►
From YouTube: June 2022 OpenZFS Leadership Meeting
Description
Agenda: DirectIO PR; ZIO taskq's for multiple pools; multiple encryption keys
detailed notes: https://docs.google.com/document/d/1w2jv2XVYFmBVvG1EGf-9A5HBVsjAYoLIFZAnWHhV-BM/edit
B
C
A
C
Go
sorry,
apparently,
my
internet
connection
is
unstable
at
the
moment,
but
I
don't
know
what
the
last
thing
you
guys
heard,
but
there
was,
there
was
one
part
we
had
talked
about
were
doing
stable
pages,
and
that
was
the
concept
of
say:
we've
taken
a
user's
buffer,
we've
met
or
pinned
it
in.
You
know
using
the
kernel
and
we're
going
to
directly
write
it
out.
Well,
they
could
still
change
the
contents
of
that
buffer.
C
Unfortunately,
after
going
down
many
kernel
rabbit
holes,
it
doesn't
seem
you
can
actually
do
that
through
the
kernel.
The
main
trouble
comes
in
with
the
users
pages,
possibly
being
anonymous
pages,
which
is
commonly
what
they
would
be.
So
this
just
means,
like
the
pages
aren't
backed
by
a
file
or
anything
so
like
if
they
malek
put
fill
them
up
and
send
them.
C
There's
no
way
in
the
kernel
to
write,
protect
the
page
table
entry
of
anonymous
page
at
least
no
way.
I
could
figure
out
how
to
do
so.
That's
very
unfortunate.
So
what
I
wound
up
doing
instead
is
I
added
a
module
parameter,
specifically
just
cio
direct
write,
verify
and
what
it
does
is.
If
this
is
enabled
it's
another
stage
in
the
cio
pipeline,
so
right
before
it
goes
to
say:
okay,
let's
update
the
block
pointer
in
the
done
function,
because
we've
successfully
committed
this
out.
C
If
you
get
a
checksum
failure
there,
it's
like
no,
don't
do
that.
This
is
failed
and
what
I
wind
up
doing
is
sending
a
z
event
or
z.
You
know,
so
it
can
be
seen
that
way
and
also
added
as
equal
status,
lowercase
d,
and
you
can
see
these
checks
on
verify
failures
that
happen
there,
but
it's
never
committed
to
disk.
In
that
case,
it's
just
like
no
something
changed,
and
so
we're
not
going
to
do
this
anymore,
so
it
just
bails
out
and
returns
the
en
val.
A
C
Else
exactly
yeah,
so
I
mean
it's
least
a
safety
net.
In
there
and
again
the
the
cool
thing
is,
I
know
one
concern
we
had.
Is
you
know
if
you
do,
if
a
user
does
unintentionally
manipulates
it
and
it
writes
it
out,
there
is
the
idea.
Well,
you
have
a
checks
on
failure.
You
go
to
read
it.
It's
like
hey,
something's,
all
wrong
here
and
there's
no
real
way
to
coordinate
that
back
to
what
caused
this
is
it.
C
C
C
C
C
D
C
C
C
C
C
D
D
A
A
C
C
A
A
G
C
C
A
You
could
have
the
same
checksum
before
and
after,
but
in
the
middle
it
had
some
other
value.
That
is
not
the
value
that
was
checksum,
so
I
mean
maybe,
given
that
you
know,
maybe
it
doesn't
make.
Maybe
the
e
in
val
does
make
sense,
because
you
know
we're.
We
can't
guarantee
correctness
right
in
the
face
of
concurrent
stores.
We
can
just
try
to
detect
some.
A
You
know
modifications
and
you
know
maybe
what
you
so
given
that
you
know.
Maybe
what
you
do
is
you
say
for
the
question
it
should
be
on
or
off
by
default.
Maybe
it's
maybe
it's
not
on
or
off
by
default.
Maybe
this
is
probabilistic
and
you
say
the
default
is
we're
going
to
check
one
percent
of
all
of
your
rights
or
you
know
some
percent,
so
we're
gonna
double
check
some.
A
You
know
one
percent
of
your
rights
and
then
let
you
know
if
you're
doing
the
wrong
thing
right.
The
requirement
still
continues
to
be
like
you
have
to
not
modify
it,
but
we're
just
going
to
give
you
like
a
little
bit
of
a
double
check
so
that
you
know
you
know
you're
not
get.
If
you
check
some
error
later
on
and
you
see
that
the
counter
was
bumped,
then
you
know
that,
like
the
application
probably
is
doing
bad
things
and
if,
if
the
counter
is
not
bumped,
you
don't
really
know
for
sure
either
way.
A
Of
being
on
all
the
time,
but
you
don't
have
the
advantage
of
if
we
have
it
off
by
default,
no
one
will
ever
turn
it
on
yeah,
like
you
have
the
performance,
the
performance
would
be
probably
negligible
performance
impact
of
doing
it.
One
percent
of
the
time
would
probably
be
negligible,
and
that
way
you
have
at
least
some
chance
that
people
who
are
just
using
it
like
naive.
The
concern
is
naive.
Users
right,
like
naive
users,
are
like,
oh
great,
like
oh
direct.
A
Let's
like
let's
go
direct
it
that'll
make
things,
go
faster
right,
like
everybody
on
the
internet,
says
user
directs
make
things
go
fast.
They
don't
know
what
they're
talking
about
they
don't
know.
They
may
not
even
know
that
you're
using
zfs
or
whatever,
but,
like
I
read
some
advice
on
the
internet.
That
says
oh
direct
means
go
fast,
so
I'm
going
to
use
odirect
and
then
like,
and
then
you
know
a
month
later.
Oh
zfs
is
just
full
of
trucks
and
errors.
My
discs
are
fine.
A
Every
like
this
is
all
broken
right,
and
so
we
want
to
like
have
some
kind
of
safeguard
for
those
naive
users,
which
is
why
I
think,
having
some
kind
of
verification,
maybe
not
100,
of
the
time
verif
like
double
check
some,
maybe
it's
one
percent.
Maybe
it's
10,
like
I,
don't
know
some
kind
of
verification
for
those
naive
cases
so
that
at
least
then
like,
if
we
get
inundated
with
like
zfs,
says
unexplained
check
some
errors.
We
can
be
like
hey
check
this
count.
A
C
A
A
A
E
The
question
is
like
how
much
absolute
overhead
do
you
get
with
a
checksum
because,
like
if
you
look
at
it
in
a
latency
histogram,
then
say
a
50
50
split
and
we'll
have
one
peak
at
the
latency
without
doing
the
extra
checksum
and
one
pic
the
other
one.
So
if
you
have
you're
doing
something,
latency
critical,
you're
gonna
end
up
with,
like
always
assuming
that
you're
check
something
right
so
on
average,
on
average
matt
you're
right.
But
if
you
care
about
like
p
and
90
whatever.
E
A
E
A
C
G
E
A
A
Since
you
know
we're
we're
still
like
it,
this
doesn't
the
tunable
doesn't
control
any
kind
of
correctness
behavior.
What
the
expected
interface
is.
It's
just
like
you're
always
required
to
not
do
stores
on
direct
like.
While
you
have
a
direct,
I
o
right
in
progress
and
we're
just
doing
a
little
double
check
for
you.
A
If
you
get
it
wrong,
then
what's
going
to
happen,
is
you're
going
to
get?
Is
that
like
the
right
will
succeed
and
when
you
go
to
read
it
you'll
get
a
check.
Some
error
so,
like
you,
told
us
to
write
this
data,
but
you
can't
actually
read
it
back,
so
you
know
we're
just
trying
to
help
you
not
get
we're
trying
to
help.
You
know
when
you
might
be
in
that
circumstance.
A
G
G
G
A
D
C
A
E
It
okay,
the
problem
is
ultimately
that
we
don't
attach
to
the
block
on
disk
or
the
block
pointer
that
points
to
the
block
whether
the
block
has
been
written
by
o
direct
or
not.
If
we
had
that
bit
of
information,
then
we
could
like
surface
to
check
some
errors
in
the
correct
way
differentiate
between
all
that.
E
A
A
Yeah
and
if
we
wanted
to
do
that,
I
suppose
the
way
we
could
do
that
was
the
the
per
data
set
feature
flag
activation
thing
like
we
did
for
z,
standard,
where
you
know
we
flag
a
data
set
as
soon
as
any
block's
ever
been
born
that
use
direct.
I
o
for
write
and
we'd,
be
like
you
know.
If
you
get
to
check
some
error
here,
maybe
it
means
something,
but
I
don't
know
if
that
makes
sense.
A
In
my
opinion,
I
think
it'll
be
sufficient
to
do
the
you
know
because,
like
we're
saying
you
know
applications,
you
know
they
they
wouldn't
have
deterministic
behavior.
If
they
were
doing
this
thing,
if
they
were
doing
the
concur
modification
today
so
like
they
are
very
likely
to
not
be
doing
that,
and
so
you
know
we
can
just
kind
of
assume
that
that
is
fine,
but
we're
you
know
like
in
zfs.
We
try
to
go
above
and
beyond.
We
have
checksums.
A
A
That's
like
don't
verify
like
don't
verify,
checksums
on
read,
and
so
that
would
let
you
like.
If
you
ran
your
application,
you
did
these
rights
and
it
did
the
concurrent
modifications
now
you're
like
oh
I'm
getting
checked
some
errors,
my
data,
isn't
there
I'm
so
sad,
we
could
say
well,
you
can
set
this
this
tunable
to
just
say
like
ignore
the
checksum
error
and
give
you
the
bad
give
you
the
data
that
is
inconsistent,
which
is
just
as
good
as
what
other
file
systems
are
doing.
A
E
A
E
Throwing
in
this,
so
there
is
actually
like
a
practical
concern.
For
example,
if
you
use
service
and
receive
somewhere,
I
think
I
think
if
we
encounter
it
check
some
error
doing
zeros,
then
we
stop
the
send
right.
I
don't
know
whether
there
is
a
flag
to
tell
it
to
send
corrupted
data
there
isn't
there
is
yeah
yeah
yeah.
A
Anyways,
I
think
that's
kind
of
not
required,
but
be
something
nice
if,
if
if
this
is
even
at
all
like
relevant,
I
mean-
hopefully
none
of
this
is
irrelevant
and
we're
just
like
going
the
extra
mile.
That
is
not
really
required,
but
I
think
especially
given
that
you've
already
implemented
this.
The
like
double
check
sum
checking
and
all
that
stuff
keeping
it
in
and
having
it
on.
C
Okay,
yeah
and
it
seems
like
the
count
I
mean,
makes
sense
and
we
can
just
set
a
default
of.
I
don't
know
100
or
something
yeah
and
just
I
mean
I'll,
have
to
go
back
and
update
the
code,
obviously
to
increase
the
counter,
but
that's
not
hard,
it
changed
the
module
forever.
I
mean
just
to
make
sure
it
makes
sense
yeah.
C
A
C
A
A
A
A
C
A
C
A
And
I
mean
maybe
the
output
would
be
like
decompressible,
but
just
give
you
the
wrong
results
right,
yeah
and
the
checksum
would
be
right
and
you'd
be
like
great,
like
it
checks
them
correctly.
Here
are
the
results?
Here's
here's
your
data
back
and
it's
just
like
it's
it's
neither
the
it's
it
like.
It
is
no
version
of
the
correct
data.
It's
not
like.
We
got
your
data
as
of
some
point
in
time.
It's
just
like
completely
mangled,
because
the
compression
decompression,
like
you
know,
lost
its
brain.
F
D
A
D
A
C
A
A
C
A
C
G
G
A
I
think
that
we
should
just
change
that
to
say
you
know
we
always
make
the
copy,
and
maybe
the
way
to
do
that
is
like
in
this
code
path,
rather
than
using
abd
bar
above
copy.
You
use
like
the
abd
iterate
function
and
do
the
copy
ourselves
it's
like.
We
know.
We
definitely
know
that
a
copy
was
made
because,
like
we
allocated
the
buffer,
we.
C
A
C
F
A
C
C
C
A
G
C
C
So
yeah,
I
think
that
was
the
only
major
things
I
had
with
it
and
obviously,
like
you
know,
in
reviews
people
look
at
it
and
taking
it
for
a
test
driving,
I
mean
again,
I
feel
pretty
good
about
the
linux
side.
Making
these
modifications
makes
100
sense
and
yeah
if
we
just
get
anybody
to
look
at
that,
one
lingering
error
and
again
I
have
a
branch,
my
own
branch-
I
can
point
them
to
it's
like
hey
run
this
there's
the
message:
output,
at
least
to
show
where
the
failure
is
starting
to
occur.
A
A
All
right
next
agenda
items,
zio
task,
you
scaling
from
multiple
pools
yeah
that
was
mine,
so
we
have
a
tunable
zeo
task.
You
batch
percent
defaults
to
75
percent
and
defines
how
many
threads
we
do.
The
zio
processing
on,
which
is
the
bulk
of
that
is
compression
and
checksums
and
things
of
that
nature.
A
So
it
defaults
to
75
of
your
cpu
course
the
idea
being
to
leave
some
system
time
left
over,
so
that,
if
you're
writing
to
a
highly
compressed
data
set
or
something
that
you
know
your
system's
not
going
to
not
be
responsive
because
all
the
threads
are
busy
doing
compression
the
problem.
Is
we
create
that
many
task
queues
for
each
pool?
A
So
if
you
had
two
pools-
and
you
say
where
zfs
sending
from
one
and
receiving
to
the
other
you'd
be
using
a
hundred
and
fifty
percent
of
your
cpu
cores
for
decompression
and
compression,
if
you
were,
you
know,
I
think
the
user
was
reading
from
a
pool
that
was
jesus
compressed
and
writing
to
one
that
was
it's
standard
compressed
or
you
know.
In
other
examples,
you
know.
A
Has
seven
pools,
then
that's
a
lot
more
threads
than
they
actually
have
cpus
yeah
is.
Did
you
have
a
solution
proposed
for
this?
I
was
curious.
What
other
people
thought
the
right
thing
to
do
there,
like
with
the
dynamic
mode
that
we
have,
we
could
try
to.
You
know
lower
the
number
of
threads
per
pool
when
you
add
more
pools,
but
you
know,
sometimes
people
have
some
pools
that
aren't
busy
and
some
that
are
and
then
how
does?
A
D
A
A
Like
I
mean
you
know,
they're
work,
stealing
and
whatnot,
but
like
more
or
less
it's
like
more
or
less
fifo.
So
I
would
think
that
the
fairness
would
be
reasonable.
My
concern
is
with
like
there's
dependencies
because
like
right
now
you
know
you
can't
have
dependencies
from
one
or
what
is
it
like
within
one
ta
within
one
zero
type
like
say
reads:
you
can't
have
a
read
that
depends
on
another
read
you
can
ever
read.
That
depends
on
the
right
or
right.
That
depends
on
a
read
because
those
are
different
task.
A
A
A
A
D
Yeah
and
for
like
a
customer
like
that,
I
mean:
did
you
get
a
sense
for
what
they
would
like
to
see
like?
Would
they
want
to
see
all
the
pools
like
reduced
the
number
of
like
right
threads
or
are
they
wanting
something
like?
Oh,
I
have
these
three
pools
that
are
more
critical,
so
I
really
want
them
to
have
more
cpu
than
the
other.
You
know
four
pools.
A
In
this
seven
pool
case
they're
all
the
pools
of
equal
importance
to
them,
but
I
can
definitely
see
that
being
for
other
people
yeah,
I'm
almost
thinking
like.
Should
we
have
a
z-pool
property
that
controls
this
and
then,
if
it's
not
set,
we
default
back
to
the
system-wide
tunable
or
something
and
does
that
make
sense,
or
does
that
not
make
sense?
A
Yeah,
that's.
This
is
just
the
zio
batch
test
queue.
That's
not
even
mentioning
the
you
know.
We
got
what
the
read
normal
and
read
high
priority
issue
and
interrupt
and
then
all
those
for
write
null
ioctl,
etc.
Yeah
I
mean
I
think
that
there's
not
an
obvious
solution
here.
If
you,
you
might
try
making
it
a
system-wide
task,
you
rather
than
per
pool
and
like
see
if
that
seems
to
work.
A
Yes,
the
other
option
is
making
that
tunable
more
dynamic,
so
you
can
change
it
at
runtime
and
just
lowering
the
you
know
when
it's
the
dynamic
task
you
code
goes
to
be,
like
you
know,
should
I
spawn
more
if
you're
like?
Actually
I'm
over
my
quota,
I
should
shut
down
test
queues
as
they
become
idle
or
before,
like.
B
Yep,
so
I
was
looking
at
basically
the
user
facing
documentation.
What
not-
and
it
looks
like
the
the
cleanest
way
to
do
this
from
the
user's
perspective,
would
be
to
use
the
at
notation
on
the
properties
and
have
multiple
slots.
So
you
would
have
like
key
format
at
zero
at
one
et
cetera
for
slot
zero
slot,
one
for
different
user
keys
and
obviously
all
that
would
be
stored
in
the
metadata
and
we'd
just
wrap
the
encryption
key,
multiple
different
times,
which
is
similar
to
what
we're
doing
now.
B
A
A
A
F
F
And
what
can
happen
is
that
you
can
have
an
arc
right
that
happens
and
dumps
out
the
buffers
while
it's
going
through
arcread.
Well,
it's
debuff
right,
which
calls
are
great
but
anyway,
and
so
you
can
be
trying
to
do
a
read
on
one
of
the
buffers
while
somebody
has
temporarily
said
it
to
null
and
your
life
is
very
sad.
F
The
p,
a
b
d
and
r
e
b
d
in
arc,
buff
header,
get
set
to
null
temporarily
while
going
through
the
path
of
arc.
Right
ready
are
great,
are
great
done
and
they
don't
really
check
much
before
they
do
that.
They
just
said
it
so
like
it
sets
it
to
null
in,
I
think,
ready
or
so
and
then
change
and
fixes
it
in
done.
A
F
F
D
D
F
F
F
F
A
I
think
we're
almost
at
the
end
of
the
meeting
time.
I
wanted
to
just
mention
that
we're
we're
still
working
on
planning
the
open
zfs
conference,
we're
looking
at
dates.
It
looks
like
it
might
be
in
early
november,
we're
we're
still
trying
to
plan
an
in-person
conference,
as
folks
have
indicated
from
the
last
meeting
and
we're
still,
the
opportunities
are
still
available
to
help
out.
If,
if
anybody
can
help
with
the
planning
and
logistics,
that
would
definitely
be
appreciated.
A
So
looking
forward
to
seeing
you
all
in
the
fall
and
hoping
that
kovud
will
be
calm,
then
in
the
meantime,
the
next
meeting
will
be
in
four
weeks,
which
is
july
19th.
We
delphics
folks
have
a
company
event
during
that
time.
So
I
think
we
might
not
be
some
folks
might
not
be
able
to
attend,
then
brian
or
brian
ballendorf.
Would
you
be
available
to
lead
the
meeting
on
that
time
on
the
19th.