[pbs-devel] [PATCH proxmox 2/2] pbs api types: add option to set GC chunk cleanup wait period

[Christian Ebner]

On 3/4/25 17:49, Thomas Lamprecht wrote:
> Am 04.03.25 um 17:37 schrieb Christian Ebner:
>> On 3/4/25 17:01, Thomas Lamprecht wrote:
>>> Would be fine by me to reducing the minimum to zero. And the extra 5
>>> minutes are "just to be sure" safety-margin, not a requirement for
>>> anything IIRC.
>>
>> Discussed this with Fabian rather extensively today. Only reason to keep
>> a small safety margin here is for small time drift in case of remote
>> storages (if they use their local time for timestamps).
> 
> Ah, you mean network attached remote storage, but while your reasons
> below are fine, doing this for time drifts is IMO not really strong
> argumentation, as if one allows for no time synchronisation then there
> won't be a limit to the drift amount, but ...
> 
> 
>> But this can be much lower, would opt for 1 minute to stay within the
>> minute range.
>>
>> Also, atime always uses the coarse resolution for timestamp updates,
>> that will also not change with the multi-grained timestamp resolutions
>> in https://origin.kernel.org/doc/html/v6.13/filesystems/multigrain-ts.html
>> So this has to be taken into account for the atime update check, and
>> since setting the atime into the past will introduce other error modes
>> (permissions, fs impl, ...), a short wait of a 1 second in-between must
>> be used.
>>
>> Also, there is no distinction to be made between filesystems mounted
>> with atime and relatime, if the explicit atime update fails, the GC
> 
> ... this actually is a strong argument, so I'm fine with a Minute as
> minimum.
>>> Maybe something with "cutoff", like just gc_cutoff or gc_atime_cutoff,
>>> as a cut-off of which chunks we even consider for removal is basically
>>> what this is.
>>
>> I would opt for gc-atime-safety-check and gc-atime-safety-margin, to
>> show that they are related and their implicit function
> 
> meh, do not find safety-check/margin very telling and safety is a bit too
> generic and also slightly overused term IMO. What's wrong with cutoff?

Nothing wrong with it, but Fabian pointed out that naming the opt-out 
flag for the check `gc-atime-check` is a bit to generic, as atimes are 
always checked by the GC, the better naming was `gc-atime-safety-check`, 
and therefore the `gc-atime-safety-margin` might make the correlation 
more clear, as it will only be allowed to set the latter, if the former 
is enabled. But I can of course go with the `gc-atime-cutoff`.

>> Also, there will be no upper limit for the gc-atime-safety-margin, as
>> Fabian pointed out correctly, setting this to large values might be
>> desired to avoid data loss if something is off, and one notices from
>> e.g. the pending removals.
> 
> I'm rather a fan of _some_ limits even if only to be proven wrong by user
> demand to go over that, but then we actually know the use case. As until
> now we got no request at all for this to be higher, IIRC, I'd go for two
> days.
> 
> Data loss is prevented by additional copies on other servers and mediums
> (keyword: tape or soon s3)

Yes, agreed! Although still a lot of work ahead for the latter one...