
As the 2016-10-07~09 downtime incident shows, it is paramount to take further steps in guaranteeing that the server can't corrupt its own data files (especially the add-ons database) when receiving inappropriately-timed signals. This commit adds and deploys an ostream wrapper that requires callers to explicitly commit the results to disk when finished writing to the stream, so that only then the real destination file is overwritten with the working copy (a temporary in the same dir). This way, there should never be a situation in which the destination is left in an inconsistent state due to a signal or exception. The temporary receives a predictable name right now in the interest of simplicity, since we are more or less in control of the target directory anyway. We definitely don't want it to be an unlinked file since that would make it impossible for admins to inspect and compare the temporary against the original afterwards. The code makes some assumptions about the nature of the return value of filesystem::ostream_file() which will never be broken in this stable branch, which is why one helper function is in campaignd land rather than in the global filesystem API for now. This should probably be rectified when forward-porting to master. Maybe. Nothing of this will work reliably on Windows but we don't care. There's only one machine in the world where we support running campaignd at this time and it runs Linux.
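The commit-on-demand stream wrapper described above, as an added example that is not the Wesnoth code: the class name, the `commit()` method and the `<dest>.tmp~` temporary name are assumptions, and it additionally fsyncs the temporary before the rename (which the message does not mention), plus two scenarios showing the committed and the abandoned write.

```cpp
// Added illustration, not the Wesnoth code: write to "<dest>.tmp~" (assumed name) in
// the same directory and replace <dest> only on an explicit commit().
#include <cstdio>
#include <fstream>
#include <iterator>
#include <stdexcept>
#include <string>
#include <fcntl.h>
#include <unistd.h>
class atomic_commit_ostream {
public:
    explicit atomic_commit_ostream(const std::string& dest)
        : dest_(dest), tmp_(dest + ".tmp~"), out_(tmp_, std::ios::binary | std::ios::trunc) {}
    // No cleanup on destruction: an uncommitted temp stays on disk so an admin can
    // inspect it and diff it against the untouched original.
    std::ostream& stream() { return out_; }
    bool commit() {
        out_.flush();
        if (!out_) return false;                  // write error: original is kept
        out_.close();
        int fd = open(tmp_.c_str(), O_RDONLY);    // fsync so the data is durable
        if (fd < 0) return false;                 // before the rename exposes it
        bool synced = fsync(fd) == 0;
        close(fd);
        // rename(2) is atomic within one filesystem: readers see old or new, never a mix
        return synced && std::rename(tmp_.c_str(), dest_.c_str()) == 0;
    }
private:
    std::string dest_, tmp_;
    std::ofstream out_;
};
static std::string slurp(const std::string& path) {  // whole file, "" if missing
    std::ifstream in(path, std::ios::binary);
    return std::string(std::istreambuf_iterator<char>(in), {});
}
// Scenario 1: a committed write fully replaces dest and consumes the temp.
bool commit_replaces_destination(const std::string& dest) {
    { std::ofstream f(dest); f << "old"; }
    atomic_commit_ostream w(dest);
    w.stream() << "new contents";
    return w.commit() && slurp(dest) == "new contents"
        && access((dest + ".tmp~").c_str(), F_OK) != 0;
}
// Scenario 2: an exception (or signal) before commit() leaves the original intact.
bool abandoned_write_keeps_original(const std::string& dest) {
    { std::ofstream f(dest); f << "old"; }
    try { atomic_commit_ostream w(dest); w.stream() << "partial"; throw std::runtime_error("interrupted"); }
    catch (const std::runtime_error&) {}
    return slurp(dest) == "old" && slurp(dest + ".tmp~") == "partial";
}
```

The rename step is only atomic when the temporary and the destination live on the same filesystem, which is why the temporary is placed in the destination's own directory.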
Files changed:
addon/validation.cpp
campaign_server/addon_utils.cpp
campaign_server/blacklist.cpp
campaign_server/campaign_server.cpp
campaign_server/fs_commit.cpp
server/server_base.cpp
server/simple_wml.cpp