xref: /linux/Documentation/filesystems/erofs.rst (revision 6f7e6393d1ce636bb7ec77a7fe7b77458fddf701) 
1.. SPDX-License-Identifier: GPL-2.0
2
3======================================
4EROFS - Enhanced Read-Only File System
5======================================
6
7Overview
8========
9
10EROFS filesystem stands for Enhanced Read-Only File System.  It aims to form a
11generic read-only filesystem solution for various read-only use cases instead
12of just focusing on storage space saving without considering any side effects
13of runtime performance.
14
15It is designed to meet the needs of flexibility, feature extendability and user
16payload friendly, etc.  Apart from those, it is still kept as a simple
17random-access friendly high-performance filesystem to get rid of unneeded I/O
18amplification and memory-resident overhead compared to similar approaches.
19
20It is implemented to be a better choice for the following scenarios:
21
22 - read-only storage media or
23
24 - part of a fully trusted read-only solution, which means it needs to be
25   immutable and bit-for-bit identical to the official golden image for
26   their releases due to security or other considerations and
27
28 - hope to minimize extra storage space with guaranteed end-to-end performance
29   by using compact layout, transparent file compression and direct access,
30   especially for those embedded devices with limited memory and high-density
31   hosts with numerous containers.
32
33Here are the main features of EROFS:
34
35 - Little endian on-disk design;
36
37 - Block-based distribution and file-based distribution over fscache are
38   supported;
39
40 - Support multiple devices to refer to external blobs, which can be used
41   for container images;
42
43 - 32-bit block addresses for each device, therefore 16TiB address space at
44   most with 4KiB block size for now;
45
46 - Two inode layouts for different requirements:
47
48   =====================  ============  ======================================
49                          compact (v1)  extended (v2)
50   =====================  ============  ======================================
51   Inode metadata size    32 bytes      64 bytes
52   Max file size          4 GiB         16 EiB (also limited by max. vol size)
53   Max uids/gids          65536         4294967296
54   Per-inode timestamp    no            yes (64 + 32-bit timestamp)
55   Max hardlinks          65536         4294967296
56   Metadata reserved      8 bytes       18 bytes
57   =====================  ============  ======================================
58
59 - Support extended attributes as an option;
60
61 - Support a bloom filter that speeds up negative extended attribute lookups;
62
63 - Support POSIX.1e ACLs by using extended attributes;
64
65 - Support transparent data compression as an option:
66   LZ4, MicroLZMA, DEFLATE and Zstandard algorithms can be used on a per-file
67   basis; In addition, inplace decompression is also supported to avoid bounce
68   compressed buffers and unnecessary page cache thrashing.
69
70 - Support chunk-based data deduplication and rolling-hash compressed data
71   deduplication;
72
73 - Support tailpacking inline compared to byte-addressed unaligned metadata
74   or smaller block size alternatives;
75
76 - Support merging tail-end data into a special inode as fragments.
77
78 - Support large folios to make use of THPs (Transparent Hugepages);
79
80 - Support direct I/O on uncompressed files to avoid double caching for loop
81   devices;
82
83 - Support FSDAX on uncompressed images for secure containers and ramdisks in
84   order to get rid of unnecessary page cache.
85
86 - Support file-based on-demand loading with the Fscache infrastructure.
87
88The following git tree provides the file system user-space tools under
89development, such as a formatting tool (mkfs.erofs), an on-disk consistency &
90compatibility checking tool (fsck.erofs), and a debugging tool (dump.erofs):
91
92- git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git
93
94For more information, please also refer to the documentation site:
95
96- https://erofs.docs.kernel.org
97
98Bugs and patches are welcome, please kindly help us and send to the following
99linux-erofs mailing list:
100
101- linux-erofs mailing list   <linux-erofs@lists.ozlabs.org>
102
103Mount options
104=============
105
106===================    =========================================================
107(no)user_xattr         Setup Extended User Attributes. Note: xattr is enabled
108                       by default if CONFIG_EROFS_FS_XATTR is selected.
109(no)acl                Setup POSIX Access Control List. Note: acl is enabled
110                       by default if CONFIG_EROFS_FS_POSIX_ACL is selected.
111cache_strategy=%s      Select a strategy for cached decompression from now on:
112
113		       ==========  =============================================
114                         disabled  In-place I/O decompression only;
115                        readahead  Cache the last incomplete compressed physical
116                                   cluster for further reading. It still does
117                                   in-place I/O decompression for the rest
118                                   compressed physical clusters;
119                       readaround  Cache both ends of incomplete compressed
120                                   physical clusters for further reading.
121                                   It still does in-place I/O decompression
122                                   for the rest compressed physical clusters.
123		       ==========  =============================================
124dax={always,never}     Use direct access (no page cache).  See
125                       Documentation/filesystems/dax.rst.
126dax                    A legacy option which is an alias for ``dax=always``.
127device=%s              Specify a path to an extra device to be used together.
128directio               (For file-backed mounts) Use direct I/O to access backing
129                       files, and asynchronous I/O will be enabled if supported.
130fsid=%s                Specify a filesystem image ID for Fscache back-end.
131domain_id=%s           Specify a trusted domain ID for fscache mode so that
132                       different images with the same blobs, identified by blob IDs,
133                       can share storage within the same trusted domain.
134                       Also used for different filesystems with inode page sharing
135                       enabled to share page cache within the trusted domain.
136fsoffset=%llu          Specify block-aligned filesystem offset for the primary device.
137inode_share            Enable inode page sharing for this filesystem.  Inodes with
138                       identical content within the same domain ID can share the
139                       page cache.
140===================    =========================================================
141
142Sysfs Entries
143=============
144
145Information about mounted erofs file systems can be found in /sys/fs/erofs.
146Each mounted filesystem will have a directory in /sys/fs/erofs based on its
147device name (i.e., /sys/fs/erofs/sda).
148(see also Documentation/ABI/testing/sysfs-fs-erofs)
149
150On-disk details
151===============
152
153Summary
154-------
155Different from other read-only file systems, an EROFS volume is designed
156to be as simple as possible::
157
158                                |-> aligned with the block size
159   ____________________________________________________________
160  | |SB| | ... | Metadata | ... | Data | Metadata | ... | Data |
161  |_|__|_|_____|__________|_____|______|__________|_____|______|
162  0 +1K
163
164All data areas should be aligned with the block size, but metadata areas
165may not. All metadata can be now observed in two different spaces (views):
166
167 1. Inode metadata space
168
169    Each valid inode should be aligned with an inode slot, which is a fixed
170    value (32 bytes) and designed to be kept in line with compact inode size.
171
172    Each inode can be directly found with the following formula:
173         inode offset = meta_blkaddr * block_size + 32 * nid
174
175    ::
176
177                                 |-> aligned with 8B
178                                            |-> followed closely
179     + meta_blkaddr blocks                                      |-> another slot
180       _____________________________________________________________________
181     |  ...   | inode |  xattrs  | extents  | data inline | ... | inode ...
182     |________|_______|(optional)|(optional)|__(optional)_|_____|__________
183              |-> aligned with the inode slot size
184                   .                   .
185                 .                         .
186               .                              .
187             .                                    .
188           .                                         .
189         .                                              .
190       .____________________________________________________|-> aligned with 4B
191       | xattr_ibody_header | shared xattrs | inline xattrs |
192       |____________________|_______________|_______________|
193       |->    12 bytes    <-|->x * 4 bytes<-|               .
194                           .                .                 .
195                     .                      .                   .
196                .                           .                     .
197            ._______________________________.______________________.
198            | id | id | id | id |  ... | id | ent | ... | ent| ... |
199            |____|____|____|____|______|____|_____|_____|____|_____|
200                                            |-> aligned with 4B
201                                                        |-> aligned with 4B
202
203    Inode could be 32 or 64 bytes, which can be distinguished from a common
204    field which all inode versions have -- i_format::
205
206        __________________               __________________
207       |     i_format     |             |     i_format     |
208       |__________________|             |__________________|
209       |        ...       |             |        ...       |
210       |                  |             |                  |
211       |__________________| 32 bytes    |                  |
212                                        |                  |
213                                        |__________________| 64 bytes
214
215    Xattrs, extents, data inline are placed after the corresponding inode with
216    proper alignment, and they could be optional for different data mappings.
217    _currently_ total 5 data layouts are supported:
218
219    ==  ====================================================================
220     0  flat file data without data inline (no extent);
221     1  fixed-sized output data compression (with non-compacted indexes);
222     2  flat file data with tail packing data inline (no extent);
223     3  fixed-sized output data compression (with compacted indexes, v5.3+);
224     4  chunk-based file (v5.15+).
225    ==  ====================================================================
226
227    The size of the optional xattrs is indicated by i_xattr_count in inode
228    header. Large xattrs or xattrs shared by many different files can be
229    stored in shared xattrs metadata rather than inlined right after inode.
230
231 2. Shared xattrs metadata space
232
233    Shared xattrs space is similar to the above inode space, started with
234    a specific block indicated by xattr_blkaddr, organized one by one with
235    proper align.
236
237    Each share xattr can also be directly found by the following formula:
238         xattr offset = xattr_blkaddr * block_size + 4 * xattr_id
239
240::
241
242                           |-> aligned by  4 bytes
243    + xattr_blkaddr blocks                     |-> aligned with 4 bytes
244     _________________________________________________________________________
245    |  ...   | xattr_entry |  xattr data | ... |  xattr_entry | xattr data  ...
246    |________|_____________|_____________|_____|______________|_______________
247
248Directories
249-----------
250All directories are now organized in a compact on-disk format. Note that
251each directory block is divided into index and name areas in order to support
252random file lookup, and all directory entries are _strictly_ recorded in
253alphabetical order in order to support improved prefix binary search
254algorithm (could refer to the related source code).
255
256::
257
258                  ___________________________
259                 /                           |
260                /              ______________|________________
261               /              /              | nameoff1       | nameoffN-1
262  ____________.______________._______________v________________v__________
263 | dirent | dirent | ... | dirent | filename | filename | ... | filename |
264 |___.0___|____1___|_____|___N-1__|____0_____|____1_____|_____|___N-1____|
265      \                           ^
266       \                          |                           * could have
267        \                         |                             trailing '\0'
268         \________________________| nameoff0
269                             Directory block
270
271Note that apart from the offset of the first filename, nameoff0 also indicates
272the total number of directory entries in this block since it is no need to
273introduce another on-disk field at all.
274
275Chunk-based files
276-----------------
277In order to support chunk-based data deduplication, a new inode data layout has
278been supported since Linux v5.15: Files are split in equal-sized data chunks
279with ``extents`` area of the inode metadata indicating how to get the chunk
280data: these can be simply as a 4-byte block address array or in the 8-byte
281chunk index form (see struct erofs_inode_chunk_index in erofs_fs.h for more
282details.)
283
284By the way, chunk-based files are all uncompressed for now.
285
286Long extended attribute name prefixes
287-------------------------------------
288There are use cases where extended attributes with different values can have
289only a few common prefixes (such as overlayfs xattrs).  The predefined prefixes
290work inefficiently in both image size and runtime performance in such cases.
291
292The long xattr name prefixes feature is introduced to address this issue.  The
293overall idea is that, apart from the existing predefined prefixes, the xattr
294entry could also refer to user-specified long xattr name prefixes, e.g.
295"trusted.overlay.".
296
297When referring to a long xattr name prefix, the highest bit (bit 7) of
298erofs_xattr_entry.e_name_index is set, while the lower bits (bit 0-6) as a whole
299represent the index of the referred long name prefix among all long name
300prefixes.  Therefore, only the trailing part of the name apart from the long
301xattr name prefix is stored in erofs_xattr_entry.e_name, which could be empty if
302the full xattr name matches exactly as its long xattr name prefix.
303
304All long xattr prefixes are stored one by one in the packed inode as long as
305the packed inode is valid, or in the meta inode otherwise.  The
306xattr_prefix_count (of the on-disk superblock) indicates the total number of
307long xattr name prefixes, while (xattr_prefix_start * 4) indicates the start
308offset of long name prefixes in the packed/meta inode.  Note that, long extended
309attribute name prefixes are disabled if xattr_prefix_count is 0.
310
311Each long name prefix is stored in the format: ALIGN({__le16 len, data}, 4),
312where len represents the total size of the data part.  The data part is actually
313represented by 'struct erofs_xattr_long_prefix', where base_index represents the
314index of the predefined xattr name prefix, e.g. EROFS_XATTR_INDEX_TRUSTED for
315"trusted.overlay." long name prefix, while the infix string keeps the string
316after stripping the short prefix, e.g. "overlay." for the example above.
317
318Data compression
319----------------
320EROFS implements fixed-sized output compression which generates fixed-sized
321compressed data blocks from variable-sized input in contrast to other existing
322fixed-sized input solutions. Relatively higher compression ratios can be gotten
323by using fixed-sized output compression since nowadays popular data compression
324algorithms are mostly LZ77-based and such fixed-sized output approach can be
325benefited from the historical dictionary (aka. sliding window).
326
327In details, original (uncompressed) data is turned into several variable-sized
328extents and in the meanwhile, compressed into physical clusters (pclusters).
329In order to record each variable-sized extent, logical clusters (lclusters) are
330introduced as the basic unit of compress indexes to indicate whether a new
331extent is generated within the range (HEAD) or not (NONHEAD). Lclusters are now
332fixed in block size, as illustrated below::
333
334          |<-    variable-sized extent    ->|<-       VLE         ->|
335        clusterofs                        clusterofs              clusterofs
336          |                                 |                       |
337 _________v_________________________________v_______________________v________
338 ... |    .         |              |        .     |              |  .   ...
339 ____|____._________|______________|________.___ _|______________|__.________
340     |-> lcluster <-|-> lcluster <-|-> lcluster <-|-> lcluster <-|
341          (HEAD)        (NONHEAD)       (HEAD)        (NONHEAD)    .
342           .             CBLKCNT            .                    .
343            .                               .                  .
344             .                              .                .
345       _______._____________________________.______________._________________
346          ... |              |              |              | ...
347       _______|______________|______________|______________|_________________
348              |->      big pcluster       <-|-> pcluster <-|
349
350A physical cluster can be seen as a container of physical compressed blocks
351which contains compressed data. Previously, only lcluster-sized (4KB) pclusters
352were supported. After big pcluster feature is introduced (available since
353Linux v5.13), pcluster can be a multiple of lcluster size.
354
355For each HEAD lcluster, clusterofs is recorded to indicate where a new extent
356starts and blkaddr is used to seek the compressed data. For each NONHEAD
357lcluster, delta0 and delta1 are available instead of blkaddr to indicate the
358distance to its HEAD lcluster and the next HEAD lcluster. A PLAIN lcluster is
359also a HEAD lcluster except that its data is uncompressed. See the comments
360around "struct z_erofs_vle_decompressed_index" in erofs_fs.h for more details.
361
362If big pcluster is enabled, pcluster size in lclusters needs to be recorded as
363well. Let the delta0 of the first NONHEAD lcluster store the compressed block
364count with a special flag as a new called CBLKCNT NONHEAD lcluster. It's easy
365to understand its delta0 is constantly 1, as illustrated below::
366
367   __________________________________________________________
368  | HEAD |  NONHEAD  | NONHEAD | ... | NONHEAD | HEAD | HEAD |
369  |__:___|_(CBLKCNT)_|_________|_____|_________|__:___|____:_|
370     |<----- a big pcluster (with CBLKCNT) ------>|<--  -->|
371           a lcluster-sized pcluster (without CBLKCNT) ^
372
373If another HEAD follows a HEAD lcluster, there is no room to record CBLKCNT,
374but it's easy to know the size of such pcluster is 1 lcluster as well.
375
376Since Linux v6.1, each pcluster can be used for multiple variable-sized extents,
377therefore it can be used for compressed data deduplication.
378