ac2cz / pi_pacsat

Open source implementation of the Pacsat protocol based on public documents. Designed to run on a Linux computer using Direwolf as the TNC

Every disk write must fail safely. #25

Closed ac2cz closed 4 months ago

ac2cz commented 7 months ago

All writes to the disk must complete fully or fail with no action.

ac2cz commented 7 months ago

Also include state file fixes in line with iors_control

ac2cz commented 7 months ago

Upload file data already fails safely. If we crash while writing part of it then the offset value is not saved into the upload table file.

ac2cz commented 7 months ago

All fixed except the more complex case of installing a file. This needs some design work.

ac2cz commented 7 months ago

For installed files the main danger seems to be when we are extracting the file from the pacsat file. We now rename the file to its extracted name when we finish.

At that point we have extracted the file onto disk but have not updated the keywords. If we crash then the system is inconsistent.

The solution is to move the rename after the update of the keywords and make sure that the extracted file ends in tmp or better still, is in the tmp directory. Then if we fail nothing is in the folder and no keywords are changed.

ac2cz commented 7 months ago

Note that we can still have the situation where the keywords are updated and then the rename fails. In that situation we think we have the file but it is in the tmp dir. We could have an integrity check that looks for that situation at boot and fixes it.

We also have a corresponding issue when we delete a file. We could have removed the keywords but fail to remove the file. In this case we could move the file to a tmp_delete dir first, then change the keywords, then finally remove. We could have a similar integrity check at startup.

ac2cz commented 7 months ago

Downgraded to high as this is mitigated. It can be closed when the integrity check is added at boot.

ac2cz commented 6 months ago

There is also still an issue in pfh_update_pacsat_header() which updates the pacsat file itself to change the keywords. This should write the file into a temp file and then rename it at the end. In fact it does the opposite of that!
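The ordering discussed in this thread (extract into a tmp directory, update the keywords, then rename into place; on delete, move to tmp_delete first, update the keywords, then unlink; rewrite a file via a temp file plus rename as the comment above asks for pfh_update_pacsat_header(); and a boot-time integrity check that repairs whatever an interrupted step left behind) as one worked example in C. This is added illustration for the page, not code from pi_pacsat: the store layout (a `keywords` file with one file name per line, plus `tmp/` and `tmp_delete/` subdirectories), all function names, and the `crash_after_kw` flag that simulates a crash between the keyword update and the final rename/unlink are assumptions made for the demo.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PMAX 4096   /* path buffer size (assumption for the demo) */
#define KW_MAX 4096 /* keyword table buffer size (assumption for the demo) */

/* Build "<dir>/<sub>" or "<dir>/<sub>/<name>". */
static void pathf(char *buf, size_t n, const char *dir, const char *sub, const char *name) {
    if (name) snprintf(buf, n, "%s/%s/%s", dir, sub, name);
    else snprintf(buf, n, "%s/%s", dir, sub);
}

/* Replace path atomically: write a sibling "<path>.tmp", fsync it, rename it over
 * path, then fsync the directory. A crash leaves the old file or the new one,
 * never a partial one. Returns 0 on success, -1 on error. */
int write_file_atomic(const char *path, const void *data, size_t len) {
    char tmp[PMAX], dir[PMAX];
    snprintf(tmp, sizeof tmp, "%s.tmp", path);
    int fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    const char *p = data;
    while (len > 0) {                       /* write() may be partial; loop until done */
        ssize_t w = write(fd, p, len);
        if (w < 0) { close(fd); unlink(tmp); return -1; }
        p += w; len -= (size_t)w;
    }
    if (fsync(fd) < 0 || close(fd) < 0 || rename(tmp, path) < 0) { unlink(tmp); return -1; }
    snprintf(dir, sizeof dir, "%s", path);  /* fsync the directory so the rename is durable */
    char *slash = strrchr(dir, '/');
    if (slash) *slash = '\0'; else strcpy(dir, ".");
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return -1;
    int rc = fsync(dfd);
    close(dfd);
    return rc;
}

/* Load the keyword table (one installed file name per line); empty if absent. */
static void kw_load(const char *dir, char *buf, size_t n) {
    char p[PMAX]; pathf(p, sizeof p, dir, "keywords", NULL);
    FILE *f = fopen(p, "r");
    if (!f) { buf[0] = '\0'; return; }
    size_t r = fread(buf, 1, n - 1, f); fclose(f); buf[r] = '\0';
}

/* 1 if the keyword table says name is installed, else 0. */
int kw_has(const char *dir, const char *name) {
    char buf[KW_MAX]; kw_load(dir, buf, sizeof buf);
    for (char *line = strtok(buf, "\n"); line; line = strtok(NULL, "\n"))
        if (strcmp(line, name) == 0) return 1;
    return 0;
}

/* Rewrite the keyword table with name present or absent, via write_file_atomic(). */
int kw_set(const char *dir, const char *name, int present) {
    char buf[KW_MAX], out[KW_MAX], p[PMAX]; size_t o = 0;
    kw_load(dir, buf, sizeof buf);
    for (char *line = strtok(buf, "\n"); line; line = strtok(NULL, "\n"))
        if (strcmp(line, name) != 0) o += snprintf(out + o, sizeof out - o, "%s\n", line);
    if (present) o += snprintf(out + o, sizeof out - o, "%s\n", name);
    if (o >= sizeof out) return -1;
    pathf(p, sizeof p, dir, "keywords", NULL);
    return write_file_atomic(p, out, o);
}

/* Install: extract into tmp/, update keywords, then rename into the folder.
 * crash_after_kw simulates a crash between the keyword update and the rename:
 * the keywords then claim the file while it still sits in tmp/ (returns -2). */
int install_file(const char *dir, const char *name, const void *data, size_t len, int crash_after_kw) {
    char t[PMAX], f[PMAX];
    pathf(t, sizeof t, dir, "tmp", name); pathf(f, sizeof f, dir, name, NULL);
    if (write_file_atomic(t, data, len) < 0) return -1;
    if (kw_set(dir, name, 1) < 0) { unlink(t); return -1; }
    if (crash_after_kw) return -2;
    return rename(t, f);
}

/* Delete: move to tmp_delete/, update keywords, then unlink. A crash after the
 * keyword update (simulated, returns -2) leaves the file only in tmp_delete/. */
int delete_file(const char *dir, const char *name, int crash_after_kw) {
    char t[PMAX], f[PMAX];
    pathf(f, sizeof f, dir, name, NULL); pathf(t, sizeof t, dir, "tmp_delete", name);
    if (rename(f, t) < 0) return -1;
    if (kw_set(dir, name, 0) < 0) { rename(t, f); return -1; }
    if (crash_after_kw) return -2;
    return unlink(t);
}

/* Boot-time repair: a tmp/ entry with a keyword is an install whose rename never
 * ran, so finish it; one without a keyword is an abandoned extract, so drop it;
 * anything in tmp_delete/ was already removed from the keywords, so unlink it.
 * Returns the number of entries repaired. */
int integrity_check(const char *dir) {
    static const char *subs[] = { "tmp", "tmp_delete" };
    int fixed = 0;
    for (int i = 0; i < 2; i++) {
        char sp[PMAX], src[PMAX], dst[PMAX];
        pathf(sp, sizeof sp, dir, subs[i], NULL);
        DIR *d = opendir(sp);
        if (!d) continue;
        struct dirent *e;
        while ((e = readdir(d))) {
            if (e->d_name[0] == '.') continue;
            pathf(src, sizeof src, dir, subs[i], e->d_name);
            pathf(dst, sizeof dst, dir, e->d_name, NULL);
            if (i == 0 && kw_has(dir, e->d_name)) rename(src, dst);
            else unlink(src);
            fixed++;
        }
        closedir(d);
    }
    return fixed;
}

/* Create a fresh demo store under /tmp with tmp/ and tmp_delete/; dir gets PMAX bytes. */
int make_store(char *dir) {
    char sub[PMAX];
    strcpy(dir, "/tmp/pacsat_store_XXXXXX");
    if (!mkdtemp(dir)) return -1;
    pathf(sub, sizeof sub, dir, "tmp", NULL);        if (mkdir(sub, 0755) < 0) return -1;
    pathf(sub, sizeof sub, dir, "tmp_delete", NULL); if (mkdir(sub, 0755) < 0) return -1;
    return 0;
}
```

The crash flag is only there to exercise the two windows the thread identifies: after `install_file(..., 1)` the keywords list the file but the folder does not contain it, and after `delete_file(..., 1)` the keywords have forgotten it but the bytes are still in tmp_delete/; one `integrity_check()` at boot resolves both, and running it again on a clean store repairs nothing. Temp files are always created in the same directory as their final name so that rename() stays a same-filesystem atomic operation.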

ac2cz commented 4 months ago

Now fixed.