I’ve been involved in a lot of discussions about shutdown vs power off lately. It seems that I must be flying a nuclear armed bomber with my Pi, and flying it right over the home towns of the other folks in the discussions. Because they sure are offended that I might just push that power button and put my SD card at risk.
Therefore, I set out to put some operational statistics on the table. I built a new Raspbian Pi image on an SD card. It is an 8GB SanDisk MicroSD. Mainstream, but nothing special. Put it in a Pi 3B.
There is an overriding theme here: NOTHING SPECIAL. No read-only file systems, no magic utilities, just an absolutely default out-of-the-box Pi.
Rigged it so that an Arduino controlled the power to the Pi via a relay. Wrote a very short sketch for the Arduino that powers the Pi on for two minutes, off for thirty seconds, repeat. The whole setup looks really weird because it is a super-quick rebuild of a little station that was used to reprogram speed controllers for quadcopters (years ago, before you could get speed controllers that had the correct linear responses for quads). It was in a box, and already had power supplies, Arduino, relays, FET for the relays (under the grey tape) so…
To have a semi-realistic read write workload to the SD, installed SQLite3 and a bunch of things that I run on a real-world monitoring system that runs on a Pi. I ‘faked’ the sensors (really the queue senders) so that data streams in constantly. The DB is writing, re-org-ing, whatever it wants to do with itself, all the time.
Note this is NOT a “super heavy” bazillion IOPS workload. Because you don’t run those on SD. Because SDs wear out. If you NEVER powered the machine off, the SD will, eventually, physically wear out. If a Pi has a workload like that, it should boot from the SD and have the heavy IO stuff on a disk on USB.
In fact, I wonder how often an “oh look, powering off corrupted this card” is simply a worn-out card? Can’t research that, so I’m staying out of that rabbit hole.
Anyway, back to the test rig. The Pi boots, merrily logs (fake) data to the DB, and, drat, every two minutes has a power failure. To help track, 90 seconds after each boot, a cron job writes a log entry to a file on a CIFS (Windows) share. That log entry has the scan of the boot log that shows whether the ‘fsck’ that is performed at boot time succeeded or not; i.e. is the file system corrupted? And, really, if it corrupts beyond just trivia, the machine won’t boot. And so forth.
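A sketch of what such a boot-log scan can look like, as an added example that is not the script used on this rig. The message patterns, the `classify_fsck` and `log_entry` names and the sample log lines are assumptions; it separates a normal journal replay after a power cut from a check that actually failed, and refuses to call a boot clean when no fsck result is present.

```shell
#!/bin/sh
# Added example, not from the original post. The message patterns below are
# assumptions based on typical e2fsck and fsck.fat output seen via systemd-fsck.

classify_fsck() {
    # Reads boot log text on stdin; prints CORRUPT, RECOVERED, CLEAN or UNKNOWN.
    awk '
        /UNEXPECTED INCONSISTENCY|RUN fsck MANUALLY|fsck failed/ { bad = 1 }
        # Journal replay or a set dirty bit is the normal trace of a power cut.
        /recovering journal|Dirty bit is set/ { rec = 1 }
        /: clean,/ { clean = 1 }
        END {
            if (bad)        print "CORRUPT"
            else if (rec)   print "RECOVERED"
            else if (clean) print "CLEAN"
            else            print "UNKNOWN"   # no fsck result found: do not count as clean
        }'
}

log_entry() {
    # $1 = power-cycle number (hypothetical counter); stdin = boot log text.
    printf '%s cycle=%s fsck=%s\n' "$(date '+%m-%d-%Y %H:%M')" "$1" "$(classify_fsck)"
}

# Constructed sample boot-log lines (not captured from the test rig).
SAMPLE_REPLAY='systemd-fsck[112]: rootfs: recovering journal
systemd-fsck[112]: rootfs: clean, 48211/473280 files, 402113/1912832 blocks'
SAMPLE_BAD='systemd-fsck[112]: rootfs: UNEXPECTED INCONSISTENCY; RUN fsck MANUALLY.'

printf '%s\n' "$SAMPLE_REPLAY" | log_entry 1
printf '%s\n' "$SAMPLE_BAD" | log_entry 2
# From cron the input would be the real boot log, e.g. `journalctl -b | log_entry N`,
# appended to a file on the mounted share (path is up to you).
```

Writing the entry to a share rather than the SD card means the record survives even if the card stops booting.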
This test is NOT many things. It is not ‘proof’. There is no control group. I’m not comparing to any other failure rates. It is not the way that you would do it.
So what are the results? At the moment of this writing, about 22:30 CDT on April 19, 2020, the Pi has powered off with no shutdown approximately 600 times. That’s about 1.5 years of daily power off.
All with no SD corruption. None. Nada. Nil. Zip. Goose Eggs. Zackenberg Ecological Research Operations. Zero Kiryu. Zilch. The number by which you do not divide.
I’m going to let it run… we will see what happens.
04-19-2020 22:30 - Approx 600 (1.5 times / day for one year)
04-20-2020 08:00 - Approx 830 (2.3 times / day for one year)
04-25-2020 14:58 - Approx 2400 (6.6 times / day for one year)
Still clean. Still the number of corruptions = The number by which you do not divide.
At that point, I ceased trying to make it fail. For me (YMMV), powering off with no shutdown is acceptable operational risk. SD cards fail for many reasons; always have a way to recover, such as a backup or rebuild.