Who says the only ones who would ever use or consider using thin would
be sysadmins.?

Monitoring Linux is troublesome enough for most people and it really is
a "job".

You seem to be intent on making the job harder rather than easy so you
can be a type of person that has this expert knowledge while others
don't?

I remember a reason to crack down on sysadmins was that they didn't know
how to use "vi" - if you can't use fucking vi, you're not a sysadmin.
This actually is a bloated version of what a system administrator is or
could at all times be expected to do, because you are ensuring that
problems are going to surface one way or another when this sysadmin is
suddenly no longer capable of being this perfect guy at 100% of times.

You are basically ensuring disaster by having that attitude.

That guy that can battle against all odds and still prevail ;-).

More to the point.

No one is getting cuddled because Linux is hard enough and it is usually
the users who are getting cuddled; strangely enough the attitude exists
that the average desktop user never needs to look under the hood. If
something is ugly, who cares, the "average user" doesn't go there.

The average user is oblivious to all system internals.

The system administrator knows everything and can launch a space rocket
with nothing more than matches and some gallons of rocket fuel.

;-).


The autoextend mechanism is designed to prevent calamity when the
filesystem(s) grow to full size. By your reasoning , it should not exist
because it cuddles admins.

A real admin would extend manually.

A real admin would specify the right size in advance.

A real admin would use thin pools of thin pools that expand beyond your
wildest dreams :p.

But on a more serious note, if there is no chance a file system will
grow to full size, then it doesn't need to be that big.

But there are more use cases for thin than hosting VMs for clients.

Also I believe thin pools have a use for desktop systems as well, when
you see that the only alternative really is btrfs and some distros are
going with it full-time. Btrfs also has thin provisioning in a sense but
on a different layer, which is why I don't like it.

Thin pools from my perspective are the only valid snapshotting mechanism
if you don't use btrfs or zfs or something of the kind.

Even a simple desktop monitor, some applet with configured thin pool
data, would of course alleviate a lot of the problems for a "casual
desktop user". If you remotely administer your system with VNC or the
like, that's the same. So I am saying there is no single use case for
thin, and.

Your response mr. patton falls along the lines of "I only want this to
be used by my kind of people".

"Don't turn it into something everyone or anyone can use".

"Please let it be something special and nichie".

You can read coddle in place of cuddle.



It seems to me pretty clear to me that a system that *requires* manual
intervention and monitoring at all times is not a good system,
particularly if the feedback on its current state cannot be retrieved
from, or is usable by, other existing systems that guard against more or
less the same type of things.

Besides, if your arguments here were valid, then
https://bugzilla.redhat.com/show_bug.cgi?id=1189215 would never have
existed.
Alright thanks. But those blocks are manually reserved for a specific
user.

That's what they are for. It is for -u. These blocks are still available
to the filesystem.

You could call it calamity prevention as well. There will always be a
certain amount of space for say the root user.

and by the same measure you can also say the tmpfs overflow mechanism
for /tmp is not required either because a real admin would not see his
rootfs go out of diskspace.

Stuff happens. You ensure you are prepared when it does. Not stick your
head in the sand and claim that real gurus never encounter those
situations.

The real question you should be asking is if it increases the monitoring
aspect (enhances it) if thin pool data is seen through the lens of the
filesystems as well.

Or whether that is going to be a detriment.

Regards.



Erratum:

https://utcc.utoronto.ca/~cks/space/blog/tech/SocialProblemsMatter

There is a widespread attitude among computer people that it is a great
pity that their beautiful solutions to difficult technical challenges
are being prevented from working merely by some pesky social issues
[read: human flaws], and that the problem is solved once the technical
work is done. This attitude misses the point, especially in system
administration: broadly speaking, the technical challenges are the easy
problems.

No technical system is good if people can't use it or if it makes
people's lives harder (my words). One good example of course is Git. The
typical attitude you get is that a real programmer has all the skills of
a git guru. Yet git is a git. Git is an asshole system.

Beside the point here perhaps. But. Let's drop the "real sysadmin"
ideology. We are humans. We like things to work for us. "Too easy" is
not a valid criticism for not having something.

Continuing from previous mail I guess. But I realized something.
Well of course what you describe here are increasingly complex
strategies
that require development and should not be put on invidual
administrators
(or even organisations) to devise and come up with.

Growing filesystems? If you have a platform where continous thin pool
growth is possible (and we are talking of well developed, complex setups
here) then maybe you have in-house tools to take care of all of that.

So you suggest a strategy here that involves both intelligent automatic
administration of the FS layer as well as the block layer.

A concerted strategy where for example you do have a defined thin volume
size but you constrain your FS artificially AND depend its intelligence
on
knowledge of your thin pool size. And then you have created an
intelligence where the "filesystem agent" can request growth, and
perhaps
the "block level agent" may grant or deny it such that FS growth is
staged
and given hard limits at every point. And then you have the same
functionality as what I described other than that it is more sanely
constructed at intervals.

No continuous updating, but staged growth intervals or moments.
So in the end monitoring is important but because you use a thin pool
there are like 3 classes of situations that change:

* Filesystems will generally have more leeway because you are /able/ to
provide them with more (virtual) space to begin with, in the assumption
that you won't readily need it, but it's normally going to be there when
it does.

* Hard limits in the filesystem itself is still a use case that has no
good solution; most applications will start crashing or behaving weirdly
when out of diskspace. Freezing a filesystem (when it is not a system
disk) might be equally well of a good mitigation strategy as anything
that
involves "oh no, I am out of diskspace and now I am going to ensure
endless trouble as processes keep trying to write to that empty space -
that nonexistent space". If anything I don't think most systems
gracefully
recover from that.

Creating temporary filesystems for important parts is not all that bad.

* Thin volumes do allow you to make better use of the available space
(as
per btrfs, I guess) and give many advantages in moving data around.

The only detriment really to thin for a desktop power user, so to speak
is:

1. Unless you monitor it directly in some way, the lack of information
is
going to make you feel rather annoyed and insecure

2. Normally user tools do inform you of system status (a user-run "ls"
or
"df" is enough) but you cannot have lvs information unless run as root.

The system-config-lvm tool just runs as setuid. I can add volumes
without
authenticating as root.

Regular command line tools are not accessible to the user.


So what I have been suggesting obviously seeks to address point 2. I am
more than willing to address point 1 by developing something, but I'm
not
sure I will ever be able to develop again in this bleak sense of decay I
am experiencing life to be currently ;-).

Anyhow, it would never fully satisfy for me.

Even with a perfect LVM monitoring tool, I would experience a consistent
lack of feedback.

Just a simple example: I can adjust "df" to do different stuff. But any
program reporting free diskspace is going to "lie" to me in that sense.
So
yes I've chosen to use thin LVM because it is the best solution for me
right now.

At the same time indeed, I lack information and this information cannot
be
sourced directly from the block layer because that's not how computer
software works. Computer software doesn't interface with the block
layer.
They interface with filesystems and report information from there.

Technically I consider autoextend not that great of a solution either.

It begs the question: why did you not start out with a larger volume in
the first place? You going to keep adding disks as the thing grows?

I mean, I don't know. If I'm some VPS user and I'm running on a
thinly-provisioned host. Maybe it's nice to be oblivious. But unless my
host has a perfect failsafe setup, the only time I am going to be
notified
of failure is if my volume (that I don't know about) drops or freezes.

Would I personally like having a tool that would show at some point
something going wrong at the lower level? I think I would.

An overprovisioned system with individual volumes that individually
cannot
reach their max size is a bad system.

That they can't do it all at the same time is not that much of a
problem.
That is not very important.

Yet considering a different situation -- suppose this is a host with few
clients but high data requirements. Suppose there are only 4 thin
volumes.
And suppose every thin volume is going to be something of 2TB or make it
anything as large as you want.

(I just have 50GB on my vps). Suppose you had a 6TB disk and you
provisioned it for 4 clients x 2TB. Economies of scale only start to
really show their benefit with much higher number of clients. With 200
clients the "averaging" starts to work in your favour giving you a
dependable system that is not going to suddenly do something weird.

But with smaller numbers you do run into the risk of something going
amiss.

The only reason lack of feedback would not be important for your clients
is if you had a large enough pool, and individual volumes would be just
a
small part of that pool, say 50-100 volumes per pool.

So I guess I'm suggesting there may be a use case for thin LVM in which
you do not have this >10 number of volumes sitting in any pool.

And at that point personally even if I'm the client of that system, I do
want to be informed.

And I would prefer to be informed *through* the pipe that already
exists.

Thin pools lie. Yes. But it's not a lie of the space is available. It's
only a lie if the space is no longer available!!!!!!!.

It is not designed to lie.

Let me just write down some thoughts here.

First of all you say that fundamental OS design is about higher layers
trusting lower layers and that certain types of communications should then
always be one way.

In this case it is about block layer vs. file system layer.

But you make certain assumptions about the nature of a block device to
begin with.

A block device is defined by its acess method (ie. data organized in
blocks) rather than its contigiousness or having an unchanging, "single
block" address or access space. I know this goes pretty far but it is the
truth.

In theory there is nothing against a hypothetical block device offering
ranges of blocks to a higher level (that might never change) or to be
dynamically notified of changes to that address pool.

To a process virtual memory is a space that is transparent to it whether
that space is constructed of paged memory (swap file) or not. At the same
time it is not impossible to imagine that an IO scheduler for swap would
take heed of values given by applications, such as using nice or ionice
values. That would be one way communication though.

In general a higher level should be oblivious to what kind of lower level
layer it is running on, you are right. Yet if all lower levels exhibit the
same kind of features, this point becomes moot, because at that point the
higher level will not be able to know, once more, precisely what kind of
layer it is running on, although it would have more information.

So just theoretically speaking the only thing that is required to be
consistent is the API or whatever interface you design for it.

I think there are many cases where some software can run on some libraries
but not on others because those other libraries do not offer the full
feature set of whatever standard is being defined there. An example is
DLNA/UPNP, these are not layers but the standard is ill-defined and the
device you are communicating with might not support the full set.

Perhaps these are detrimental issues but there are plenty of cases where
one type of "lower level" will suffice but another won't, think maybe of
graphics drivers. Across the layer boundary, communication is two-way
anyway. The block device *does* supply endless streams of data to the
higher layer. The only thing that would change is that you would no longer
have this "always one contigious block of blocks" but something that is
slightly more volatile.

When you "mkfs" the tool reads the size of the block device. Perhaps
subsequently the filessytem is unaware and depends on fixed values.

The feature I described (use case) would allow the set of blocks that is
available, to dynamically change. You are right that this would apparently
be a big departure from the current model.

So I'm not saying it is easy, perfect, or well understood. I'm just saying
I like the idea.

I don't know what other applications it might have but it depends entirely
on correct "discard" behaviour from the filesystem.

The filesystem should be unaware of its underlying device but discard is
never required for rotating disks as far as I can tell. This is an option
that assumes knowledge of the underlying device. From discard we can
basically infer that either we are dealing with a flash device or
something that has some smartness about what blocks it retains and what
not (think cache).

So in general this is already a change that reflects changing conditions
of block devices in general or its availability. And its characteristic
behaviour or demands from filesystems.

These are block devices that want more information to operate (well).

Coincidentally, discard also favours or enhances (possibly) lvmcache.

So it's not about doing something wildly strange here, it's about offering
a feature set that a filesystem may or may not use, or a block device may
or may not offer.

Contrary to what you say, there is nothing inherently bad about the idea.
The OS design principle violation you speak of is principle, not practical
reality. It's not that it can't be done. It's that you don't want it to
happen because it violates your principles. It's not that it wouldn't
work. It's that you don't like it to work because it violates your
principles.

At the same time I object to the notion of the system administrator being
this theoretical vastly differing role/person than the user/client.

We have no in-betweens on Linux. For fun you should do a search of your
filesystem with find -xdev based on the contents of /etc/passwd or
/etc/group. You will find that 99% of files are owned by root and the only
ones that aren't are usually user files in the home directory or specific
services in /var/lib.

Here is a script that would do it for groups:

cat /etc/group | cut -d: -f1 | while read g; do printf "%-15s %6d" $g
`find / -xdev -type f -group $g | wc -l`; done

Probably. I can't run it here it might crash my system (live dvd).

Of about 170k files on an OpenSUSE system, 15 were group writable, mostly
due to my own interference probably. Of 170197 files (no xdev) 168161 were
owned by root.

Excluding man and my user, 69 files did not have "root" as the group. Part
of that was again due to my own changes.

At the same time in some debates your are presented with the ludicrous
notion that there is some ideal desktop user who doesn't need to ever see
anything of the internal system. She never opens a shell and certainly
does not come across ethernet device names (for example). The "desktop
user" does not care about the naming of devices from /dev/eth0 to
/sys/class/net/enp3s0.

The desktop user never uses anything other than DHCP, etc. etc. etc.

The desktop user never can configure anything without the help of the
admin, if it is slightly more advanced.

It's that user vs. admin dichotomy that is never true on any desktop
system and I will venture it is not even true on the systems I am a client
of, because you often need to debate stuff with the vendor or ask for
features, offer solutions, etc.

In a store you are a client. There are employees and clients, nothing
else. At the same time I treat these girls as my neighbours because they
work in the block I live in.

You get the idea. Roles can be shifty. A person can use multiple roles at
the same time. He/she can be admin and user simulaneously.

Perhaps you are correct to state that the roles themselves should not be
watered down, that clear delimitations are required.

In your other email you allude to me not ever having done an OS design
course.

Offlist a friendly member suggested strongly I not use personal attacks in
my communications here. But of course this is precisely what you are doing
here, because as a matter of fact I did follow such a course.

I don't remember the book we used because apparently between my house mate
and me we only had one exemplar and he ended up getting it because I was
usually the one borrowing stuff from him.

At the same time university is way beyond my current reach (in living
conditions) so it is just an unwarranted allusion that does not have
anything to do with anything really.

Yes I think it was the dinosaur book:

Operating System Concepts by Silberschatz, Galvin and Gagne

Anyway, irrelevant here.
You do realize you are trying to find ways around the limitation you just
imposed on yourself right?
I don't think thin pools are that risky or should be that risky. They do
incur a management overhead compared to static filesystems because of
adding that second layer you need to monitor. At the same time the burden
of that can be lessened with tools.

As it stands I consider thin LVM the only reasonably way to snapshot a
running system without dedicating specific space to it in advance. I could
expect snaphotting to require stuff to be in the same volume group.
Without LVM thin, snapshotting requires making at least some prior
investment in having a snapshot device ready for you in the same VG,
right?
But btrfs is not without complexity. It uses subvolumes that differ from
distribution to distribution as each makes its own choice. It requires
knowledge of more complicated tools and mechanics to do the simplest (or
most meaningful) of tasks. Working with LVM is easier. I'm not saying LVM
is perfect and....

Using snapshotting as a backup measure is something that seems risky to me
at the first place because it is a "partition table" operation which
really you shouldn't be doing on a consistent basis. So in other to
effectively use it in the first place you require tools that handle the
safeguards for you. Tools that make sure you are not making some command
line mistake. Tools that simply guard against misuse.

Regular users are not fit for being btrfs admins either.

It is going to confuse the hell out of people seeing as that what their
systems run on and if they are introduced to some of the complexity of it.

You say swallow your pride. It has not much to do with pride.

It has to do with ending up in a situation I don't like. That is then
going to "hurt" me for the remainder of my days until I switch back or get
rid of it.

I have seen NOTHING NOTHING NOTHING inspiring about btrfs.

Not having partition tables and sending volumes across space and time to
other systems, is not really my cup of tea.

It is a vendor lock-in system and would result in other technologies being
lesser developed.

I am not alone in this opinion either.

Btrfs feels like a form of illness to me. It is living in a forest with
all deformed trees, instead of something lush and inspiring. If you've
ever played World of Warcraft, the only thing that comes a bit close is
the Felwood area ;-).

But I don't consider it beyond Plaguelands either.

Anyway.

I have felt like btrfs in my life. They have not been the happiest moments
of my life ;-).

I will respond more in another mail, this is getting too long.

Just want to respond to this just to make things clear.
Why would anyone do what you don't want to do. Don't suggest solutions
you don't even want yourself. That goes for all of you (Zdenek mostly).

And it is not second guessing. It is second guessing what it is doing
currently. If you have actual information from the block layer, you
don't NEED to second guess.

Isn't that obvious?
Not necessarily. It could be transparent if these were actual available
features as part of a feature set. The features would individually be
able to be turned on and off, not necessarily calling it "thin".
What Mark suggested is not actually so bad. Preallocating means you have
to communicate in some way to the user that space is going to run out.
My suggestion would have been and still is in that sense to simply do
this by having the filesystem update the amount of free space.
I'm glad you think of solutions.
Again, that is just nonsense. There is not a person alive who wants to
use thin for something that is not overprovisioning, whether it be
snapshots or client sharing.

You are trying to get away with "hey, you chose it! now sucks if we
don't actually listen to you! hahaha."

SUCKER!!!!.

No, the primary use case for thin is overprovisioning.
Block layer doesn't come into play with it.

You are separating "main admin task" and "local admin task".

What I mean is that there are different roles. Even if they are the same
person, they are different tasks.

Someone writing software, his task is to ensure his software keeps
working given failure conditions.

This software writer, even if it is the same person, cannot be expected
to at that point be thinking of LVM block allocation. These are
different things.

You communicate with the layers you communicate with. You don't go
around that.

When you write a system that is supposed to be portable, for instance,
you do not start depending on other features, tools or layers that are
out of reach the moment your system or software is deployed somewhere
else.

Filesystem communication is available to all applications. So any
application designed for a generic purpose of installment is going to be
wanting to depend on filesystem tools, not block layer tools.

You people apparently don't understand layering very well OR you would
never recommend avoiding an intermediate layer (the filesystem) to go
directly to the lower level (the block layer) for ITS admin tools.

I mean are you insane. You (Zdenek mostly) is so much about not mixing
layers but then it is alright to go around them?

A software tool that is meant to be redeployable and should be able to
depend on a minimalist set of existing features in the direct layer it
is interfacing with, but still wants to use whatever is available given
circumstances that dictate that it wouldn't harm its redeployability,
would never choose the acquire and use the more remote and more
uncertain set (such as LVM) when it could also be using directly
available measures (such as free disk space, as a crude measure) that
are available on ANY system provided that yes indeed, there is some
level of sanity to it.

If you ARE deployed on thin and the filesystem cannot know about actual
space then you are left in the dark, you are left blind, and there is
nothing you can do as a systems programmer.
You constantly focus on the admin.

With all of this hotshot and idealist behaviour about layers you are
espousing, you actually advocate going around them completely and using
whatever deepest-layer or most-impact solution that is available (LVM)
in order to troubleshoot issues that should be handled by interfacing
with the actual layer you always have access to.

It is not just about admins. You make this about admins as if they are
solely responsible for the entire system.
A real software engineer doesn't go for the easiest solution or
implementation. I am not approaching this from the perspective of an
admin exclusively. I am also and most and more importantly a software
programmer that wants to use systems that are going to work regardless
of the pecularities of an implementation or system I have to work on ,
and I don't leave it to the admin of said system to do all my tasks.

As a programmer I cannot decide that the admin is going to be a perfect
human being like so you well try to believe in, because that's what you
think you are: you are that amazing admin that never fails taking
account of available disk space.

But that's a moron position.

If I am to write my software, I cannot depend on bigger-scale or
outer-level solutions to always be in place. I cannot offload my
responsibilities to the admin.

You are insisting here that layers (administration layers and tasks) are
mixed and completely destroyed, all in the sense of not doing that to
the software itself?

Really?

Most importantly if I write any system that cannot depend on LVM being
present, then NO THOSE TOOLS ARE NOT AVAILABLE TO ME.

"Why don't you just use LVM?" well fuck off.

I am not that admin. I write his system. I don't do his work.

Yet I still have the responsibility that MY component is going to work
and not give HIM headaches. That's real life for you.

Even if in actually I might be imprisoned with broken feet and arms. I
still care about this and I still do this work in a certain sense.

And yes I utterly care about modularity in software design. I understand
layers much better than you do if you are able or even capable of
suggestion such solutions.

Communication between layers does not necessarily integrate the layers
if those interfaces are well defined and allow for modular "changing" of
the chose solution.

I recognise full well that there is integration and that you do get a
working together. But that is the entire purpose of it. To get the two
things to work together more. But that is the whole gist of having
interfaces and APIs in the first place.

It is for allowing stuff to work together to achieve a higher goal than
they could achieve if they were just on their own.

While recognising where each responbility lies.

BLOCK LAYER <----> BLOCK LAYER ADMIN
FILESYSTEM LAYER <----> FILESYSTEM LAYER ADMIN
APPLICATION LAYER <---> APPLICATON WRITER.

Me, the application writer, cannot be expected to deal with number one,
the block layer.

At the same time I need tools to do my work. I also cannot go to any
random block layer admin my system might get deployed on (who's to say I
will be there?) and beg for him to spend ample amount of time designing
his systems from scratch so that even if my software fails, it won't
hurt anyone.

But without information on available space I might not be able to do
anything.

Then what happens is that I have to design for this uncertainty.

Then what happens is that I (with capital IIIII) start allocating space
in advance as a software developer making applications for systems that
might I don't know, run on banks or whatever. Just saying something.

Yes now this task is left to the software designer making the
application.

Now I have to start allocating buffers to ensure graceful shutdown or
termination, for instance.

I might for instance allocate a block file, and if writes to the
filesystem start to fail or the filesystem becomes read-only, I might
still be in trouble not being able to write to it ;-). So I might start
thinking about kernel modules that I can redeploy with my system that
ensure graceful shutdown or even continued operation. I might decide
that files mounted as loopback are going to stay writable even if the
filesystem they reside on is now readonly. I am going to ensure these
are not sparse blocks and that the entire file is written to and grown
in advance, so that my writes start to look like real block device
writes. Then I'm just going to just patch the filesystem or the VFS to
allow writes to these files even if it comes with a performance hit of
additional checks.

And that hopefully not the entire volume gets frozen by LVM.

But that the kernel or security scripts just remount it ro.

That is then the best way solution for my needs in that circumstance.
Just saying you know.

It's not all exclusively about admins working with LVM directly.
If that is your life I feel sorry for you.

I just do.

Not all of a sudden. From "at work" perspective, LVM thinp as a technology
is relatively recent, and only recently being deployed in more places as we
migrate our systems from RHEL 5 to RHEL 6 to RHEL 7. I didn't consider
thinp an option before RHEL 7, and I didn't consider it stable even in RHEL
7 without significant testing on our part.
was available in a Fedora release. The previous snapshot model was
unusable, and I wished upon a star that a better technology would arrive. I
tried BTRFS and while it did work - it was still marked as experimental, it
did not have the exact same behaviour as EXT4 or XFS from an applications
perspective, and I did encounter some early issues with subvolumes.
Frankly... I was happy to have LVM thinp, and glad that you LVM developers
provided it when you did. It is excellent technology from my perspective.
But, "at home", I was willing to accept some loose edge case behaviour. I
know when I use storage on my server at home, and if it fails, I can accept
the consequences for myself.

"At work", the situation is different. These are critical systems that I am
betting LVM on. As we begin to use it more broadly (after over a year of
success in hosting our JIRA + Confluence instances on local flash using LVM
thinp for much of the application data including PostgreSQL databases). I
am very comfortable with it from a "< 80% capacity" perspective. However,
every so often it passes 80%, and I have to raise the alarm, because I know
that there are edge cases that LVM / DM thinp + XFS don't handle quite so
well. It's never happened in production yet, but I've seen it happen many
times on designer desktops when they are using LVM, and they lock up their
system and require a system reboot to recover from.

I know there are smart people working on Linux, and smart people working on
LVM. Give the opportunity, and the perspective, I think the worst of these
cases are problems that deserve to be addressed, and probably that people
have been working on with or without my contributions to the subject.
Yes. This is exactly the type of solution I was thinking of including
pinning the journal! You used the correct terminology. I can read the terms
but not write them. :-)

You also managed to summarize it in only a few lines of text. As concepts
go, I think that makes it not-too-complex.

But, the devil is often in the details, and you are right that this is a
per-file system cost.

Balancing this, however, I am perhaps presuming that *all* systems will
eventually be thin volume systems, and that correct behaviour and highly
available behaviour will eventually require that *all* systems invest in
technology such as this. My view of the future is that fixed sized thick
partitions are very often a solution which is compromised from the start.
Most systems of significance grow over time, and the pressure to reduce
cost is real. I think we are taking baby steps to start, but that the
systems of the future will be thin volume systems. I see this as a problem
that needs to be understood and solved, except in the most limited of use
cases. This is my opinion, which I don't expect anybody to share.
Interesting to consider. I don't see this as necessarily a problem - or
that it necessitates "RO" as a persistent state. For example, it would be
most practical if sufficient room was reserved to allow for content to be
removed, allowing for the file system to become unwedged and become "RW"
again. Perhaps there is always an edge case that would necessitate a
persistent "RO" state that requires the volume be extended to recover from,
but I think the edge case could be refined to something that will tend to
never happen?
Another interesting idea. I like the idea of automatically shutting down
our applications or PostgreSQL database if the thin pool reaches an unsafe
allocation, such as 90% or 95%. This would ensure the integrity of the
data, at the expense of an outage. This is something we could implement
today. Thanks.
Users will always be irate. :-) I mostly don't consider that as a real
factor in my technical decisions... :-)

Thanks for entertaining this discussion, Matthew and Zdenek. I realize this
is an open source project, with passionate and smart people, whose time is
precious. I don't feel I have the capability of really contributing code
changes at this time, and I'm satisfied that the ideas are being considered
even if they ultimately don't get adopted. Even the mandatory warning about
snapshots exceeding the volume group size is something I can continue to
deal with using scripting and filtering. I mostly want to make sure that my
perspective is known and understood.

Mark's argument was nothing about comparing feature sets or something at
this point. So I don't know what you are responding to. You respond like
a bitten bee.

Read again. Mark Mielke described actual present-day positions. He
described what he thinks is how LVM is positioning itself in conjunction
with and with regards to other solutions in industry. He described that
to his mind the bigger remote storage solutions do not or would not
easily or readily start using LVM for those purposes, while the smaller
scale or more localized systems would.

He described a layering solution, that you seem to be allergic to. He
described a modularized system where thin is being used both at the
remote backend (using a different technology) and at the local end
(using LVM) for different purposes but achieving much of the same
results.

He described how he considered the availability of the remote pool a
responsibility for that remote supplier (and paying good money for it)
while having different uses cases for LVM thin himself or themselves.

And I did think he made a very good case for this. I absolutely believe
his use case is the most dominant and important one for LVM. LVM is for
local systems.

In this case it is a local system running storage on a remote backend.
Yet the local system has different requirements and uses LVM thin for a
different purpose.

And this purpose falls along the lines of having cheap and freely
available snapshots.

And he still feels and believes, apparently, that using the LVM admin
tools for ensuring the stability of his systems might not be the most
attractive and functional thing to do.

You may not agree with that but it is what he believes and feels. It is
a real life data point, if you care about that.

Sometimes people's opinions actually simply just inform you of the
world. It is information. It is not something to fight or disagree with,
it is something to take note of.

The better you are able to respond to these data points, the better you
are aware of the system you are dealing with. That could be real people
paying or not paying you money.

However if you are going to fight every opinion that disagrees with you,
you will never get to the point of actually realizing that they are just
opinions and they are a wealth of information if you'd make use of it.

And that is not a devious thing to do if you're thinking that. It is
being aware. Nothing more, nothing less.

And we are talking about awareness here. Not surprising then that the
people most vehemently opposing this also seem to be the people least
aware of the fact that real people with real uses cases might find the
current situation not practical.

Mr. Zdenek can say all he wants that the current situation is very
practical.

If that is not a data point but an opinion (not of someone experiencing
it, but someone who wants certain people to experience certain things)
then we must listen to actual data points and not what he wants.

Mr. Zdenek (I haven't responded to him here now) also responds like a
bitten bee to simple allusions that Red Hat might be thinking this or
that.

Not just stung by a bee. A bee getting stung ;-).

I mean come on people. You have nothing to lose. Either it is a good
idea or it isn't. If it gets support, maybe someone will implement it
and deliver proof of concept. But if you go about shooting it down the
moment it rears its ugly (or beautiful) head you also ensure that that
developer time is not going to be spend on it even if it were an asset
to you.

Someone discussing a need might not always be that person that in the
end is not going to do anything himself.

You are trying to avoid work but in doing so you avoid work being done
for you as well.

It's give or take, it's plus plus.

Don't kill other people's ideas and maybe they start doing work for you
too.

Oh yeah. Sorry if I'm being judgmental or belligerent (or pedantic):

The great irony and tragedy of the Linux world is this:




Someone comes with a great idea that he/she believes in and wants to
work on.

They shoot it down.

Next they complain why there are so very few volunteers.



They can ban someone on a mailing list one instant and out loud wonder
how they can attract more interest to their system, the next.




Not unrelated.
It is not my block layer. I'm not the fucking system admin.

I can only talk to the FS. Or that might very well be the case for my
purposes here.

It is pretty amazing that any attempt to separate responsibilities in
actuality is met with a rebuttal that insists one use a solution that
mingles everything.

In your ideal world then, everyone is forced to use BTRFS/ZFS because at
least these take the worries away from the software/application
designer.

And you ensure a beautiful world without LVM because it has no purpose.

As as software developer I cannot depend on your magical solution and
assertion that every admin out there is going to be this amazing person
that never makes a mistake.
What if I want him to be able to drop the ball and still survive?

What about designing systems that are actually failsafe and resilient?

What about resilience?

What about goodness?

What about quality?

What about good stuff?

Why do you feed your admins bad stuff just so that they can shine and
consider themselves important?
So you are basically suggesting a solution that you know will fail, but
still you recommend it.

That spells out "I don't know how to achieve my goals" like no other
thing.

But you still think people should follow your recommendations.

What you say is completely anemic to how the open source world works.

You do not ask people to do your work for you.

Why do you even insist on recommending that. And then when you (in your
imagination here) do ask those people to do it for you, they refuse. No
small wonder.

Still you consider that a good way to approach things. To depend on
someone else to do your work for you.

Really.

"Of course not. Just try to get on the EXT developer mailing list and
ask them to..."

Yes I am ridiculing you.

You were sincere in saying those words. You ridicule yourself.

Of course you would start designing patches and creating a workable
solution with yourself as the main leader or catalyst of that project.
There is not other way to do things in life. You should know that.
Maybe we should also retrofit all unknown filesystems and those that
might be designed on different planets. Yeah, that would be a good way
to approach things.

I really want to follow your recommendations here. If I do, I will have
good chances of achieving success.

I don't use Ceph myself. I only listed it as it may be more familiar to
others, and because I was responding to a Red Hat engineer. We use NetApp
and EMC for the most part.
I think you are correct. Based upon experience, I don't recall this ever
happening, but upon reflection, it may just be that our IT team always
caught the situation before it became too bad, and either extended the
storage, or asked permission to delete snapshots.
Right. A good feature. An outage occurs, but the data that was properly
written stays written.


<quote>
I get a bit lost here in the push towards BTRFS and ZFS for people with
these expectations as I see BTRFS and ZFS as having a similar problem. They
can both still fill up. They just might get closer to 100% utilization
before they start to fail.

My use case isn't about reaching closer to 100% utilization. For example,
when I first proposed our LVM thinp model for dealing with host-side
snapshots, there were people in my team that felt that "fstrim" should be
run very frequently (even every 15 minutes!), so as to make maximum use of
the available free space across multiple volumes and reduce churn captured
in snapshots. I think anybody with this perspective really should be
looking at BTRFS or ZFS. Myself, I believe fstrim should run once a week or
less, and not really to save space, but more to hint to the flash device
which blocks are definitely not in use over time, to make the best use of
the flash storage over time. If we start to pass 80%, I raise the alarm
that we need to consider increasing the local storage, or moving more
content out of the thin volumes. Usually we find out that more-than-normal
churn occurred, and we just need to prune a few snapshots to drop below 50%
again. I still made them move the content that doesn't need to be snapshot
out of the thin volume, and to a stand-alone LVM thick volume so as to
entirely eliminate this churn from being trapped in snapshots and
accumulating.


LVM has no obligation to protect careless sysadmins doing dangerous things
Right.
Right.
Bad things happen. Sometimes they happen very quickly. I don't intend to
dare fate, but if fate comes knocking, I prefer to be prepared. For
example, we had two monitoring systems in place for one particularly
critical piece of storage, where the application is particularly poor at
dealing with "out of space". No thin volumes in use here. Thick volumes all
the way. The system on the storage appliance stopped sending notifications
a few weeks prior as a result of some mistake during a reconfiguration or
upgrade. The separate monitoring system using entirely different software
and configuration, on different host, also failed for a different reason
that I no longer recall. The volume became full, and the application data
was corrupted in a bad way that required recovery. My immediate reaction
after best addressing the corruption, was to demand three monitoring
systems instead of two. :-)
I think this relates more closely to your other response, that I will
respond to separately...