Sharing `lfs.storage` locations between distinct repositories.

[ruro]

See the discussion in issue #3635 for more context. But here is a short summary:

The lfs.storage config option allows the user to set a shared global location used to store lfs blobs.

lfs.storage is a way you can place the storage for your LFS data on a different disk or location

The current implementation of lfs.storage however, has a serious drawback in that it doesn't work correctly with git lfs prune. Attempting to prune a repository, which shares its lfs.storage with another repository, will result in data loss as the pruning repository will treat all "foreign" blobs as regular dangling blobs and thus delete them.

---

I hope to discuss 2 problems in this issue:

1. Documentation/Safety

If I didn't miss anything, the above problem is mentioned in the documentation in 2 places.
man git-lfs-prune:

DESCRIPTION
       ...
       Note:  you should not run git lfs prune if you have different repositories sharing the same custom storage directory; see git-lfs-config(1) for more details about
       lfs.storage option.

and
man git-lfs-config:

LIST OF OPTIONS
   ...
   Other settings
       ...
       ○   lfs.storage
           Allow override LFS storage directory. Non-absolute path is relativized to inside of Git repository directory (usually .git).
           Note: you should not run git lfs prune if you have different repositories sharing the same storage directory.
           Default: lfs in Git repository directory (usually .git/lfs).

Both notes say basically the same thing. In my opinion, they are inadequate, considering that missing this will most likely lead to data loss.

• These should WARNINGs, not Notes.
• The text should explicitly state, that this will lead to data loss. you should not run is way to ambiguous.
• An extra warning should be added to the VERIFY REMOTE section in git-lfs-prune, explicitly stating that the checks/guarantees given by --verify-remote don't apply in this case.
• The description of VERIFY REMOTE should also mention that the guarantees given by --verify-remote only apply to the files that are currently tracked by the current repository, and that orphaned or untracked lfs blobs will still be always deleted even if they don't exist in the remote.

Additionally, it's very easy to forget about this problem or accidentally run a prune command in the wrong repository. I think, that you should consider adding some runtime safety nets for running lfs prune, when lfs.storage is set. At least, print a WARNING to the tty and wait before deleting the blobs, if lfs.storage is set to an absolute path. Preferably, completely refuse to run a prune in such a case, unless a --force option or something is specified.

2. Better lfs.storage

Here's a relatively simple proposals on how to improve lfs.storage. Introduce a new lfs.storage_prefix option. Setting it would be equivalent to setting lfs.storage to {lfs.storage_prefix}/{unique_repository_identifier}, where unique_repository_identifier would be some string, which is unique for every repository. For example, it could be

• an absolute path to the repo with all the / replaced with %
• the string specified in a .git/lfs_uuid file which would be generated on the first lfs operation inside the repo

This would allow the user to specify a centralized location for their lfs storage without compromising the ability to prune it. Unfortunately, this solution doesn't allow for the deduplication of blobs, but that is much harder to implement without storing extra meta information for every blob in the storage.

[KalleOlaviNiemitalo]

I am glad that @ruro's proposal preserves the ability to deduplicate blobs by configuring the same lfs.storage directory for multiple repositories (or multiple clones of the same repository). Doing so may cause git lfs prune to delete blobs that are still referenced by other repositories, but that is not a problem for build agents that are designed to never push any blobs to Git LFS servers anyway.

[bk2204]

Hey,

I definitely think we can improve the documentation here to make things better and more obvious that this is unsafe. So I'm on board with that.

I don't think we can use a per-repository UUID to identify repositories with your lfs.storage_prefix proposal, because people can and do copy bare Git repositories around (and even worktrees) and expect that to work. That is at least unofficially supported by Git upstream, and so that proposal wouldn't be viable, since it wouldn't guarantee that storage was unique.

It is, of course, possible for users to specify lfs.storage on a per-repository basis inside the .git/config file, and using a UUID can be an effective technique for that.

[ruro]

I have 2 problems with manually using lfs.storage on a per-repository basis:

• You have to set it up manually for each repo instead of configuring it once in a global config and forgetting about it.
• AFAIK, there is no way to set a per-repository lfs.storage location before cloning a new repo or populating a submodule.

I currently have 41 different repositories, not counting submodules (which I also use a lot) cloned on my laptop. Not all of them use LFS, but a lot do. I also frequently clone new repositories and delete old ones. Manually configuring each one of them is not really a viable solution, IMO.

---

people can and do copy bare Git repositories around (and even worktrees) and expect that to work

I don't really understand, what is the problem here. If you are worried that copying/moving a git repo will "loose" the link to the corresponding LFS storage, then this can be easily avoided with the second proposed UUID strategy (saving the generated UUID path to the .git directory). Actually, this can be further simplified by just automatically populating the .git/config file.

Consider the following:

0. If lfs.storage is set, do whatever the current implementation does.
1. Otherwise, if lfs.storage_prefix is set, initialize the lfs.storage setting in the .git/config of the current repository.

   [lfs]
       storage = "{lfs.storage_prefix}/{unique_repository_identifier}"

   We can discuss on how to better generate the {unique_repository_identifier} later.
2. After step (1), every subsequent lfs operation in this repo will see that the per-repository lfs.storage is already set in step (0), making the repo indistinguishable from the one, which was manually configured to use this lfs.storage.
3. Moving or copying this repo will also move or copy the .git/config file, preserving the link to the same lfs.stoarge location (this is also how lfs.storage currently works).

---

Some options on how to generate the unique_repository_identifier:

• %-separated path (so %home%user%projects%the_repo, this is how vim stores undo files)
• %-separated url of the default remote
• the last directory name, that isn't .git (so for a/b/c/.git it will be c)
• any of the above but if {lfs.storage_prefix}/{unique_repository_identifier} already exists, append _1, _2 etc to the identifier
• just a plain random UUID

There are some pros and cons to each of these, so I am open to discussion.

[bk2204]

I have 2 problems with manually using lfs.storage on a per-repository basis:

* You have to set it up manually for each repo instead of configuring it once in a global config and forgetting about it.

* AFAIK, there is no way to set a per-repository `lfs.storage` location before cloning a new repo or populating a submodule.

git clone -c lfs.storage=/media/data/lfs/name https://github.com/owner/name should work. I agree that it's not especially convenient.

people can and do copy bare Git repositories around (and even worktrees) and expect that to work

I don't really understand, what is the problem here. If you are worried that copying/moving a git repo will "loose" the link to the corresponding LFS storage, then this can be easily avoided with the second proposed UUID strategy (saving the generated UUID path to the .git directory). Actually, this can be further simplified by just automatically populating the .git/config file.

No, my point is that those are now separate repositories and shouldn't share storage. Otherwise, someone can copy the repository to another place on the disk and then run git lfs prune and you've lost data. That's the specific problem you want to avoid, right?

Some options on how to generate the unique_repository_identifier:

* `%`-separated path (so `%home%user%projects%the_repo`, this is how `vim` stores undo files)

Using an encoded path runs into filename size limits.

* `%`-separated url of the default remote

* the last directory name, that isn't `.git` (so for `a/b/c/.git` it will be `c`)

These are likely to cause problems if the user has cloned the same repo multiple times.

* any of the above but if `{lfs.storage_prefix}/{unique_repository_identifier}` already exists, append `_1`, `_2` etc to the identifier

I think this might be possible.

* just a plain random UUID

This is too easy to copy with the repository and duplicate the storage, leading to data loss.

What I'd really like to do is just use a hash of the canonical path, which has none of the above problems, but that unfortunately doesn't work on case-insensitive file systems, since it isn't possible in Go to get a canonical pathname including the proper case and case folding can't be correctly done outside the kernel.

[ruro]

No, my point is that those are now separate repositories and shouldn't share storage. Otherwise, someone can copy the repository to another place on the disk and then run git lfs prune and you've lost data.

But that's how it currently works with user-defined lfs.storage in .git/config anyway. Without significant changes to the lfs.storage mechanism itself (like storing "owner" repo metadata for each blob or something), I am pretty sure, that it's literally impossible to solve this particular problem in the general case.

If you think, that reworking the core lfs.storage mechanism to allow sharing between repositories is warranted, then I am open to further discussion. My original proposal, however, was based on the assumption, that significant changes to the lfs.storage mechanism won't be accepted and so a "lesser of 2 evils" approach had to be taken.

Assuming, that we are engineering a "simple" solution, there are basically 2 options, either:

1. Moving/copying a repository doesn't change the lfs.storage (so the lfs.storage location is somehow tied to the state of the .git repository)
2. Moving/copying a repository also changes the associated lfs.storage (probably based on the canonical path or its hash)

Option (1) has a small drawback that copying a repository will create 2 repositories, which share the lfs.storage, as you've
already pointed out. However, this is a much smaller issue in my book, because this type of sharing is guaranteed to be between "same" repositories (in the sense, that they share most of their history). Sure, the user may still accidentally destroy some of their data by creating unpublished changes in the copy and then running git lfs prune in the original repo, but I don't find this to be that big of a problem as long as sufficient documentation/warnings are employed.

Option (2) sounds reasonable at first glance, until you realize that in this case, moving the repository to a different location will effectively nuke all the lfs data from the POV of the moved repository. You can kind of mitigate this issue by allowing copied repositories to have read-only or copy-on-write access to the original lfs.storage location, but this doesn't actually fully solve the issue, since running a git lfs prune in the original repository (which doesn't know, that it has been copied from) will still result in potential data loss, like in Option (1). Additionally, this copy-on-write strategy will result in the duplication of the lfs.storage each time the repository is moved.

Given the above comparison, I came to the conclusion that although option (1) isn't 100% foolproof, it's an acceptable compromise.

---

That's the specific problem you want to avoid, right?

Not quite. I want to solve the problem, where git lfs prune is unusable together with lfs.storage (unless you micromanage per-repository lfs.storage configs). Which in turn makes lfs.storage itself unusable in the long term, since the storage size keeps growing with no way to safely prune it.

This is too easy to copy with the repository

See my earlier point, but that was exactly the intention in all the above options. The proposed lfs.storage_prefix option should mostly be thought as a convenient way to automatically initialize per-repository lfs.storage configuration. The "you should not run git lfs prune if you have different repositories sharing the same storage directory." warning would still apply. The difference would be that unlike setting lfs.storage in ~/.gitconfig, setting lfs.storage_prefix in ~/.gitconfig won't leave you with "different repositories sharing the same storage directory" unless you do it yourself, sidestepping the issue somewhat.

---

hash of the canonical path

My original intention for pushing the %-separated path, %-separated remote url and the directory name options is that it makes the contents of the lfs.storage_prefix directory easily interpretable for humans. With human-readable names, you can

1. find out which repositories use lfs at all (assuming non-lfs repositories don't touch their storage)
2. compare how much storage does each repos lfs.storage take up
3. clean up lfs.storages of the repositories, which you have already deleted

Of course, you may be able to do (1,2) with git lfs env or something, but it's more complicated than it needs to be, assumes that you know where are all the git repositories in your system and (3) doesn't seem to be possible at all.

[Calrathan]

What about allowing users to do a 'mark' pass in each repo that shares the lfs.storage, for a "mark and prune" operation to clean up their storage location? The workflow would be:

c:\git\repo1> git lfs mark keyword
c:\git\repo2> git lfs mark keyword
c:\git\repo3> git lfs prune keyword

You collect the list of files that shouldn't be pruned into file based on the hash of 'keyword' which aggregates files to not prune across the repos, and then the prune pass will just retain the files listed (and valid for the current repository). It gives the user the ability to prune their shared lfs.storage safely.

Additionally, if using lfs.storage from a repo would somehow register the source repo's path you could also make git lfs prune provide a warning if git lfs mark hadn't been called from that repo.

[bk2204]

That is unfortunately subject to a variety of race conditions. Starting from the first mark operation, every repository which shares that storage must be completely quiescent, or there will likely be data loss. That race condition is why Git doesn't prune objects immediately.

[Calrathan]

Sure, but the prune operation is already subject to data loss while using lfs.storage. While the users would have to ensure that nothing else touched the repos in question between these operations, wouldn't this approach at least provide the opportunity for people to solve the problem of the shared lfs.storage growing unbounded?

[bk2204]

Right now, we wouldn't recommend using shared lfs.storage at all. Any situation where we would be willing to include that as an acceptable use case would involve a robust solution where users don't need to worry about accidental data loss.

What that might look like is a shared directory with hard links into individual locations on a per-repo basis, but I haven't thought much about this particular design beyond that. That would be an incompatible change in the behaviour of lfs.storage, since it wouldn't all be placed in the same location, so dealing with that would also be a consideration we'd need to address.

[DanboDuan]

These are likely to cause problems if the user has cloned the same repo multiple times.

I think unique_repository_identifier should be the same for the same repo. thus {lfs.storage_prefix}/{unique_repository_identifier} would be the same for the same repo with multiple times cloning, and caches will be shared for those multiple times cloning, and then this would save time for git lfs checkout files

[CarterAtClay]

Just want to +1 and bump this since being able to reliably share an lfs.storage location (or equivalent new feature if needed for compatibility reasons) for multiple repos can save us literally hundreds of gigabytes of local storage space and server egress for our use-case. We have many repos and significant overlap in LFS files between them (submodules or a monorepo may also help with this, but those have their own problems).

Is there any workaround for not being able to prune safely? If I happen to know where all the repos that share storage are, know all changes have been pushed to the remote, and am not concerned about race conditions etc, could I write a script that cross-references the repos and manually prunes?