hoakley October 8, 2020 Macs, Technology

Inside the file system: 3 APFS containers and volumes

The previous articles in this series have explained the basic division of storage into partitions, with a GUID partition table, then outlined the current implementation of Apple’s older file system HFS+. This concluding article attempts to do the same for the replacement for HFS+, Apple File System or APFS. In writing this I have been constrained by the limited information provided in Apple’s documentation.

Whereas HFS+ is implemented as a file system straight into a GPT partition, so placing a single volume in each partition, APFS adds the intermediate of a container, within which there can be multiple volumes, each containing its own file system and sharing the same space within the container. This causes great confusion in terms: for the sake of clarity, in the rest of this article I will avoid referring to partitions as much as possible, and use the APFS terms of container and volume.

Container

An APFS container stores all the higher-level information which is common to the file systems within it. These include the volume metadata, snapshots, and provision for space management and crash protection.

Several copies of the container superblock are held at any time, which includes copies from the immediate past. The first copy in a container is primarily used to locate the Checkpoint area, where other copies are held, and the most recent of those can then be accessed to get a contemporary view of the container and its data.

The container also holds the EFI Jumpstart, an embedded EFI driver which is used to boot a Mac from that container. This also contains the location of other container structures, with a container object map and a list of volumes.

The Checkpoint area contains a record of in-memory state together with a copy of the container superblock at that moment. It stores ephemeral objects to provide protection in the event of a crash.

Each APFS container has exactly one instance of the Space Manager. This is a major feature of APFS which keeps track of free space within the container, allocating and freeing storage blocks on demand. It contains bitmaps which it uses to record and manage free space.

A container also has exactly one instance of the Reaper, which manages the deletion of objects which are too large to be deleted between file system transactions. This tracks the deletion state of those large objects so they can be removed across multiple transactions.

Volume

An APFS volume contains file system directory structures, file metadata and file content. Each has its own superblock, which contains the location of the root file system tree, the extent reference tree, and the snapshot metadata tree, as well as the volume object map. The trees used are, as in HFS+, B-trees. For example, a directory in the file system consists of an inode record, several directory entry records, and an extended attributes record.

Volumes can have roles assigned, of which the most important for macOS are the System and Data roles used to compose a Volume Group in macOS 10.15 and later. If a version of APFS finds such a backward-incompatible feature which is used by any volume, then Apple’s instructions are that volume mustn’t be mounted.

Objects stored on disk are never modified in place, a major departure from HFS+. Instead, a copy of the object is modified and written out to a new location on disk – this is the overriding principle of copy on write which applies both to objects being stored by the file system, and within the file system itself.

There is also provision to protect the file system during the lengthy process of encryption. While a volume is being encrypted, the file system maintains a special recovery block which is used to recover following any system crash which might otherwise result in corruption.

Checks and repairs

The rather fragmentary information above should enable better understanding of the log returned by First Aid in Disk Utility:
Volume was successfully unmounted. Performing fsck_apfs -y -x /dev/rdisk6s1 Checking the container superblock. Checking the space manager. Checking the space manager free queue trees. Checking the object map. Checking volume. Checking the APFS volume superblock. The volume ThunderBay3 was formatted by diskmanagementd (1412.81.1) and last modified by apfs_kext (1412.141.1). Checking the object map. Checking the snapshot metadata tree. Checking the snapshot metadata. Checking the extent ref tree. Checking the fsroot tree. Verifying allocated space. The volume /dev/rdisk6s1 appears to be OK. File system check exit code is 0. Restoring the original state found as mounted.

For each volume checked, the following container areas are checked first:

container superblock
Space Manager
object map.

Those same areas are also checked when a container is selected for First Aid.

After those, the following areas of the volume are checked:

volume superblock
volume formatting and modification, giving the names of tools and build numbers used
object map
snapshot metadata tree and metadata
extent reference tree
root file system tree
allocated space.

I hope this casts a little more light on what is going on in APFS.

Unfortunately, at present Apple’s documentation of APFS is far from complete, hampering attempts to develop third-party repair tools. Although some are starting to appear, fsck_apfs, either called directly or through Disk Utility, remains the gold standard. Data recovery services are similarly struggling to tackle the more hopeless cases.

Reference

Apple File System Reference (PDF)

25Comments

Add yours

1

EcleX on October 8, 2020 at 1:42 pm

Many thanks! So, to fully check a disk with “Disk Utility – First Aid”, the disk should be checked (takes a couple of seconds or so!) first, then the container, and then the volumes in such order. But since checking the container also checks the volumes inside, checking the volumes is redundant, and not required if the container has been already checked. Is that correct?

LikeLiked by 1 person
- 2
  
  hoakley on October 8, 2020 at 3:19 pm
  
  Well, there’s something you shouldn’t forget here. Clicking on the First Aid button doesn’t just check the selected item, it automatically tries to repair any errors which it might find. Disk Utility currently has no option just to check disks, containers, or volumes.
  If you want to check and repair the disk, i.e. the partition table etc., then select the disk and click on First Aid.
  If you want to check and repair all volumes and the enclosing container, then you have two options. You can either select the container, which in my experience invariably leads to failure unless you manually unmount all its volumes, or you can select each volume in turn, which seems more reliable at unmounting and remounting. Except that if you want to check volumes on the startup disk, then you should restart in Recovery mode and do it from there instead.
  You don’t need to check and repair both the container and the volumes within it: either will suffice. However, if one results in any repairs, then performing the other will check that those repairs have taken correctly.
  If you’d rather not have the items repaired automatically, then you’ll need to use fsck_apfs directly, with the -n option.
  Howard.
  
  LikeLike
  - 3
    
    EcleX on October 8, 2020 at 4:25 pm
    
    Thanks for the comprehensive reply. Four questions:
    
    1. Do you mean
    fsck_apfs -n -l -x /dev/rdisk1s1
    or similar from Terminal (in Recovery mode or booting from other disk)?
    
    BTW, an article about how to use fsck would be also great! Just a suggestion for your consideration.
    
    2. On the other hand, I think that safe mode performs extra checkings/repairs, different than the ones made by Disk Utility or fsck. In such a case, is it enough to reboot into safe mode, or should the Mac be turned off, and then cold booted into safe mode?
    
    3. In relation to topic 2 above, is it enough to boot into safe mode until the login window whows, and then reboot normally, or is it better to login as safe mode, and then reboot normally?
    
    4. Finally, you said that third-party repair tools are starting to appear. Do you mean TechTool Pro 13 (Micromat)? The other two that I know are DiskWarrior 5 (Alsoft) and Drive Genius (Prosoft Engineering), yet nonee of them can check/repair APFS disks.
    
    Thanks again for all.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on October 8, 2020 at 5:52 pm
      
      Thank you.
      1. No. I mean the command that you require, and that’s not easy to work out. For example, neither the man page nor the usage info include an -x option, although Disk Utility refers to it. I’d love to write about it, but as it’s largely undocumented, and working out what it does for each option isn’t straightforward, I have to await better information from Apple.
      2. I’ve looked at what Safe mode does and doesn’t do in 10.15 in this article. And that no longer includes fscking any disk or volume, neither does it check snapshots, which used to happen in High Sierra and Mojave.
      3. In order to benefit from Safe Mode, you have to boot into it fully. See that article for details.
      4. I know of TechTool Pro which claims to have started to do this, although whether it just uses fsck_apfs I don’t know. There’s also at least one file recovery tool which works on APFS, but I found too laborious and tedious to use in real life, but it can recover a lot of a damaged disk if you really have to, and can’t afford a data recovery service. There may also be others that I don’t know about.
      Howard.
      
      LikeLike
5

EcleX on October 8, 2020 at 6:57 pm

Thanks.

2. I understand then that safe boot repairs different things than Disk Utility. I wonder if utilities like Cocktail do the same than safe boot.
https://www.maintain.se/cocktail/

4. Do you mean R-Studio or UFS Explorer Professional Recovery?
https://www.r-studio.com/data_recovery_macintosh
https://www.ufsexplorer.com/ufs-explorer-professional-recovery.php

LikeLiked by 1 person
- 6
  
  hoakley on October 8, 2020 at 10:45 pm
  
  2. Safe boot does not repair file systems or disks at all in Catalina. Not at all. If Cocktail performs any disk checking, then it will through fsck.
  3. I don’t recall whether it was either of those two products, but that’s the sort of function that I’m referring to: not repairing a file system, but recovering its files when it has been damaged beyond repair.
  Howard.
  
  LikeLike
7

EcleX on October 9, 2020 at 6:11 am

So, if there are problems, it is recommended to run both safe boot and “Disk Utility – First Aid”. In such order? Thanks!

LikeLiked by 1 person
- 8
  
  hoakley on October 9, 2020 at 6:16 am
  
  The question is: problems with what?
  If you suspect that you have file system problems with your startup container, then you can only check and repair those properly in Recovery mode. So you should start up in Recovery mode, open Disk Utility there, and then run First Aid on the volume(s)/container/disk as appropriate.
  If you suspect that you have file system problems on a different container, then you don’t have to restart at all, but can run Disk Utility directly on that disk/container/volume as needed.
  I’m not sure where Safe boot comes into this at all.
  Howard.
  
  LikeLike
  - 9
    
    EcleX on October 9, 2020 at 3:33 pm
    
    Thanks. I guess that it is equivalent to run “Disk Utility – First Aid” in Recovery mode than booting from other disk. Is that correct?
    
    On the other hand, when it is recommended to boot into safe mode?
    
    LikeLiked by 1 person
    - 10
      
      hoakley on October 9, 2020 at 10:08 pm
      
      No. When you run Disk Utility or fsck in Recovery mode, you can be confident that the version being run is that for the startup volumes (etc.) which you are checking and repairing. If you use either tool from another disk, it may be from a different version of macOS.
      This article explains why you might want to start up in Safe Mode.
      Howard.
      
      LikeLike
  - 11
    
    EcleX on October 10, 2020 at 10:14 am
    
    Thanks. Yes, sure. I meant when both disks have the same macOS version and build. In such a case, I understand that it is equivalent to run “Disk Utility – First Aid” in Recovery mode than booting from other disk. Right? I prefer booting from other disk because that allows more checking and repairs, if required, like running DiskWarrior (for HFS+ for now and hopefully for APFS in the future), etc.
    
    LikeLiked by 1 person
    - 12
      
      hoakley on October 10, 2020 at 10:24 pm
      
      I don’t follow you.
      You suspect there’s a file system problem with your startup Volume Group. You restart in Recovery mode, run Disk Utility there, and First Aid on the volume(s)/disk.
      There are no other tools which you can use, which aren’t provided in Recovery mode. You have Disk Utility, fsck_apfs, and other command tools. What else is there to check or repair the startup volumes/disk?
      An added complication here is that, if you’re running a T2 Mac in normal secure mode, you can’t start up from an external disk without entering Recovery mode and changing security mode there.
      Howard.
      
      LikeLike
  - 13
    
    EcleX on October 12, 2020 at 10:31 am
    
    Thanks. What I meant is, if both disks have the same macOS version and build, is it it equivalent to run “Disk Utility – First Aid” in Recovery mode than booting from the other disk and opening “Applications – Utilities – Disk Utility – First Aid”?
    
    LikeLiked by 1 person
    - 14
      
      hoakley on October 12, 2020 at 11:41 am
      
      I don’t know. The only way to know is to discover whether Disk Utility, fsck_apfs and other tools are identical in Recovery mode to those in your cloned System volume.
      Although you might expect them to be, that’s only an expectation without evidence.
      The simple and recommended solution is to use Recovery mode, which also gives access to other tools such as the option to reinstall macOS, and access to Secure Boot tools when you need them. That is after all what the Recovery volume is for.
      Howard.
      
      LikeLike
15

Bob on October 9, 2020 at 11:41 am

Hello Howard, could I get a clarification on this statement?

“Objects stored on disk are never modified in place, a major departure from HFS+. Instead, a copy of the object is modified and written out to a new location on disk”

What do we mean by object? This statement by itself begs the question, does a process doing block-IO have each (re)written block moved? It seems like this would have a terrible effect on performance of something like a DBMS, which likes to pre-allocate table-space and perform block-IO.

You mentioned “copy on write,” a term associated with file system snapshots. I have also read that APFS supports snapshots. If true, have you come across any information that this is a feature available to the user? I have previously read conjecture that Apple might be using the feature for software updates, which makes sense if true.

LikeLike
- 16
  
  hoakley on October 9, 2020 at 12:05 pm
  
  Thank you. These are big questions which aren’t answered clearly by the current documentation.
  Copy-on-write certainly applies to all file system objects, and ensures that file system metadata are completely protected. My understanding of regular file data writes is that it also applied there, although I have seen that disputed (without evidence).
  I don’t know how this affects block-IO. However, with regular file access, only changed blocks are written out to disk, and the old blocks replaced by those are then available for any snapshot.
  Copy on write is more general than snapshots, although it’s an important technique to make snapshots possible. APFS does support snapshots, and the user can make them through an application such as Time Machine or Carbon Copy Cloner. Snapshots are an integral part of Time Machine backups, from Mojave onwards, and have at times been used to provide system rollback prior to updating macOS (although not currently in Catalina). They are expected to be an integral feature in Big Sur, where the current (and probably last previous) system are only accessed through a mounted snapshot.
  Howard.
  
  LikeLike
17

Week 41 – 2020 – This Week In 4n6 on October 11, 2020 at 3:03 am

[…] Inside the file system: 3 APFS containers and volumes […]

LikeLike
18

Nows on November 21, 2020 at 12:36 am

Hi there
Glad to find such detailed forum for mac and other forms of art-life 🙂
I just recently ran into a little issue on my mid 2009 macbook pro and I feel confident having found the right place to address it. My gratitude already Howard!

I have ‘partitioned’ my 250GB SSD into one half containing the original OS El Capitan in HFS+, and the other half into two APFS containers. The first holding one volume with OS Mojave, the second holding the two volumes of OS Catalina and Catalina-Data. Both Mojave and Catalina are patched versions to be able to run on my officially unsupported mac for those systems. I must say, I am pleasantly surprised with how well they’re running on this mac. I’m not at all a techie, but I have learned a thing or two recently while looking for an upgrade to solve some software issues I was getting lately, running into the wall of the highest officially supported OS El Capitan on this device.

Anyway, my issue is that since I installed two APFS structured OS versions, I can no longer boot my version of OS Catalina. When I set my boot drive in system preferences to the Catalina drive (which appears there when running Mojave), it always boots the Mojave version. And when I hold option key while booting, it only shows one EFI boot drive which also keeps booting only Mojave.

Before that, I had a patched version of OS High Sierra in HFS+ structure in place of now Mojave in APFS. Then Catalina would appear as EFI drive with option key held at start-up, together with my El Capitan and High Sierra drives. So now still only one EFI drive is showing and it always boots Mojave and I can no longer run Catalina.

All the time, everything still looks the same in Disk Utility and in Finder, showing the exact partitions on the main Disk, and the different containers with their volumes. I can also access any accessible files and apps of Catalina in Finder while running Mojave.

Have you come across this issue before and is there a way to again boot OS Catalina as it sits on my mac?

In any case, thank you very much and very nice to meet you. May you have a wonderful day.

LikeLiked by 1 person
- 19
  
  hoakley on November 21, 2020 at 9:41 am
  
  Thank you.
  On a supported Mac, such dual-booting normally works OK, but because Catalina and Big Sur use Volume Groups for the system, Mojave can’t fully understand them, and some users can experience problems.
  I’ve never tried this on an unsupported Mac, though, and can see that might cause bigger problems. There’s also the risk that you could write to the Volume Group from an earlier version of APFS which doesn’t really understand them, and cause problems. Those should be easier to avoid using separate containers, but that still isn’t a guarantee. You might find it helpful to re-install Catalina to see if that fixes the problem, perhaps.
  Howard.
  
  LikeLike
20

John on January 8, 2021 at 5:50 pm

First, thanks for the treasure trove of info you provide. I’m thankful for folks like yourself, and the good folks at Bombich and OWC for providing an invaluable source of info on APFS and other topics.

In the “Container” section you write “An APFS container stores all the higher-level information which is common to the file system within it. These include volume metadata, snapshots,…

Does this mean that APFS snapshots are stored somewhere in the container level rather than in the system, data or user created volumes within the container?? Not sure I am asking this correctly???

Thanks

LikeLiked by 1 person
- 21
  
  hoakley on January 8, 2021 at 6:44 pm
  
  Thank you.
  That’s what Apple says, and it makes sense. If a snapshot (the file system metadata, that is) were to be stored inside the volume, then its metadata would be part of that volume, which gets circular. However, the snapshot is associated with the volume, hence when you list snapshots you list them for a specific volume.
  Howard.
  
  LikeLike
  - 22
    
    John Kauble on January 13, 2021 at 5:02 pm
    
    Of course, that makes perfect sense now….
    
    I have to keep reminding myself that the APFS snapshots ONLY contain the metadata and NOT the file content, and that the snapshot “points to” the file content on the volume the snapshot is associated with…
    
    Of course, now that has my curiosity peaked as the where and how exactly the snapshot metadata is stored in the container…
    
    THANKS
    
    LikeLiked by 1 person
23

FREDERIC PINARDON on February 6, 2021 at 6:01 pm

Hi
I have an iMac under Catalina and for a mysterious reason I cannot install Big Sur.
First time it ended in a boot loop, since version 15.2 it fails also but comes back to Catalina after at least 6 or 7 reboot.
Apple Disk Utility under Catalina says that everything is fine, but when I start up from macOS Recovery over the Internet with Command-Option-R and run the Disk Utility from there, I have an error after checking the container superblock : NX media keylocker data range is invalid : 0x92678 etc…
Even the level 2 tech from Apple doesn’t know what it means !
Any idea ?
Thank you in advance,
Fred (from France)

LikeLiked by 1 person
- 24
  
  hoakley on February 6, 2021 at 9:58 pm
  
  I’m sorry, Fred, but that looks very much like you’re going to need to completely reformat that disk. You could do that from an external bootable disk, perhaps, and then install a fresh copy of Big Sur.
  Howard.
  
  LikeLike
  - 25
    
    FREDERIC PINARDON on February 6, 2021 at 10:41 pm
    
    Well I did that already with an external SSD but to no avail !
    
    LikeLiked by 1 person