Dr Massimo Felici, Mr Conrad Hughes, me SAPM Spring 2010: Failures

771 views • 27 slides
s rsrt Market failures Tyler Moore

s rsrt Market failures Tyler Moore

s rsrt Market failures Tyler Moore When markets fail Market failures occur when the free-market outcome is inefficient Monopolies/oligopolies Public goods Information

301 views • 15 slides
Cycle Time Approximations for the G/G/m Queue Subject to Server Failures and Cycle Time Offsets

Cycle Time Approximations for the G/G/m Queue Subject to Server Failures and Cycle Time Offsets

IEEE/SEMI Advanced Semiconductor Manufacturing Conference Cycle Time Approximations for the G/G/m Queue Subject to Server Failures and Cycle Time Offsets with Applications James R. Morrison Central Michigan University Department of Engineering

614 views • 17 slides
WebSee: A Tool for Debugging HTML Presentation Failures Sonal Mahajan and William G. J. Halfond

WebSee: A Tool for Debugging HTML Presentation Failures Sonal Mahajan and William G. J. Halfond

WebSee: A Tool for Debugging HTML Presentation Failures Sonal Mahajan and William G. J. Halfond Department of Computer Science University of Southern California Web Applications It takes users only 50 ms to form opinion about your website

329 views • 12 slides
MySQL High Availability Solutions Alex Poritskiy Percona The Five 9s of Availability

MySQL High Availability Solutions Alex Poritskiy Percona The Five 9s of Availability

MySQL High Availability Solutions Alex Poritskiy Percona The Five 9s of Availability Clustering & disasters Geographical Redundancy power failures network failures Clustering Technologies hardware failures software failures

593 views • 47 slides
Availability models Dr. Jnos Tapolcai tapolcai@tmit.bme.hu http://opti.tmit.bme.hu/~tapolcai/

Availability models Dr. Jnos Tapolcai tapolcai@tmit.bme.hu http://opti.tmit.bme.hu/~tapolcai/

Availability models Dr. Jnos Tapolcai tapolcai@tmit.bme.hu http://opti.tmit.bme.hu/~tapolcai/ / 1 Failure sources HW failures Network element failures Type failures Manufacturing or design failures Turns out at the testing

553 views • 31 slides
Enterprise Storage Architecture Fall 2018 Data recovery and forensics Tyler Bletsch Duke

Enterprise Storage Architecture Fall 2018 Data recovery and forensics Tyler Bletsch Duke

ECE590-03 Enterprise Storage Architecture Fall 2018 Data recovery and forensics Tyler Bletsch Duke University The problem Recovery : Restoring data without backups after loss Goal: get our data back Challenges: Damaged media

277 views • 17 slides
The Recovery Audit Program and Medicare The Who, What, When, Where, How and Why? 1 Agenda

The Recovery Audit Program and Medicare The Who, What, When, Where, How and Why? 1 Agenda

The Recovery Audit Program and Medicare The Who, What, When, Where, How and Why? 1 Agenda What Is A Recovery Auditor? Will The Recovery Auditors Affect Me? Why Recovery Auditors? What Does A Recovery Auditor Do? What Are The

444 views • 19 slides
Disas Dis aster R Recovery an and Gr Gran ant t Re Reporting g (DRGR) ) System m DRGR

Disas Dis aster R Recovery an and Gr Gran ant t Re Reporting g (DRGR) ) System m DRGR

Disas Dis aster R Recovery an and Gr Gran ant t Re Reporting g (DRGR) ) System m DRGR Release 8.1 | Overview | CDBG-DR and CDBG-MIT Webinar Series Summer 2020 Presenters Presenters HUD Steven Edwards, DRGR Specialist Hana

240 views • 22 slides
Argosy: Verifying layered storage systems with recovery refinement Tej Chajed , Joseph Tassarotti,

Argosy: Verifying layered storage systems with recovery refinement Tej Chajed , Joseph Tassarotti,

Argosy: Verifying layered storage systems with recovery refinement Tej Chajed , Joseph Tassarotti, Frans Kaashoek, Nickolai Zeldovich MIT logical disk disk 1 disk 2 Bob writes a replication system 2 logical disk write 1 write 2 disk 1 disk

1.08k views • 75 slides
Indirect Cost Recovery Using Federal Funds to Recover Indirect Costs Federal Funding

Indirect Cost Recovery Using Federal Funds to Recover Indirect Costs Federal Funding

Indirect Cost Recovery Using Federal Funds to Recover Indirect Costs Federal Funding Conference March 2020 The Cost of Doing Business Direct Costs Federal grants fund specific and limited activities related to meeting the

727 views • 38 slides
Developing Checkpointing and Recovery Procedures with the Storage Services of Amazon Web Services

Developing Checkpointing and Recovery Procedures with the Storage Services of Amazon Web Services

Developing Checkpointing and Recovery Procedures with the Storage Services of Amazon Web Services Luan Teylo 1 , Rafaela C. Brum 1 , Luciana Arantes 2 , Pierre Sens 2 and Lcia M. A. Drummond 1 1 Federal Fluminense University - IC/UFF 2 Sorbonne

861 views • 28 slides
Community Recovery in Graphs with Locality Yuxin Chen , Govinda Kamath , Changho Suh ,

Community Recovery in Graphs with Locality Yuxin Chen , Govinda Kamath , Changho Suh ,

Community Recovery in Graphs with Locality Yuxin Chen , Govinda Kamath , Changho Suh , David Tse Stanford KAIST Community recovery / graph clustering Community structures are common in many social networks Credit: The

848 views • 46 slides
Learning a Compressed Sensing Measurement Matrix via Gradient Unrolling Shanshan Wu 1 , Alex

Learning a Compressed Sensing Measurement Matrix via Gradient Unrolling Shanshan Wu 1 , Alex

Learning a Compressed Sensing Measurement Matrix via Gradient Unrolling Shanshan Wu 1 , Alex Dimakis 1 , Sujay Sanghavi 1 , Felix Yu 2 , Dan Holtmann-Rice 2 , Dmitry Storcheus 2 , Afshin Rostamizadeh 2 , Sanjiv Kumar 2 1 University of Texas at

340 views • 18 slides

More recommend