Advances in file systems combine partitioning technology with journaling technology to raise the bar in file system availability and data consistency without compromising real-time responsiveness. A new type of partitioning and journaling file system provides security and quality-of-service guarantees by assigning resources, such as disk blocks and block cache space, to specific applications.

Journaling file systems ensure data consistency across sudden power failures by writing file system changes first to a replayable journal log and only then to their actual location on a persistent storage device. More advanced journaling file systems collect both file data and file system metadata in the journal and commit each update to the disk atomically.

File systems that employ both modern partitioning and complete journaling are ideal for systems such as avionics, automotive, secure systems, and medical devices, where fast and reliable startup, robustness, and isolation of critical applications are required.
The need for consistency and availability

Many embedded systems rely on information stored in files and on the organization provided by a file structure. They need file data to be both correct and available when they need it.

In a common run-time environment, the data in these files changes, and some files are moved, copied or deleted, as part of a healthy dynamic system. The file system is responsible for updating each file, and the information about the file, whenever a change that affects that file is made. This keeps the data available for use by the rest of the embedded system as permitted.

When this data is lost or damaged, the system falls into an inconsistent state. It can be difficult to diagnose where the inconsistency first occurred, and what area to quarantine, once the system tumbles into a chain of failures as it continues to run. Incorrect file sizes or permissions can lead to incorrect overwrites of other file system information or of the content in the files themselves. The rest of the system will not be able to access the information it needs without correct file data.

Inconsistency is particularly apparent in deployed systems that encounter power dips or failures, or in other types of systems that can be abruptly shut down. Loss of file data availability often causes delays in the rest of the system. To preserve critical functionality, dynamic file systems require the ability to maintain file system integrity and availability in the event of a system crash or power loss.

In many embedded systems, data security is also very important. A file system that can be made inconsistent by a system failure could end up linking a file that has no access restrictions to blocks holding data with highly restricted access. Such a failure may never be detected and may not cause other system failures, but it would still provide unrestricted access to sensitive data, a significant security breach.
An atomic update is one that takes effect all at once, regardless of the complexity of the series of transactions that make up the change. Atomic updates ensure that, regardless of failure, the system will be consistent, because either all of the change will be made or none of it will.

Basic file systems use a sequential, non-atomic update process in which a specific sequence of operations is necessary to modify a file or its attributes. For example, in response to a request to append data to a file, the file system would typically do the following:

1. Clear a bit in the free block bitmask so as to allocate a block

2. Modify the file's inode (such as that used in many UNIX operating systems) block by changing the size and modification time, and by storing a pointer to the newly allocated block

3. Zero and then write the appended data into the newly allocated block

A sudden power failure between steps 1 and 2 results in a leaked block: the block is marked allocated but no file references it, so its storage is lost until a repair program reclaims it. A sudden power failure between steps 2 and 3 results in the appending of incorrect data, most likely the contents of the last file to use that block, which could be security-sensitive data that the appending application was never permitted to read.

Because the changes to disk are made sequentially instead of atomically, after the system is restarted the boot sequence would need to run a file system consistency checking program that is knowledgeable about the structure of a correct file system, such as fsck or chkdsk, to try to recover consistency.

This program would scan the disk and repair the file system and then continue booting the system. Eliminating the need to run a file system repair program increases the availability of the system. Ideally, the file system would be completely consistent with minimal delay after the system is restarted.
Improved file system consistency through journaling

Some file systems implement a “journal” to address the problem of a sudden power failure interrupting the sequence of operations required for an update. A journal is a separate log of the sequential transactions that need to be committed to storage in order to complete a file system operation correctly.

The purpose of the journal is to guarantee that each set of transactions associated with a change is committed atomically. In the case of a system crash, the atomic transactional journal gives the file system a way either to finish the operations it had begun before the restart, or to undo those changes and restore the file system to the state it was in before the interrupted operation started.

Journaling also maintains system availability because the system no longer needs to run consistency check programs upon restart. After a crash, the system behaves predictably: transactions that were fully committed to the journal are replayed to disk atomically, partially logged ones are discarded, and only then is the file system made available to applications, consequently preserving file system consistency.
Full journaling versus metadata-only journaling

In a simple file system, file system metadata is used to store various attributes about each file and each directory. The metadata for a single file commonly stores critical information about that file, such as its size, owner, location within the storage device, modification timestamps, and user access information or mode.

Hierarchical layers of metadata are commonly used for describing complex file systems. A directory entry in many operating systems is an example of how metadata can be hierarchical: it describes the files it contains by name and also references other metadata (the file metadata of the files it contains, for example). Metadata is in essence the internal, complex bookkeeping that describes the content in the file system. Problems in file system metadata can make the file system unusable or, at a minimum, cause it to become unreliable.

File data is used to store file content, such as text or graphics. File data is arguably the most critical part of the file system, as it is the information that is actively used by the rest of the system for execution. File data preservation is often overlooked in file system design, and the result is a less reliable system.

Many journaling file systems, with the goal of reducing journaling-related overhead, journal file system metadata but not data. In the previous example of the sequential append operation, a power failure between steps 2 and 3, the modification of the file's inode and the data append, would still result in incorrect appended data, possibly creating garbage files and security breaches, because the committed metadata now points at a block whose contents were never journaled. (Some metadata-only designs narrow this window by forcing the data write to complete before the metadata transaction commits, but the data itself is still not journaled and cannot be replayed.) File systems that employ only metadata journaling can lead to direct data loss and inconsistency of content. File system inconsistency can jeopardize the functionality of the entire system by destroying the integrity of the data.

Fortunately, new technology created by Green Hills Software has shown that full journaling of both file system metadata and data can be accomplished with minimal performance overhead. In the sequential append example, a power loss between steps 2 and 3 would result in the reconstruction of a consistent system upon restart.
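To make the three-step append, its two crash windows, and the difference between metadata-only and full journaling concrete, here is an added example. It is not part of the original article and is not Green Hills code: a toy disk with a free-block bitmask, one inode and eight data blocks, a power failure injected at each point in the sequence, and an fsck-style check of what is left. The block layout, the leftover bytes in block 3, and every name in it are constructed for the example.

```python
"""Crash-injection model of the three-step append (constructed example)."""
from dataclasses import dataclass, field

BLOCKS = 8
OTHER_FILES = {0, 1, 2}          # blocks already owned by other files
STALE = b"RESTRICTED-PAYROLL"    # leftover content a freed block still holds
NEW = b"NEW"                     # the bytes the application asked to append

class Crash(Exception):
    """Raised at an injected power-failure point."""

@dataclass
class Disk:
    free: list                                   # True = bit set = block free
    size: int = 0                                # inode: file size in blocks
    ptrs: list = field(default_factory=list)     # inode: block pointers
    data: list = field(default_factory=lambda: [b""] * BLOCKS)
    journal: list = field(default_factory=list)  # log records; ("commit",) last

def fresh_disk() -> Disk:
    d = Disk(free=[b not in OTHER_FILES for b in range(BLOCKS)])
    d.data[3] = STALE                 # block 3 is free but was never scrubbed
    return d

def apply_records(d: Disk) -> None:
    """Checkpoint: copy journaled changes to their real locations, then truncate."""
    for rec in d.journal:
        if rec[0] == "meta":          # steps 1 and 2 as one logged change
            d.free[rec[1]] = False
            d.size += 1
            d.ptrs.append(rec[1])
        elif rec[0] == "data":        # step 3
            d.data[rec[1]] = rec[2]
    d.journal.clear()

def recover(d: Disk) -> None:
    """Boot-time replay: a journal that ends in a commit record is applied as a
    unit; anything else is an unfinished transaction and is thrown away."""
    if d.journal and d.journal[-1] == ("commit",):
        apply_records(d)
    else:
        d.journal.clear()

def append_nonatomic(d: Disk, crash_after=None) -> None:
    """Steps 1-3 written straight to disk; crash_after=1|2 injects a failure."""
    blk = d.free.index(True)
    d.free[blk] = False               # 1. clear the free bit
    if crash_after == 1:
        raise Crash
    d.size += 1
    d.ptrs.append(blk)                # 2. update inode size and pointer
    if crash_after == 2:
        raise Crash
    d.data[blk] = NEW                 # 3. zero and write the data

def append_meta_journal(d: Disk, crash_after=None) -> None:
    """Metadata-only journaling: steps 1-2 logged and committed, step 3 written
    in place and never logged."""
    blk = d.free.index(True)
    d.journal = [("meta", blk), ("commit",)]
    if crash_after == "commit":
        raise Crash                   # committed, but data never reached disk
    d.data[blk] = NEW
    apply_records(d)

def append_full_journal(d: Disk, crash_after=None) -> None:
    """Full journaling: data and metadata logged, then one commit record."""
    blk = d.free.index(True)
    d.journal = [("meta", blk), ("data", blk, NEW)]
    if crash_after == "precommit":
        raise Crash                   # no commit record: recovery discards it
    d.journal.append(("commit",))
    if crash_after == "commit":
        raise Crash                   # commit record present: recovery replays
    apply_records(d)

def check(d: Disk) -> dict:
    """fsck-style view: blocks allocated but unreferenced, and what the file's
    newest block reads back as."""
    referenced = OTHER_FILES | set(d.ptrs)
    leaked = [b for b in range(BLOCKS) if not d.free[b] and b not in referenced]
    tail = d.data[d.ptrs[-1]] if d.ptrs else None
    return {"size": d.size, "leaked": leaked, "tail": tail}

def run(kind: str, crash_after=None) -> dict:
    """Append on a fresh disk, crash if asked, recover, and inspect."""
    d = fresh_disk()
    fn = {"nonatomic": append_nonatomic, "meta": append_meta_journal,
          "full": append_full_journal}[kind]
    try:
        fn(d, crash_after)
    except Crash:
        recover(d)                    # the boot sequence's only repair step
    return check(d)

if __name__ == "__main__":
    for case in [("nonatomic", 1), ("nonatomic", 2), ("meta", "commit"),
                 ("full", "precommit"), ("full", "commit"), ("full", None)]:
        print(case, run(*case))
```

Running it shows the non-atomic append leaking block 3 after a crash at step 1 and exposing the stale restricted bytes after a crash at step 2; the metadata-only journal reproduces that second exposure, because replaying the committed inode change points the file at a block whose data was never logged; the full journal either discards the whole append (no commit record) or replays both the pointer and the bytes. The model treats the commit record itself as atomic; a real journal adds sequence numbers and a checksum to the commit record so that a torn write of that record is detected rather than replayed.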
The many uses of partitioning
Advances in partitioning techniques enable new quality of service guarantees at the file system level by protecting access to resources. Applications depend on vital but finite resources such as storage, memory and processing power to function correctly. As with any finite resource, the supply can be exhausted, resulting in a denial of service for applications that require the use of these resources.

A denial of service caused by an errant or malicious application could exhaust the storage space that other applications need in order to run, starving them and causing system malfunction. To guarantee availability of these resources, a partitioning technique can be applied.

As shown in the Figure below, partitioning involves dividing resources and assigning applications to those resources. Disks or other storage devices can be divided into volumes, each with a fixed allocation of blocks. Partitioning a device into several volumes contains damage: a fault in one volume cannot corrupt the blocks belonging to another. Any application that has access to a volume has an intrinsic limit on how much overall storage space it can use. This limit protects against denial of service attacks on storage space.

Figure: Partitioned access from application to blocks protects file system data

A set of applications can be grouped into a “partition” in order to enforce high level access controls. Inclusion in a partition determines which volumes are accessible and with which kinds of operations. For instance, with the new Green Hills Software file system implementation, a partitioning file system server can be configured so that certain application clients have read access and others have both read and write access to specific volumes.

A robust system infrastructure can facilitate this protection by using the file system server to guard client access, so that the check is made once, by the server, on every request, rather than being left to each application. Many modern file systems run within partitions on hard drives, but the delegation of access to partitions is more complex and error-prone in the operating systems that use these file systems.

In addition to applications, the journal itself needs to be protected from unauthorized access and errant references. Partitions can be applied to journals to restrict outside access to the blocks used to store journal contents.

The ability to protect the journals using partitioning techniques greatly increases system reliability by preventing erroneous alteration of both the file system data and metadata. Unauthorized access to partitioned volumes, including the volume containing the journal, is strictly denied by the file system. Such elevated levels of access control contribute to an increased level of system security.
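As an added example, not from the article and not the Green Hills server, the following toy file system server enforces the two controls this section describes: a fixed block budget per volume, and partition membership that decides which clients may read or write which volumes, with the journal kept on a volume that no client partition names. The volume names, block counts, client names and the runaway-logger scenario are all constructed.

```python
"""Toy partitioning file system server (constructed example)."""
from dataclasses import dataclass, field


class AccessDenied(PermissionError):
    """Client is not in a partition that grants this operation on this volume."""


class VolumeFull(OSError):
    """The volume's fixed block allocation is exhausted."""


@dataclass
class Volume:
    name: str
    capacity: int                                 # fixed allocation of blocks
    used: int = 0
    files: dict = field(default_factory=dict)     # file name -> blocks held


@dataclass
class Partition:
    name: str
    rights: dict                                  # volume name -> {"read", "write"}
    clients: set                                  # application clients in it


class FsServer:
    """Every block access goes through here, so the check is made once, on every
    request, instead of being left to each application."""

    def __init__(self, volumes, partitions):
        self.volumes = {v.name: v for v in volumes}
        self.partitions = list(partitions)

    def _authorize(self, client: str, volume: str, op: str) -> Volume:
        for p in self.partitions:
            if client in p.clients and op in p.rights.get(volume, ()):
                return self.volumes[volume]
        raise AccessDenied(f"{client}: {op} on {volume}")

    def write(self, client: str, volume: str, name: str, blocks: int) -> None:
        vol = self._authorize(client, volume, "write")
        if vol.used + blocks > vol.capacity:          # quota is per volume
            raise VolumeFull(f"{volume}: {vol.used}+{blocks} > {vol.capacity}")
        vol.used += blocks
        vol.files[name] = vol.files.get(name, 0) + blocks

    def read(self, client: str, volume: str, name: str) -> int:
        vol = self._authorize(client, volume, "read")
        return vol.files[name]


def demo() -> dict:
    """Constructed scenario: a control app on its own volume, a logger and a
    maintenance client sharing a log volume, and a journal volume that no
    partition names."""
    srv = FsServer(
        volumes=[Volume("ctrl", 100), Volume("logs", 50), Volume("journal", 20)],
        partitions=[
            Partition("control", {"ctrl": {"read", "write"}}, {"flight_ctrl"}),
            Partition("telemetry", {"logs": {"read", "write"}, "ctrl": {"read"}},
                      {"logger", "maint"}),
        ],
    )
    out = {}
    srv.write("flight_ctrl", "ctrl", "params.bin", 10)
    written = 0                         # runaway logger: writes until stopped
    try:
        while True:
            srv.write("logger", "logs", "trace.log", 8)
            written += 8
    except VolumeFull:
        out["logger_blocks"] = written  # capped by the logs volume, not the disk
    ctrl = srv.volumes["ctrl"]
    out["ctrl_free"] = ctrl.capacity - ctrl.used   # untouched by the logger
    try:
        srv.write("maint", "ctrl", "params.bin", 1)
    except AccessDenied:
        out["maint_write_ctrl"] = "denied"       # read-only partition member
    out["maint_read_ctrl"] = srv.read("maint", "ctrl", "params.bin")
    try:
        srv.read("logger", "journal", "log")
    except AccessDenied:
        out["journal"] = "denied"                # journal volume is unreachable
    try:
        srv.write("flight_ctrl", "logs", "x", 1)
    except AccessDenied:
        out["ctrl_write_logs"] = "denied"
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the scenario is where the limit bites: the logger can fill its own 50-block volume and no further, the control application's volume still has 90 free blocks, the read-only maintenance client can read but not write the control volume, and no client can reach the journal volume at all, because authorization is by partition membership and no partition lists it.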
New scalability brings new possibilities to resource-constrained systems

Journaling has historically been used mostly for server-class workstations, due to the complexity and size it brings to a file system and application. Embedded devices could not take advantage of the benefits of journaling because they typically cannot allocate large amounts of memory to file systems. Some embedded devices are required to undergo in-depth analysis before deployment, which would not be feasible if large, complex file systems were included.

However, recent implementations reduce size and complexity considerably, allowing this functionality to be used in a more constrained embedded environment. Some embedded versions have a footprint as small as 35 kilobytes and are implemented using less than 2% of the number of lines of code used for most existing file systems with comparable features. The reduced complexity allows a system using a partitioning and journaling file system to be certified to the highest levels of assurance standards, such as the DO-178B safety standard in avionics.

The benefits of increased reliability, availability, security and scalability make partitioning and journaling file systems indispensable for a variety of industry applications, including:

* Security-critical applications, such as those used in financial systems and those with a MILS (Multiple Independent Levels of Security) requirement.

* Safety-critical applications, such as those used in avionics, industrial automation, or medical devices.

* Resource-constrained applications, such as those used for low-power or memory-limited consumer devices.

* Remote applications where failures are commonly unrecoverable, such as applications used in aerospace.

* Any application with Quality of Service concerns.
The concepts of journaling and partitioning are not new to file systems, but they have recently been expanded with additional functionality that enables system designers to meet new levels of reliability, availability, and security in their systems. Journaling improves reliability and availability by logging transactions that can be committed atomically to disk.

The underlying concepts of journaling have been extended to include file system data as well as file system metadata, across multiple devices and applications, ensuring greater consistency and integrity in complex systems.

Partitioning guarantees the availability of file system resources to the applications to which they are assigned. Similarly, it provides security guarantees for applications by protecting disk volumes from unauthorized access. The reduced memory requirements and efficient design of new partitioning and journaling file systems allow them to be used effectively in resource-constrained systems.

Michele Mixter is product manager at Green Hills Software, Inc.