'LMDB and fsync failures'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openldap-devel
Subject:    LMDB and fsync failures
From:       Howard Chu <hyc () symas ! com>
Date:       2024-02-09 10:09:04
Message-ID: 7cce887c-c1a1-ecf7-7508-c5abf4eec2a8 () symas ! com
[Download RAW message or body]

If anyone remembers fsync-gate https://danluu.com/fsyncgate/ which showed a \
lot of vulnerabilities in other popular DBMSs, some other research was \
published on the topic as well  \
https://www.usenix.org/conference/atc20/presentation/rebello

I originally discussed this on twitter back in 2020 but wanted to summarize \
again here.

As usual with these types of reports, there are a lot of flaws in their \
test methodology, which invalidates some of their conclusions.

In particular, I question the validity of the failure scenarios their \
CuttleFS simulator produces. Specifically, they claim that multiple systems \
exhibit False Failures after fsync reports a failure, but actually \
(partially) succeeded. In the case of LMDB, where a 1-page synchronous \
write is involved, this is just an invalid test.

They assume that the relevant sector that LMDB cares about is successfully \
written, but an I/O error occurs on some other sector in the page. And so \
while LMDB invalidates the commit in memory, a cache flush and subsequent \
page-in will read the updated sector. But in the real world, if there are \
hard I/O errors on these other sectors, they will most likely also be \
unreadable, and a subsequent page-in will also fail. So at least for LMDB, \
there would be no false failure.

The failure modes they're modeling don't reflect reality.

Leaving that issue aside, there's also the point that modern storage \
devices are now using 4KB sectors, and still guarantee atomic sector \
writes, so the partial success scenario they describe can't even happen. \
This is a bunch of academic speculation, with a total absence of real world \
modeling to validate the failure scenarios they presented.

The other failures they report, on ext4fs with journaled data, are \
certainly disturbing. But we always recommend turning that journaling off \
with LMDB; it's redundant with LMDB's own COW strategy and harms perf for \
no benefit.

Of course, you don't even need to trust the filesystem, you can just use \
LMDB on a raw block device.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic