libjio - A library for journaled I/O

Introduction

libjio is a library for doing journaled, transaction-oriented I/O, providing atomicity guarantees and a simple-to-use but powerful API.

This document explains the design of the library, how it works internally and why it works that way. You should read it even if you don't plan to use the library in strange ways: it provides (or at least tries to) an inside view of how the library performs its job, which can be very valuable knowledge when working with it. It assumes some basic knowledge about how the library is used, which can be found in the manpage or in the programmer's guide.

To the user, libjio provides two groups of functions: a UNIX-alike one that implements journaled versions of the classic functions (open(), read(), write() and friends), and a lower-level one that centers on transactions and allows the user to manipulate them directly by providing means of committing and rolling back. The former, as expected, are based on the latter and interact safely with them. Besides, the library is designed in a way that allows efficient and safe interaction with I/O performed from outside the library, in case you want to.

The following sections describe different concepts and procedures that the library bases its work on. It's not intended to be a replacement for reading the source code: please do so if you have any doubts; it's not big at all (less than 1500 lines, including comments) and I hope it's readable enough. If you think that's not the case, please let me know and I'll try to give you a hand.

General on-disk data organization

On the disk, the file you are working on will look exactly as you expect and hasn't got a single bit different from what you would get using the regular UNIX API. But, besides the working file, you will find a directory named after it where the journaling information lives.

Inside, there are two kinds of files: the lock file and transaction files. The first one is used as a general lock and holds the next transaction ID to assign, and there is only one; the second kind holds one transaction each, which is composed of a fixed-size header and a variable-size payload, and there can be as many of them as there are in-flight transactions.

This imposes some restrictions on the kind of operations you can perform on a file while it's being used: you can't move it (because the journal directory name depends on the filename) and you can't unlink it (for similar reasons).

These warnings are no different from those for normal simultaneous use under classic UNIX environments, but they are here to remind you that even though the library guarantees a lot and makes many things easier for its user, you should still be careful when doing strange things with files while working on them.

The transaction file

The transaction file is composed of three main parts: the header, the operations, and the trailer.

The header holds basic information about the transaction itself, including the version, the transaction ID, and its flags.

Then the operation part has all the operations one after the other, prepending the operation data with a per-operation header that includes the length of the data and the offset of the file where it should be applied, and then the data itself.

Finally, the trailer contains the number of operations included in it and a checksum of the whole file. Both fields are used to detect broken or corrupted transactions.
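
The check the trailer makes possible, as an added example that is not libjio code: the field sizes, their order and the byte-sum checksum are assumptions made for illustration (the real ones are in the library source), and demo_check() builds a constructed one-operation sample.

```c
/* Added example, not libjio code: sizes and checksum are assumptions. */
#include <stdint.h>
#include <string.h>

#define HDR_LEN 12u  /* assumed header: version, id, flags (u32 each) */
#define OP_HDR  12u  /* assumed op header: data length u32, offset u64 */
#define TRL_LEN  8u  /* assumed trailer: op count u32, checksum u32 */

/* Host byte order is assumed for every integer field. */
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
/* Stand-in checksum (byte sum), not libjio's algorithm. */
static uint32_t sum32(const uint8_t *p, size_t n)
{
    uint32_t s = 0;
    while (n--) s += *p++;
    return s;
}

/* 0 if buf holds a complete transaction, -1 if truncated or corrupted.
 * Every length field is bounds-checked before it is trusted. */
int txn_check(const uint8_t *buf, size_t len)
{
    if (len < HDR_LEN + TRL_LEN) return -1;
    size_t end = len - TRL_LEN, pos = HDR_LEN;
    uint32_t nops = 0;
    while (pos < end) {
        if (end - pos < OP_HDR) return -1;       /* op header cut short */
        uint32_t dlen = rd32(buf + pos);
        pos += OP_HDR;
        if (dlen > end - pos) return -1;         /* data overruns trailer */
        pos += dlen;
        nops++;
    }
    if (rd32(buf + end) != nops) return -1;      /* op count mismatch */
    return rd32(buf + end + 4) == sum32(buf, end + 4) ? 0 : -1;
}

/* Constructed sample: one 4-byte op, last `cut` bytes dropped, first data
 * byte XOR-ed with `flip` after the checksum was computed. */
int demo_check(size_t cut, uint8_t flip)
{
    uint8_t t[HDR_LEN + OP_HDR + 4 + TRL_LEN] = {0};
    uint32_t dlen = 4, nops = 1, sum;
    memcpy(t + HDR_LEN, &dlen, 4);
    memcpy(t + HDR_LEN + OP_HDR, "data", 4);
    memcpy(t + sizeof t - 8, &nops, 4);
    sum = sum32(t, sizeof t - 4);
    memcpy(t + sizeof t - 4, &sum, 4);
    t[HDR_LEN + OP_HDR] ^= flip;
    return txn_check(t, sizeof t - cut);
}
```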

The commit procedure

We call commit the action of safely and atomically writing some given data to the disk.

The former, "safely", means that after a commit has been done we can assume the data will not get lost and can be retrieved, unless of course some major event happens (like a physical hard disk crash). For us, this means that the data was effectively written to the disk and if a crash occurs after the commit operation has returned, the operation will be complete and data will be available from the file.

The latter, "atomically", guarantees that the operation is either completely done, or not done at all. This is a really common word, especially if you have worked with multiprocessing, and should be quite familiar. We implement atomicity by combining fine-grained locks and journaling, which lets us both recover from crashes and have exclusive access to a portion of the file without any other transaction overlapping it.

Well, so much for talking, now let's get real; libjio applies commits in a very simple and straightforward way, inside jtrans_commit():

  • Lock the file offsets where the commit takes place
  • Open the transaction file
  • Write the header
  • Read all the previous data from the file
  • Write the previous data in the transaction
  • Write the data to the file
  • Mark the transaction as committed by setting a flag in the header
  • Unlink the transaction file
  • Unlock the offsets where the commit takes place

This may seem like a lot of steps, but they're not as many as it looks inside the code, and they allow recovery from interruptions at every step of the way, and even in the middle of a step.

The rollback procedure

First of all, rolling back is like "undoing" a commit: it returns the data to the state it had exactly before a given commit was applied. Due to the way we handle commits, doing this operation becomes quite simple and straightforward.

In the previous section we said that each transaction holds the data that was in the file before committing. That saved data is precisely what we need to be able to roll back.

So, to roll back a transaction all that has to be done is recover the previous data from the transaction we want to roll back, and save it to the disk. In the end, this ends up being a new transaction with the previous data as the new one, and that's how it's done: create a new transaction structure, fill in the data from the transaction we want to roll back, and commit it. All this is performed by jtrans_rollback().

By doing this we can provide the same guarantees a commit has; it's really fast, eases the recovery, and the code is simple and clean. What a deal.

But be aware that rolling back is dangerous. And I really mean it: you should only do it if you're really sure it's ok. Consider, for instance, that you commit transaction A, then B, and then you roll back A. If A and B happen to touch the same portion of the file, the rollback will, of course, not return the state previous to B, but previous to A.

If it's not done safely, this can lead to major corruption. Now, if you add to this transactions that extend the file (and thus rolling back truncates it back), it gets even worse. So, again, be aware, I can't stress this enough, roll back only if you really really know what you are doing.
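
The A, B, rollback-A sequence above, as an added example that is not libjio code: an in-memory model in which commit() saves the previous bytes before applying the new ones and rollback() commits those saved bytes as a new transaction. The struct and function names are hypothetical.

```c
/* Added example: an in-memory model of commit and rollback, not libjio code. */
#include <stdio.h>
#include <string.h>

#define MAXLEN 16

struct txn {              /* one operation per transaction, for brevity */
    size_t off, len;
    char data[MAXLEN];    /* bytes to write */
    char prev[MAXLEN];    /* bytes the commit overwrote */
};

/* Commit: save what is in the "file" first, then apply the new data. */
static void commit(char *file, struct txn *t)
{
    memcpy(t->prev, file + t->off, t->len);
    memcpy(file + t->off, t->data, t->len);
}

/* Rollback: commit a new transaction whose data is the saved bytes. */
static void rollback(char *file, const struct txn *t)
{
    struct txn undo = { .off = t->off, .len = t->len };
    memcpy(undo.data, t->prev, t->len);
    commit(file, &undo);
}

/* Commit A, commit B over part of A's range, then roll back A. */
const char *rollback_a_after_b(void)
{
    static char file[9];
    struct txn a = { .off = 0, .len = 6, .data = "AAAAAA" };
    struct txn b = { .off = 4, .len = 4, .data = "BBBB" };

    memcpy(file, "........", sizeof file);
    commit(file, &a);     /* AAAAAA.. */
    commit(file, &b);     /* AAAABBBB */
    rollback(file, &a);   /* ......BB  half of B is gone */
    return file;
}

int main(void)
{
    puts(rollback_a_after_b());
    return 0;
}
```

The final state matches neither the file before A nor a file with B intact: the two bytes B wrote inside A's range were replaced by the pre-A contents.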

The recovery procedure

Recovering from crashes is done by the jfsck() call (or the program jiofsck, which is just a simple invocation of that function), which opens the file and goes through all transactions in the journal (remember that transactions are removed from the journal directory after they're applied), loading them and rolling them back if necessary. There are several steps where it can fail: there could be no journal, a given transaction file might be corrupted, incomplete, and so on; but in the end, there are two cases regarding each transaction: either it's complete and can be rolled back, or not.

In the case the transaction file was not completely written, there is no possibility that it has been partially applied to the disk: remember that, from the commit procedure, we only apply the transaction after saving it in the journal, so there is really nothing left to be done. So if the transaction is complete, we only need to roll it back.

UNIX-alike API

We call UNIX-alike API the functions provided by the library that emulate the good old UNIX file manipulation calls. Most of them are just wrappers around commits, and implement proper locking when operating in order to allow simultaneous operations (either across threads or processes). They are described in detail in the manual pages; we'll only list them here for completeness:

  • jopen()
  • jread(), jpread(), jreadv()
  • jwrite(), jpwrite(), jwritev()
  • jtruncate()
  • jclose()

ACID guarantees

Database people like ACID (well, that's not news for anybody), which they say means "Atomicity, Consistency, Isolation, Durability".

So, even though libjio is not a purely database thing, its transactions provide those properties. Let's take a look one by one:

Atomicity
In a transaction involving two or more discrete pieces of information, either all of the pieces are committed or none are. This has been discussed before and we've seen how the library achieves this point, mostly based on locks and relying on a commit procedure.
Consistency
A transaction either creates a new and valid state of data, or, if any failure occurs, returns all data to its state before the transaction was started. This, like atomicity, has been discussed before, especially in the recovery section, when we saw how in case of a crash we end up with a fully applied transaction, or no transaction applied at all.
Isolation
A transaction in process and not yet committed must remain isolated from any other transaction. This comes as a side effect of doing proper locking on the sections each transaction affects, and guarantees that there can't be two transactions working on the same section at the same time.
Durability
Committed data is saved by the system such that, even in the event of a failure, the data is available in a correct state. To provide this, libjio relies on the disk as a method of permanent storage, and expects that when it does synchronous I/O, data is safely written and can be recovered after a crash.

Working from outside

If you want, and are careful enough, you can safely use the library and still do I/O using the regular UNIX calls.

This section provides some general guidelines that you need to follow in order to prevent corruption. Of course you can bend or break them according to your use; this is just a general overview of how to interact from outside.

  • Lock the sections you want to use: the library, as already explained, relies on fcntl() locking; so, if you intend to operate on parts of the file while using it, you should lock them.
  • Don't truncate, unlink or rename: these operations have serious implications when they're done while using the library, because the library itself assumes that names don't change, and files don't disappear from underneath it. It could potentially lead to corruption, although most of the time you would just get errors from every call.
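
One way to follow the first guideline from code that bypasses the library, as an added example that is not libjio code: a plain pwrite() wrapped in an fcntl() write lock on exactly the bytes it touches. The function names and the scratch file used by demo() are hypothetical.

```c
/* Added example, not libjio code: plain pwrite() guarded by an fcntl() lock. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Set (F_WRLCK) or clear (F_UNLCK) an advisory lock on [off, off + len). */
static int range_lock(int fd, short type, off_t off, off_t len)
{
    struct flock fl;
    memset(&fl, 0, sizeof fl);
    fl.l_type = type;
    fl.l_whence = SEEK_SET;
    fl.l_start = off;
    fl.l_len = len;
    return fcntl(fd, F_SETLKW, &fl);    /* waits until the range is free */
}

/* Write len bytes at off while holding a write lock on exactly that range.
 * Returns 0 on success, -1 on error. */
int locked_pwrite(int fd, const void *buf, size_t len, off_t off)
{
    int rc = 0;
    if (len == 0) return 0;             /* l_len == 0 would lock to EOF */
    if (range_lock(fd, F_WRLCK, off, (off_t)len) == -1) return -1;
    for (size_t done = 0; done < len && rc == 0; ) {
        ssize_t n = pwrite(fd, (const char *)buf + done, len - done,
                           off + (off_t)done);
        if (n <= 0) rc = -1; else done += (size_t)n;
    }
    if (rc == 0 && fsync(fd) == -1) rc = -1;
    if (range_lock(fd, F_UNLCK, off, (off_t)len) == -1) rc = -1;
    return rc;
}

/* Demo on a scratch file (constructed): write, then read the bytes back. */
int demo(void)
{
    char path[] = "/tmp/jio-demo-XXXXXX", back[5] = {0};
    int fd = mkstemp(path);
    if (fd == -1) return -1;
    int rc = locked_pwrite(fd, "DATA", 4, 8);
    if (rc == 0 && pread(fd, back, 4, 8) != 4) rc = -1;
    if (rc == 0 && strcmp(back, "DATA") != 0) rc = -1;
    close(fd);
    unlink(path);
    return rc;
}
```

fcntl() record locks belong to the process: they keep other processes out of the range but not other threads of the same process, and closing any descriptor for the file releases them.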