recon verifying file system
play

Recon: Verifying File System Consistency at Runtime Daniel Fryer, - PowerPoint PPT Presentation

Aug 21, 2022 •411 likes •676 views

Recon: Verifying File System Consistency at Runtime Daniel Fryer, Jack (Kuei) Sun, Rahat Mahmood, TingHao Cheng, Shaun Benjamin, Angela Demke Brown and Ashvin Goel University of Toronto October 4, 2011 Metadata Integrity is Crucial D Kernel

  1. Recon: Verifying File System Consistency at Runtime Daniel Fryer, Jack (Kuei) Sun, Rahat Mahmood, TingHao Cheng, Shaun Benjamin, Angela Demke Brown and Ashvin Goel University of Toronto October 4, 2011

  2. Metadata Integrity is Crucial D Kernel D D M M M File System a D D t D D Block Layer a D D You don’t know what Storage you’ve got ’til it’s gone… 2

  3. File Systems Have Bugs Bugs in Linux Ext3 File System Closed panic/ext3 fs corruption with RHEL4-U6-re20070927.0 2007-11 Re: [2.6.27] filesystem (ext3) corruption (access beyond end) 2008-06 linux-2.6: ext3 filesystem corruption 2008-09 linux-image-2.6.29-2-amd64: occasional ext3 filesystem 2009-06 corruption ENOSPC during fsstress leads to filesystem corruption on ext2, 2010-03 ext3, and ext4 ext3: Fix fs corruption when make_indexed_dir() fails 2011-06 Data corruption: resume from hibernate always ends up with Not yet EXT3 fs errors Why can’t existing solutions handle this problem? 3

  4. “Solutions” Existing approaches assume file systems are correct Kernel File System Checksums? Journals? Block Layer RAID? Storage None of these protect against bugs in file systems 4

  5. Offline Checking • Check consistency offline, e.g., fsck • Consistency properties necessary for correctness FS1: No double FS2: Refcount-based allocation sharing M M M M metadata data D D D Ref: 2 5

  6. Problems with Offline Checking • Slow, getting slower with larger disks • Requires taking file system offline • After the fact, repair is error prone M M metadata data D 6

  7. Outline • Problem • Metadata can be corrupted by bugs and existing techniques are inadequate • Our Solution: Recon • a system for protecting metadata from bugs • Key idea • Runtime consistency checking • Design • Evaluation 7

  8. Runtime Consistency Checking • Ensure every update results in a consistent file system • Makes repair unnecessary! • “What happens in DRAM stays in DRAM” BUT • Consistency properties are global • Global properties require full scan • We can’t run fsck at every write 8

  9. Consistency Invariants • We transform global consistency properties to fast, local consistency invariants • Assume initial consistent state • New file system is clean • Use checksums/redundancy to handle errors below FS • At runtime, check only what is changing • Do so before changes become persistent • Resulting new state is consistent 9

  10. Example: Block Allocation in Ext3 • Ext3 maintains a block bitmap – every allocated block is marked in the bitmap Block Bitmap inode 5 6 7 8 9 Updated Block size time 7 Block 7 Updated Block 8 8 Block 8 10

  11. Example: Block Allocation in Ext3 • Consistency Invariant Bitmap bit X flip Block pointer from “0” to “1” set to X • Invariant fails if either update is missing • Should not mark allocated without setting block pointer • Should not set block pointer without marking allocated • Can any consistency property be transformed? • File systems should maintain consistency efficiently 11

  12. When to Check Invariants • Invariants involve changes to multiple blocks • When should they be consistent? • Transactions are used for crash consistency • Consistency can be checked at transaction boundaries Transaction Memory Must check transaction just before commit block reaches disk Disk 12

  13. Outline • Problem • Metadata corruption cause by bugs • Solution • Recon • Key idea • Runtime checking • Design • Metadata interpretation • Logical change generation • Evaluation 13

  14. The Recon Design File System FS Recon Interface Block Layer Recon Ext3_Recon Metadata Write Cache Metadata Btrfs_Recon Read Cache Metadata interpretation Logical change generation Ye Olde Disk 14

  15. Metadata Interpretation • To check invariants, we need to determine the type of a block on a read or write • Take advantage of tree structure of metadata • Superblock is the root of the tree • Parents are read before children • For example, inode is read before indirect blocks • We see the pointer to the block before the block, and • The pointer within the parent determines the type of the child block 15

  16. Logical Change Generation • Invariants are expressed in terms of logical changes to structures, e.g., bitmaps, pointers Bitmap bit X flip Block pointer from “0” to “1” set to X • Recon generates these changes based on • Block types • Comparing the blocks in the write and read cache • Logical changes to metadata structures are represented as a set of change records: [type, id, field, old, new] 16

  17. Checking with Change Records type id field oldval newval inode 12 blockptr[1] 0 501 inode 12 i_size 4096 8192 inode 12 i_blocks 8 16 Bitmap 501 -- 0 1 BGD 0 free_blocks 1500 1499 Transaction appends a new block to inode 12 Bitmap bit X flip Block pointer from “0” to “1” set to X 17

  18. Outline • Problem • Metadata corruption cause by bugs • Solution • Recon • Key idea • Runtime checking • Design • Evaluation • Complexity • Corruption detection • Performance overhead 18

  19. Complexity • Much simpler than FS code • Only need to verify result of file system operations • Each invariant can be checked independently • Code divided into three sections • Generic Recon framework: 1.5 kLOC • Ext3 metadata interpretation: 1.5kLOC • 31 Ext3 invariants: 800 LOC 19

  20. Corruption Detection 1 25 8 23 100% 31 Corruptions 4 2 Caught 79 112 2 17 72 352 59 52 31 0% inode inode inode ibm dir bbm random bgd (blk ptr) (stat) (others) Detected by both e2fsck only Recon only Recon matches e2fsck 20

  21. Performance Evaluation • Used Linux port of Sun’s FileBench • Used 5 different emulated workloads • webserver, webproxy, varmail, fileserver, ms_nfs • ms_nfs configured to match metadata characteristics from Microsoft study (FAST’11) • 3 GHz dual core Xeon CPUs, 2 GB RAM • 1 TB ext3 file system 21

  22. Performance Evaluation Cache Size = 128MB webserver webproxy varmail fileserver ms_nfs For reasonable cache sizes, performance impact is modest 22

  23. Handling Violations Several options • Prevent all writes, remount read-only • Preserves correctness • Reduces availability • Take snapshot of filesystem and continue • Minimal availability impact, snapshot is correct • Requires repair afterwards • Micro-reboot file system or kernel • Transparent to applications • Overcomes transient failures 23

  24. Conclusion • All consistency properties of fsck can be enforced on updates without full disk scan • Checking can be done outside the file system, entirely at the block layer • Preventing corruption from being committed is a huge win over after-the-fact repair! 24

  25. Thanks! • To our anonymous reviewers • To our shepherd, Junfeng Yang • To the Systems Software Reading Group @ U of T For their many insightful comments & suggestions! • To Vivek Lakshmanan For early insights that helped start the project! This work was supported by NSERC through the Discovery Grants program 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Verifying a high-performance crash-safe file system using a tree specifica6on Haogang Chen, Tej

Verifying a high-performance crash-safe file system using a tree specifica6on Haogang Chen, Tej

Verifying a high-performance crash-safe file system using a tree specifica6on Haogang Chen, Tej Chajed , Stephanie Wang, Alex Konradi, Atalay leri, Adam Chlipala, M. Frans Kaashoek, Nickolai Zeldovich File systems are difficult to make correct

1.19k views • 100 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 10 November, 2017 1/34 Outline Motivation and related work Our approach

681 views • 34 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 09 March, 2017 Overview 1. Why we need a verified filesystem 2. Our approach

514 views • 29 slides
An Integrated Formal Methods Tool-Chain and its Application to Verifying a File System Model From

An Integrated Formal Methods Tool-Chain and its Application to Verifying a File System Model From

An Integrated Formal Methods Tool-Chain and its Application to Verifying a File System Model From Miguel A. Ferreira and Jos e N. Oliveira Thematic Seminar - Paper Recitation July 21, 2012 Skeleton Brief Introduction Tool-chain

272 views • 9 slides
Chapter 12: File System Implementation File System Structure File System Implementation

Chapter 12: File System Implementation File System Structure File System Implementation

Chapter 12: File System Implementation File System Structure File System Implementation Directory Implementation Allocation Methods Free-Space Management Efficiency and Performance Recovery Log-Structured File Systems

492 views • 47 slides
~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE SYSTEM MOUNTING PROTECTION EXTERNAL VIEW OF THE FILE MANAGER FILE MANAGEMENT FILE, IS A NAMED AND ORDERED COLLECTION OF INFORMATION COMPUTER SHOULD

341 views • 33 slides
File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System

File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System

File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System Performance Controlled Sharing Convenience: naming Reliability File System Workload File sizes Are most files small or large?

996 views • 62 slides
CSE 120 File System Interface What the user/programmer sees File System Implementation

CSE 120 File System Interface What the user/programmer sees File System Implementation

Overview CSE 120 File System Interface What the user/programmer sees File System Implementation How it works Summer, 2006 Day 9 File Systems Instructor: Neil Rhodes 2 What is a File? Typical Filesystem Named collection of related

175 views • 5 slides
File System Implementation Summer 2016 Cornell University Today File allocation Unix

File System Implementation Summer 2016 Cornell University Today File allocation Unix

CS 4410 Operating Systems File System Implementation Summer 2016 Cornell University Today File allocation Unix file system Log-structured file system 2 File system: two design problems User interface: File, directory,

362 views • 21 slides
Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a distributed Definitions implementation of a classical time-sharing model of a file Distributed system - A number of loosely coupled system. machines

997 views • 8 slides
Windows File System Efficiency and Stability of a file system are contradicting requirements. How

Windows File System Efficiency and Stability of a file system are contradicting requirements. How

Unit OS8: File System 8.6. Quiz Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Windows File System Efficiency and Stability of a file system are contradicting requirements. How can the

279 views • 11 slides
Distributed Systems - III Open a file, check status on a file, close a file; Read data

Distributed Systems - III Open a file, check status on a file, close a file; Read data

CSE 421/521 - Operating Systems What does Distributed File System Provide? Fall 2011 Provide access to and manipulation of data stored at remote servers using file system interfaces Lecture - XXV What are the file system interfaces?

236 views • 5 slides
File System Thierry Sans (recap) File System Abstraction File system specifics of which disk

File System Thierry Sans (recap) File System Abstraction File system specifics of which disk

File System Thierry Sans (recap) File System Abstraction File system specifics of which disk class it is using It issues block read/write requests to the generic block layer Provide an abstraction Goals Implement an abstraction (files) for

389 views • 37 slides
FILE SYSTEM IMPLEMENTATION Sunu Wibirama Outline File-System Structure File-System

FILE SYSTEM IMPLEMENTATION Sunu Wibirama Outline File-System Structure File-System

FILE SYSTEM IMPLEMENTATION Sunu Wibirama Outline File-System Structure File-System Implementation Directory Implementation Allocation Methods Free-Space Management Discussion 11. Outline File-System Structure

516 views • 51 slides
Week 10: File Management What is a file? Elements of file management File

Week 10: File Management What is a file? Elements of file management File

CPSC 410 / 611 : Operating Systems Week 10: File Management What is a file? Elements of file management File organization Directories File allocation UNIX file system Reading: Silberschatz, Chapter 10, 11

498 views • 13 slides
Speeding up file system checks in ext4 Theodore Ts'o Why File System Checks Are Necessary

Speeding up file system checks in ext4 Theodore Ts'o Why File System Checks Are Necessary

Speeding up file system checks in ext4 Theodore Ts'o Why File System Checks Are Necessary Software is not perfect Bugs in kernel (File system, VM, Device Driver code) Hardware is not perfect Disk errors Memory errors File

613 views • 24 slides
Alleged Assassins Bjrn Jespersen & Giuseppe Primiero Department of Computer Science,

Alleged Assassins Bjrn Jespersen & Giuseppe Primiero Department of Computer Science,

Alleged Assassins Bjrn Jespersen & Giuseppe Primiero Department of Computer Science, Technical University of Ostrava & Department of Logic, Czech Academy of Sciences, Prague FWO & Centre for Logic and Philosophy of Science, Ghent

639 views • 34 slides
An Integrated Code Generator for the Glasgow Haskell Compiler Jo ao Dias, Simon Marlow,

An Integrated Code Generator for the Glasgow Haskell Compiler Jo ao Dias, Simon Marlow,

An Integrated Code Generator for the Glasgow Haskell Compiler Jo ao Dias, Simon Marlow, Simon Peyton Jones, Norman Ramsey Harvard University, Microsoft Research, and Tufts University Classic Dataflow Optimization, Purely

1.06k views • 72 slides
Secure and Fair Enforcement for Mortgage Licensing (SAFE Act) - Background The Secure and

Secure and Fair Enforcement for Mortgage Licensing (SAFE Act) - Background The Secure and

SAFE Act, RESPA, and ECOA Requirements for the HOME Program Administered by The information provided in this document is provided for general information only. TDHCA endeavors to ensure the accuracy and validity of all information contained

649 views • 32 slides
Im Impl plementing ementing GM M La Labo borat atori ories es Labs should share

Im Impl plementing ementing GM M La Labo borat atori ories es Labs should share

Im Impl plementing ementing GM M La Labo borat atori ories es Labs should share genomic data; many clinical labs willing but requires resources Dont put in clinical lab til well- established but WGS/WES breaks that

327 views • 11 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Software security Security is a form

2.11k views • 190 slides
Working Together to Improve Community Health MIKELLE MOORE - VICE PRESIDENT, COMMUNITY BENEFIT

Working Together to Improve Community Health MIKELLE MOORE - VICE PRESIDENT, COMMUNITY BENEFIT

Working Together to Improve Community Health MIKELLE MOORE - VICE PRESIDENT, COMMUNITY BENEFIT Grant opportunity to help cities adopt active lifestyles 16 week DPP curriculum Personalized health coaching Small-group support

477 views • 12 slides
Banks as Liquidity Provider of Second to Last Resort Til Schuermann* Federal Reserve Bank of New

Banks as Liquidity Provider of Second to Last Resort Til Schuermann* Federal Reserve Bank of New

Banks as Liquidity Provider of Second to Last Resort Til Schuermann* Federal Reserve Bank of New York Q-Group, October 2008 * Any views expressed represent those of the author only and not necessarily those of the Federal Reserve Bank of New

606 views • 35 slides
When talents comes in many different shapes NOCA April 2019 Laila Gyldenhj, Danske Bank 1

When talents comes in many different shapes NOCA April 2019 Laila Gyldenhj, Danske Bank 1

When talents comes in many different shapes NOCA April 2019 Laila Gyldenhj, Danske Bank 1 Millennials will be more than 50% of the global workforce by 2020. The generation will demand that hierarchies go away in favor of flatter

413 views • 10 slides

More recommend