Let me add one important use case: have fast, flexible snapshots.

In the past I used classic LVM to build our virtualization servers, but
this means I was basically forced to use a separate volume for each VM:
using a single big volume and filesystem for all the VMs means that,
while snapshotting it for backup purpose, I/O become VERY slow on ALL
virtual machines.

On the other hand, thin pools provide much faster snapshots. On the
latest builds, I begin using a single large thin volume, on top of a
single large thin pool, to host a single filesystem that can be
snapshotted with no big slowdown on the I/O part.

I understand that it is a tradeoff - classic LVM mostly provides
contiguous blocks, so fragmentation remain quite low, while thin
pools/volumes are much more prone to fragament, but with large enough
chunks it is not such a big problem.

Regards.

But you see if my landlord tells me I can use the entire container room,
except that I have to share it with others, does he lie?

I *can* use the entire container room. I just have to ensure it is empty
again by the end of the day (or even sooner).

Those ISPs do not say "Every client can use the full bandwidth all at
the same time." They don't say that. They say "Fair use policies apply".
That's what they say. And they mean that no, you can't do that stuff
24/7/365.

So let's talk then about two things you can lie about:
* available space
* the thought that all of the space is available to everyone at all
times.

In a normal use case, only the latter would be a lie. But that's not
what companies tell their clients. Maybe implicitly, at times. But not
explicitly at all (hence fair use policy).

The former is not a lie. If you have a 1000 customers, and each has 50GB
available total, and the average use at this point is 25GB, and you have
provisioned for ~35GB each, meaning 35000 GB is available and 25000 is
in use, then it is not a lie to say to any individual customer: you can
use 50GB if you want.

The guarantee that everyone can do it all at the same time, just doesn't
hold, but that is never communicated.

As a customer you are not aware of how many other clients there are, or
how many other thin volumes (ordinarily) or what the max capacity is
across all the volumes. So you are not being lied to.

For it to be a lie, you would have to be concerned about the total
picture. You would have to have an awareness of other clients and then
you would need to make the assumption that all of these clients at the
same time can use all of that bandwidth/data/space.

But your personal scenario doesn't extend that far.

Just as a funny example. Nearby there was a supermarket that advertized
with that (to my mind) stupid thought "if there are more than 4
customers in line, and you are the 5th, you get your groceries for
free".

What did a local student's house do? They went to the supermarket with
about 20 people and got a lot of stuff free.

I mean in statistics you have queue calculations too but it gets
defeated if people start doing that stuff (thwarting the mechanism on
purpose). For example, the traditional statistics example is that of
customers at a hairsalon. Based on a certain distribution and an average
number of new arrivals, a conclusion is reached and certain data is
found.

But this data is thwarted the moment customers on purpose start to pile
up just to thwart this data, you get what I mean?

Any /intentional/ purpose to thwart the average, means it is no longer
the average.

Normal people wanting a haircut do not show up at a salon to thwart the
salons calculations. Ordinary use cases do not apply to this.

If you can expect a command normal amount of use, then there is no
"intent" with those clients to be doing anything out of the ordinary.

Just like that "hairsalon" can normally depend on those "calculations"
(you could, you know) and provision for that (number of employees
present) so too can a thin provisioning setup depend on expected
averages (in a distribution, the "expected" value of a stochast is the
expected average) (as a prediction in that sense).

There's no lying in that. If this hairsalon now says "You can get cut
within 10 minutes without an appointment" then yes people could thwart
that by suddenly all showing up at the same time.

Doesn't work like that in reality when people do not have such
intentions.

We call that "innocence" ;-) not doing something on purpose.

That hairsalon is not lying if it guarantees 10 minute wait time in
general. It just cannot guarantee it if people start to bugger.

Statistics is all about averages and large numbers.

"A "law of large numbers" is one of several theorems expressing the idea
that as the number of trials of a random process increases, the
percentage difference between the expected and actual values goes to
zero."

That means that if you have enough numbers (enough thin volumes) the
likelihood in actuality between what you promise and what you can
deliver, the difference goes to zero and in effect you are always
speaking the truth.

Remember: you are speaking the truth given normal expected reality.
You are no longer speaking the truth if people start to mess with you on
purpose.

If you have 10.000 clients and 5.000 of them are one person intending to
bug you out, just like in the supermarket example, well, then you've
lost. But, that is an intentional devious thing to do just in order to
make use of some monetary loophole in the system, so to speak.

And in general your terms of use could guard against that (and many
companies do, I'm sure).
Presently maximizing space efficiency across a small number of volumes,
as well as access to superior snapshotting ability.
You mean there'd not be any use for thin, right. I agree. The whole idea
is to be more efficient with space.

If the presented space is smaller than you HAVE room for those
snapshots. But with thin, you don't need to care.

Space is always there.
True but let's call it "sharing" resources.

Sharing resources is the whole idea of any advanced society.

Our western mindset doesn't work in the sense of everyone needing to be
able to possess everything.

The example was given that everyone owns a car, that they may not use
every day, a washing machine, that they may use 5 hours a week, a vacuum
cleaner, that they may use 1 hour a week, and so on and so on. The
example was given that a commercial airliner could *never* do something
like that.

Commercial airplanes are in operation pretty much 24/7. Disuse is way
too costly. They cannot afford to not use their machines 24/7.

Our society cannot either, but the way we live and operate with each
other currently ensures vasts amounts of wasted materials, energy and so
on.

Resource sharing is an advanced concept in that sense. Let's just call
thin pools an advanced concept :p.

And let's not call it a lie just like that :) :P.
My reason exactly.
I know. But that is the reverse thing.

DM/LVM takes dispersed stuff and presents a whole.

In this case we were talking about presenting holes.

That's because in this case .....

If you are that barber/haircutter and suddenly you get an influx of
clients you cannot handle.

Are you going to put up a sign saying "sorry, too busy" or are you going
to try to keep your "promise" to each and every one of them? I hope you
didn't offer financial compensation in that sense ;-).

Personally I think that as a client you making use of such "financial
promises" is very intolerant and unforgiving and greedy and even
avaricious ;-).

So what if your thin pool does fill up and you have no measure in place
to handle it?

Are you going to be honest?

This question is not whether thin is currently lying. This is about
whether you will continue to choose for it to lie.

It is not about the present. It is about the choice you are going to
make.

Do you choose to lie or not?

Traditionally companies have always tried to keep up the pretense until
all hell broke loose so badly that it spilled out like a tidal wave.

You can find any number of examples in the history of our world. I am
currently thinking of the Exxon Valdez, and Enron. I don't know if that
is applicable. Also thinking of that platform in recent times, of BP.
Deepwater Horizon, which was said to have been deeply undermaintained.

I mean you can keep pretending everything is going just perfect, or you
can own up a little sooner. That is a choice to make for each individual
I guess.

One useful case for "presented space equal to physical space" with thin volumes
is that it simplifies security issues.

With raw LVM volumes I generally need to zero out the whole volume prior to
deleting it (to avoid leaking the contents to other users). This takes time,
and also seriously hammers the disks when you have multiple volumes being zeroed
in parallel.

With thin, deletion is essentially instantaneous, and the zeroing penalty is
paid when the disk block is actually written. Any disk blocks which have not
been written are simply read as all-zeros.

Chris

Executive summary: you shouldn't just take a wild guess and then turn
your back on a thin-provisioned setup; you must understand your
consumers and monitor your resources.

It's reasonable in certain circumstances for a service provider to
over-subscribe his hardware. He would be well advised to monitor
actual allocation closely, to keep some cash or ready credit on hand
for quick expansion of his real hardware, and to respond promptly by
adding capacity when usage nears real hardware limits. He is taking a
risk, betting that most customers won't max out their promised
storage, and should manage that risk. Indeed, he should first gather
statistics to understand the behavior of typical customers and
determine whether he would be taking a *foolish* risk.

Failure to adequately manage resources to redeem contracted promises
is the provider's lie, not LVM's. Failure to plan is planning to
fail.

If that's too scary, don't use thin provisioning.
--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

Why don't you do it for me and then report back? I could use a slave
like you are trying to make me.
It almost seems like you want me to succeed.
Then what is the issue here? That means my assumptions were all entirely
correct and that Zdenek has said must have been false.

But what you are saying now is extent assignments to LVs, do you imply
this is also true of assignment to thin volumes?

Yes, when you say "written to" you clearly mean thin pools.

I never alluded that it needed to know or care about the actual usage of
its blocks (extents).

If a filesystem DISCARDs blocks, then with enough blocks it could
discard an extent.

I don't even know what will happen if a filesystem stops using the data
that's on it, but I will test that now. And of course it should just
free those blocks. It didn't work with mkswap just now, but creating a
new filesystem causes lvs to report a lower thin pool usage.

Of course, common and commonsensical. So these extents are being
librated right? And it knows exactly how many are in use?
It is saying that e.g. lvs creates this free-map.

But LVM needs to know at every moment in time what extents are
available. It also needs to runtime liberate them.

So it needs to be able to at least search for free ones and if none is
found, to report that or do something with it. Of course that is
different from having a map.

But in-the-moment update operations to filesystems would not require a
map. They would require mutations being communicated. Mutations that LVM
already knows about.

So it is nothing special. You don't need those "maps". You need to
communicate (to other thin volumes) which extents have become
unavailable. And which have become available once more.

Then the thin volume translates this (possibly) to whatever block system
the underlying filesystem uses.

Logical blocks, physical blocks.

The main organisation principle is the extent. It is not the LVM that
needs to maintain a map. It is the filesystem.

It needs to know about its potential for further allocation of the block
space.
You know those contentions issues are everywhere and in the kernel also
and they are always taken care of.

Don't confront me with a situation that has already been solved by
numerous other people.

You forget, for once, that real software systems running on the
filesystem would be aware of the lack of space to begin with. You are
now approaching a corner case where the last free extent is being
contended for. I am sure there would be an elegant solution to that.

This corner case is not what it's all about. What it's about is that the
filesystem has the means to predict what is going to happen, or at least
the software running on it.

If the situation you are describing is really an issue, you could simply
reserve a last block (extent) for this scenario that is only written to
if all other blocks are taken, and each filesystem (volume) has this
free block of its own.

PROBLEM SOLVED.

You sound like Einstein when he tried to disprove Bohr's theory at that
convention. In the end Bohr refuted everything and he (Einstein) had to
accept he was right.

A filesystem will simply reserve the equivalent of an extent. More
importantly, the thin volume (logical volume) will. The thin LV will
reserve one last extent in advance from the thin pool that is only
really given to the filesystem under conditions that the entire thin
pool is already taken now and the filesystem is still issueing a write
to a new block because of a race condition that prevented it from
knowing about the space issue.

These are not difficult engineering problems.
If you write to a full extent, you are guaranteed to get a new one. It's
not more difficult than that. Don't make everything so difficult.

I have not talked about reservations myself (prior to this). As we just
said, if it is only about the very last block of the entire thin pool?
Reserve it in advance and don't let the FS do it?

If the race condition is such that larger amounts are needed for safety,
do it? Reserve 200MB in advance if you need it?

You could configure a thin pool / volume to reserve a certain amount of
free space that is only going to be used if the thin pool is 100% filled
and it wasn't possible to inform the file systems fast enough.

Proportional to the size of the volume (LV). Who cares if you reserve 1%
in each volume for this. Or less. A 2TB volume with 1GB of reserved
space is not so bad, is it?

That's just 0.05% give or take.

If then free space is reported to the filesystem, it can:

1) simply inform programs by way of its normal operation
2) stop writing when the space known to it is gone
3) not have to worry about anything else because race conditions are
taken care of.

In the event that a filesystem starts randomly writing a single byte to
every possible block in order to defeat this system.

The filesystem can redirect these writes to other blocks when the LVM
starts reporting no block for you and the filesystem still has space in
the blocks it has.

It will just have to invalidate some of its own blocks (extents). IT
needs to maintain a map, not LVM.

It can deduce its own free space from its own map.

It would be like allocating a thin (sparse) file but then writing to
every possible address of it along the range. Yes the system is going to
bug but you can take care of it. Some writes will just fail when out of
blocks, but the filesystem can redirect it, or in the end just fail
writing / allocating.

Any block being invalidated would instantly update its free space
calculations.

You don't need to communicate full maps unless you were creating a new
filesystem or trying to recover from corruption. You would query "is
this block available" for instance. That would require a new command. It
would take a while but that way the filesystem could reconstruct the
blockmap.

Or it could query about ranges of blocks.

This querying is the first thing you'd introduce. Blocks N to M, are
they available? Yes or not. Or a list of the ones that are and the ones
that aren't (a bitmap).

To query 2000 extents you only need 2000 bits. That's 250 bytes, not a
whole lot. A 2 TB volume would have a free map of 64k bytes.
Do you imagine how small this is?

How would maintaining free maps be an expensive operation, really?

You need a fucking 64k field with a xor operation. That fits inside a
16-bit 8086 segment.

I mean don't bullshit me here. There is no way it could be hard to
maintain free maps.

I'm a programmer too, you know. And I have been doing it since 1989 too.

I have programmed in pascal and assembler and I have studied Java's
BitMap class for instance. It can be done very elegantly.

Any free map the thin LV would conjure up would be a lie in that sense,
a choice. Because you would arbitrarily invalidate blocks at the end of
the space.

At the end of the virtual space.

The pool communicates to the volume the acquisition and release of new
and old extents.

The volume at that point doesn't care which they are. It only needs to
know the number.

With every mutation it randomly invalidates a single block if it needs
to (or enables it again).

It sets a bit flag in a 64k field. So let's assume we have a 1PB volume.
A petabyte. That's 2^50 / 2^20 / 4 number of extents, is 2^28 bits is
2^25 bytes. Is 2^5 megabytes is 32MB worth of data.

For a volume with 1125899906842624 bytes. Just needs 33554432 bytes to
maintain a map, if done in 4MB extents.

If done in 4KB blocks the extent communication remains the same but it
could amount to 1024x that number of bytes needed, is 32GB for a PB
volume.

Is still 1/32678 of its available address space, so to speak.

But the filesystem could maintain maps of extents and not individual
'blocks'.

Maybe 32GB is hard to communicate, but 32MB is not. And there are
systems that have a terabyte of ram.
I don't know how it is done currently, because clearly the system knows,
right?

As you say this is perfeclty possible.
Unused blocks need to be made available anyway. A filesystem on which
80% of data is deleted, and still using all those blocks in the thin
pool? Please tell me this isn't reality (I know it isn't).


So I make this test right I am just curious what will happen:

1. Create thin pool on other hard disk 400M
2. Create 3 thin volumes totalling 600M
3. Create filesystems (ext3) and mount them.
4. Copy 90MB file to them. After 4 files 360MB of pool is used.
5. Copy 5th file. Nothing happens. No errors, nothing.
6. Copy 6th file. Nothing happens. No errors, nothing.

7. I check volumes. Nothing seems the matter. Lvdisplay no unusual.

df works and appears as though everything is normal. All volumes now 97%
filled and pool 100% filled.

Can't last right. I see kernel block device page errors come by.

I go to one of the files that should have been successfully written (the
4th file). I try to copy it to my main disk.

cp hangs. Terminal (tty) switching still works. Vim (I had vim open in 2
ttys or 3) stops responding. Alt-7 (should open KDE) nothing happens.
Cannot switch back, ie. cannot switch TTYs anymore. System hangs
completely.

Mind you this was on a harddisk with no used volumes. No other volumes
were mounted other than those 3 although of course they were loaded in
LVM.

There are no dropped volumes. There are no frozen volumes. The system
just crashes. Very graceful I must say.

I mean if this is the best you can do?

No wonder you are suggesting every admin needs to hire a drill
instructor to get him through the day.
BTRFS is spelled "monopoly" and "wants to be all" and "I'm friends with
SystemD" ;-).

ZFS I don't know, I haven't cared about it. All I see on IRC is people
talking about it like some new toy they desperately can't live without
even though it doesn't serve them any real purpose.

A bit like a toy drone worth 4k dollars.

The only thing that changes is that filesystems maintain bitmaps of
available sectors/blocks or of extents, and are capable of intelligently
allocating to the ones they have and that are available.

That's it!

You can still choose what filesystem to use. You could even choose what
volume manager to use.

We have seen how little data it costs if the extent size is at least
4MB.
We have seen how easy it would be to query again with the underlying
layer in case you're not sure.

If you want a block to have more bits, easy too! If you have only 4
possible states, you can put it in 2 bits.

That would probably be enough for any probably use case. A 2TB volume
costs 128k bytes for this bitmap with 4 states. That's something you can
achieve on a 286 if you are crazy enough.
Why won't you?
I am being called by name :O! I think she likes me.

Hey sweet Linda,

this is beyond me at the moment. You go very far with this.
I think there is a point to that, but for me the concordance is in the
idea that filesystems should perhaps have different modes of requesting
memory (space) as you detail below.

Virtual memory typically cannot be expanded (automatically) although you
could.

Even with virtual memory there is normally a hard limit, and unless you
include shared memory, there is not really any relation with
overprovisioned space, unless you started talking about prior allotment,
and promises being given to processes (programs) that a certain amount
of (disk) space is going to be available when it is needed.

So what you are talking about here I think is expectation and
reservation.

A process or application claims a certain amount of space in advance.
The system agrees to it. Maybe the total amount of claimed space is
greater than what is available.

Now processes (through the filesystem) are notified whether the space
they have reserved is actually going be there, or whether they need to
wait for that "robot cartridge retrieval system" and whether they want
to wait or will quit.

They knew they needed space and they reserved it in advance. The system
had a way of knowing whether the promises could be met and the requests
could be met.

So the concept that keeps recurring here seems to be reservation of
space in advance.

That seems to be the holy grail now.

Now I don't know but I assume you could develop a good model for this
like you are trying here.

Sparse files are difficult for me, I have never used them.

I assume they could be considered sparse by nature and not likely to
fill up.

Filling up is of the same nature as expanding.

The space they require is virtual space, their real space is the
condensed space they actually take up.

It is a different concept. You really need two measures for reporting on
these files: real and virtual.

So your filesystem might have 20G real space.
Your sparse file is the only file. It uses 10G actual space.
Its virtual file size is 2T.

Free space is reported as 10G.

Used space is given two measures: actual used space, and virtual used
space.

The question is how you store these. I think you should store them
condensed.

As such only the condensed blocks are given to the underlying block
layer / LVM.

I doubt you would want to create a virtual space from LVM such that your
sparse files can use a huge filesystem in a non-condensed state sitting
on that virtual space?

But you can?

Then the filesystem doesn't need to maintain blocklists or whatever, but
keep in mind that normally a filesystem will take up a lot of space in
inode structres and the like, when the filesystem is huge but the actual
volume is not.

If you create one thin pool, and a bunch of filesystems (thin volumes)
of the same size, with default parameters, your entire thin pool will
quickly fill up with just metadata structures.

I don't know. I feel that sparse files are weird anyway, but if you use
them, you'd want them to be condensed in the first place and existing in
a sort of mapped state where virtual blocks are mapped to actual blocks.
That doesn't need to be LVM and would feel odd there. That's not its
purpose right.

So for sparse you need a mapping at some point but I wouldn't abuse LVM
for that primarily. I would say that is 80% filesystem and 20% LVM, or
maybe even 60% custom system, 20% filesystem and 20% LVM.

Many games pack their own filesystems, like we talked about earlier
(when you discussed inefficiency of many small files in relation to 4k
block sizes).

If I really wanted sparse personally, as an application data storage
model, I would first develop this model myself. I would probably want to
map it myself. Maybe I'd want a custom filesystem for that. Maybe a
loopback mounted custom filesystem, provided that its actual block file
could grow.

I would imagine allocating containers for it, and I would want the
"real" filesystem to expand my containers or to create new instances of
them. So instead of mapping my sectors directly, I would want to map
them myself first, in a tiered system, and the filesystem to map the
higher hierarchy level for me. E.g. I might have containers of 10G each
allocated in advance, and when I need more, the filesystem allocates
another one. So I map the virtual sectors to another virtual space, such
that my containers

container virtual space / container size = outer container addressing
container virtual space % container size = inner container addressing

outer container addressing goes to filesystem structure telling me (or
it) where to write my data to.

inner container addressing follows normal procedure, and writes "within
a file".

so you would have an overflow where the most significant bits cause
container change.

At that point I've already mapped my "real" sparse space to container
space, its just that the filesystem allows me to address it without
breaking a beat.

What's the difference with a regular file that grows? You can attribute
even more significant bits to filesystem change as well. You can have as
many tiers as you want. You would get "falls outside of my jurisdiction"
behaviour, "passing it on to someone else".

LVM thin? Hardly relates to it.

You could have addressing bits that reach to another planet ;-) :).
Well that makes sense. But that's the same as saying that a thin pool is
still "integrous" even though it is over-allocated. You are saying the
same thing here, almost.

You are basically saying: v-space > r-space == ok?

Which is the basic premise of overprovisioning to begin with.

With the added distinction of "assumed possible intent to go and fill up
that space".

Which comes down to:

"I have a total real space of 2GB, but my filesystem is already 8GB.
It's a bit deceitful, but I expect to be able to add more real space
when required."

There are two distinct cases:

- total allotment > real space, but individual allotments < real space
- total allotment > real space, AND individual allotments > real space

I consider the first acceptable. The second is spending money you don't
have.

I would consider not ever creating an indvidual filesystem (volume) that
is actually bigger (ON ITS OWN) than all the space that exists.

I would never consider that. I think it is like living on debt.

You borrow money to buy a house. It is that system.

You borrow future time.

You get something today but you will have to work for it for a long
time, paying for something you bought years ago.

So how do we deal with future time? That is the question. Is it
acceptable to borrow money from the future?

Is it acceptable to use space now, that you will only have tomorrow?
If your sparse file has no intent to become non-sparse, then it is no
issue.

If your sparse file already tells you it is going to get you in trouble,
it is different.

This system is integrous depending on planned actions.

Same is true for LVM now. The system is safe until some program decides
to allocate the entire filesystem.

And there are no checks and balances, the system will just crash.

The peculiar condition is that you have built a floor. You have a floor,
like a circular area of a certain surface area. But 1/3 of the floor is
not actually there.

You keep telling yourself not to go there.

The entire circle appears to be there. But you know some parts are
missing.

That is the current nature of LVM thin.

You know that if you step on certain zones, you will fall through and
crash to the ground below.

(I have had that happen as a kid. We were in the attic and we had
covered the ladder gap with cardboard. Then, we (or at least I) forgot
that the floor was not actually real and I walked on it, instantly
falling through and ending on a step on the ladder below.)

[ People here keep saying that a real admin would not walk on that
ladder gap. A real admin would know where the gap was at all times. He
would not step on it, and not fall though.

But I've had it happen that I forgot where the gap was and I stepped on
it anyway. ]
Does make some sense, certainly, to me at least, no matter if I
understand little or are of no real importance here, but, I don't really
understand the implications at this point.
That is almost a calamity mode. I need to shower, but I was actually
just painting the walls. Need to stop painting that shower, so I can use
it for something else.

I think it makes sense to lay a claim to some uncovered land, but when
someone else also claims it, you discuss who needs it most, whether you
feel like letting the other one have it, whose turn it is now, will it
hurt you to let go of that.

It is almost the same as reserving classrooms.

So like I said, reservation. And like you say, only temporary space that
you need for jobs. In a normal user system that is not computationally
heavy, these things do not really arise, except maybe for video editing
and the like.

If you have large data jobs like you are talking about, I think you
would need a different kind of scheduling system anyway. But not so much
automatic. Running out of space is not a serious issue if the
administrator system allots space to jobs. Doesn't have to be a
filesystem doing that.

But I guess your proposed daemon is just a layer above that, knowing
about space constraints, and then allotting space to jobs based on
priority queues. Again doesn't really have much to do with thin, unless
every "job" would have its own "thin volume". And the "thin pool-volume
system" would get used to "allot space" (the V-size of the volume) but
if too much space was allotted, the system would get in trouble
(overprovisioning) if all jobs run. Again, borrowing money from the
future.

The premise of LVM is not that every volume is going to be able to use
all its space. It's not that it should, has to, or is going to fill up
as a matter of course, as an expected and normal thing.

You see thin LVM only works if the volumes are independent.

In that job system they are not independent. The independence entails an
expected growth that does happen on purpose. It involves a probability
distribution in which the average of expected space usage to be less
than the maximum.

LVM thin is really a statistical thing basing itself on the laws of
large numbers, averaging, and the expectation that if ONE volume is
going to be max, another one won't.

If you are going to allot jobs that are expected to completely fill up
the reserved space, you are talking about an entirely different thing.

You should provision based on average, but if average is max, it makes
no sense anymore and you should just proportion according to available
real space. You do not need thin volumes or a thin pool to do that sort
of thing: just regular fixed-size filesystem with jobs and space
requests.

In other words, the amount of sane overprovisioning you can do is
related to the difference between max and average.

The different (max - average) is the amount you can safely overprovision
given normal circumstances.

You do not "on purpose" and willfully provision less than the average
you expect. Average is your criterium. Max is the individual max size.
Overprovisioning is the ability of an individual volume to grow beyond
average towards max. If the calculations hold, some other volume will be
below average.

However if your numbers are smaller (not 1000s of volumes, but just a
few) the variance grows enormously. And with the growth in variance you
can no longer predict what is going to happen. But the real question is
whether there is going to be any covariance, and in a real thin system,
there should be none (independent).

For instance, if there is some hype and all your clients suddenly start
downloading the next best movie from 200G television, you already have
covariance.

Social unrest always indicates covariance. People stop making their own
choices, and your predications and business and usual no longer hold
true. Not because your values weren't sane. More like because people
don't act naturally in those circumstances.

Covariance indicates that there is a tertiary factor, causing (for
instance) growth in (volumes) across the line.

John buys a car, and Mary buys a house, but actually it is because they
are getting married.

Or, John buys a car, and Mary buys a house, but the common element is
that they have both been brainwashed by contemporary economists working
at the World Bank.

All in all the insanity happens when you start to borrow from the
future, which causes you to have to work your ass off to meet the
demands you placed on yourself earlier, always having to rush, panic,
and be under pressure.

Better not overprovision beyond your average, in the sense of not even
having enough for what you expect to happen.
Sounds like the gold standard and having money that has no gold behind
it or anything else of value.