Re: [Question] why not flush device cache at _vg_commit_raw

[Demi Marie Obenour <demi@invisiblethingslab.com>]

[-- Attachment #1: Type: text/plain, Size: 2292 bytes --]

On Mon, Jan 22, 2024 at 03:52:57PM +0100, Zdenek Kabelac wrote:
> Dne 22. 01. 24 v 14:46 Anthony Iliopoulos napsal(a):
> > On Mon, Jan 22, 2024 at 01:48:41PM +0100, Zdenek Kabelac wrote:
> > > Dne 22. 01. 24 v 12:22 Su Yue napsal(a):
> > > > Hi lvm folks,
> > > >     Recently We received a report about the device cache issue after vgchange —deltag.
> > > > What confuses me is that lvm never calls fsync on block devices even at the end of commit phase.
> > > > 
> > > > IIRC, it’s common operations for userspace tools to call fsync/O_SYNC/O_DSYNC while writing
> > > > critical data. Yes, lvm2 opens devices with O_DIRECT if they support , but O_DIRECT doesn't
> > > > provide data was persistent to storage when write returns. The data can still be in the device cache,
> > > > If power failure happens in the timing, such critical metadata/data like vg metadata could be lost.
> > > > 
> > > > Is there any particular reason not to flush data cache at VG commit time?
> > > > 
> > > 
> > > Hi
> > > 
> > > It seems the call to 'dev_flush()' function got somehow lost over the time
> > > of conversion to async aio usage - I'll investigate.
> > > 
> > > On the other hand the chance here of losing any data this way would be
> > > really really very specific to some oddly behaving device.
> > 
> > There's no guarantee that data will be persisted to storage without
> > explicitly flushing the device data cache. Those are usually volatile
> > write-back caches, so the data aren't really protected against power
> > loss without fsyncing the blockdev.
> 
> At technical level modern storage devices 'should' have enough energy held
> internally to be able to flush out all the caches in emergency cases to the
> persistent storage. So unless we deal with some 'virtual' storage that may
> fake various responses to IO handling - this should not be causing major
> troubles.

This is only true for enterprise storage with power loss protection.
The vast majority of Qubes OS users use LVM with consumer storage, which
does not have power loss protection.  If this is unsafe, then Qubes OS
should switch to a different storage pool that flushes drive caches as
needed.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]