Fist: A Language For Stackable File Systems: Computer Science Department, Columbia University

Download as pdf or txt
Download as pdf or txt
You are on page 1of 16

FiST: A Language for Stackable File Systems

Erez Zadok and Jason Nieh


Computer Science Department, Columbia University
fezk,[email protected]

Abstract Media Common Avg. Code Size


Type File System (C lines)
Traditional file system development is difficult. Stack- Hard Disks UFS, FFS, EXT2FS 5,000–20,000
able file systems promise to ease the development of file Network NFS 6,000–30,000
systems by offering a mechanism for incremental develop- CD-ROM HSFS, ISO-9660 3,000–6,000
ment. Unfortunately, existing methods often require writ- Floppy PCFS, MS-DOS 5,000–6,000
ing complex low-level kernel code that is specific to a sin-
gle operating system platform and also difficult to port. Table 1: Common Native Unix File Systems and Code Sizes for
Each Medium
We propose a new language, FiST, to describe stackable
file systems. FiST uses operations common to file system
interfaces. From a single description, FiST’s compiler pro- performance is poor due to the extra context switches these
duces file system modules for multiple platforms. The gen- file systems must incur. These context switches can affect
erated code handles many kernel details, freeing developers performance by as much as an order of magnitude[26, 27].
to concentrate on the main issues of their file systems. Stackable file systems[19] promise to speed file system
This paper describes the design, implementation, and development by providing an extensible file system inter-
evaluation of FiST. We extended file system functionality face. This extensibility allows new features to be added
in a portable way without changing existing kernels. We incrementally. Several new extensible interfaces have been
built several file systems using FiST on Solaris, FreeBSD, proposed and a few have been implemented[8, 15, 18, 22].
and Linux. Our experiences with these examples shows the To improve performance, these stackable file systems were
following benefits of FiST: average code size over other designed to run in the kernel. Unfortunately, using these
stackable file systems is reduced ten times; average devel- stackable interfaces often requires writing lots of complex
opment time is reduced seven times; performance overhead C kernel code that is specific to a single operating system
of stacking is 1–2%. platform and also difficult to port.
More recently, we introduced a stackable template sys-
1 Introduction tem called Wrapfs[27]. It eases up file system development
by providing some built-in support for common file system
File systems have proven to be useful in enriching system activities. It also improves portability by providing kernel
functionality. The abstraction of folders with files contain- templates for several operating systems. While working
ing data is natural for use with existing file browsers, text with Wrapfs is easier than with other stackable file systems,
editors, and other tools. Modifying file systems became developers still have to write kernel C code and port it using
a popular method of extending new functionality to users. the platform-specific templates.
However, developing file systems is difficult and involved. In previous approaches, performance and portability
Developers often use existing code for native in-kernel file could not be achieved together. To perform well, a file sys-
systems as a starting point[15, 23]. Such file systems are tem should run in the kernel, not at user level. Kernel code,
difficult to write and port because they depend on many op- however, is much more difficult to write and port than user-
erating system specifics, and they often contain many lines level code. To ease the problems of developing and port-
of complex operating systems code, as seen in Table 1. ing stackable file systems that perform well, we propose a
User-level file systems are easier to develop and port be- high-level language to describe such file systems. There
cause they reside outside the kernel[16]. However, their are three benefits to using a language:

1
1. Simplicity: A file system language can provide fa- Our focus in this paper is to demonstrate how FiST sim-
miliar higher-level primitives that simplify file system plifies the development of file systems, provides write-once
development. The language can also define suitable run-anywhere portability across UNIX systems, and re-
defaults automatically. These reduce the amount of duces stacking overhead through file system specialization.
code that developers need to write, and lessen their The rest of this paper is organized as follows. Section 2 de-
need for extensive knowledge of kernel internals, al- tails the design of FiST, and describes the FiST language,
lowing even non-experts to develop file systems. fistgen, and Basefs. Section 3 discusses key implemen-
2. Portability: A language can describe file systems us- tation and portability details. Section 4 describes several
ing an interface abstraction that is common to oper- example file systems written using FiST. Section 5 evalu-
ating systems. The language compiler can bridge the ates the ease of development, the portability, and the perfor-
gaps among different systems’ interfaces. From a sin- mance of our file systems. Section 6 surveys related work.
gle description of a file system, we could generate file Finally, Section 7 concludes and explores future directions.
system code for different platforms. This improves
portability considerably. At the same time, however,
the language should allow developers to take advan-
2 Design
tage of system-specific features.
FiST is a high level language providing a file system ab-
3. Specialization: A language allows developers to cus- straction. Figure 1 shows the hierarchy for different file
tomize the file system to their needs. Instead of having system abstractions. At the lowest level reside file sys-
one large and complex file system with many features tems native to the operating system, such as disk based and
that may be configured and turned on or off, the com- network based file systems. They are at the lowest level
piler can produce special-purpose file systems. This because they interact directly with device drivers. Above
improves performance and memory footprint because native file systems are stackable file systems such as the
specialized file systems include only necessary code. examples in Section 4, as well as Basefs. These file sys-
tems provide a higher abstraction than native file systems
This paper describes the design and implementation of because stackable file systems interact only with other file
FiST, a File System Translator language for stackable file systems through a well defined virtual file system interface
systems. FiST lets developers describe stackable file sys- (VFS)[11]. The VFS provides virtual nodes (vnodes), an
tems at a high level, using operations common to file sys- abstraction of files across different file systems. However,
tem interfaces. With FiST, developers need only describe both these levels are system specific.
the core functionality of their file systems. The FiST lan-
guage code generator, fistgen, generates kernel file system FiST Language
modules for several platforms using a single description. Stackable (VFS) File Systems
Basefs templates
We currently support Solaris, FreeBSD, and Linux. (lofs, cryptfs, aclfs, unionfs, etc.)
To assist fistgen with generating stackable file sys- Low-Level File Systems (UFS, NFS, etc.)
tems, we created a minimal stackable file system template
called Basefs. Basefs adds stacking functionality missing Figure 1: FiST Structural Diagram. Stackable file systems, in-
cluding Basefs, are at the VFS level, and are above low-level file
from systems and relieves fistgen from dealing with many
systems. FiST descriptions provide a higher abstraction than that
platform-dependent aspects of file systems. Basefs does
provided by the VFS.
not require changes to the kernel or existing file systems.
Its main function is to handle many kernel details relating At the highest level, we define the FiST language. FiST
to stacking. Basefs provides simple hooks for fistgen to abstracts the different vnode interfaces across different op-
insert code that performs common tasks desired by file sys- erating systems into a single common description language,
tem developers, such as modifying file data or inspecting because it is easier to write file systems this way. We found
file names. That way, fistgen can produce file system code that while vnode interfaces differ from system to system,
for any platform we port Basefs to. The hooks also allow they share many similar features. Our experience shows
fistgen to include only necessary code, improving perfor- that similar file system concepts exist in other non-Unix
mance and reducing kernel memory usage. systems, and our stacking work can be generalized to in-
We built several example file systems using FiST. Our clude them. Therefore, we designed the FiST language
experiences with these examples shows the following ben- to be as general as possible: we mirror existing platform-
efits of FiST compared with other stackable file systems: specific vnode interfaces, and extend them through the
average code size is reduced ten times; development time FiST language in a platform independent way. This al-
is reduced seven times; performance overhead of stacking lows us to modify vnode operations and the arguments they
is less than 2%, and unlike other stacking systems, there is pass in an arbitrary way, providing great design flexibil-
no performance overhead for native file systems. ity. At the same time, this abstraction means that stackable

2
file systems cannot easily access device drivers and control, The one place where such a check should be made is in
for example, block layout of files on disks and the existing the lookup routine that is used to find a file in a directory.
structure of meta-data (inodes). To do so without FiST, the developer has to do the follow-
FiST does not require that applications be changed. The ing:
default behavior of produced code maintains compatibility
with existing file system APIs. FiST does allow, however, 1. locate an operating system with available sources for
the creation of special-purpose file systems that can extend one file system
new functionality to applications. 2. read and understand the code for that file system and
any associated kernel code
FiST Input File
3. make a copy of the sources, and carefully modify them
to include the new functionality
Basefs Templates fistgen 4. compile the sources into a new file system, possibly
rebuilding a new kernel and rebooting the system
Stackable File System Sources 5. mount the new file system, test, and debug as needed
Figure 2: FiST Operational Diagram. Fistgen reads a FiST input After completing this, the developer is left with one mod-
file, and with the Basefs templates, produces sources for a new ified file system for one operating system. The amount of
file system. code that has to be read and understood ranges in the thou-
The overall operation of the FiST system is shown in sands of lines (Table 1). The process has to be repeated for
Figure 2. The figure illustrates how the three parts of FiST each new port to a new platform. In addition, changes to
work together: the FiST language, fistgen, and Basefs. File native file system are unlikely to be accepted by operating
system developers write FiST input files to implement file system maintainers, and have to be maintained indepen-
systems using the FiST language. Fistgen, the FiST lan- dently.
guage code parser and file system code generator, reads In contrast, the normal procedure for developing code
FiST input files that describe the new file system’s func- with FiST is:
tionality. Fistgen then uses additional input files, the Basefs
1. write the code in FiST once
templates. These templates contain the stacking support
2. run fistgen on the input file
code for each operating system and hooks to insert devel-
oper code. Fistgen combines the functionality described 3. compile the produced sources into a loadable kernel
in the FiST input file with the Basefs templates, and pro- module, and load it into a running system
duces new kernel C sources as output. The latter imple- 4. mount the new file system, test, and debug as needed
ment the functionality of the new file system. Developers
Debugging code can be turned on in FiST to assist in the
can, for example, write simple FiST code to manipulate
development of the new file system. There is no need to
file data and file names. Fistgen, in turn, translates that
have kernel sources or be familiar with them; there is no
FiST code into C code and inserts it at the right place in the
need to write or port code for each platform; and there is
templates, along with any additional support code that may
no need to rebuild or reboot the kernel. Furthermore, the
be required. Developers can also turn on or off certain file
same developer can write Snoopfs using a small number of
system features, and fistgen will conditionally include code
lines of FiST code:
that implements those features.
%op:lookup:postcall f
if ((fistLastErr() == EPERM ||
2.1 A Quick Example: Snoopfs fistLastErr() == ENOENT) &&
$0.owner != %uid && %uid != 0)
To illustrate the FiST development process, we contrast it fistPrintf("snoopfs detected access by uid %d,n
pid %d, to file %snn", %uid, %pid, $name);
with traditional file system development methods using a g
simple example similar to Watchdogs[2]. Suppose a file
system developer wants to write a file system that will warn This short FiST code inserts an “if” statement after the
of any possible unauthorized access to users’ files. The normal call to the lookup routine. The code checks if the
main idea is that only the files’ owner or the root user are previous lookup call failed with one of two particular er-
allowed access. Any other user who might be attempting to rors, who the owner of the directory is, who the effective
find files that belong to another user, would normally get a running user is, and then decides whether to print the warn-
“permission denied” error code. However, the system does ing message.
not produce an alert when such an attempt is made. This This single FiST description is portable, and can be com-
new snooping file system (Snoopfs) will log these failed piled on each platform that we have ported our templates to
attempts. (currently three).

3
2.2 The File System Model system data using the mount system call. In addition,
mounted file systems may return arbitrary (even new) er-
A FiST-produced file system runs in the kernel, as seen in ror codes back to user processes.
Figure 3. FiST file systems mirror the vnode interface both
Since a FiST-produced stackable file system is the caller
above and below. The interface to user processes is the
of other file systems, it has a lot of control over what tran-
system call interface. FiST does not change either the sys-
spires between it and the ones below through the vnode
tem call interface or the vnode interface. Instead, FiST can
interface. FiST allows access to multiple mounts and files.
change information passed and returned through the inter-
Each mount or file may have multiple attributes that FiST
faces.
can access. Also, FiST can determine how to apply vnode
A user process generally accesses a file system by exe- functions on each file. For maximum flexibility, FiST
cuting a system call, which traps into the kernel. The ker- allows the developer full control over mounts and files,
nel VFS then translates the system call to a vnode opera- their data, their attributes, and the functions that operate
tion, and calls the corresponding file system. If the latter on them; they may be created or removed, data and at-
is a FiST-produced file system, it may call another stacked tributes can be changed, and functions may be augmented,
file system below. Once the execution flow has reached replaced, reordered, or even ignored.
the lowest file system, error codes and return values begin
Ioctls (I/O Controls) have been used as an operating sys-
flowing upwards, all the way to the user process.
tem extension mechanism as they can exchange arbitrary
user process information between user processes and the kernel, as well
as in between file system layers, without changing inter-
System Call system calls
mount() data error codes
faces. FiST allows developers to define new ioctls and de-
Interface ioctl() data
User fine the actions to take when they are used; this can be used
to create application-specific file systems. FiST also pro-
vides functions for portable copying of ioctl data between
Virtual File System (VFS) user and kernel spaces. For example, our encryption file
Vnode Kernel system (Section 4.1) uses an ioctl to set cipher keys.
file system data
and error codes. Traditional stackable file systems create a single linear
Interface
stack of mounts, each one hiding the one file system below
FiST−produced file system it. More general stacking allows for a tree-like mount struc-
ture, as well as for direct access to any layer[8, 18]. This
Vnode file system data,
interesting aspect of stackable file systems is called fan-
operations, and
Interface error codes. ning, as shown in Figure 4. A fan-out allows the mounted
file system to access two or more mounts below. A fan-
Lower File System out is useful for example in replicated, load-balancing,
unifying[15], or caching file systems[22].

Figure 3: Information and execution flow in a stackable system. $0 X $0 X


FiST does not change the system call or vnode interfaces, but al-
lows for arbitrary data and control operations to flow in both di-
rections. $1 Y $1 Y Z $2

In FiST, we model a file system as a collection of Fan-In Fan-Out


mounts, files, and user processes, all running under one Figure 4: Fanning in stackable file systems
system. Several mounts, mounted instances of file systems,
can exist at any time. A FiST-produced file system can A fan-in allows a process to access lower level mounts
access and manipulate various mounts and files, data as- directly. This can be useful when fast access to the lower
sociated with them, their attributes, and the functions that level data is needed. For example, in an encryption file sys-
operate on them. Furthermore, the file system can access tem, a backup utility can backup the data faster (and more
attributes that correspond to the run-time execution envi- securely) by accessing the ciphertext files in the lower level
ronment: the operating system and the user process cur- file system. If fan-in is not used, the mounted file system
rently executing. will overlay the mounted directory with the mount point.
Information (both data and control) generally flows be- An overlay mount hides the lower level file system. This
tween user processes and the mounted file system through can be useful for some security applications. For example,
the system call interface. For example, file data flows our ACL file system (Section 4.2) hides certain important
between user processes and the kernel via the read and files from normal view and is able to control who can ma-
write system calls. Processes can pass specific file nipulate those files and how.

4
2.3 The FiST Language operation, or even a portion of a vnode operation. Rules
allow developers to control the behavior of one or more file
The FiST language is a high-level language that uses file system functions in a portable manner. The FiST rules sec-
system features common to several operating systems. It tion is the primary section, where most of the actions for the
provides file system specific language constructs for sim-
produced code are written. In this section, for example, we
plifying file system development. In addition, FiST lan- can choose to change the behavior of unlink to rename
guage constructs can be used in conjunction with additional the target file, so it might be restored later. We separated
C code to offer the full flexibility of a system programming the declarations and rules sections for programming ease:
language familiar to file system developers. The ability to developers know that global declarations go in the former,
integrate C and FiST code is reflected in the general struc-
and actions that affect vnode operations go in the latter.
ture of FiST input files. Figure 5 shows the four main sec-
Additional C Code includes additional C functions that
tions of a FiST input file.
might be referenced by code in the rest of the file system.
%f We separated this section from the rules section for code
1 C Declarations modularity: FiST rules are actions to take for a given vnode
%g function, while the additional C code may contain arbitrary
2 FiST Declarations code that could be called from anywhere. This section pro-
%% vides a flexible extension mechanism for FiST-based file
3 FiST Rules systems. Code in this section may use any basic FiST prim-
%% itives (discussed in Section 2.3.1) which are helpful in writ-
4 Additional C Code
ing portable code. We also allow developers to write code
that takes advantage of system-specific features; this flexi-
Figure 5: FiST Grammar Outline bility, however, may result in non-portable code.
The FiST grammar was modeled after yacc[9] input The remainder of this section introduces the FiST lan-
files, because yacc is familiar to programmers and the pur- guage primitives, the various participants in a file system
pose for each of its four sections (delimited by “%%”) (such as files, mounts, and processes), their attributes and
matches with four different subdivisions of desired file sys- how to extend them and store them persistently, and how to
tem code: raw included header declarations, declarations control the execution flow in a file system. The examples
that affect the produced code globally, actions to perform in Section 4 are also helpful because they further illustrate
when matching vnode operations, and additional code. the FiST language.
C Declarations (enclosed in “f% %g”) are used to in-
clude additional C headers, define macros or typedefs, list 2.3.1 FiST Syntax
forward function prototypes, etc. These declarations are
used throughout the rest of the code. FiST syntax allows referencing mounted file systems and
FiST Declarations define global file system properties files, accessing attributes, and calling FiST functions.
that affect the overall semantics of the produced code and Mount references begin with $vfs, while file references
how a mounted file system will behave. These properties use a shorter “$” syntax because we expect them to appear
are useful because they allow developers to make common more often in FiST code. References may be followed by
global changes in a simple manner. In this section we de- a name or number that distinguishes among multiple in-
clare if the file system will be read-only or not, whether or stances (e.g., $1, $2, etc.) especially useful when fan-out
not to include debugging code, if fan-in is allowed or not, is used (Figure 4). Attributes of mounts and files are speci-
and what level (if any) of fan-out is used. fied by appending a dot and the attribute name to the refer-
FiST Declarations can also define special data structures ence (e.g., $vfs.blocksize, $1.name, $2.owner,
used by the rest of the code for this file system. We can de- etc.) The scope of these references is the current vnode
fine mount-time data that can be passed with the mount(2) function in which they are executing.
system call. A versioning file system, for example, can be There is only one instance of a running operating sys-
passed a number indicating the maximum number of ver- tem. Similarly, there is only one process context executing
sions to allow per file. FiST can also define new error codes that the file system has to be concerned with. Therefore
that can be returned to user processes, for the latter to un- FiST need only refer to their attributes. These read-only at-
derstand additional modes of failure. For example, an en- tributes are summarized in Table 2. The scope of all read-
cryption file system can return a new error code indicating only “%” attributes is global.
that the cipher key in use has expired. FiST code can call FiST functions from anywhere in the
FiST Rules define actions that generally determine the file system, some of which are shown in Table 3. The scope
behavior for individual files. A FiST rule is a piece of code of FiST functions is global in the mounted file system.
that executes for a selected set of vnode operations, for one These functions form a comprehensive library of portable

5
Global Meaning to access the file as $0.user and $0.group, respec-
%blocksize native disk block size tively. The expiration time is accessed as $0.expire.
%gid effective group ID The per vnode declaration defines new attributes for
%pagesize native page size files, but those attributes are only kept in memory. FiST
%pid process ID also provides different methods to define, store, and access
%time current time (seconds since epoch) additional attributes persistently. This way, a file system
%uid effective user ID developer has the flexibility of deciding if new attributes
need only remain in memory or saved more permanently.
Table 2: Global Read-Only FiST Variables
For example, an encrypting file system may want to store
routines useful in writing file systems. The names of these an encryption key, cipher ID, and Initialization Vector (IV)
functions begin with “fist.” FiST functions can take a vari- for each file. This can be declared in FiST using:
able number of arguments, omit some arguments where
fileformat SECDAT f
suitable defaults exist, and use different types for each ar- char key[16]; /* cipher key */
gument. These are true functions that can be nested and int cipher; /* cipher ID */
may return any single value. char iv[16]; /* initialization vector */
g;
Function Meaning
fistPrintf print messages Two FiST functions exist for handling file formats: fist-
fistStrEq string comparison SetFileData and fistGetFileData. These two routines can
fistMemCpy buffer copying similar store persistently and retrieve (respectively) additional file
fistLastErr get the last error code system and file attributes, as well as any other arbitrary
fistSetErr set the return error code data. For example, to save the cipher ID in a file called
fistReturnErr return an error code immediately .key, use:
fistSetIoctlData set ioctl value to pass to a user process
fistGetIoctlData get ioctl value from a user process int cid;
fistSetFileData write arbitrary data to a file /* set cipher ID */
fistGetFileData read arbitrary data from a file fistSetFileData(".key", SECDAT, cipher, cid);
fistLookup find a file in a directory
fistReaddir read a directory The above FiST function will produce kernel code to
fistSkipName hide a name of a file in a directory open the file named “.key” and write the value of the
fistOp execute an arbitrary vnode operation “cid” variable into the “cipher” field of the “SECDAT” file
format, as if the latter had been a data structure stored in
Table 3: A sample of FiST functions used in this paper the “.key” file.
Finally, the mechanism for adding new attributes to
Each mount and file has attributes associated with it.
mounts is similar. For files, the declaration is per vnode
FiST recognizes common attributes of mounted file sys-
while for mounts it is per vfs. The routines fistSetFile-
tems and files that are defined by the system, such as the
Data and fistGetFileData can be used to access any arbi-
name, owner, last modification time, or protection modes.
trary persistent data, for both mounts and files.
FiST also allows developers to define new attributes and
optionally store them persistently. Attributes are accessed
by appending the name of the attribute to the mount or file 2.3.2 Rules for Controlling Execution and Informa-
reference, with a single dot in between, much the same way tion Flow
that C dereferences structure field names. For example, the In the previous sections we considered how FiST can con-
native block size of a mounted file system is accessed as trol the flow of information between the various layers. In
$vfs.blocksize and the name of a file is $0.name. this section we describe how FiST can control the execu-
FiST allows users to create new file attributes. For ex- tion flow of various operations using FiST rules.
ample, an ACL file system may wish to add timed access FiST does not change the interfaces that call it, because
to certain files. The following FiST Declaration can define such changes will not be portable across operating systems
the new file attributes in such a file system: and may require changing many user applications. FiST
per_vnode f therefore only exchanges information with applications us-
int user; /* extra user */ ing existing APIs (e.g., ioctls) and those specific applica-
int group; /* extra group */ tions can then affect change.
time_t expire; /* access expiration time */
g; The most control FiST file systems have is over the file
system (vnode) operations that execute in a normal stack-
With the above definition in place, a FiST file system able setting. Figure 6 highlights what a typical stackable
may refer to the additional user and group who are allowed vnode operation does: (1) find the vnode of the lower level

6
mount, and (2) repeat the same operation on the lower The general form for a FiST rule is:
vnode.
int fsname_getattr(vnode_t *vp, args...) % allset : optype : part f odeg (1)
f Table 4 summarizes the possible values that a FiST rule
int error;
vnode_t *lower_vp = get_lower(vp); can have. Callset defines a collection of operations to op-
erate on. Optype further defines the call set to a subset of
/* (1) pre-call code goes here */ operations or a single operation. Part defines the part of the
/* (2) call same operation on lower file system */
call that the following code refers to: pre-call, call, post-
error = VOP_GETATTR(lower_vp, args...);
/* (3) post-call code goes here */ call, or the name of a newly defined ioctl. Finally, code
return error; contains any C code enclosed in braces.
g
Call Sets
op to refer to a single operation
Figure 6: A skeleton of typical kernel C code for stackable vnode ops to refer to all operations
functions. FiST can control all three sections of every vnode func- readops to refer to non state changing operations
tion: pre-call, post-call, and the call itself. writeops to refer to state changing operations
Operation Types
The example vnode function receives a pointer to the
all all operations
vnode on which to apply the operation, and other argu-
data operations that manipulate file data
ments. First, the function finds the corresponding vnode at
name operations that manipulate file names
the lower level mount. Next, the function actually calls the The rest of the operation types specify one of the
lower level mounted file system through a standard VOP * following vnode operations: create, getattr, l/stat,
macro that applies the same operation, but on the file sys- link, lookup, mkdir, read, readdir, readlink, rename,
tem corresponding to the type of the lower vnode. The rmdir, setattr, statfs, symlink, unlink, and write.
macro uses the lower level vnode, and the rest of the argu-
Call Part
ments unchanged. Finally, the function returns to the caller
precall part before calling the lower file system
the status code which the lower level mount passed to the call the actual call to the lower file system
function. postcall part after calling the lower file system
There are three key parts in any stackable function that ioctl name of a newly defined ioctl
FiST can control: the code that may run before calling
the lower level mount (pre-call), the code that may run af- Table 4: Possible Values in FiST Rules
terwards (post-call), and the actual call to the lower level
mount. FiST can insert arbitrary code in the pre-call and 2.3.3 Filter Declarations and Filter Functions
post-call sections, as well as replace the call part itself with
anything else. FiST file systems can perform arbitrary manipulations of
By default, the pre-call and post-call sections are empty, the data they exchange between layers. The most useful
and the call section contains code to pass the operation to and at the same time most complex data manipulations in
the lower level file system. These defaults produce a file a stackable file system involve file data and file names. To
system that stacks on another but does not change behav- manipulate them consistently without FiST or Wrapfs, de-
ior, and that was designed so developers do not have to velopers must make careful changes in many places. For
worry about the basic stacking behavior—only about their example, file data is manipulated in read, write, and all
changes. of the MMAP functions; file names also appear in many
For example, a useful pre-call code in an encryption file places: lookup, create, unlink, readdir, mkdir, etc.
system would be to verify the validity of cipher keys. A FiST simplifies the task of manipulating file data or file
replication file system may insert post-call code to repeat names using two types of filters. A filter is a function like
the same vnode operation on other replicas. A versioning Unix shell filters such as sed or sort: they take some input,
file system could replace the actual call to remove a file and produce possibly modified output.
with a call to rename it; an example FiST code for the latter If developers declare filter:data in their FiST file,
might be: fistgen looks for two data coding functions in the Addi-
tional C Code section of the FiST File: encode data and
decode data. These functions take an input data page,
%op:unlink:call f and an allocated output page of the same size. Develop-
fistRename($name, fistStrAdd($name, ".unrm")); ers are expected to implement these coding functions in the
g
Additional C Code section of the FiST file. The two func-
tions must fill in the output page by encoding or decoding

7
it appropriately and return a success or failure status code. C macros to handle some of the FiST language, it would
Our encryption file system uses a data filter to encrypt and have resulted in unmaintainable and unreadable code. One
decrypt data (Section 4.1). of the advantages of the FiST system is that it produces
With the FiST declaration filter:name, fistgen in- highly readable code. Developers can even edit that code
serts code and calls to encode or decode strings repre- and add more features by hand, if they so choose.
senting file names. The file name coding functions (en- Fistgen also produces real C functions for specialized
code name and decode name) take an input file name FiST syntax that cannot be trivially handled in C. For exam-
string and its length. They must allocate a new string and ple, the fistGetIoctlData function takes arguments that rep-
encode or decode the file name appropriately. Finally, the resent names of data structures and names of fields within.
coding functions return the number of bytes in the newly A C function cannot pass such arguments; C++ templates
allocated string, or a negative error code. Fistgen inserts would be needed, but we opted against C++ to avoid requir-
code at the caller’s level to free the memory allocated by ing developers to know another language, because modern
file name coding functions. Unix kernels are still written in C, and to avoid interoper-
Using FiST filters, developers can easily produce file ability problems between C++ produced code and C pro-
systems that perform complex manipulations of data or duced code in a running kernel. Preprocessor macros can
names exchanged between file system layers. handle data structure names and names of fields, but they
do not have exact or portable C function semantics. To
solve this problem, fistgen replaces calls to functions such
2.4 Fistgen as fistGetIoctlData with automatically generated specially
Fistgen is the FiST language code generator. Fistgen reads named C functions that hard-code the names of the data
in an input FiST file, and using the right Basefs templates, structures and fields to manipulate. Fistgen generates these
produces all the files necessary to build a new file system functions only if needed and only once.
described in the FiST input file. These output files include
C file system source files, headers, sources for user level 2.5 Basefs
utilities, and a Makefile to compile them on the given plat-
form. Basefs is a template system which was derived from
Wrapfs[27]. It provides basic stacking functionality with-
Fistgen implements a subset of the C language parser
out changing other file systems or the kernel. To achieve
and a subset of the C preprocessor. It handles conditional
this functionality, the kernel must support three features.
macros (such as #ifdef and #endif). It recognizes the begin-
First, in each of the VFS data structures, Basefs requires a
ning of functions after the first set of declarations and the
field to store pointers to data structures at the layer below.
ending of functions. It parses FiST tags inserted in Basefs
Second, new file systems should be able to call VFS func-
(explained in the next section) used to mark special places
tions. Third, the kernel should export all symbols that may
in the templates. Finally, fistgen handles FiST variables
be needed by new loadable kernel modules. The last two
(beginning with $ or %) and FiST functions (such as fist-
requirements are needed only for loadable kernel modules.
Lookup) and their arguments.
After parsing an input file, fistgen builds internal data VFS Generic
structures and symbol tables for all the keywords it must
handle. Fistgen then reads the templates, and generates Specific
output files for each file in the template directory. For BASEFS
each such file, fistgen inserts needed code, excludes unused Generic
code, or replaces existing code. In particular, fistgen con-
ditionally includes large portions of code that support FiST EXT2FS Specific
filters: code to manipulate file data or file names. It also
produces several new files (including comments) useful in Figure 7: Where Basefs fits inside the kernel
the compilation for the new file system: a header file for Basefs handles many of the internal details of operating
common definitions, and two source files containing auxil- systems, thus freeing developers from dealing with kernel
iary code. specifics. Basefs provides a stacking layer that is indepen-
The code generated by fistgen may contain automatically dent from the layers above and below it. Figure 7 shows
generated functions that are necessary to support proper this. Basefs appears to the upper VFS as a lower level file
FiST function semantics. Each FiST function is replaced system. Basefs also appears to file systems below it as a
with one true C function—not a macro, inlined code, a VFS. All the while, Basefs repeats the same vnode opera-
block of code statements, or any feature that may not be tion on the lower level file system.
portable across operating systems and compilers. While it Basefs performs all data reading and writing on whole
might have been possible to use other mechanisms such as pages. This simplifies mixing regular reads and writes with

8
memory-mapped operations, and gives developers a single development of our templates. Finally, all three platforms
paged-based interface to work with. Currently, file systems support loadable kernel modules, which sped up the devel-
derived from Basefs manipulate data in whole pages and opment and debugging process. Loadable kernel modules
may not change the data size (e.g., compression). are a convenience in implementing FiST; they are not re-
To improve performance, Basefs copies and caches data quired.
pages in its layer and the layers below it.1 Basefs saves The implementation of Basefs was simple and improved
memory by caching at the lower layer only if file data is on previously reported efforts[27]. No changes were re-
manipulated and fan-in was used; these are the usual con- quired to either Solaris or FreeBSD. No changes to Linux
ditions that require caching at each layer. were required if using statically linked modules. To use dy-
Basefs is different from Wrapfs in four ways. First, namically loadable kernel modules under Linux, only three
substantial portions of code to manipulate file data and lines of code were changed in a header file. This change
file names, as well as debugging code are not included in was passive and did not have any impact on the Linux ker-
Basefs by default. These are included only if the file sys- nel.
tem needs them. By including only code that is necessary The remainder of this section describes the implementa-
we generate output code that is more readable than code tion of fistgen. Fistgen translates FiST code into C code
with multi-nested #ifdef/#endif pairs. Conditionally which implements the file system described in the FiST in-
including this code also resulted in improved performance, put file. The code can be compiled as a dynamically load-
as reported in Section 5.3. Matching or exceeding the per- able kernel module or statically linked with a kernel. In this
formance of other layered file systems was one of the de- section we describe the implementation of key features of
sign goals for Basefs. FiST that span its full range of capabilities.
Second, Basefs adds support for fan-out file systems na- We implemented read-only execution environment vari-
tively. This code is also conditionally included, because it ables (Section 2.3.1) such as %uid by looking for them
is more complex than single-stack file systems, adds more in one of the fields from struct cred in Solaris or
performance overhead, and consumes more memory. A struct ucred in FreeBSD. The VFS passes these
complete discussion of the implementation and behavior of structures to vnode functions. The Linux VFS simpli-
fan-out file systems is beyond the scope of this paper. fies access to credentials by reading that information from
Third, Basefs includes (conditionally compiled) support the disk inode and into the in-memory vnode structure,
for many other features that had to be written by hand in struct inode. So on Linux we find UID and other cre-
Wrapfs. This added support can be thought of as a li- dentials by referencing a field directly in the inode which
brary of common functions: opening, reading or writing, the VFS passes to us.
and then closing arbitrary files; storing extended attributes Most of the vnode attributes listed Section 2.3.1 are sim-
persistently; user-level utilities to mount and unmount file ple to find. On Linux they are part of the main vnode struc-
systems, as well as manipulate ioctls; inspecting and mod- ture. On Solaris and FreeBSD, however, we first perform a
ifying file attributes, and more. VOP GETATTR vnode operation to find them, and then re-
Fourth, Basefs includes special tags that help fistgen lo- turn the appropriate field from the structure that the getattr
cate the proper places to insert certain code. Inserting function fills.
code at the beginning or the end of functions is simple, The vnode attribute “name” was more complex to imple-
but in some cases the code to add has to go elsewhere. ment, because most kernels do not store file names after the
For example, handling newly defined ioctls is done (in initial name lookup routine translates the name to a vnode.
the basefs ioctl vnode function) at the end of a C On Linux, implementing the vnode name attribute was sim-
“switch” statement, right before the “default:” case. ple, because it is part of a standard directory entry structure,
dentry. On Solaris and FreeBSD, however, we add code
3 Implementation to the lookup vnode function that stores the initial file name
in the private data of the vnode. That way we can access
We implemented the FiST system in Solaris, Linux, and it as any other vnode attribute, or any other per-vnode at-
FreeBSD because these three operating systems span the tribute added using the per vnode declaration. We im-
most popular modern Unix platforms and they are suffi- plemented all other fields defined using the per vfs FiST
ciently different from each other. This forced us to un- declaration in a similar fashion.
derstand the generic problems in addition to the system- The FiST declarations described in Section 2.3 affect the
specific problems. Also, we had access to kernel sources overall behavior of the generated file system. We imple-
for all three platforms, which proved valuable during the mented the read-only access mode by replacing the call part
1 Heidemann proposed a solution to the cache coherency problem of every file system function that modifies state (such as
through a centralized cache manager[6]. His solution, however, required unlink and mkdir) to return the error code “read-only file
modifications to existing file systems and the rest of the kernel. system.” We implemented the fan-in mount style by ex-

9
cluding code that uses the mounted directory’s vnode also 4.1 Cryptfs
as the mount point.
Cryptfs is a strong encryption file system. It uses the
The only difficult part of implementing the ioctl dec-
Blowfish[21] encryption algorithm in Cipher Feedback
laration and its associated functions, fistGetIoctlData and
(CFB) mode[20]. We used one fixed Initialization Vector
fistSetIoctlData (Section 2.2), was finding how to copy
(IV) and one 128-bit key per mounted instance of Cryptfs.
data between user space and kernel space. Solaris and
Cryptfs encrypts both file data and file names. After en-
FreeBSD use the routines copyin and copyout; Linux 2.3
crypting file names, Cryptfs also uuencodes them to avoid
uses copy from user and copy to user.
characters that are illegal in file names. Additional design
The last complex feature we implemented was the
and important details are available elsewhere[26].
fileformat FiST declaration and the functions used
The FiST implementation of Cryptfs shows three addi-
with it: fistGetFileData and fistSetFileData (Section 2.3.1).
tional features: file data encoding, using ioctl calls, and
Consider this small code excerpt:
using per-VFS data. Cryptfs’s FiST code uses all four sec-
tions of a FiST file. Some of the more important code for
fileformat fmt f data structure;g
fistGetFileData( file, fmt, field, out); Cryptfs is:

%f
First, we generate a C data structure named fmt. To im- #include <blowfish.h>
plement fistGetFileData, we open file, read as many bytes %g
from it as the size of the data structure, map these bytes filter:data;
onto a temporary variable of the same data structure type, filter:name;
ioctl:fromuser SETKEY fchar ukey[16];g;
copy the desired field within that data structure into out, per_vfs fchar key[16];g;
close the file, and finally return a error/success status value %%
from the function. To improve performance, if fileformat %op:ioctl:SETKEY f
char temp_buf[16];
related functions are called several times inside a vnode if (fistGetIoctlData(SETKEY, ukey, temp_buf)<0)
function, we keep the file they refer to open until the last fistSetErr(EFAULT);
call that uses it. else
Fistgen itself (excluding the templates) is highly BF_set_key(&$vfs.key, 16, temp_buf);
g
portable, and can be compiled on any Unix system. The %%
total number of source lines for fistgen is 4813. Fistgen can unsigned char global_iv[8] = f
process each 1KB of template data in under 0.25 seconds 0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10 g;
(measured on the same platform used in Section 5.3). int cryptfs_encode_data(const page_t *in,
page_t *out)
f
int n = 0; /* blowfish variables */
4 Examples unsigned char iv[8];

fistMemCpy(iv, global_iv, 8);


This section describes the design and implementation of BF_cfb64_encrypt(in, out, %pagesize,
several sample file systems we wrote using FiST. The ex- &($vfs.key), iv, &n,
amples generally progress from those with a simple FiST BF_ENCRYPT);
design to those with a more complex design. Each example return %pagesize;
g
introduces a few more FiST features. ...

1. Cryptfs: is an encryption file system.


The above example omits the call to decode data and
2. Aclfs: adds simple access control lists. the calls to encode and decode file names because they are
3. Unionfs: joins the contents of two file systems. similar in behavior to data encoding. Cryptfs defines an
ioctl named SETKEY, used to set 128-bit encryption keys.
These examples are experimental and intended to illus- We wrote a simple user-level tool which prompts the user
trate the kinds of file systems that can be written using for a passphrase and sends an MD5-hash of it to the kernel
FiST. We illustrate and discuss only the more important using this ioctl. When the SETKEY ioctl is called, Cryptfs
parts of these examples—those that depict key features of stores the (cipher) key in the private VFS data field “key”,
FiST. Whenever possible, we mention potential enhance- to be used later.
ments to our examples. We hope to convince readers of the There are several possible extensions to Cryptfs: storing
flexibility and simplicity of writing new file systems using per-file or per-directory keys in auxiliary files that would
FiST. An additional example, Snoopfs, was described in otherwise remain hidden from users’ view, much the same
Section 2.1. as Aclfs does (Section 4.2.); using several types of encryp-

10
tion algorithms, and defining mount flags to select among The .acl file itself is modifiable only by the directory’s
them. owner. We accomplish this by using a special ioctl. Fi-
nally, we hide .acl files from anyone but their owner. We
4.2 Aclfs insert code in the beginning of lookup that returns the error
“no such file” if anyone other than the directory’s owner
Aclfs allows an additional UID and GID to share access to attempted to lookup the ACL file. To complete the hiding
a directory as if they were the owner and group of that di- of ACL files, we skip listing .acl files when reading di-
rectory. Aclfs shows three additional features of FiST: dis- rectories.
allowing fan-in (more secure), using special purpose aux- Aclfs shows the full set of arguments to the fistLookup
iliary files, and hiding files from users’ view. The FiST routine. In order, the five arguments are: the directory to
code for Aclfs uses the FiST Declarations and FiST Rules lookup in, the name to lookup, the vnode to store the newly
sections: looked up entry, and the credentials to perform the lookup
fanin no;
with (UID and GID, respectively).
ioctl:fromuser SETACL fint u; int g;g; There are several possible extensions to this implemen-
fileformat ACLDATA fint us; int gr;g; tation of Aclfs. Instead of using the UID and GID listed
%% in the .acl file, it can contain an arbitrarily long list of
%op:ioctl:SETACL f
if ($0.owner == %uid) f
user and group IDs to allow access to. The .acl file may
int u2, g2; also include sets of permissions to deny access from, per-
if (fistGetIoctlData(SETACL, u, &u2) < 0 || haps using negative integers to distinguish them from ac-
fistGetIoctlData(SETACL, g, &g2) < 0) cess permissions. The granularity of Aclfs can be made on
a per-file basis; for each file F , access permissions can be
fistSetErr(EFAULT);
else f
fistSetFileData(".acl", ACLDATA, us, u2); read from a file .F .acl, if one exists.
fistSetFileData(".acl", ACLDATA, gr, g2);
g
g else 4.3 Unionfs
fistSetErr(EPERM);
g Unionfs joins the contents of two file systems similar to
%op:lookup:postcall f the union mounts in BSD-4.4[15] and Plan 9[17]. The
int u2, g2; two lower file systems can be considered two branches of a
if (fistLastErr() == EPERM
&& stackable file system tree. Unionfs shows how to merge the
fistGetFileData(".acl", ACLDATA, us, u2)>=0 contents of directories in FiST, and how to define behav-
&& ior on a set of file system operations. The FiST code for
fistGetFileData(".acl", ACLDATA, gr, g2)>=0 Unionfs uses the FiST Declarations and FiST Rules sec-
&&
(%uid == u2 || %gid == g2)) tions:
fistLookup($dir:1, $name, $1,
$dir:1.owner, $dir:1.group); fanout 2;
g %%
%op:lookup:precall f %op:lookup:postcall f
if (fistStrEq($name, ".acl") && if (fistLastErr() == ENOENT)
$dir.owner != %uid) fistSetErr(fistLookup($dir:2, $name));
fistReturnErr(ENOENT); g
g %op:readdir:postcall f
%op:readdir:call f fistSetErr(fistReaddir($dir:2, NODUPS));
if (fistStrEq($name, ".acl")) g
fistSkipName($name); %delops:all:postcall f
g fistSetErr(fistOp($2));
g
%writeops:all:call f
When looking up a file in a directory, Aclfs first performs
fistSetErr(fistOp($1));
the normal access checks (in lookup). We insert postcall g
code after the normal lookup that checks if access to the
file was denied and if an additional file named .acl exists Normal lookup will try the first lower file system branch
in that directory. We then read one UID and GID from ($1). We add code to lookup in the second branch ($2)
the .acl file. If the effective UID and GID of the current if the first lookup did not find the file. If a file exists in
process match those listed in the .acl file, we repeat the both lower file systems, Unionfs will use the one from the
lookup operation on the originally looked-up file, but using first branch. Normal directory reading is augmented to in-
the ownership and group credentials of the actual owner of clude the contents of the second branch, but setting a flag to
the directory. We must use the owner’s credentials, or the eliminate duplicates; that way files that exist in both lower
lower file system will deny our request. file systems are listed only once. Since files may exist in

11
both branches, they must be removed (unlink, rmdir, and sizes for the three platforms we implemented the file sys-
rename) from all branches. Finally we declare that all writ- tems on: Linux 2.3, Solaris 2.6, and FreeBSD 3.3. These
ing operations should perform their respective operations results are shown in Figure 8. For reference, we include the
only on the first branch; this means that new files are cre- code sizes of Basefs and Wrapfs and also show the number
ated in the first branch where they will be found first by of lines of code required to implement Wrapfs in FiST and
subsequent lookups. Basefs.
There are several other issues file system semantics and 10000

3922
3791

3220
2980
2763
2753
in FiST
especially concerning error propagation and partial fail- over Basefs

1290
1166
ures, but these are beyond the scope of this paper. Exten- over Wrapfs
1000 from scratch
sions to our Unionfs include larger fan-outs, masking the

467
467
Number of Lines (log)

218
218
existence of a file in $2 if it was removed from $1, and

124
ioctls or mount options to decide the order of lookups and

99
100
writing operations on the individual file system branches.

40

39
17
17

15
10
5 Evaluation

4
0
0
0

0
We evaluate the effectiveness of FiST using three criteria: 1
Basefs Wrapfs Snoopfs Cryptfs Aclfs Unionfs
code size, development time, and performance. We show
File System
how code size is reduced dramatically when using FiST,
and the corresponding improvements in development and
porting times. We also show that performance overhead is Figure 8: Average code size for various file systems when written
small and comparable to other stacking work. We report in FiST, written given the Basefs or Wrapfs templates, and written
results based on the four example file systems described in from scratch in C.
this paper: Snoopfs, Cryptfs, Aclfs, and Unionfs. These Figure 8 shows large reductions in code size when
were tested on three different platforms: Linux 2.3, Solaris comparing FiST versus code hand-written from scratch—
2.6, and FreeBSD 3.3. generally writing tens of lines instead of thousands. We
also include results for the two templates. Size reductions
5.1 Code Size for the four example file systems range from a factor of 40
to 691, with an average of 255. We focus though on the
Code size is one measure of the development effort neces- comparison of FiST versus stackable template systems. As
sary for a file system. To demonstrate the savings in code Wrapfs represents the most conservative comparison, the
size achieved using FiST, we compare the number of lines figure shows for each file system the additional number of
of code that need to be written to implement the four exam- lines of code written using Wrapfs. The smallest average
ple file systems in FiST versus three other implementation code size reduction in using FiST versus Wrapfs or Basefs
approaches: writing C code using a stand-alone version of across all four file systems ranges from a factor of 1.3 to
Basefs, writing C code using Wrapfs, and writing the file 31.1; the average reduction rate is 10.5.
systems from scratch as kernel modules using C. In partic- Figure 8 suggests two size reduction classes. First, mod-
ular, we first wrote all four of the example file systems from erate (5–6 times) savings are achieved for Snoopfs, Cryptfs,
scratch before writing them using FiST. For these example and Aclfs. The reason for this is that some lines of FiST
file systems, the C code generated from FiST was identical code for these file systems produce ten or more lines of C
in size (modulo white-spaces and comments) to the hand- code, while others result in almost a one-to-one translation
written code. We chose to include results for both Basefs in terms of number of lines.
and Wrapfs because the latter was released last year, and Second, the largest savings appeared for Unionfs, a fac-
includes code that makes writing some file systems easier tor of 28–33 times. The reason for this is that fan-out file
with Wrapfs than Basefs directly. systems produce C code that affects all vnode operations;
When counting lines of code, we excluded comments, each vnode operation must handle more than one lower
empty lines, and %% separators. For Cryptfs we excluded vnode. This additional code was not part of the original
627 lines of C code of the Blowfish encryption algorithm, Wrapfs implementation, and it is not used unless fan-outs
since we did not write it. When counting lines of code for of two or more are defined (to save memory and improve
implementing the example file systems using the Basefs performance). If we exclude the code to handle fan-outs,
and Wrapfs stackable templates, we exclude code that is Unionfs’s added C code is still over 100 lines producing
part of the templates and only count code that is specific to savings of a factor of 7–10. FreeBSD’s Unionfs is 4863
the given example file system. We then averaged the code lines long, which is 50% larger than our Unionfs (3232

12
lines). FreeBSD’s Unionfs is 2221 lines longer than their Additional C Code section of the FiST file; the rest of the
Nullfs, while ours is only 481 lines longer than our Basefs. 2 support for Cryptfs is already in Wrapfs.
Figure 8 shows the code sizes for each platform. The The average per platform reduction in development time
savings gained by FiST are multiplied with each port. If across the four file systems is a factor of seven in using
we sum up the savings for the above three platforms, we FiST versus the Wrapfs templates. If we assume that de-
reach reduction factors ranging from 4 to over 100 times velopment time correlates directly to productivity, we can
when comparing FiST to code written using the templates. corroborate our results with Brooks’s report that high-level
This aggregated reduction factor exceeds 750 times when languages are responsible for at least a factor of five in im-
comparing FiST to C code written from scratch. The more proved productivity[3].
ports of Basefs exist, the better these cumulative savings An additional metric of productivity is comparing the
would be. number of lines of C code developed for each man-day,
given the templates. The average number of lines of code
5.2 Development Time we wrote per man-day was 80. One user of our Wrapfs tem-
plates had used them to create a new migration file system
Estimating the time to develop kernel software is very dif- called mfs3 . The average number of lines of code he wrote
ficult. Developers’ experience can affect this time signifi- per man-day was 68. The difference between his rate of
cantly, and this time is generally reduced with each port. productivity and ours is only 20%, which can be explained
In this section we report our own personal experiences because we are more experienced in writing file systems
given these file system examples and the three platforms than he is.
we worked with; these figures do not represent a controlled The most obvious savings in development time come
study. Figure 9 shows the number of days we spent devel- when taking into account multiple platforms. Then it is
oping various file systems and porting them to three differ- clearer that each additional platform increases the savings
ent platforms. factor of FiST versus other methods by one more.
73
70

48.5

100
55

inFiST
48

givenBasefs
5.3 Performance
25
22

givenWrapfs
8.5

10 fromscratch
(log)

To evaluate the performance of file systems written using


7
NumberoDays

FiST, we tested each of the example file systems by mount-


3
3
2
2

2
f

ing it on top of a disk based native file system and run-


1

1
0.5
0.5

ning benchmarks in the mounted file system. We conducted


0.2

measurements for Linux 2.3, Solaris 2.6, and FreeBSD 3.3.


0.1

0.1

0.1 The native file systems used were EXT2, UFS, and FFS,
Basefs Wrapfs Snoopfs Cryptfs Aclfs Unionfs
respectively. We measured the performance of our file sys-
FileSystem
tems by building a large package: am-utils-6.0, which con-
tains about 50,000 lines of C code in several dozen small
Figure 9: Average estimated reduction in development time files and builds eight binaries; the build process contains
a large number of reads, writes, and file lookups, as well
We estimated the incremental time spent designing, de-
as a fair mix of most other file system operations. Each
veloping, and debugging each file system, assuming 8 hour
benchmark was run once to warm up the cache for exe-
work days, and using our source commit logs and change
cutables, libraries, and header files which are outside the
logs. We estimated the time it took us to develop Wrapfs,
tested file system; this result was discarded. Afterwards,
Basefs, and the example file systems. Then we measured
we took 10 new measurements and averaged them. In be-
the time it took us to develop each of these file systems
tween each test, we unmounted the tested file system and
using the FiST language.
the one below it, and then remounted them; this ensured
For most file systems, incremental time savings are a fac-
that we started each test on a cold cache for that file sys-
tor of 5–15 because hand writing C code for each platform
tem. The standard deviations for our measurements were
can be time consuming, while FiST provides this as part
less than 2% of the mean. We ran all tests on the same
of the base templates and the additional library code that
machine: a P5/90, 64MB RAM, and a Quantum Fireball
comes with Basefs. For Cryptfs, however, there are no time
4.35GB IDE hard disk.
savings per platform, because the vast majority of the code
Figure 10 shows the performance overhead of each file
for Cryptfs is in implementing the four encoding and de-
system compared to the one it was based on. The intent of
coding functions, which are implemented in C code in the
these figures is two-fold: (1) to show that the basic stacking
2 Unfortunately, the stacking infrastructure in FreeBSD is currently
overhead is small, and (2) to show the performance benefits
broken, so we were unable to compare the performance of our stacking
to FreeBSD’s. 3 http://www-internal.alphanet.ch/˜schaefer/mfs.html

13
25
22.9 Min movals (rm –rf), recursive find, and “find-grep” (find /mnt
Max –print | xargs grep pattern) using the same file set used for
20 the large compile. The focus of this paper is not on perfor-
mance, but on savings in code size and development time.
Since the micro-benchmarks confirmed our previous good
%overhead

15
results, we do not repeat them here[27].
10 9.1 Finally, since we did not change the VFS, and all of our
7.7
stacking work is in the templates, there is no overhead on
4.9 5 5 the rest of the system; performance of native file systems
5 4.2
3 3.2
2.1 (NFS, FFS, etc.) is unaffected when our stacking is not
0.8 1
used.
0
Basefsvs. Basefs+ Snoopfs Cryptfsvs. Aclfsvs. Unionfsvs.
lowerfile vs.Basefs vs.Basefs Basefs+ Basefs Basefs
system 6 Related Work
ComparedFileSystems
Rosenthal first implemented stacking in SunOS 4.1 in the
early 1990s[19]. A few other projects followed his, in-
Figure 10: Performance overhead of various file systems for the cluding further prototypes for extensible file systems in
large compile benchmark, across three operating systems
SunOS[22], and the Ficus layered file system[5, 7]. Web-
ber implemented file system interface extensions that allow
of conditionally including code for manipulating file names user-level file servers[25]. Unfortunately, these implemen-
and file data in Basefs. Basefs+ refers to Basefs with code tations required modifications to either existing file systems
for manipulating file names and file data. or the rest of the kernel, limiting their portability signif-
The most important performance metric is the basic icantly, and affecting the performance of native file sys-
overhead imposed by our templates. The overhead of tems. FiST achieves portability using a minimal stackable
Basefs over the file systems it mounts on is just 0.8–2.1%. base file system, Basefs, which can be ported to another
This minimum overhead is below the 3–10% degradation platform in 1–3 weeks. No changes need to be made to ex-
previously reported for null-layer stacking[8, 22]. In addi- isting kernels or file systems, and there is no performance
tion, the overhead of the example file systems due to new penalty for native file systems.
file system functionality is greater than the basic stacking Newer operating systems, such as the HURD[4],
overhead imposed by our templates in all cases, even for Spring[13], and the Exokernel[10] have an extensible file
very simple file systems. With regard to performance, de- system interface. The HURD is a set of servers running un-
velopers who extend file system functionality using FiST der the Mach 3.0 microkernel[1] that collectively provide
primarily need to be concerned with the performance cost a Unix-like environment. HURD translators are programs
of new file system functionality as opposed to the cost of that can be attached to a pathname and perform specialized
the FiST stacking infrastructure. For instance, the overhead services when that pathname is accessed. Writing transla-
of Cryptfs is the largest of all the file systems shown due to tors entails implementing a well defined file access inter-
the cost of the Blowfish cipher. Note that the performance face and filling in stub operations for reading files, creating
of individual file systems can vary greatly depending on the directories, listing directory contents, etc.
operating system in question. Sun Microsystems Laboratories built Spring, an object-
Figure 10 also shows the benefits of having FiST cus- oriented research operating system[13]. Spring was de-
tomize the generated file system infrastructure based on signed as a set of cooperating servers on top of a microker-
the file system functionality required. The comparison of nel. It provides generic modules that offer services useful
Basefs+ versus Basefs shows that the overhead of including for a file system: caching, coherency, I/O, memory map-
code for manipulating file names and file data is 4.2–4.9% ping, object naming, and security. Writing a file system
over Basefs. This added overhead is not incurred in Basefs for Spring involves defining the operations to be applied
unless the file systems derived from it requires file data or on the objects. Operations not defined are inherited from
file name manipulations. While Cryptfs requires Basefs+ their parent object. One work that resulted from Spring
functionality, Snoopfs, Aclfs, and Unionfs do not. Com- is the Solaris MC (Multi-Computer) File System[12]. It
pared to a stackable file system such as Wrapfs, FiST’s borrowed the object-oriented interfaces from Spring and
ability to conditionally include file system infrastructure integrated them with the existing Solaris vnode interface
code saves an additional 4% of performance overhead for to provide a distributed file system infrastructure through
Snoopfs, Aclfs, and Unionfs. a special Proxy File System. Solaris MC provides all of
We also performed several micro-benchmarks which in- Spring’s benefits, while requiring little or no change to ex-
cluded a series of recursive copies (cp –r), recursive re- isting file systems; those can be ported gradually over time.

14
Solaris MC was designed to perform well in a closely cou- 7.1 Future Work
pled cluster environment (not a general network) and re-
quires high performance networks and nodes. We are developing support for file systems that change
The Exokernel is an extensible operating system that sizes such as for compression. The main complexity with
supporting compression is that the file offsets at the upper
comes with XN, a low-level in-kernel stable storage
system[10]. XN allows users to describe the on-disk data and lower layers are no longer identical, and some form of
efficient mapping is needed for operations such as append-
structures and the methods to implement them (along with
ing to a file or writing in the middle. This code complicates
file system libraries called libFSes). The Exokernel re-
quires significant porting work to each new platform, but the templates, but makes no change to the language.
then it can run many unmodified applications. We are also exploring layer collapsing in FiST: a method
The main disadvantages of the HURD, Spring, and the to generate one file system that merges the functionality
Exokernel are that they are not portable enough, not suf- from several FiST descriptions, thus saving the per-layer
ficiently developed or stable, or they are not available for stacking overheads.
general use. In comparison, FiST provides portable stack- We plan to port our system to Windows NT. NT has a
ing on widely available operating systems. Finally, none of different file system interface than Unix’s vnode interface.
the related extensible file systems come with a high-level NT’s I/O subsystem defines its file system interface. NT
language that developers can use to describe file systems. Filter Drivers are optional software modules that can be in-
High level languages have seldom been used to gener- serted above or below existing file systems[14]. Their task
ate code for operating system components. FiST is the first is to intercept and possibly extend file system functionality.
major language to describe a large component of the op- One example of an NT filter driver is its virus signature de-
erating system, the file system. Previous work in the area tector. It is possible to emulate file system stacking under
of operating system component languages includes a lan- NT. We estimate that porting Basefs to NT will take 2–3
guage to describe video device drivers[24]. months, not 1–3 weeks as we predict for Unix ports.

7 Conclusions 8 Acknowledgments

The main contribution of this work is the FiST language We would like to thank the anonymous USENIX reviewers
which can describe stackable file systems. This is a first and our shepherd Keith Smith, for their helpful comments
time a high-level language has been used to describe stack- in reviewing this paper. This work was partially made pos-
able file systems. From a single FiST description we gen- sible by NSF infrastructure grants numbers CDA-90-24735
erate code for different platforms. We achieved this porta- and CDA-96-25374.
bility because FiST uses an API that combines common
features from several vnode interfaces. FiST saves its de- References
velopers from dealing with many kernel internals, and lets
developers concentrate on the core issues of the file system [1] M. Accetta, R. Baron, W. Bolosky, D. Golub, R. Rashid,
they are developing. FiST reduces the learning curve in- A. Tevanian, and M. Young. Mach: A New Kernel Founda-
volved in writing file systems, by enabling non-experts to tion for UNIX Development. USENIX Conf. Proc., pages
93–112, Summer 1986.
write file systems more easily.
The most significant savings FiST offers is in reduced [2] B. N. Bershad and C. B. Pinkerton. Watchdogs: Extending
the UNIX File System. USENIX Conf. Proc., pages 267–75,
development and porting time. The average time it took us
Winter 1988.
to develop a stackable file system using FiST was about
[3] F. Brooks. “No Silver Bullet” Refired. In The Mythical
seven times faster than when we wrote the code using
Man-Month, Anniversary Ed., pages 205–26. Addison-
Basefs. We showed how FiST descriptions are more con- Wesley, 1995.
cise than hand-written C code: 5–8 times smaller for aver-
[4] M. I. Bushnell. The HURD: Towards a New Strat-
age stackable file systems, and as much as 33 times smaller egy of OS Design. GNU’s Bulletin. Free Software
for more complex ones. FiST generates file system mod- Foundation, 1994. Copies are available by writing to
ules that run in the kernel, thus benefiting from increased [email protected].
performance over user level file servers. The minimum [5] R. G. Guy, J. S. Heidemann, W. Mak, T. W. Page Jr., G. J.
overhead imposed by our stacking infrastructure is 1–2%. Popek, and D. Rothmeier. Implementation of the Ficus
FiST can be ported to other Unix platforms in 1–3 weeks, replicated file system. USENIX Conf. Proc., pages 63–71,
assuming the developers have access to kernel sources. The Summer 1990.
benefits of FiST are multiplied each time it is ported to a [6] J. Heidemann and G. Popek. Performance of cache co-
new platform: existing file systems described with FiST herence in stackable filing. Fifteenth ACM SOSP. ACM
can be used on the new platform without modification. SIGOPS, 1995.

15
[7] J. S. Heidemann and G. J. Popek. A layered approach to [25] N. Webber. Operating System Support for Portable Filesys-
file system development. Tech-report CSD-910007. UCLA, tem Extensions. USENIX Conf. Proc., pages 219–25, Win-
1991. ter 1993.
[8] J. S. Heidemann and G. J. Popek. File System Develop- [26] E. Zadok, I. Badulescu, and A. Shender. Cryptfs: A
ment with Stackable Layers. ACM ToCS, 12(1):58–89, Feb., Stackable Vnode Level Encryption File System. Techni-
1994. cal Report CUCS-021-98. Computer Science Department,
[9] S. C. Johnson. Yacc: Yet Another Compiler-Compiler, Columbia University, 1998.
UNIX Programmer’s Manual Volume 2 — Supplementary [27] E. Zadok, I. Badulescu, and A. Shender. Extending File
Documents. Bell Laboratories, Murray Hill, New Jersey, Systems Using Stackable Templates. USENIX Conf. Proc.,
July 1978. 1999.
[10] M. F. Kaashoek, D. R. Engler, G. R. Ganger, H. M. Briceño,
R. Hunt, D. Mazières, T. Pinckney, R. Grimm, J. Jannotti,
Software, documentation, and additional papers are avail-
and K. Mackenzie. Application performance and flexibility able from http://www.cs.columbia.edu/˜ezk/research/fist.
on exokernel systems. Sixteenth ACM SOSP, pages 52–65,
1997.
[11] S. R. Kleiman. Vnodes: An Architecture for Multiple File
System Types in Sun UNIX. USENIX Conf. Proc., pages
238–47, Summer 1986.
[12] V. Matena, Y. A. Khalidi, and K. Shirriff. So-
laris MC File System Framework. Tech-report TR-96-
57. Sun Labs, 1996. http://www.sunlabs.com/technical-
reports/1996/abstract-57.html.
[13] J. G. Mitchell, J. J. Gibbons, G. Hamilton, P. B. Kessler,
Y. A. Khalidi, P. Kougiouris, P. W. Madany, M. N. Nelson,
M. L. Powell, and S. R. Radia. An Overview of the Spring
System. CompCon Conf. Proc., 1994.
[14] R. Nagar. Filter Drivers. In Windows NT File System Inter-
nals: A developer’s Guide, pages 615–67. O’Reilly, 1997.
[15] J. S. Pendry and M. K. McKusick. Union mounts in
4.4BSD-Lite. USENIX Conf. Proc. on UNIX and Advanced
Computing Systems, pages 25–33, Winter 1995.
[16] J. S. Pendry and N. Williams. Amd – The 4.4 BSD Auto-
mounter. User Manual, edition 5.3 alpha. March 1991.
[17] R. Pike, D. Presotto, K. Thompson, and H. Trickey. Plan 9
from Bell Labs. Proceedings of Summer UKUUG Confer-
ence, pages 1–9, July 1990.
[18] D. S. H. Rosenthal. Requirements for a “Stacking”
Vnode/VFS Interface. UI document SD-01-02-N014.
UNIX International, 1992.
[19] D. S. H. Rosenthal. Evolving the Vnode Interface. USENIX
Conf. Proc., pages 107–18. USENIX, Summer 1990.
[20] B. Schneier. Algorithm Types and Modes. In Applied Cryp-
tography, 2nd ed., pages 189–97. John Wiley & Sons, 1996.
[21] B. Schneier. Blowfish. In Applied Cryptography, Second
Edition, pages 336–9. John Wiley & Sons, 1996.
[22] G. C. Skinner and T. K. Wong. ”Stacking” Vnodes: A
Progress Report. USENIX Conf. Proc., pages 161–74, Sum-
mer 1993.
[23] SMCC. lofs – loopback virtual file system. SunOS 5.5.1
Reference Manual, Section 7. Sun Microsystems, Inc., 20
March 1992.
[24] S. Thibault, R. Marlet, and C. Consel. A Domain Specific
Language for Video Device Drivers: From Design to Imple-
mentation. USENIX Conf. on Domain-Specific Languages,
pages 11–26, 1997.

16

You might also like