1.. SPDX-License-Identifier: GPL-2.0 2 3====================================== 4EROFS - Enhanced Read-Only File System 5====================================== 6 7Overview 8======== 9 10EROFS (Enhanced Read-Only File System) is a modern, efficient, and secure 11read-only kernel filesystem designed for various use cases including immutable 12system images, container images, application sandbox images, and dataset 13distribution. 14 15An immutable image filesystem can be regarded as an enhanced archive format 16which allows golden images to be built once and mounted everywhere -- images are 17bit-for-bit identical across all deployments and can be verified, audited, or 18shared without concerns about runtime modifications (in this model, all user 19writes should be redirected into another trusted filesystem, for example, via 20overlayfs for copy-on-write-style redirection, by design). 21 22EROFS is a dedicated implementation of the image filesystem idea above, with a 23flexible, hierarchical on-disk design so that needed features can be enabled on 24demand. Filesystem data in the core format is strictly block-aligned in order 25to perform optimally on all kinds of storage media, including block devices and 26memory-backed devices. The on-disk format is easy to parse and purposely avoids 27the unnecessary metadata redundancy found in generic writable filesystems, which 28can suffer from extra inconsistency issues -- making it ideal for security 29auditing and untrusted remote access. In addition, designs such as inline data, 30inline/shared extended attributes, and optimized (de)compression provide better 31space efficiency while maintaining high performance. 32 33In short, EROFS aims to be a better fit for the following scenarios: 34 35 - As part of a secure immutable storage solution, where it needs to be 36 immutable and bit-for-bit identical to the official golden image for 37 each individual copy, in order to meet security, data sharing, and/or 38 other requirements; 39 40 - Minimizing storage overhead with guaranteed end-to-end performance 41 by using compact (meta)data layout, optimized transparent data compression, 42 deduplication and direct access, especially for those embedded devices with 43 limited memory and high-density hosts with numerous containers. 44 45Here is the list of highlights: 46 47 - Little endian on-disk design with 48-bit block addressing, supporting up 48 to 1 EiB filesystem capacity with 4 KiB block size; 49 50 - Two compact inode metadata layouts for space and performance efficiency: 51 52 ======================== ======== ====================================== 53 compact extended 54 ======================== ======== ====================================== 55 Inode core metadata size 32 bytes 64 bytes 56 Max file size 4 GiB 16 EiB (also limited by max. vol size) 57 Max uids/gids 65536 4294967296 58 Nanosecond timestamps no yes 59 Max hardlinks 65536 4294967296 60 ======================== ======== ====================================== 61 62 - Support tailpacking inline data for better space efficiency and reduce 63 unneeded I/O amplification; 64 65 - Block-based and file-backed distribution are both supported; 66 67 - Multiple devices to reference external data blobs: inode data can be 68 optionally placed into external blobs, which enables image layering and data 69 sharing among different filesystems; 70 71 - Inline and shared extended attributes with an optional bloom filter that 72 speeds up negative extended attribute lookups; 73 74 - POSIX.1e ACLs by using extended attributes; 75 76 - Transparent data compression as an option: Supported algorithms (LZ4, 77 MicroLZMA, DEFLATE and Zstandard) can be selected on a per-inode basis. 78 Both the on-disk metadata and decompression runtime have been heavily 79 optimized to minimize the overhead for better performance. 80 81 - Merging tail-end data into a special inode as fragments; 82 83 - Chunk-based deduplication and rolling-hash compressed data deduplication; 84 85 - Direct I/O and FSDAX support on uncompressed inodes for use cases such as 86 secure containers, loop devices, and ramdisks that do not need page caching; 87 88 - Page cache sharing among inodes with identical content fingerprints on 89 the same machine. 90 91For more detailed information, please refer to our documentation site: 92 93- https://erofs.docs.kernel.org 94 95The following git tree provides the file system user-space tools under 96development, such as a formatting tool (mkfs.erofs), an on-disk consistency & 97compatibility checking tool (fsck.erofs), and a debugging tool (dump.erofs): 98 99- git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git 100 101Bugs and patches are welcome, please kindly help us and send to the following 102linux-erofs mailing list: 103 104- linux-erofs mailing list <linux-erofs@lists.ozlabs.org> 105 106Mount options 107============= 108 109=================== ========================================================= 110(no)user_xattr Setup Extended User Attributes. Note: xattr is enabled 111 by default if CONFIG_EROFS_FS_XATTR is selected. 112(no)acl Setup POSIX Access Control List. Note: acl is enabled 113 by default if CONFIG_EROFS_FS_POSIX_ACL is selected. 114cache_strategy=%s Select a strategy for cached decompression from now on: 115 116 ========== ============================================= 117 disabled In-place I/O decompression only; 118 readahead Cache the last incomplete compressed physical 119 cluster for further reading. It still does 120 in-place I/O decompression for the rest 121 compressed physical clusters; 122 readaround Cache both ends of incomplete compressed 123 physical clusters for further reading. 124 It still does in-place I/O decompression 125 for the rest compressed physical clusters. 126 ========== ============================================= 127dax={always,never} Use direct access (no page cache). See 128 Documentation/filesystems/dax.rst. 129dax A legacy option which is an alias for ``dax=always``. 130device=%s Specify a path to an extra device to be used together. 131directio (For file-backed mounts) Use direct I/O to access backing 132 files, and asynchronous I/O will be enabled if supported. 133domain_id=%s Specify a trusted domain ID. Filesystems sharing the same 134 domain ID can share page cache across mounts when inode 135 page sharing is enabled. (not shown in mountinfo output) 136fsoffset=%llu Specify block-aligned filesystem offset for the primary device. 137inode_share Enable inode page sharing for this filesystem. Inodes with 138 identical content within the same domain ID can share the 139 page cache. 140=================== ========================================================= 141 142Sysfs Entries 143============= 144 145Information about mounted erofs file systems can be found in /sys/fs/erofs. 146Each mounted filesystem will have a directory in /sys/fs/erofs based on its 147device name (i.e., /sys/fs/erofs/sda). 148(see also Documentation/ABI/testing/sysfs-fs-erofs) 149 150On-disk details 151=============== 152 153Summary 154------- 155Different from other read-only file systems, an EROFS volume is designed 156to be as simple as possible:: 157 158 |-> aligned with the block size 159 ____________________________________________________________ 160 | |SB| | ... | Metadata | ... | Data | Metadata | ... | Data | 161 |_|__|_|_____|__________|_____|______|__________|_____|______| 162 0 +1K 163 164All data areas should be aligned with the block size, but metadata areas 165may not. All metadata can be now observed in two different spaces (views): 166 167 1. Inode metadata space 168 169 Each valid inode should be aligned with an inode slot, which is a fixed 170 value (32 bytes) and designed to be kept in line with compact inode size. 171 172 Each inode can be directly found with the following formula: 173 inode offset = meta_blkaddr * block_size + 32 * nid 174 175 :: 176 177 |-> aligned with 8B 178 |-> followed closely 179 + meta_blkaddr blocks |-> another slot 180 _____________________________________________________________________ 181 | ... | inode | xattrs | extents | data inline | ... | inode ... 182 |________|_______|(optional)|(optional)|__(optional)_|_____|__________ 183 |-> aligned with the inode slot size 184 . . 185 . . 186 . . 187 . . 188 . . 189 . . 190 .____________________________________________________|-> aligned with 4B 191 | xattr_ibody_header | shared xattrs | inline xattrs | 192 |____________________|_______________|_______________| 193 |-> 12 bytes <-|->x * 4 bytes<-| . 194 . . . 195 . . . 196 . . . 197 ._______________________________.______________________. 198 | id | id | id | id | ... | id | ent | ... | ent| ... | 199 |____|____|____|____|______|____|_____|_____|____|_____| 200 |-> aligned with 4B 201 |-> aligned with 4B 202 203 Inode could be 32 or 64 bytes, which can be distinguished from a common 204 field which all inode versions have -- i_format:: 205 206 __________________ __________________ 207 | i_format | | i_format | 208 |__________________| |__________________| 209 | ... | | ... | 210 | | | | 211 |__________________| 32 bytes | | 212 | | 213 |__________________| 64 bytes 214 215 Xattrs, extents, data inline are placed after the corresponding inode with 216 proper alignment, and they could be optional for different data mappings. 217 _currently_ total 5 data layouts are supported: 218 219 == ==================================================================== 220 0 flat file data without data inline (no extent); 221 1 fixed-sized output data compression (with non-compacted indexes); 222 2 flat file data with tail packing data inline (no extent); 223 3 fixed-sized output data compression (with compacted indexes, v5.3+); 224 4 chunk-based file (v5.15+). 225 == ==================================================================== 226 227 The size of the optional xattrs is indicated by i_xattr_count in inode 228 header. Large xattrs or xattrs shared by many different files can be 229 stored in shared xattrs metadata rather than inlined right after inode. 230 231 2. Shared xattrs metadata space 232 233 Shared xattrs space is similar to the above inode space, started with 234 a specific block indicated by xattr_blkaddr, organized one by one with 235 proper align. 236 237 Each share xattr can also be directly found by the following formula: 238 xattr offset = xattr_blkaddr * block_size + 4 * xattr_id 239 240:: 241 242 |-> aligned by 4 bytes 243 + xattr_blkaddr blocks |-> aligned with 4 bytes 244 _________________________________________________________________________ 245 | ... | xattr_entry | xattr data | ... | xattr_entry | xattr data ... 246 |________|_____________|_____________|_____|______________|_______________ 247 248Directories 249----------- 250All directories are now organized in a compact on-disk format. Note that 251each directory block is divided into index and name areas in order to support 252random file lookup, and all directory entries are _strictly_ recorded in 253alphabetical order in order to support improved prefix binary search 254algorithm (could refer to the related source code). 255 256:: 257 258 ___________________________ 259 / | 260 / ______________|________________ 261 / / | nameoff1 | nameoffN-1 262 ____________.______________._______________v________________v__________ 263 | dirent | dirent | ... | dirent | filename | filename | ... | filename | 264 |___.0___|____1___|_____|___N-1__|____0_____|____1_____|_____|___N-1____| 265 \ ^ 266 \ | * could have 267 \ | trailing '\0' 268 \________________________| nameoff0 269 Directory block 270 271Note that apart from the offset of the first filename, nameoff0 also indicates 272the total number of directory entries in this block since it is no need to 273introduce another on-disk field at all. 274 275Chunk-based files 276----------------- 277In order to support chunk-based data deduplication, a new inode data layout has 278been supported since Linux v5.15: Files are split in equal-sized data chunks 279with ``extents`` area of the inode metadata indicating how to get the chunk 280data: these can be simply as a 4-byte block address array or in the 8-byte 281chunk index form (see struct erofs_inode_chunk_index in erofs_fs.h for more 282details.) 283 284By the way, chunk-based files are all uncompressed for now. 285 286Long extended attribute name prefixes 287------------------------------------- 288There are use cases where extended attributes with different values can have 289only a few common prefixes (such as overlayfs xattrs). The predefined prefixes 290work inefficiently in both image size and runtime performance in such cases. 291 292The long xattr name prefixes feature is introduced to address this issue. The 293overall idea is that, apart from the existing predefined prefixes, the xattr 294entry could also refer to user-specified long xattr name prefixes, e.g. 295"trusted.overlay.". 296 297When referring to a long xattr name prefix, the highest bit (bit 7) of 298erofs_xattr_entry.e_name_index is set, while the lower bits (bit 0-6) as a whole 299represent the index of the referred long name prefix among all long name 300prefixes. Therefore, only the trailing part of the name apart from the long 301xattr name prefix is stored in erofs_xattr_entry.e_name, which could be empty if 302the full xattr name matches exactly as its long xattr name prefix. 303 304All long xattr prefixes are stored one by one in the packed inode as long as 305the packed inode is valid, or in the meta inode otherwise. The 306xattr_prefix_count (of the on-disk superblock) indicates the total number of 307long xattr name prefixes, while (xattr_prefix_start * 4) indicates the start 308offset of long name prefixes in the packed/meta inode. Note that, long extended 309attribute name prefixes are disabled if xattr_prefix_count is 0. 310 311Each long name prefix is stored in the format: ALIGN({__le16 len, data}, 4), 312where len represents the total size of the data part. The data part is actually 313represented by 'struct erofs_xattr_long_prefix', where base_index represents the 314index of the predefined xattr name prefix, e.g. EROFS_XATTR_INDEX_TRUSTED for 315"trusted.overlay." long name prefix, while the infix string keeps the string 316after stripping the short prefix, e.g. "overlay." for the example above. 317 318Data compression 319---------------- 320EROFS implements fixed-sized output compression which generates fixed-sized 321compressed data blocks from variable-sized input in contrast to other existing 322fixed-sized input solutions. Relatively higher compression ratios can be gotten 323by using fixed-sized output compression since nowadays popular data compression 324algorithms are mostly LZ77-based and such fixed-sized output approach can be 325benefited from the historical dictionary (aka. sliding window). 326 327In details, original (uncompressed) data is turned into several variable-sized 328extents and in the meanwhile, compressed into physical clusters (pclusters). 329In order to record each variable-sized extent, logical clusters (lclusters) are 330introduced as the basic unit of compress indexes to indicate whether a new 331extent is generated within the range (HEAD) or not (NONHEAD). Lclusters are now 332fixed in block size, as illustrated below:: 333 334 |<- variable-sized extent ->|<- VLE ->| 335 clusterofs clusterofs clusterofs 336 | | | 337 _________v_________________________________v_______________________v________ 338 ... | . | | . | | . ... 339 ____|____._________|______________|________.___ _|______________|__.________ 340 |-> lcluster <-|-> lcluster <-|-> lcluster <-|-> lcluster <-| 341 (HEAD) (NONHEAD) (HEAD) (NONHEAD) . 342 . CBLKCNT . . 343 . . . 344 . . . 345 _______._____________________________.______________._________________ 346 ... | | | | ... 347 _______|______________|______________|______________|_________________ 348 |-> big pcluster <-|-> pcluster <-| 349 350A physical cluster can be seen as a container of physical compressed blocks 351which contains compressed data. Previously, only lcluster-sized (4KB) pclusters 352were supported. After big pcluster feature is introduced (available since 353Linux v5.13), pcluster can be a multiple of lcluster size. 354 355For each HEAD lcluster, clusterofs is recorded to indicate where a new extent 356starts and blkaddr is used to seek the compressed data. For each NONHEAD 357lcluster, delta0 and delta1 are available instead of blkaddr to indicate the 358distance to its HEAD lcluster and the next HEAD lcluster. A PLAIN lcluster is 359also a HEAD lcluster except that its data is uncompressed. See the comments 360around "struct z_erofs_vle_decompressed_index" in erofs_fs.h for more details. 361 362If big pcluster is enabled, pcluster size in lclusters needs to be recorded as 363well. Let the delta0 of the first NONHEAD lcluster store the compressed block 364count with a special flag as a new called CBLKCNT NONHEAD lcluster. It's easy 365to understand its delta0 is constantly 1, as illustrated below:: 366 367 __________________________________________________________ 368 | HEAD | NONHEAD | NONHEAD | ... | NONHEAD | HEAD | HEAD | 369 |__:___|_(CBLKCNT)_|_________|_____|_________|__:___|____:_| 370 |<----- a big pcluster (with CBLKCNT) ------>|<-- -->| 371 a lcluster-sized pcluster (without CBLKCNT) ^ 372 373If another HEAD follows a HEAD lcluster, there is no room to record CBLKCNT, 374but it's easy to know the size of such pcluster is 1 lcluster as well. 375 376Since Linux v6.1, each pcluster can be used for multiple variable-sized extents, 377therefore it can be used for compressed data deduplication. 378