| |
| The Second Extended Filesystem |
| ============================== |
| |
| ext2 was originally released in January 1993. Written by R\'emy Card, |
| Theodore Ts'o and Stephen Tweedie, it was a major rewrite of the |
| Extended Filesystem. It is currently still (April 2001) the predominant |
| filesystem in use by Linux. There are also implementations available |
| for NetBSD, FreeBSD, the GNU HURD, Windows 95/98/NT, OS/2 and RISC OS. |
| |
| Options |
| ======= |
| |
| Most defaults are determined by the filesystem superblock, and can be |
| set using tune2fs(8). Kernel-determined defaults are indicated by (*). |
| |
| bsddf (*) Makes `df' act like BSD. |
| minixdf Makes `df' act like Minix. |
| |
| check=none, nocheck (*) Don't do extra checking of bitmaps on mount |
| (check=normal and check=strict options removed) |
| |
| debug Extra debugging information is sent to the |
| kernel syslog. Useful for developers. |
| |
| errors=continue Keep going on a filesystem error. |
| errors=remount-ro Remount the filesystem read-only on an error. |
| errors=panic Panic and halt the machine if an error occurs. |
| |
| grpid, bsdgroups Give objects the same group ID as their parent. |
| nogrpid, sysvgroups New objects have the group ID of their creator. |
| |
| nouid32 Use 16-bit UIDs and GIDs. |
| |
| oldalloc Enable the old block allocator. Orlov should |
| have better performance, we'd like to get some |
| feedback if it's the contrary for you. |
| orlov (*) Use the Orlov block allocator. |
| (See http://lwn.net/Articles/14633/ and |
| http://lwn.net/Articles/14446/.) |
| |
| resuid=n The user ID which may use the reserved blocks. |
| resgid=n The group ID which may use the reserved blocks. |
| |
| sb=n Use alternate superblock at this location. |
| |
| user_xattr Enable "user." POSIX Extended Attributes |
| (requires CONFIG_EXT2_FS_XATTR). |
| See also http://acl.bestbits.at |
| nouser_xattr Don't support "user." extended attributes. |
| |
| acl Enable POSIX Access Control Lists support |
| (requires CONFIG_EXT2_FS_POSIX_ACL). |
| See also http://acl.bestbits.at |
| noacl Don't support POSIX ACLs. |
| |
| nobh Do not attach buffer_heads to file pagecache. |
| |
| xip Use execute in place (no caching) if possible |
| |
| grpquota,noquota,quota,usrquota Quota options are silently ignored by ext2. |
| |
| |
| Specification |
| ============= |
| |
| ext2 shares many properties with traditional Unix filesystems. It has |
| the concepts of blocks, inodes and directories. It has space in the |
| specification for Access Control Lists (ACLs), fragments, undeletion and |
| compression though these are not yet implemented (some are available as |
| separate patches). There is also a versioning mechanism to allow new |
| features (such as journalling) to be added in a maximally compatible |
| manner. |
| |
| Blocks |
| ------ |
| |
| The space in the device or file is split up into blocks. These are |
| a fixed size, of 1024, 2048 or 4096 bytes (8192 bytes on Alpha systems), |
| which is decided when the filesystem is created. Smaller blocks mean |
| less wasted space per file, but require slightly more accounting overhead, |
| and also impose other limits on the size of files and the filesystem. |
| |
| Block Groups |
| ------------ |
| |
| Blocks are clustered into block groups in order to reduce fragmentation |
| and minimise the amount of head seeking when reading a large amount |
| of consecutive data. Information about each block group is kept in a |
| descriptor table stored in the block(s) immediately after the superblock. |
| Two blocks near the start of each group are reserved for the block usage |
| bitmap and the inode usage bitmap which show which blocks and inodes |
| are in use. Since each bitmap is limited to a single block, this means |
| that the maximum size of a block group is 8 times the size of a block. |
| |
| The block(s) following the bitmaps in each block group are designated |
| as the inode table for that block group and the remainder are the data |
| blocks. The block allocation algorithm attempts to allocate data blocks |
| in the same block group as the inode which contains them. |
| |
| The Superblock |
| -------------- |
| |
| The superblock contains all the information about the configuration of |
| the filing system. The primary copy of the superblock is stored at an |
| offset of 1024 bytes from the start of the device, and it is essential |
| to mounting the filesystem. Since it is so important, backup copies of |
| the superblock are stored in block groups throughout the filesystem. |
| The first version of ext2 (revision 0) stores a copy at the start of |
| every block group, along with backups of the group descriptor block(s). |
| Because this can consume a considerable amount of space for large |
| filesystems, later revisions can optionally reduce the number of backup |
| copies by only putting backups in specific groups (this is the sparse |
| superblock feature). The groups chosen are 0, 1 and powers of 3, 5 and 7. |
| |
| The information in the superblock contains fields such as the total |
| number of inodes and blocks in the filesystem and how many are free, |
| how many inodes and blocks are in each block group, when the filesystem |
| was mounted (and if it was cleanly unmounted), when it was modified, |
| what version of the filesystem it is (see the Revisions section below) |
| and which OS created it. |
| |
| If the filesystem is revision 1 or higher, then there are extra fields, |
| such as a volume name, a unique identification number, the inode size, |
| and space for optional filesystem features to store configuration info. |
| |
| All fields in the superblock (as in all other ext2 structures) are stored |
| on the disc in little endian format, so a filesystem is portable between |
| machines without having to know what machine it was created on. |
| |
| Inodes |
| ------ |
| |
| The inode (index node) is a fundamental concept in the ext2 filesystem. |
| Each object in the filesystem is represented by an inode. The inode |
| structure contains pointers to the filesystem blocks which contain the |
| data held in the object and all of the metadata about an object except |
| its name. The metadata about an object includes the permissions, owner, |
| group, flags, size, number of blocks used, access time, change time, |
| modification time, deletion time, number of links, fragments, version |
| (for NFS) and extended attributes (EAs) and/or Access Control Lists (ACLs). |
| |
| There are some reserved fields which are currently unused in the inode |
| structure and several which are overloaded. One field is reserved for the |
| directory ACL if the inode is a directory and alternately for the top 32 |
| bits of the file size if the inode is a regular file (allowing file sizes |
| larger than 2GB). The translator field is unused under Linux, but is used |
| by the HURD to reference the inode of a program which will be used to |
| interpret this object. Most of the remaining reserved fields have been |
| used up for both Linux and the HURD for larger owner and group fields, |
| The HURD also has a larger mode field so it uses another of the remaining |
| fields to store the extra more bits. |
| |
| There are pointers to the first 12 blocks which contain the file's data |
| in the inode. There is a pointer to an indirect block (which contains |
| pointers to the next set of blocks), a pointer to a doubly-indirect |
| block (which contains pointers to indirect blocks) and a pointer to a |
| trebly-indirect block (which contains pointers to doubly-indirect blocks). |
| |
| The flags field contains some ext2-specific flags which aren't catered |
| for by the standard chmod flags. These flags can be listed with lsattr |
| and changed with the chattr command, and allow specific filesystem |
| behaviour on a per-file basis. There are flags for secure deletion, |
| undeletable, compression, synchronous updates, immutability, append-only, |
| dumpable, no-atime, indexed directories, and data-journaling. Not all |
| of these are supported yet. |
| |
| Directories |
| ----------- |
| |
| A directory is a filesystem object and has an inode just like a file. |
| It is a specially formatted file containing records which associate |
| each name with an inode number. Later revisions of the filesystem also |
| encode the type of the object (file, directory, symlink, device, fifo, |
| socket) to avoid the need to check the inode itself for this information |
| (support for taking advantage of this feature does not yet exist in |
| Glibc 2.2). |
| |
| The inode allocation code tries to assign inodes which are in the same |
| block group as the directory in which they are first created. |
| |
| The current implementation of ext2 uses a singly-linked list to store |
| the filenames in the directory; a pending enhancement uses hashing of the |
| filenames to allow lookup without the need to scan the entire directory. |
| |
| The current implementation never removes empty directory blocks once they |
| have been allocated to hold more files. |
| |
| Special files |
| ------------- |
| |
| Symbolic links are also filesystem objects with inodes. They deserve |
| special mention because the data for them is stored within the inode |
| itself if the symlink is less than 60 bytes long. It uses the fields |
| which would normally be used to store the pointers to data blocks. |
| This is a worthwhile optimisation as it we avoid allocating a full |
| block for the symlink, and most symlinks are less than 60 characters long. |
| |
| Character and block special devices never have data blocks assigned to |
| them. Instead, their device number is stored in the inode, again reusing |
| the fields which would be used to point to the data blocks. |
| |
| Reserved Space |
| -------------- |
| |
| In ext2, there is a mechanism for reserving a certain number of blocks |
| for a particular user (normally the super-user). This is intended to |
| allow for the system to continue functioning even if non-priveleged users |
| fill up all the space available to them (this is independent of filesystem |
| quotas). It also keeps the filesystem from filling up entirely which |
| helps combat fragmentation. |
| |
| Filesystem check |
| ---------------- |
| |
| At boot time, most systems run a consistency check (e2fsck) on their |
| filesystems. The superblock of the ext2 filesystem contains several |
| fields which indicate whether fsck should actually run (since checking |
| the filesystem at boot can take a long time if it is large). fsck will |
| run if the filesystem was not cleanly unmounted, if the maximum mount |
| count has been exceeded or if the maximum time between checks has been |
| exceeded. |
| |
| Feature Compatibility |
| --------------------- |
| |
| The compatibility feature mechanism used in ext2 is sophisticated. |
| It safely allows features to be added to the filesystem, without |
| unnecessarily sacrificing compatibility with older versions of the |
| filesystem code. The feature compatibility mechanism is not supported by |
| the original revision 0 (EXT2_GOOD_OLD_REV) of ext2, but was introduced in |
| revision 1. There are three 32-bit fields, one for compatible features |
| (COMPAT), one for read-only compatible (RO_COMPAT) features and one for |
| incompatible (INCOMPAT) features. |
| |
| These feature flags have specific meanings for the kernel as follows: |
| |
| A COMPAT flag indicates that a feature is present in the filesystem, |
| but the on-disk format is 100% compatible with older on-disk formats, so |
| a kernel which didn't know anything about this feature could read/write |
| the filesystem without any chance of corrupting the filesystem (or even |
| making it inconsistent). This is essentially just a flag which says |
| "this filesystem has a (hidden) feature" that the kernel or e2fsck may |
| want to be aware of (more on e2fsck and feature flags later). The ext3 |
| HAS_JOURNAL feature is a COMPAT flag because the ext3 journal is simply |
| a regular file with data blocks in it so the kernel does not need to |
| take any special notice of it if it doesn't understand ext3 journaling. |
| |
| An RO_COMPAT flag indicates that the on-disk format is 100% compatible |
| with older on-disk formats for reading (i.e. the feature does not change |
| the visible on-disk format). However, an old kernel writing to such a |
| filesystem would/could corrupt the filesystem, so this is prevented. The |
| most common such feature, SPARSE_SUPER, is an RO_COMPAT feature because |
| sparse groups allow file data blocks where superblock/group descriptor |
| backups used to live, and ext2_free_blocks() refuses to free these blocks, |
| which would leading to inconsistent bitmaps. An old kernel would also |
| get an error if it tried to free a series of blocks which crossed a group |
| boundary, but this is a legitimate layout in a SPARSE_SUPER filesystem. |
| |
| An INCOMPAT flag indicates the on-disk format has changed in some |
| way that makes it unreadable by older kernels, or would otherwise |
| cause a problem if an old kernel tried to mount it. FILETYPE is an |
| INCOMPAT flag because older kernels would think a filename was longer |
| than 256 characters, which would lead to corrupt directory listings. |
| The COMPRESSION flag is an obvious INCOMPAT flag - if the kernel |
| doesn't understand compression, you would just get garbage back from |
| read() instead of it automatically decompressing your data. The ext3 |
| RECOVER flag is needed to prevent a kernel which does not understand the |
| ext3 journal from mounting the filesystem without replaying the journal. |
| |
| For e2fsck, it needs to be more strict with the handling of these |
| flags than the kernel. If it doesn't understand ANY of the COMPAT, |
| RO_COMPAT, or INCOMPAT flags it will refuse to check the filesystem, |
| because it has no way of verifying whether a given feature is valid |
| or not. Allowing e2fsck to succeed on a filesystem with an unknown |
| feature is a false sense of security for the user. Refusing to check |
| a filesystem with unknown features is a good incentive for the user to |
| update to the latest e2fsck. This also means that anyone adding feature |
| flags to ext2 also needs to update e2fsck to verify these features. |
| |
| Metadata |
| -------- |
| |
| It is frequently claimed that the ext2 implementation of writing |
| asynchronous metadata is faster than the ffs synchronous metadata |
| scheme but less reliable. Both methods are equally resolvable by their |
| respective fsck programs. |
| |
| If you're exceptionally paranoid, there are 3 ways of making metadata |
| writes synchronous on ext2: |
| |
| per-file if you have the program source: use the O_SYNC flag to open() |
| per-file if you don't have the source: use "chattr +S" on the file |
| per-filesystem: add the "sync" option to mount (or in /etc/fstab) |
| |
| the first and last are not ext2 specific but do force the metadata to |
| be written synchronously. See also Journaling below. |
| |
| Limitations |
| ----------- |
| |
| There are various limits imposed by the on-disk layout of ext2. Other |
| limits are imposed by the current implementation of the kernel code. |
| Many of the limits are determined at the time the filesystem is first |
| created, and depend upon the block size chosen. The ratio of inodes to |
| data blocks is fixed at filesystem creation time, so the only way to |
| increase the number of inodes is to increase the size of the filesystem. |
| No tools currently exist which can change the ratio of inodes to blocks. |
| |
| Most of these limits could be overcome with slight changes in the on-disk |
| format and using a compatibility flag to signal the format change (at |
| the expense of some compatibility). |
| |
| Filesystem block size: 1kB 2kB 4kB 8kB |
| |
| File size limit: 16GB 256GB 2048GB 2048GB |
| Filesystem size limit: 2047GB 8192GB 16384GB 32768GB |
| |
| There is a 2.4 kernel limit of 2048GB for a single block device, so no |
| filesystem larger than that can be created at this time. There is also |
| an upper limit on the block size imposed by the page size of the kernel, |
| so 8kB blocks are only allowed on Alpha systems (and other architectures |
| which support larger pages). |
| |
| There is an upper limit of 32768 subdirectories in a single directory. |
| |
| There is a "soft" upper limit of about 10-15k files in a single directory |
| with the current linear linked-list directory implementation. This limit |
| stems from performance problems when creating and deleting (and also |
| finding) files in such large directories. Using a hashed directory index |
| (under development) allows 100k-1M+ files in a single directory without |
| performance problems (although RAM size becomes an issue at this point). |
| |
| The (meaningless) absolute upper limit of files in a single directory |
| (imposed by the file size, the realistic limit is obviously much less) |
| is over 130 trillion files. It would be higher except there are not |
| enough 4-character names to make up unique directory entries, so they |
| have to be 8 character filenames, even then we are fairly close to |
| running out of unique filenames. |
| |
| Journaling |
| ---------- |
| |
| A journaling extension to the ext2 code has been developed by Stephen |
| Tweedie. It avoids the risks of metadata corruption and the need to |
| wait for e2fsck to complete after a crash, without requiring a change |
| to the on-disk ext2 layout. In a nutshell, the journal is a regular |
| file which stores whole metadata (and optionally data) blocks that have |
| been modified, prior to writing them into the filesystem. This means |
| it is possible to add a journal to an existing ext2 filesystem without |
| the need for data conversion. |
| |
| When changes to the filesystem (e.g. a file is renamed) they are stored in |
| a transaction in the journal and can either be complete or incomplete at |
| the time of a crash. If a transaction is complete at the time of a crash |
| (or in the normal case where the system does not crash), then any blocks |
| in that transaction are guaranteed to represent a valid filesystem state, |
| and are copied into the filesystem. If a transaction is incomplete at |
| the time of the crash, then there is no guarantee of consistency for |
| the blocks in that transaction so they are discarded (which means any |
| filesystem changes they represent are also lost). |
| Check Documentation/filesystems/ext3.txt if you want to read more about |
| ext3 and journaling. |
| |
| References |
| ========== |
| |
| The kernel source file:/usr/src/linux/fs/ext2/ |
| e2fsprogs (e2fsck) http://e2fsprogs.sourceforge.net/ |
| Design & Implementation http://e2fsprogs.sourceforge.net/ext2intro.html |
| Journaling (ext3) ftp://ftp.uk.linux.org/pub/linux/sct/fs/jfs/ |
| Hashed Directories http://kernelnewbies.org/~phillips/htree/ |
| Filesystem Resizing http://ext2resize.sourceforge.net/ |
| Compression (*) http://www.netspace.net.au/~reiter/e2compr/ |
| |
| Implementations for: |
| Windows 95/98/NT/2000 http://uranus.it.swin.edu.au/~jn/linux/Explore2fs.htm |
| Windows 95 (*) http://www.yipton.demon.co.uk/content.html#FSDEXT2 |
| DOS client (*) ftp://metalab.unc.edu/pub/Linux/system/filesystems/ext2/ |
| OS/2 http://perso.wanadoo.fr/matthieu.willm/ext2-os2/ |
| RISC OS client ftp://ftp.barnet.ac.uk/pub/acorn/armlinux/iscafs/ |
| |
| (*) no longer actively developed/supported (as of Apr 2001) |