[Qemu-devel] [RFC] Disk integrity in QEMU

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [RFC] Disk integrity in QEMU

From:	Anthony Liguori
Subject:	[Qemu-devel] [RFC] Disk integrity in QEMU
Date:	Thu, 09 Oct 2008 12:00:41 -0500
User-agent:	Thunderbird 2.0.0.17 (X11/20080925)

Hi,

There's been a lot of discussion recently mostly in other places aboutdisk integrity and performance in QEMU. I must admit, my own thinkinghas changed pretty recently in this space. I wanted to try and focusthe conversation on qemu-devel so that we could get everyone involvedand come up with a plan for the future.

Right now, QEMU can open a file in two ways. It can open it without anyspecial caching flags (the default) or it can open it O_DIRECT.O_DIRECT implies that the IO does not go through the host page cache.This is controlled with cache=on and cache=off respectively.

When cache=on, read requests may not actually go to the disk. If aprevious read request (by some application on the system) has read thesame data, then it becomes a simple memcpy(). Also, the host IOscheduler may do read ahead which means that the data may be availablefrom that. In general, the host knows the most about the underlyingdisk system and the total IO load on the system so it is far bettersuited to optimize these sort of things than the guest.

Write requests end up being simple memcpy()s too as the data is justcopied into the page cache and the page is scheduled to be eventuallywritten to disk. Since we don't know when the data is actually writtento disk, we tell the guest the data is written before it actually is.

If you assume that the host is stable, then there isn't an integrityissue. This assumes that you have backup power and that the host OS hasno bugs. It's not a totally unreasonable assumption but for a largenumber of users, it's not a good assumption.

A side effect of cache=off is that data integrity only depends on theintegrity of your storage system (which isn't always safe, btw) which isprobably closer to what most users expect. There many other sideeffects though.

An alternative to cache=off that addresses the data integrity problemdirectly is to open all disk images with O_DSYNC. This will still usethe host page cache (and therefore get all the benefits of it) but willonly signal write completion when the data is actually written to disk.The effect of this is to make the integrity of the VM equal theintegrity of the storage system (no longer relying on the host). Bystill going through the page cache, you still get the benefits of thehost's IO scheduler and read-ahead. The only place affected byperformance is writes (reads are equivalent). If you run a writebenchmark in a guest today, you'll see a number that is higher thannative. The implication here is that data integrity is not beingmaintained if you don't trust the host. O_DSYNC takes care of this.

Read performance should be unaffected by using O_DSYNC. O_DIRECT willsignificantly reduce read performance. I think we should use O_DSYNC bydefault and I have sent out a patch that contains that. We will followup with benchmarks to demonstrate this.

There are certain benefits to using O_DIRECT. One argument for usingO_DIRECT is that you have to allocate memory in the host page cache toperform IO. If you are not sharing data between guests, and the guesthas a relatively large amount of memory compared to the host, and youhave a simple disk in the host, going through the host page cache wastessome memory that could be used to cache other IO operations on thesystem. I don't really think this is the typical case so I don't thinkthis is an argument for having it on by default. However, it can beenabled if you know this is going to be the case.

The biggest benefit to using O_DIRECT, is that you can potentially avoidever bringing data into the CPUs cache. Once data is cached, copying itis relatively cheap. If you're never going to touch the data (think,disk DMA => nic DMA via sendfile()), then avoiding the CPU cache can bea big win. Again, I don't think this is the common case but the optionis there in case it's suitable.

An important point is that today, we always copy data internally in QEMUwhich means practically speaking, you'll never see this benefit.

So to summarize, I think we should enable O_DSYNC by default to ensurethat guest data integrity is not dependent on the host OS, and thatpractically speaking, cache=off is only useful for very specializedcircumstances. Part of the patch I'll follow up with includes changesto the man page to document all of this for users.


Thoughts?

Regards,

Anthony Liguori

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [RFC] Disk integrity in QEMU, Anthony Liguori <=
- Re: [Qemu-devel] [RFC] Disk integrity in QEMU, Gerd Hoffmann, 2008/10/10
  - Re: [Qemu-devel] [RFC] Disk integrity in QEMU, Mark McLoughlin, 2008/10/10
    - Re: [Qemu-devel] [RFC] Disk integrity in QEMU, Jamie Lokier, 2008/10/12
    - Re: [Qemu-devel] [RFC] Disk integrity in QEMU, Avi Kivity, 2008/10/14
  - Re: [Qemu-devel] [RFC] Disk integrity in QEMU, Avi Kivity, 2008/10/10
    - Re: [Qemu-devel] [RFC] Disk integrity in QEMU, Jamie Lokier, 2008/10/12
- Re: [Qemu-devel] [RFC] Disk integrity in QEMU, Aurelien Jarno, 2008/10/10
  - Re: [Qemu-devel] [RFC] Disk integrity in QEMU, Anthony Liguori, 2008/10/10
    - Re: [Qemu-devel] [RFC] Disk integrity in QEMU, Paul Brook, 2008/10/10
    - Re: [Qemu-devel] [RFC] Disk integrity in QEMU, Anthony Liguori, 2008/10/10

Prev by Date: [Qemu-devel] [PATCH] [v2] scsi-disk: correct SCSI error reporting
Next by Date: [Qemu-devel] [RFC] Use O_DSYNC by default and update documentation to explain IO integrity in QEMU
Previous by thread: [Qemu-devel] [PATCH] [v2] scsi-disk: correct SCSI error reporting
Next by thread: Re: [Qemu-devel] [RFC] Disk integrity in QEMU
Index(es):
- Date
- Thread