endpoint: atomically replace header files

Write contents of the header file to a temporary file first. It will then be atomically renamed to the real file. This makes sure we never end up with corrupted on inconsistent header files on the filesystem. Also make sure the symlink to the old header file in the downgrade case is created atomically. The github.com/google/renameio package is used for the atomic replace and symlink creation. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
cilium · Jul 2, 2020 · 542f0c2 · 542f0c2
1 parent e6123cb
commit 542f0c2
Show file tree

Hide file tree

Showing 12 changed files with 558 additions and 7 deletions.
diff --git a/go.mod b/go.mod
@@ -39,6 +39,7 @@ require (
 	github.com/google/gofuzz v1.1.0
 	github.com/google/gopacket v1.1.17
 	github.com/google/gops v0.3.10
+	github.com/google/renameio v0.1.0
 	github.com/gorilla/mux v1.7.0
 	github.com/hashicorp/consul/api v1.2.0
 	github.com/hashicorp/go-immutable-radix v1.1.0

diff --git a/go.sum b/go.sum
diff --git a/pkg/endpoint/bpf.go b/pkg/endpoint/bpf.go
@@ -43,6 +43,7 @@ import (
 	"github.com/cilium/cilium/pkg/revert"
 	"github.com/cilium/cilium/pkg/version"
 
+	"github.com/google/renameio"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 )
@@ -136,31 +137,43 @@ func (e *Endpoint) writeHeaderfile(prefix string) error {
 	e.getLogger().WithFields(logrus.Fields{
 		logfields.Path: headerPath,
 	}).Debug("writing header file")
-	f, err := os.Create(headerPath)
+
+	// Write new contents to a temporary file which will be atomically renamed to the
+	// real file at the end of this function. This will make sure we never end up with
+	// corrupted header files on the filesystem.
+	f, err := renameio.TempFile(prefix, headerPath)
 	if err != nil {
-		return fmt.Errorf("failed to open file %s for writing: %s", headerPath, err)
+		return fmt.Errorf("failed to open temporary file: %s", err)
 	}
-	defer f.Close()
+	defer f.Cleanup()
 
 	if err = e.writeInformationalComments(f); err != nil {
 		return err
 	}
 
+	if err = e.owner.Datapath().WriteEndpointConfig(f, e); err != nil {
+		return err
+	}
+
+	err = f.CloseAtomicallyReplace()
+
 	// Create symlink with old header filename, to allow downgrade to pre-1.8
 	// Cilium. Can be removed once v1.8 is the oldest supported release.
 	// We don't add the symlink for the host endpoint so that it is not
-	// restored when downgrading to <1.8.
-	if !e.IsHost() {
+	// restored when downgrading to <1.8. To avoid linking to a
+	// nonexistent file, only create the symlink if the header file
+	// creation/replacement file suceeded above.
+	if !e.IsHost() && err == nil {
 		oldHeaderPath := filepath.Join(prefix, common.OldCHeaderFileName)
 		if _, err := os.Stat(oldHeaderPath); err != nil {
 			// The symlink doesn't already exists.
-			if err := os.Symlink(common.CHeaderFileName, oldHeaderPath); err != nil {
+			if err := renameio.Symlink(common.CHeaderFileName, oldHeaderPath); err != nil {
 				e.getLogger().WithError(err).Error("Failed to create C header file symlink")
 			}
 		}
 	}
 
-	return e.owner.Datapath().WriteEndpointConfig(f, e)
+	return err
 }
 
 // addNewRedirectsFromDesiredPolicy must be called while holding the endpoint lock for

diff --git a/vendor/github.com/google/renameio/.travis.yml b/vendor/github.com/google/renameio/.travis.yml
diff --git a/vendor/github.com/google/renameio/CONTRIBUTING.md b/vendor/github.com/google/renameio/CONTRIBUTING.md
diff --git a/vendor/github.com/google/renameio/LICENSE b/vendor/github.com/google/renameio/LICENSE
diff --git a/vendor/github.com/google/renameio/README.md b/vendor/github.com/google/renameio/README.md
diff --git a/vendor/github.com/google/renameio/doc.go b/vendor/github.com/google/renameio/doc.go