1.. SPDX-License-Identifier: GPL-2.0 2 3====================================== 4EROFS - Enhanced Read-Only File System 5====================================== 6 7Overview 8======== 9 10EROFS filesystem stands for Enhanced Read-Only File System. It aims to form a 11generic read-only filesystem solution for various read-only use cases instead 12of just focusing on storage space saving without considering any side effects 13of runtime performance. 14 15It is designed to meet the needs of flexibility, feature extendability and user 16payload friendly, etc. Apart from those, it is still kept as a simple 17random-access friendly high-performance filesystem to get rid of unneeded I/O 18amplification and memory-resident overhead compared to similar approaches. 19 20It is implemented to be a better choice for the following scenarios: 21 22 - read-only storage media or 23 24 - part of a fully trusted read-only solution, which means it needs to be 25 immutable and bit-for-bit identical to the official golden image for 26 their releases due to security or other considerations and 27 28 - hope to minimize extra storage space with guaranteed end-to-end performance 29 by using compact layout, transparent file compression and direct access, 30 especially for those embedded devices with limited memory and high-density 31 hosts with numerous containers. 32 33Here are the main features of EROFS: 34 35 - Little endian on-disk design; 36 37 - Block-based distribution and file-based distribution over fscache are 38 supported; 39 40 - Support multiple devices to refer to external blobs, which can be used 41 for container images; 42 43 - 32-bit block addresses for each device, therefore 16TiB address space at 44 most with 4KiB block size for now; 45 46 - Two inode layouts for different requirements: 47 48 ===================== ============ ====================================== 49 compact (v1) extended (v2) 50 ===================== ============ ====================================== 51 Inode metadata size 32 bytes 64 bytes 52 Max file size 4 GiB 16 EiB (also limited by max. vol size) 53 Max uids/gids 65536 4294967296 54 Per-inode timestamp no yes (64 + 32-bit timestamp) 55 Max hardlinks 65536 4294967296 56 Metadata reserved 8 bytes 18 bytes 57 ===================== ============ ====================================== 58 59 - Support extended attributes as an option; 60 61 - Support a bloom filter that speeds up negative extended attribute lookups; 62 63 - Support POSIX.1e ACLs by using extended attributes; 64 65 - Support transparent data compression as an option: 66 LZ4, MicroLZMA and DEFLATE algorithms can be used on a per-file basis; In 67 addition, inplace decompression is also supported to avoid bounce compressed 68 buffers and unnecessary page cache thrashing. 69 70 - Support chunk-based data deduplication and rolling-hash compressed data 71 deduplication; 72 73 - Support tailpacking inline compared to byte-addressed unaligned metadata 74 or smaller block size alternatives; 75 76 - Support merging tail-end data into a special inode as fragments. 77 78 - Support large folios to make use of THPs (Transparent Hugepages); 79 80 - Support direct I/O on uncompressed files to avoid double caching for loop 81 devices; 82 83 - Support FSDAX on uncompressed images for secure containers and ramdisks in 84 order to get rid of unnecessary page cache. 85 86 - Support file-based on-demand loading with the Fscache infrastructure. 87 88The following git tree provides the file system user-space tools under 89development, such as a formatting tool (mkfs.erofs), an on-disk consistency & 90compatibility checking tool (fsck.erofs), and a debugging tool (dump.erofs): 91 92- git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git 93 94For more information, please also refer to the documentation site: 95 96- https://erofs.docs.kernel.org 97 98Bugs and patches are welcome, please kindly help us and send to the following 99linux-erofs mailing list: 100 101- linux-erofs mailing list <linux-erofs@lists.ozlabs.org> 102 103Mount options 104============= 105 106=================== ========================================================= 107(no)user_xattr Setup Extended User Attributes. Note: xattr is enabled 108 by default if CONFIG_EROFS_FS_XATTR is selected. 109(no)acl Setup POSIX Access Control List. Note: acl is enabled 110 by default if CONFIG_EROFS_FS_POSIX_ACL is selected. 111cache_strategy=%s Select a strategy for cached decompression from now on: 112 113 ========== ============================================= 114 disabled In-place I/O decompression only; 115 readahead Cache the last incomplete compressed physical 116 cluster for further reading. It still does 117 in-place I/O decompression for the rest 118 compressed physical clusters; 119 readaround Cache the both ends of incomplete compressed 120 physical clusters for further reading. 121 It still does in-place I/O decompression 122 for the rest compressed physical clusters. 123 ========== ============================================= 124dax={always,never} Use direct access (no page cache). See 125 Documentation/filesystems/dax.rst. 126dax A legacy option which is an alias for ``dax=always``. 127device=%s Specify a path to an extra device to be used together. 128fsid=%s Specify a filesystem image ID for Fscache back-end. 129domain_id=%s Specify a domain ID in fscache mode so that different images 130 with the same blobs under a given domain ID can share storage. 131fsoffset=%llu Specify block-aligned filesystem offset for the primary device. 132=================== ========================================================= 133 134Sysfs Entries 135============= 136 137Information about mounted erofs file systems can be found in /sys/fs/erofs. 138Each mounted filesystem will have a directory in /sys/fs/erofs based on its 139device name (i.e., /sys/fs/erofs/sda). 140(see also Documentation/ABI/testing/sysfs-fs-erofs) 141 142On-disk details 143=============== 144 145Summary 146------- 147Different from other read-only file systems, an EROFS volume is designed 148to be as simple as possible:: 149 150 |-> aligned with the block size 151 ____________________________________________________________ 152 | |SB| | ... | Metadata | ... | Data | Metadata | ... | Data | 153 |_|__|_|_____|__________|_____|______|__________|_____|______| 154 0 +1K 155 156All data areas should be aligned with the block size, but metadata areas 157may not. All metadatas can be now observed in two different spaces (views): 158 159 1. Inode metadata space 160 161 Each valid inode should be aligned with an inode slot, which is a fixed 162 value (32 bytes) and designed to be kept in line with compact inode size. 163 164 Each inode can be directly found with the following formula: 165 inode offset = meta_blkaddr * block_size + 32 * nid 166 167 :: 168 169 |-> aligned with 8B 170 |-> followed closely 171 + meta_blkaddr blocks |-> another slot 172 _____________________________________________________________________ 173 | ... | inode | xattrs | extents | data inline | ... | inode ... 174 |________|_______|(optional)|(optional)|__(optional)_|_____|__________ 175 |-> aligned with the inode slot size 176 . . 177 . . 178 . . 179 . . 180 . . 181 . . 182 .____________________________________________________|-> aligned with 4B 183 | xattr_ibody_header | shared xattrs | inline xattrs | 184 |____________________|_______________|_______________| 185 |-> 12 bytes <-|->x * 4 bytes<-| . 186 . . . 187 . . . 188 . . . 189 ._______________________________.______________________. 190 | id | id | id | id | ... | id | ent | ... | ent| ... | 191 |____|____|____|____|______|____|_____|_____|____|_____| 192 |-> aligned with 4B 193 |-> aligned with 4B 194 195 Inode could be 32 or 64 bytes, which can be distinguished from a common 196 field which all inode versions have -- i_format:: 197 198 __________________ __________________ 199 | i_format | | i_format | 200 |__________________| |__________________| 201 | ... | | ... | 202 | | | | 203 |__________________| 32 bytes | | 204 | | 205 |__________________| 64 bytes 206 207 Xattrs, extents, data inline are placed after the corresponding inode with 208 proper alignment, and they could be optional for different data mappings. 209 _currently_ total 5 data layouts are supported: 210 211 == ==================================================================== 212 0 flat file data without data inline (no extent); 213 1 fixed-sized output data compression (with non-compacted indexes); 214 2 flat file data with tail packing data inline (no extent); 215 3 fixed-sized output data compression (with compacted indexes, v5.3+); 216 4 chunk-based file (v5.15+). 217 == ==================================================================== 218 219 The size of the optional xattrs is indicated by i_xattr_count in inode 220 header. Large xattrs or xattrs shared by many different files can be 221 stored in shared xattrs metadata rather than inlined right after inode. 222 223 2. Shared xattrs metadata space 224 225 Shared xattrs space is similar to the above inode space, started with 226 a specific block indicated by xattr_blkaddr, organized one by one with 227 proper align. 228 229 Each share xattr can also be directly found by the following formula: 230 xattr offset = xattr_blkaddr * block_size + 4 * xattr_id 231 232:: 233 234 |-> aligned by 4 bytes 235 + xattr_blkaddr blocks |-> aligned with 4 bytes 236 _________________________________________________________________________ 237 | ... | xattr_entry | xattr data | ... | xattr_entry | xattr data ... 238 |________|_____________|_____________|_____|______________|_______________ 239 240Directories 241----------- 242All directories are now organized in a compact on-disk format. Note that 243each directory block is divided into index and name areas in order to support 244random file lookup, and all directory entries are _strictly_ recorded in 245alphabetical order in order to support improved prefix binary search 246algorithm (could refer to the related source code). 247 248:: 249 250 ___________________________ 251 / | 252 / ______________|________________ 253 / / | nameoff1 | nameoffN-1 254 ____________.______________._______________v________________v__________ 255 | dirent | dirent | ... | dirent | filename | filename | ... | filename | 256 |___.0___|____1___|_____|___N-1__|____0_____|____1_____|_____|___N-1____| 257 \ ^ 258 \ | * could have 259 \ | trailing '\0' 260 \________________________| nameoff0 261 Directory block 262 263Note that apart from the offset of the first filename, nameoff0 also indicates 264the total number of directory entries in this block since it is no need to 265introduce another on-disk field at all. 266 267Chunk-based files 268----------------- 269In order to support chunk-based data deduplication, a new inode data layout has 270been supported since Linux v5.15: Files are split in equal-sized data chunks 271with ``extents`` area of the inode metadata indicating how to get the chunk 272data: these can be simply as a 4-byte block address array or in the 8-byte 273chunk index form (see struct erofs_inode_chunk_index in erofs_fs.h for more 274details.) 275 276By the way, chunk-based files are all uncompressed for now. 277 278Long extended attribute name prefixes 279------------------------------------- 280There are use cases where extended attributes with different values can have 281only a few common prefixes (such as overlayfs xattrs). The predefined prefixes 282work inefficiently in both image size and runtime performance in such cases. 283 284The long xattr name prefixes feature is introduced to address this issue. The 285overall idea is that, apart from the existing predefined prefixes, the xattr 286entry could also refer to user-specified long xattr name prefixes, e.g. 287"trusted.overlay.". 288 289When referring to a long xattr name prefix, the highest bit (bit 7) of 290erofs_xattr_entry.e_name_index is set, while the lower bits (bit 0-6) as a whole 291represent the index of the referred long name prefix among all long name 292prefixes. Therefore, only the trailing part of the name apart from the long 293xattr name prefix is stored in erofs_xattr_entry.e_name, which could be empty if 294the full xattr name matches exactly as its long xattr name prefix. 295 296All long xattr prefixes are stored one by one in the packed inode as long as 297the packed inode is valid, or in the meta inode otherwise. The 298xattr_prefix_count (of the on-disk superblock) indicates the total number of 299long xattr name prefixes, while (xattr_prefix_start * 4) indicates the start 300offset of long name prefixes in the packed/meta inode. Note that, long extended 301attribute name prefixes are disabled if xattr_prefix_count is 0. 302 303Each long name prefix is stored in the format: ALIGN({__le16 len, data}, 4), 304where len represents the total size of the data part. The data part is actually 305represented by 'struct erofs_xattr_long_prefix', where base_index represents the 306index of the predefined xattr name prefix, e.g. EROFS_XATTR_INDEX_TRUSTED for 307"trusted.overlay." long name prefix, while the infix string keeps the string 308after stripping the short prefix, e.g. "overlay." for the example above. 309 310Data compression 311---------------- 312EROFS implements fixed-sized output compression which generates fixed-sized 313compressed data blocks from variable-sized input in contrast to other existing 314fixed-sized input solutions. Relatively higher compression ratios can be gotten 315by using fixed-sized output compression since nowadays popular data compression 316algorithms are mostly LZ77-based and such fixed-sized output approach can be 317benefited from the historical dictionary (aka. sliding window). 318 319In details, original (uncompressed) data is turned into several variable-sized 320extents and in the meanwhile, compressed into physical clusters (pclusters). 321In order to record each variable-sized extent, logical clusters (lclusters) are 322introduced as the basic unit of compress indexes to indicate whether a new 323extent is generated within the range (HEAD) or not (NONHEAD). Lclusters are now 324fixed in block size, as illustrated below:: 325 326 |<- variable-sized extent ->|<- VLE ->| 327 clusterofs clusterofs clusterofs 328 | | | 329 _________v_________________________________v_______________________v________ 330 ... | . | | . | | . ... 331 ____|____._________|______________|________.___ _|______________|__.________ 332 |-> lcluster <-|-> lcluster <-|-> lcluster <-|-> lcluster <-| 333 (HEAD) (NONHEAD) (HEAD) (NONHEAD) . 334 . CBLKCNT . . 335 . . . 336 . . . 337 _______._____________________________.______________._________________ 338 ... | | | | ... 339 _______|______________|______________|______________|_________________ 340 |-> big pcluster <-|-> pcluster <-| 341 342A physical cluster can be seen as a container of physical compressed blocks 343which contains compressed data. Previously, only lcluster-sized (4KB) pclusters 344were supported. After big pcluster feature is introduced (available since 345Linux v5.13), pcluster can be a multiple of lcluster size. 346 347For each HEAD lcluster, clusterofs is recorded to indicate where a new extent 348starts and blkaddr is used to seek the compressed data. For each NONHEAD 349lcluster, delta0 and delta1 are available instead of blkaddr to indicate the 350distance to its HEAD lcluster and the next HEAD lcluster. A PLAIN lcluster is 351also a HEAD lcluster except that its data is uncompressed. See the comments 352around "struct z_erofs_vle_decompressed_index" in erofs_fs.h for more details. 353 354If big pcluster is enabled, pcluster size in lclusters needs to be recorded as 355well. Let the delta0 of the first NONHEAD lcluster store the compressed block 356count with a special flag as a new called CBLKCNT NONHEAD lcluster. It's easy 357to understand its delta0 is constantly 1, as illustrated below:: 358 359 __________________________________________________________ 360 | HEAD | NONHEAD | NONHEAD | ... | NONHEAD | HEAD | HEAD | 361 |__:___|_(CBLKCNT)_|_________|_____|_________|__:___|____:_| 362 |<----- a big pcluster (with CBLKCNT) ------>|<-- -->| 363 a lcluster-sized pcluster (without CBLKCNT) ^ 364 365If another HEAD follows a HEAD lcluster, there is no room to record CBLKCNT, 366but it's easy to know the size of such pcluster is 1 lcluster as well. 367 368Since Linux v6.1, each pcluster can be used for multiple variable-sized extents, 369therefore it can be used for compressed data deduplication. 370