[POSIX] Ensure data is durably written to disk (#619)

AlCutter · web-flow · commit 22d632689357 · 2025-04-24T12:04:58.000+01:00
diff --git a/storage/posix/file_ops.go b/storage/posix/file_ops.go
@@ -0,0 +1,177 @@
+// Copyright 2025 The Tessera authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package posix
+
+import (
+	"errors"
+	"fmt"
+	"math/rand/v2"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"syscall"
+
+	"k8s.io/klog/v2"
+)
+
+const (
+	dirPerm  = 0o755
+	filePerm = 0o644
+)
+
+// syncDir calls fsync on the provided path.
+//
+// This is intended to be used to sync directories in which we've just created new entries.
+func syncDir(d string) error {
+	fd, err := os.Open(d)
+	if err != nil {
+		return fmt.Errorf("failed to open %q: %v", d, err)
+	}
+
+	if err := fd.Sync(); err != nil {
+		return fmt.Errorf("failed to sync %q: %v", d, err)
+	}
+	return fd.Close()
+}
+
+// mkdirAll is a reimplementation of os.mkdirAll but where we fsync the parent directory/ies
+// we modify.
+func mkdirAll(name string, perm os.FileMode) (err error) {
+	name = strings.TrimSuffix(name, string(filepath.Separator))
+	if name == "" {
+		return nil
+	}
+
+	// Finally, check and create the dir if necessary.
+	dir, _ := filepath.Split(name)
+	di, err := os.Lstat(name)
+	switch {
+	case errors.Is(err, syscall.ENOENT):
+		// We'll see an ENOENT if there's a problem with a non-existant path element, so
+		// we'll recurse and create the parent directory if necessary.
+		if dir != "" {
+			if err := mkdirAll(dir, perm); err != nil {
+				return err
+			}
+		}
+		// Once we've successfully created the parent element(s), we can drop through and
+		// create the final entry in the requested path.
+		fallthrough
+	case errors.Is(err, os.ErrNotExist):
+		// We'll see ErrNotExist if the final entry in the requested path doesn't exist,
+		// so we simply attempt to create it in here.
+		if err := os.Mkdir(name, perm); err != nil {
+			return fmt.Errorf("%q: %v", name, err)
+		}
+		// And be sure to sync the parent directory.
+		return syncDir(dir)
+	case err != nil:
+		return fmt.Errorf("lstat %q: %v", name, err)
+	case !di.IsDir():
+		return fmt.Errorf("%s is not a directory", name)
+	default:
+		return nil
+	}
+}
+
+// createEx atomically creates a file at the given path containing the provided data, and syncs the
+// directory containing the newly created file.
+//
+// Returns an error if a file already exists at the specified location, or it's unable to fully write the
+// data & close the file.
+func createEx(name string, d []byte) error {
+	dir, _ := filepath.Split(name)
+	if err := mkdirAll(dir, dirPerm); err != nil {
+		return fmt.Errorf("failed to make entries directory structure: %w", err)
+	}
+
+	tmpName, err := createTemp(name, d)
+	if err != nil {
+		return fmt.Errorf("failed to create temp file: %v", err)
+	}
+	defer func() {
+		if err := os.Remove(tmpName); err != nil {
+			klog.Warningf("Failed to remove temporary file %q: %v", tmpName, err)
+		}
+	}()
+
+	if err := os.Link(tmpName, name); err != nil {
+		// Wrap the error here because we need to know if it's os.ErrExists at higher levels.
+		return fmt.Errorf("failed to link temporary file to target %q: %w", name, err)
+	}
+
+	return syncDir(dir)
+}
+
+// overwrite atomically creates/overwrites a file at the given path containing the provided data, and syncs
+// the directory containing the overwritten/created file.
+func overwrite(name string, d []byte) error {
+	dir, _ := filepath.Split(name)
+	if err := mkdirAll(dir, dirPerm); err != nil {
+		return fmt.Errorf("failed to make entries directory structure: %w", err)
+	}
+
+	tmpName, err := createTemp(name, d)
+	if err != nil {
+		return fmt.Errorf("failed to create temp file: %v", err)
+	}
+
+	if err := os.Rename(tmpName, name); err != nil {
+		return fmt.Errorf("failed to rename temporary file to target %q: %w", name, err)
+	}
+
+	return syncDir(dir)
+}
+
+// createTemp creates a new temporary file in the directory dir, with a name based on the provided prefix,
+// and writes the provided data to it.
+//
+// Multiple programs or goroutines calling CreateTemp simultaneously will not choose the same file.
+// It is the caller's responsibility to remove the file when it is no longer needed.
+//
+// Ths file data is written with O_SYNC, however the containing directory is NOT sync'd on the assumption
+// that this temporary file will be linked/renamed by the caller who will also sync the directory.
+func createTemp(prefix string, d []byte) (name string, err error) {
+	try := 0
+	var f *os.File
+
+	for {
+		name = prefix + strconv.Itoa(int(rand.Int32()))
+		f, err = os.OpenFile(name, os.O_WRONLY|os.O_CREATE|os.O_EXCL|os.O_SYNC, filePerm)
+		if err == nil {
+			break
+		} else if os.IsExist(err) {
+			if try++; try < 10000 {
+				continue
+			}
+			return "", &os.PathError{Op: "createtemp", Path: prefix + "*", Err: os.ErrExist}
+		}
+	}
+
+	defer func() {
+		if errC := f.Close(); errC != nil && err == nil {
+			err = errC
+		}
+	}()
+
+	if n, err := f.Write(d); err != nil {
+		return "", fmt.Errorf("failed to write to temporary file %q: %v", name, err)
+	} else if l := len(d); n < l {
+		return "", fmt.Errorf("short write on %q, %d < %d", name, n, l)
+	}
+
+	return name, nil
+}
diff --git a/storage/posix/files.go b/storage/posix/files.go
@@ -45,8 +45,6 @@ const (
 	// that were created before we introduced this.
 	compatibilityVersion = 1
 
-	dirPerm  = 0o755
-	filePerm = 0o644
 	stateDir = ".state"
 
 	minCheckpointInterval = time.Second
@@ -442,7 +440,7 @@ func (lrs *logResourceStorage) writeBundle(_ context.Context, index uint64, part
 // creating a zero-sized one if it doesn't already exist.
 func (a *appender) initialise(ctx context.Context) error {
 	// Idempotent: If folder exists, nothing happens.
-	if err := os.MkdirAll(filepath.Join(a.s.path, stateDir), dirPerm); err != nil {
+	if err := mkdirAll(filepath.Join(a.s.path, stateDir), dirPerm); err != nil {
 		return fmt.Errorf("failed to create log directory: %q", err)
 	}
 	// Double locking:
@@ -527,7 +525,7 @@ func (s *Storage) writeTreeState(size uint64, root []byte) error {
 		return fmt.Errorf("error in Marshal: %v", err)
 	}
 
-	if err := s.overwrite(filepath.Join(stateDir, "treeState"), raw); err != nil {
+	if err := overwrite(filepath.Join(s.path, stateDir, "treeState"), raw); err != nil {
 		return fmt.Errorf("failed to create private tree state file: %w", err)
 	}
 	return nil
@@ -583,9 +581,7 @@ func (a *appender) publishCheckpoint(ctx context.Context, minStaleness time.Dura
 		return fmt.Errorf("newCP: %v", err)
 	}
 
-	// TODO(mhutchinson): grab witness signatures
-
-	if err := a.s.overwrite(layout.CheckpointPath, cpRaw); err != nil {
+	if err := overwrite(filepath.Join(a.s.path, layout.CheckpointPath), cpRaw); err != nil {
 		return fmt.Errorf("overwrite(%s): %v", layout.CheckpointPath, err)
 	}
 
@@ -599,8 +595,7 @@ func (a *appender) publishCheckpoint(ctx context.Context, minStaleness time.Dura
 // It will error if a file already exists at the specified location, or it's unable to fully write the
 // data & close the file.
 func (s *Storage) createExclusive(p string, d []byte) error {
-	p = filepath.Join(s.path, p)
-	return createEx(p, d)
+	return createEx(filepath.Join(s.path, p), d)
 }
 
 func (s *Storage) readAll(p string) ([]byte, error) {
@@ -615,84 +610,27 @@ func (s *Storage) readAll(p string) ([]byte, error) {
 func (s *Storage) createIdempotent(p string, d []byte) error {
 	if err := s.createExclusive(p, d); err != nil {
 		if errors.Is(err, os.ErrExist) {
-			if r, err := s.readAll(p); err != nil {
+			r, err := s.readAll(p)
+			if err != nil {
 				return fmt.Errorf("file %q already exists, but unable to read it: %v", p, err)
-			} else if bytes.Equal(d, r) {
-				// Idempotent write
-				return nil
 			}
+			if !bytes.Equal(d, r) {
+				return fmt.Errorf("file %q already exists but has different contents", p)
+			}
+			// Idempotent write.
+			return nil
 		}
 		return err
 	}
 	return nil
 }
 
-// overwrite atomically overwrites the specified file relative to the root of the log (or creates it if it doesn't exist)
-// with the provided data.
-func (s *Storage) overwrite(p string, d []byte) error {
-	p = filepath.Join(s.path, p)
-	tmpN := p + ".tmp"
-	if err := os.WriteFile(tmpN, d, filePerm); err != nil {
-		return fmt.Errorf("failed to write temp file %q: %v", tmpN, err)
-	}
-	if err := os.Rename(tmpN, p); err != nil {
-		_ = os.Remove(tmpN)
-		return fmt.Errorf("failed to move temp file into target location %q: %v", p, err)
-	}
-	return nil
-}
-
 // stat returns os.Stat info for the speficied file relative to the log root.
 func (s *Storage) stat(p string) (os.FileInfo, error) {
 	p = filepath.Join(s.path, p)
 	return os.Stat(p)
 }
 
-// createEx atomically creates a file at the given path containing the provided data.
-//
-// It will error if a file already exists at the specified location, or it's unable to fully write the
-// data & close the file.
-func createEx(p string, d []byte) error {
-	dir, f := filepath.Split(p)
-	if err := os.MkdirAll(dir, dirPerm); err != nil {
-		return fmt.Errorf("failed to make entries directory structure: %w", err)
-	}
-	tmpF, err := os.CreateTemp(dir, f+"-*")
-	if err != nil {
-		return fmt.Errorf("failed to create temp file: %v", err)
-	}
-	if err := tmpF.Chmod(filePerm); err != nil {
-		return fmt.Errorf("failed to chmod temp file: %v", err)
-	}
-	tmpName := tmpF.Name()
-	defer func() {
-		if tmpF != nil {
-			if err := tmpF.Close(); err != nil {
-				klog.Warningf("Failed to close temporary file: %v", err)
-			}
-		}
-		if err := os.Remove(tmpName); err != nil {
-			klog.Warningf("Failed to remove temporary file %q: %v", tmpName, err)
-		}
-	}()
-
-	if n, err := tmpF.Write(d); err != nil {
-		return fmt.Errorf("unable to write data to temporary file: %v", err)
-	} else if l := len(d); n != l {
-		return fmt.Errorf("short write (%d < %d byte) on temporary file", n, l)
-	}
-	if err := tmpF.Close(); err != nil {
-		return fmt.Errorf("failed to close temporary file: %v", err)
-	}
-	tmpF = nil
-	if err := os.Link(tmpName, p); err != nil {
-		// Wrap the error here because we need to know if it's os.ErrExists at higher levels.
-		return fmt.Errorf("failed to link temporary file to target %q: %w", p, err)
-	}
-
-	return nil
-}
-
 // MigrationWriter creates a new POSIX storage for the MigrationTarget lifecycle mode.
 func (s *Storage) MigrationWriter(ctx context.Context, opts *tessera.MigrationOptions) (tessera.MigrationWriter, tessera.LogReader, error) {
 	r := &MigrationStorage{
@@ -743,7 +681,7 @@ func (m *MigrationStorage) AwaitIntegration(ctx context.Context, sourceSize uint
 
 func (m *MigrationStorage) initialise() error {
 	// Idempotent: If folder exists, nothing happens.
-	if err := os.MkdirAll(filepath.Join(m.s.path, stateDir), dirPerm); err != nil {
+	if err := mkdirAll(filepath.Join(m.s.path, stateDir), dirPerm); err != nil {
 		return fmt.Errorf("failed to create log directory: %q", err)
 	}
 	// Double locking:
