Re: [Qemu-devel] [RFC] qed: Add QEMU Enhanced Disk format

[Anthony Liguori]

On 09/12/2010 10:56 AM, Avi Kivity wrote:
> No, the worst case is 0.003% allocated disk, with the allocated 
> clusters distributed uniformly.  That means all your L2s are 
> allocated, but almost none of your clusters are.

But in this case, you're so sparse that your metadata is pretty much 
co-located which means seek performance won't matter much.

> > But since you have to boot before you can run any serious test, if it 
> > takes 5 seconds to do an fsck(), it's highly likely that it's not 
> > even noticeable.
>
> What if it takes 300 seconds?

That means for a 1TB disk you're taking 500ms per L2 entry, you're fully 
allocated and yet still doing an fsck.  That seems awfully unlikely.

> >    if l2.committed:
> >        if l2.dirty
> >            l2.write()
> >            l2.dirty = False
> >        l2.mutex.unlock()
> >     else:
> >        l2.mutex.lock()
> >        l2cache[l2.pos] = l2
> >        l2.mutex.unlock()
>
> The in-memory L2 is created by defaultdict().  I did omit linking L2 
> into L1, by that's a function call.  With a state machine, it's a new 
> string of states and calls.

But you have to write the L2 to disk first before you link it so it's 
not purely in memory.

> > > > It's far easier to just avoid internal snapshots altogether and 
> > > > this is exactly the thought process that led to QED.  Once you drop 
> > > > support for internal snapshots, you can dramatically simplify.
> > >
> > > The amount of metadata is O(nb_L2 * nb_snapshots).  For qed, 
> > > nb_snapshots = 1 but nb_L2 can be still quite large.  If fsck is too 
> > > long for one, it is too long for the other.
> >
> > nb_L2 is very small.  It's exactly n / 2GB + 1 where n is image 
> > size.  Since image size is typically < 100GB, practically speaking 
> > it's less than 50.
> >
> > OTOH, nb_snapshots in qcow2 can be very large.  In fact, it's not 
> > unrealistic for nb_snapshots to be >> 50.  What that means is that 
> > instead of metadata being O(n) as it is today, it's at least O(n^2).
>
> Why is in n^2?  It's still n*m.  If your image is 4TB instead of 
> 100GB, the time increases by a factor of 40 for both.

It's n*m but either n ~= m in which case it's n^2 or m << n, in which 
case, it's just n, or m >> n in which case, it's just O(m).

This is where asymptotic complexity ends up not being terribly helpful :-)

Let me put this another way though, if you support internal snapshots, 
what's a reasonable number of snapshots to expect reasonable performance 
with?  10?  100?  1000? 10000?

> > > > Not doing qed-on-lvm is definitely a limitation.  The one use case 
> > > > I've heard is qcow2 on top of clustered LVM as clustered LVM is 
> > > > simpler than a clustered filesystem.  I don't know the space well 
> > > > enough so I need to think more about it.
> > >
> > > I don't either.  If this use case survives, and if qed isn't changed 
> > > to accomodate it, it means that that's another place where qed can't 
> > > supplant qcow2.
> >
> > I'm okay with that.  An image file should require a file system.  If 
> > I was going to design an image file to be used on top of raw storage, 
> > I would take an entirely different approach.
>
> That spreads our efforts further.

No.  I don't think we should be in the business of designing on top of 
raw storage.  Either assume fixed partitions, LVM, or a file system.  We 
shouldn't reinvent the wheel at every opportunity (just the carefully 
chosen opportunities).

> > > > Refcount table.  See above discussion  for my thoughts on refcount 
> > > > table.
> > >
> > > Ok.  It boils down to "is fsck on startup acceptable".  Without a 
> > > freelist, you need fsck for both unclean shutdown and for UNMAP.
> >
> > To rebuild the free list on unclean shutdown.
>
> If you have an on-disk compact freelist, you don't need that fsck.

"If you have an on-disk compact [consistent] freelist, you don't need 
that fsck."

Consistency is the key point.  We go out of our way to avoid a 
consistent freelist in QED because it's the path to best performance.  
The key goal for a file format should be to have exactly as much 
consistency as required and not one bit more as consistency always means 
worse performance.

> On the other hand, allocating a cluster in qcow2 as it is now requires 
> scanning the refcount table.  Not very pretty.  Kevin, how does that 
> perform?
>
> > > (an aside: with cache!=none we're bouncing in the kernel as well; we 
> > > really need to make it work for cache=none, perhaps use O_DIRECT for 
> > > data and writeback for metadata and shared backing images).
> >
> > QED achieves zero-copy with cache=none today.  In fact, our 
> > performance testing that we'll publish RSN is exclusively with 
> > cache=none.
>
> In this case, preallocation should really be cheap, since there isn't 
> a ton of dirty data that needs to be flushed.  You issue an extra 
> flush once in a while so your truncate (or physical image size in the 
> header) gets to disk, but that doesn't block new writes.
>
> It makes qed/lvm work, and it replaces the need to fsck for the next 
> allocation with the need for a background scrubber to reclaim storage 
> (you need that anyway for UNMAP).  It makes the whole thing a lot more 
> attractive IMO.

For a 1PB disk image with qcow2, the reference count table is 128GB.  
For a 1TB image, the reference count table is 128MB.   For a 128GB 
image, the reference table is 16MB which is why we get away with it today.

Anytime you grow the freelist with qcow2, you have to write a brand new 
freelist table and update the metadata synchronously to point to a new 
version of it.  That means for a 1TB image, you're potentially writing 
out 128MB of data just to allocate a new cluster.

s/freelist/refcount table/ to translate to current qcow2 nomenclature.  
This is certainly not fast.  You can add a bunch of free blocks each 
time you mitigate the growth but I can't of many circumstances where a 
128MB write isn't going to be noticeable.  And it only gets worse as 
time moves on because 1TB disk images are already in use today.

NB, with a 64-bit refcount table, the size of the refcount table is 
almost exactly the same size as the L1/L2 table in QED.  IOW, the cost 
of transversing the refcount table to allocate a cluster is exactly the 
cost of transversing all of the L1/L2 metadata to build a freelist.  
IOW, you're doing the equivalent of an fsck everytime you open a qcow2 
file today.

It's very easy to neglect the details in something like qcow2.  We've 
been talking like the refcount table is basically free to read and write 
but it's absolutely not.  With large disk images, you're caching an 
awful lot of metadata to read the refcount table in fully.

If you reduce the reference count table to exactly two bits, you can 
store that within the L1/L2 metadata since we have an extra 12 bits 
worth of storage space.  Since you need the L1/L2 metadata anyway, we 
might as well just use that space as the authoritative source of the 
free list information.

The only difference between qcow2 and qed is that since we use an 
on-demand table for L1/L2, our free list may be non-contiguous.  Since 
we store virtual -> physical instead of physical->virtual, you have to 
do a full transversal with QED whereas with qcow2 you may get lucky.  
However, the fact that the reference count table is contiguous in qcow2 
is a design flaw IMHO because it makes growth extremely painful with 
large images to the point where I'll claim that qcow2 is probably 
unusable by design with > 1TB disk images.

We can optimize qed by having a contiguous freelist mapping 
physical->virtual (that's just a bitmap, and therefore considerably 
smaller) but making the freelist not authoritative.  That makes it much 
faster because we don't add another sync and let's us fallback to the 
L1/L2 table for authoritative information if we had an unclean shutdown.

It's a good compromise for performance and it validates the qed 
philosophy.  By starting with a correct and performant approach that 
scales to large disk images, we can add features (like unmap) without 
sacrificing either.

Regards,

Anthony Liguori

> > > > Yes, you'll want to have that regardless.  But adding new things to 
> > > > qcow2 has all the problems of introducing a new image format.
> > >
> > > Just some of them.  On mount, rewrite the image format as qcow3.  On 
> > > clean shutdown, write it back to qcow2.  So now there's no risk of 
> > > data corruption (but there is reduced usability).
> >
> > It means on unclean shutdown, you can't move images to older 
> > versions.  That means a management tool can't rely on the mobility of 
> > images which means it's a new format for all practical purposes.
> >
> > QED started it's life as qcow3.  You start with qcow3, remove the 
> > features that are poorly thought out and make correctness hard, add 
> > some future proofing, and you're left with QED.
> >
> > We're fully backwards compatible with qcow2 (by virtue that qcow2 is 
> > still in tree) but new images require new versions of QEMU.  That 
> > said, we have a conversion tool to convert new images to the old 
> > format if mobility is truly required.
> >
> > So it's the same story that you're telling above from an end-user 
> > perspective.
>
> It's not exactly the same story (you can enable it selectively, or you 
> can run fsck before moving) but I agree it isn't a good thing.
>
> > > > > > They are once you copy the image.  And power loss is the same 
> > > > > > thing as unexpected exit because you're not simply talking about 
> > > > > > delaying a sync, you're talking staging future I/O operations 
> > > > > > purely within QEMU.
> > > > >
> > > > > qed is susceptible to the same problem.  If you have a 100MB write 
> > > > > and qemu exits before it updates L2s, then those 100MB are 
> > > > > leaked.  You could alleviate the problem by writing L2 at 
> > > > > intermediate points, but even then, a power loss can leak those 
> > > > > 100MB.
> > > > >
> > > > > qed trades off the freelist for the file size (anything beyond the 
> > > > > file size is free), it doesn't eliminate it completely.  So you 
> > > > > still have some of its problems, but you don't get its benefits.
> > > >
> > > > I think you've just established that qcow2 and qed both require an 
> > > > fsck.  I don't disagree :-)
> > >
> > > There's a difference between a background scrubber and a foreground 
> > > fsck.
> >
> > The difference between qcow2 and qed is that qed relies on the file 
> > size and qcow2 uses a bitmap.
> >
> > The bitmap grows synchronously whereas in qed, we're not relying on 
> > synchronous file growth.  If we did, there would be no need for an fsck.
> >
> > If you attempt to grow the refcount table in qcow2 without doing a 
> > sync(), then you're going to have to have an fsync to avoid corruption.
> >
> > qcow2 doesn't have an advantage, it's just not trying to be as 
> > sophisticated as qed is.
>
> The difference is between preallocation and leaking, on one hand, and 
> uncommitted allocation and later rebuilds, on the other.  It isn't a 
> difference between formats, but between implementations.