Excellent. It really solves a problem for me, as I have been
agonising over what format to use for Aquila for a long time now.
Perfect.
:-)
The API would provide an alternative open(), which accepts an inode
number instead of a (path) name.
There would also be an alternative creat(), which does not take a new
(path) name, but which returns the inode number of the created file.
The application program would be responsible for storing the inode
number (possibly in memory, for a temporary file, or in another file
or in a database for longer term storage).

This facility would be quite important to me, I think. AdaOS (which
will be based on CORBA, I think) is going to be an object-oriented OS.
Accessing objects (and perhaps database BLOBs) by inode number (rather
than any name) would be an important capability.
It's a dilemma, because we both know full well that if Joe User
creates a pile of files with '/'s in their names, and then, say, tries
to FTP them onto a Unix system, it's going to go nasty, and naturally
it's the OS or file system that will get the blame.

The problem is, it cuts both ways. If Jane User tries to FTP a pile
of files from her Macintosh (with '/'s in their names) to a ZenFS
system, and it goes belly-up, it's ZenFS that'll get the blame again.

We cannot win :-)
I think I explained this badly. I should probably have said something
like 'important flags' and 'unimportant' flags, instead of 'mandatory'
and 'auxiliary'.

The idea is simply that, by defining some of a set of future potential
flags as 'unimportant', new unimportant flags can be introduced without
requiring a version (or revision) change. A new flag can be deemed
unimportant if software can safely ignore it (innocent of its
existence).

To concoct an example, a new inode flag that means something like
'make access to this file espcially fast' (maybe for use by heavily
accessed files) could probably be considered unimportant. An inode flag
that means 'safety copy of another inode, do not use' would probably
have to be considered important, and its introduction would therefore
require a version change.

This idea is not important, but it might be nice.
Type 1 denotes a 'metafile' containg the inodes (in my own preliminary
design). Unimportant.

Type 522 denotes files which start with the AdaOS 'Native File Common
Header'. There is a field in this header which specfies the (sub-)type
of the file. It is mainly used for AdaOS-specific things (such as
executable modules). Little relevance to ZenFS.
It was really only to define a few low-level file types, so that low-
level software (boot programs, basic devices drivers, etc.) had a way
to distinguish (or check) file types, without recourse to complicated
mechanisms. So probably PNG and JPEG files would not fall into this
category (they would be only be used by high-level application
software). However, some OS-specific files (such as AdaOS executable
modules) would fall into this category.
I thought it might be handy to have a 16-bit type field, where the
upper byte is used to distinguish operating systems (say 0=ZenFS,
1=yourOS, 2=AdaOS, 3=Linux, 4=BSD, etc.), and the lower byte to
specify a basic file type within the OS. Sorry I didn't explain this
better in the first place!
Yes, that's perfect. And so a PNG would be .AdaOS:TYPE=image/png and
a JPEG would be .AdaOS:TYPE=image/jpeg and so on.

However, I think there would be value in having a few conventional
types (defined in a separate specification). It might be pretty handy
to have a conventional file type attribute such as "MIME_TYPE" for
MIME types.

On the subject of attributes, the spiel for Reiser4 raises a couple
of questions.

Supposing we said that any directory can be opened as either a (raw)
datafile or as a directory. If it is opened as a file, we search for
a special entry (named ".DEFAULT" say), and open it. Suppose,
furthermore, that any entry in a directory can be marked as
'inherited': if a search of a subdirectory (down to any level) for
the same name fails, the inherited entry is returned instead. Might
this provide a sufficient basis for attribute storage? Might it also
be sufficient for the storage of streams? (But it might be dangerous
to spend too much time reading about Reiser4 :-)
Aha! Cool.
Sorry, I meant the uint64 data_size in an inode. It would mean
maximum file size was 2.3x10^18 bytes. Personally, I think that's
okay.

If the uint16 data_size in the small_attr region were also in terms
of bits, it would reduce the maximum size to 8191+7/8 bytes. Since
these attributes are meant to be small, isn't that okay?

Actually, I might suggest the offset index need only contain uint16s
(rather than uint32s), and each could be in terms of n/8, where n is
the offset in bytes (from the beginning of the small_attr area).

Not sure how important any of this is.
Indeed!
I think it's extremely unlikely (but I'm not sure). On modern disks,
sectors can be relocated (at the factory); I believe that if a disk
has sector 0 bad, the disk is rejected (scrapped). However, a volume
on a partitioned disk can start anywhere. Modern disks do not use a
jelly substrate any more, and destructive head crashes are very rare.
I've heard of plans to reduce the inter-sector gap to nearly zero for
the next generation of disks, but I think there are ways to maintain
reliability (involving end-of-track redundancy data, I suspect).
Probably just a track, or maybe a few adjacent tracks.
That's not a disaster at all. It is a standard technique (now) in
this situation to boot from another source (e.g. a floppy disk or
CD-ROM) and perform recovery or repair of the volume.
I don't feel what I suggested is all that complex. But it does need
thinking about. Let's avoid introducing any new major problems while
trying to solve a few relatively minor ones!
It's definitely an idea that's been knocking around in computer science
for yonks, but its application to file systems /might/ be unique. I've
not personally come across any file system that does it.
Doh! I'm an idiot! I'm not used to journalling technology yet, and I
tend to forget. Sorry.

In fact, on this subject, the astute may recall that I've written
recently (in alt.os.development) criticising journalling. But I'm
learning more about it, and I'm beginning to think that my criticisms
were hasty. I can see that a log could help speed up safe rewrites, by
allowing them to be reordered.
Hmm. To be honest, I'm not so sure now.
Yes, this is the problem.
Hehe. You're speaking to an Ada programmer (for whom buffer overrun
just doesn't happen). I forgot about that one.
I disagree with this. The bytes are there now, but we may well wish
to use them (for other purposes) in future ZenFS versions.
However, I agree with this. In the end, it's a minor issue. Keep
things as they are.
I'm not quite sure if can call myself a database expert. I am sort
of. Trouble is, you could study databases all your life and not
really be an expert. Hehe ;-)

I think we should provide everything that a SQL-92 CLI (ODBC)
database engine (device driver) would require. That gives us the
following checklist:

* types (char string, bit string, large & small integer, specific
decimal scale exact numeric, single & double float, various
datetimes and time intervals, possibly also BLOBs, references,
OIDs);

* organisational structures (catalogs, schemas);

* basic elements (tables, views, domains, constraints and
assertions, character sets & collations?, character set
translations?);

* permissions on these elements (insert, update, delete, select,
reference, usage) and authorisation (passwords?);

* transactions (roll back on recovery);

* stored procedures? (I don't think so);

* the Definition Schema (containing database metadata).

This checklist leaves out a lot of detail, but also it is only a
list of things that need to be covered by /some/ ZenFS mechanism
(a rose by any other name).

I think this stuff would be so useful, it would be worth
pursuing.
That may be true, but I think it is for all the wrong reasons. The
principal (wrong) reason is that most of the standards and
specifications which specify UTF-8 are being devised by North
Americans (and to a lesser extent, Europeans), such as the IETF
and W3C, for example, who naturally (but foolishly) assume that an
encoding which is efficient only for the characters in the Latin-x
sets will be acceptable to everyone in the world. A Chinese,
Japanese, Korean, Taiwanese, or Thai filename encoded in UTF-8 will
be diabolically inefficient. In most countries in the world, UTF-8
is just irrelevant and silly. For once, Microsoft are right.

I am getting the impression that there is a gradual consensus
accumulating in the standards communities that it is better to
stick to a simple ASCII-based 8-bit character set (encoding) for
names that will be used in programs (file/path names, environment
variable names, configuration item names, database table and field
names, and so on). This way, programs can continue to work in
execution environments for which support of bigger character
repertoires would be inappropriate. I divine that this is the
current thrust of the OMG's thinking wrt CORBA now.

For more sophisticated environments, files and other objects can
be given alternative names or descriptions using Unicode (the UCS),
which can be used for human display purposes. The extensible
attribute mechanism of ZenFS seems to be ideal for this purpose.
I don't want to sound like this is a hobby horse for me. I can see
that a UTF-8 encoding doesn't actually /prevent/ the use of Latin-1
characters only throughout the file system. But would it be
acceptable for some implementations of ZenFS to simply not support
non-Latin-1 characters?

For example, supposing I wanted to write a data recovery tool
suitable for use from a bootable floppy disk. It would have to be a
relatively small program to fit. It would be quite acceptable for
this program to use text mode (no GUI or mouse). But supposing this
program had an option to display directory listings (perhaps to
allow the user to do selective deletion). It would be hard to
support the display of non-Latin-1 characters (and a few Latin-1
characters too, in fact).

There are an awful lot of existing programs that cannot support
encodings other than a simple 8-bit ASCII-based one. These programs
would be at risk of failing if they tried to manipulate a file with
a (path) name that contained exotic characters. Can we expect
systems implementing ZenFS to not support legacy software?

I think this is an important issue, that needs careful
consideration.
There are alternative possible ways to solve the disk usage reporting
problem. Maybe this isn't an important issue at this level (file
system format specification).
But that could be handled in different ways. The user's execution
environment could impose a default behaviour upon all software of
encrypting a file (unless explicitly told not to).
I think just about all of that information could be protected by a
mechanism that permitted encryption of individual directories and
inodes.

I think there is a problem with encrypting an entire volume, if that
volume is to be used by more than one user. It denies users the option
of not encrypting a file, which might be an important efficiency issue
in some cases.

I think individual structures (directories, inodes, indices) should be
inidividually encryptable. In which case, I think it would probably not
be necessary to have an option to encrypt the entire volume.
I'm pretty convinced that a system's API should expose methods to
allow application software to discover the location of holes in
sparse files, for various reasons. As I understand it, applications
running on scientific compute servers need to be able to see (and wait
on) the holes in order to use the sparse file as a communication (and
synchronisation) mechanism. That being the case, I still think that
compression should be left to higher levels of software; I feel sure
that a good algorithm for finding the redundancy in a particular data
set will require knowledge of the data set (which the file system does
not have). An increasing number of file formats these days have their
own specialist compression schemes designed-in (e.g. PNG, JPEG, MPEG).
I use DocBook/XML myself. I would be happy to do most of the conversion
from your current format to DocBook for you, if you wish. (I'd then hand
it back to you for you to finish.)

My e-mail is real (***@acm.org) if you wish to e-mail me.

I think Mark and I have dropped the idea of multiple superblocks, in
fact. I think the necessary redundancy would be achieved by simply
having the information in the superblock repeated.

For example, if the block size is 4 KiB, 2 KiB are reserved as the
(maximum) size of the data stored in a superblock, and whenever the
superblock is updated, that 2 KiB of data is written out twice in
succession.

I imagine we can assume that it is unlikely, on a modern hard disk,
for one of those copies to be lost, so therefore it is acceptably
(extremely) unlikely for both to be lost. I imagine all the data
required will fit into 2 KiB. Of course, this is assuming a block
size of 4 KiB.
Yes, that's quite right. I forgot!
The effect could be achieved at a higher level of software, so that
the file system software (or format) needn't be involved.
Do you mean UTF-8 specifically?
Because, to be efficient and effective, encryption does not require
any knowledge of the (nature of) the data, whereas compression
generally does.

Many common and standard file formats these days include their own
compression schemes, for exactly this reason. The compression
methods they mandate are specially chosen to be suitable for the
kind of data stored in the file. If the file system software also
tries to compress data, I believe much of the time it will just
be making futile efforts to compress data that is already
compressed, and even when this is not the case, the compression it
performs may not be very efficient. I think compression is
therefore best left to higher levels of software.

However, encryption can be done on any data, and it is appropriate
for the file system to do it, because it can hold data unencrypted
in its cache (in memory) and re-encrypt any dirty data just before
flushing it back to disk. Higher level software cannot do this,
because it doesn't have access to the cache.

But it needs only be done when system blocks are read or written,
which won't be that often in most cases. Of course such statements
are dangerous--If a server programmer made heavy use of indices in her
application, she might feel a little differently.

She might argue that most computers are little-endian, and so the
default format should be little-endian, and big-endian machines should
be the ones to byte swap, and complain loudly. I would disagree. The
majority of little-endian machines are x86 based, and intel has a
special instruction for swapping bytes. Big-endian machines, on the
other hand, are mostly RISC, and lack this potential optimization.
Switching to little endian would grant a small speed increase

In addition, the cost of byte swapping really is trivial, when
compared to disk access times, or especially the cost of encryption.
It may take a few cycles from other applications, but what
applications are both disk *and* CPU bound?
Or U+001C, the file separation code. But I think Mr. Gainey's might
be the better solution. The reason I've been hung up on the .target
attribute was that I wanted a way for symbolic links to point across
volumes (e.g. a desktop shortcut to the floppy disk). A data
structure for symbolic links would provide enough leaway for this.
That might be an unnecessary restriction, however. Encrypted user
files should not cause any unnecessary confusion for system software.
In fact, a system which doesn't support encryption should just treat
it like a normal file, that way user-level code can look for
cryptographic attributes and provide their own handling of the issue.

One of the beautiful aspects of encryption as it stands now is that it
is totally non-intrusive. The only issue I can see, like I said, is
if a necessary system file is encrypted. But why would a *system*
file be encrypted, if the system didn't support encryption? It could
be a security risk if the OS handles the situation poorly, but that's
about the only problem I can think of.
In which case the attacker'd just match entries in the .parent index
to entries in the .name index. File names (like all other system
attributes) are not designed to be secure. The solution here is to
rename the user's home directory to a random string, and then store
the (username,homedir) pair in an encrypted file somewhere (or full
volume encryption).

Encrypting directories makes it difficult to get around the file
system, but doesn't actually protect anything. A determined attacker
can still find what they need in the indices (which can't be encrypted
because implementations which do not support encryption still need
access to the indices). What it does do is make life difficult for
everyone else.
No. But is more than 255 bytes necessary? I decided on that limit
before the current index format, when longer strings would actually
have been an issue. But I honestly do think it's a fair limitation.
Most OS's limit name strings to 255 bytes already, so it'll make life
easier for them. Lengths can be represented with a single byte.

But really, when would you use more than 255 bytes? File names 32
bytes long are already too long. More than 80 bytes is absurd. The
longest files I've ever seen are in my music collection:

"Artist - Album - Disk # - Track ## - Title.ogg"

-and even the longest files here are <75 chars in length. Do you
really need more than 255 bytes?
That's correct. It's an extra design requirement on top of sparse
file support. Not every system has to support block deallocation, but
I wanted to ensure that it at least *could* be supported. The
reference implementation will support it.
As you know, zenfs is the file system for the os I'm developing. In
this system the concept of a unified file hierarchy has been removed.
Instead each installed program, module, or user home directory is
given its own fileset. A public FTP server would have a file set for
each of the domains it manages, for example. As you can see, the
number of filesets is not easily bounded in practice.


-mark