I'm afraid I agree with Colin Watson and disagree with the approach
taken in the patch. The quote from SuS isn't really helpful since SuS
doesn't ever specify under what circumstances corruption is allowed to
happen after a crash.
Changing update-alternatives to sync is only one small fragment of
this issue: very very many programs do write-to-new-file-and-rename.
If we change them all to do fsync before rename, then the whole system
will become significantly slower when it is doing many of these kind
of operations - for example, during installation and upgrades.
The correct change here is to have the filesystem not write the
metadata until the data is also committed. For example, quoting the
mount(8) manpage, in the section for ext3:
data=journal / data=ordered / data=writeback
Specifies the journalling mode for file data. Metadata is
always journaled. To use modes other than ordered on the root
file system, pass the mode to the kernel as boot parameter, e.g. rootflags=data=journal.
journal All data is committed into the journal prior to being written into the main file system.
ordered This is the default mode. All data is forced directly out to the main file system prior to its metadata being committed to the journal.
writeback Data ordering is not preserved - data may be written into the main file system after its metadata has been commit- ted to the journal. This is rumoured to be the highest- throughput option. It guarantees internal file system integrity, however it can allow old data to appear in files after a crash and journal recovery.
Note that the default mode for ext3 is exactly what is required, and
that update-alternatives works correctly with that. It still isn't
guaranteed, of course, after a crash, that everything is consistent,
but the update-alternatives databases will not be corrupt.
See also similar but slightly gnomic comments in the mount(8) entry
for jfs.
I'm afraid I agree with Colin Watson and disagree with the approach
taken in the patch. The quote from SuS isn't really helpful since SuS
doesn't ever specify under what circumstances corruption is allowed to
happen after a crash.
Changing update-alternatives to sync is only one small fragment of new-file- and-rename.
this issue: very very many programs do write-to-
If we change them all to do fsync before rename, then the whole system
will become significantly slower when it is doing many of these kind
of operations - for example, during installation and upgrades.
The correct change here is to have the filesystem not write the
metadata until the data is also committed. For example, quoting the
mount(8) manpage, in the section for ext3:
data=journal / data=ordered / data=writeback
rootflags= data=journal.
Specifies the journalling mode for file data. Metadata is
always journaled. To use modes other than ordered on the root
file system, pass the mode to the kernel as boot parameter, e.g.
journal
All data is committed into the journal prior to being
written into the main file system.
ordered
This is the default mode. All data is forced directly
out to the main file system prior to its metadata being
committed to the journal.
writeback
Data ordering is not preserved - data may be written into
the main file system after its metadata has been commit-
ted to the journal. This is rumoured to be the highest-
throughput option. It guarantees internal file system
integrity, however it can allow old data to appear in
files after a crash and journal recovery.
Note that the default mode for ext3 is exactly what is required, and
that update-alternatives works correctly with that. It still isn't
guaranteed, of course, after a crash, that everything is consistent,
but the update-alternatives databases will not be corrupt.
See also similar but slightly gnomic comments in the mount(8) entry
for jfs.
Ian.