> Date: Fri, 21 Jan 2005 17:49:29 +0100
> From: Erik Trulsson <ertr1013@student.uu.se>
>
> On Fri, Jan 21, 2005 at 08:31:06AM -0800, Kevin Oberman wrote:
> > > Date: Fri, 21 Jan 2005 20:53:12 +1300
> > > From: Mark Kirkwood <markir@paradise.net.nz>
> > > Sender: owner-freebsd-stable@freebsd.org
> > >
> > > Jim C. Nasby wrote:
> > > > Question one: how do I disable write caching on IDE drives? I know the
> > > > setting is hw.ata.wc=0, but where do I put that? In loader.conf? This is
> > > > FreeBSD 4.10, btw.
> > > >
> > > In /boot/loader.conf will do it.
> > >
> > > > Also, has any thought been given to making the default 0, like it is for
> > > > SCSI devices? I'm honestly surprised and disappointed that the default
> > > > is speed over data integrity.
> > > I think it was trialled in 4.3 then changed for 4.4 (according to the
> > > handbook, the performance hit was considered to be too high)
> >
> > Having been involved in the 4.x flip-flop, the performance cost on some
> > systems can be HUGE! Backing up my laptop (40 GB) went from 40 minutes
> > to five hours when the write cache was turned off.
> >
> > On the other hand, it is a real risk, especially when combined with
> > softupdates.
>
> I don't see how softupdates can increase the risk. As I understand it
> the risks with IDE-write caching is just as large with softupdates as
> without. It is just that all the safety and consistency guarantees
> that softupdates normally make go out of the window when write-caching
> is turned on.

As I understand it (and I'll admit that I probably don't), softupdates
makes some assumptions about the state of metadata vs. data that are not
valid if the metadata is not actually written. I do know that a power
outage can produce some very unpleasant softupdate data consistency
errors when you re-boot the system. Whether the final result is worse
than the errors when softupdates are not enabled, I can't say.

> > For servers that lack solid backup power (not a 10 minute
> > UPS), I would probably turn it off. But for most systems it is probably
> > worth the risks.
>
> A 10 minute UPS should be plenty for that purpose. All that is needed
> to protect against the risks of write-caching is for the server to be
> able to make an orderly shutdown, which should not take more than a
> couple of minutes. (If you need constant uptime, you need better power
> backup, but that is a different issue.)

10 minutes (or even 1 minute) would be fine IF you have the system
shut down when the main power fails, but if the system is unattended and
active and power goes out, it will simply keep going until the UPS dies
and will still leave your disk in a bad state.

The right answer is to run nut or other UPS monitor to shut down the
system when power fails. Or, better still, have generator backed power
with about an hour of UPS to give the generator time to get up to speed
and on-line. But that is still less than perfect. Generators fail, are
often not tested regularly, and will eventually run out of fuel.

It's always a trade-off of reliability vs. overhead and making the call
as to exactly where the line should be is always open to
second-guesses. I make my own calls for my local hardware and 5 hours
for a backup is well over that line. You may have other opinions on the
subject and should run your systems accordingly.

I think a good discussion of the issue in the handbook and in tuning(7)
might be a good idea, though.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net Phone: +1 510 486-8634