Merge lp:~parthm/bzr/no-chown-if-bzrlog-exists into lp:bzr

This doesn't actually solve the issue, as there is a race condition :).

> This doesn't actually solve the issue, as there is a race condition :).

You are right of course. Thanks for pointing that out.

After experimenting for some time I can't think of a good solution for the race condition. One option might be to just open() the file with 'at' later chown only if the ownership is different from from parent dir. The disadvantage is that we will do two stats per invocation. 1 for the parent dir and 1 for the file itself. Also, this will lead to bzr _always_ maintaining .bzr.log ownership the same as that of the containing directory. The could be considered a bug or a feature :-)
I will explore some more and see if I can come up with something.

Suggestions welcome.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Parth Malwankar wrote:
>> This doesn't actually solve the issue, as there is a race condition :).
>
> You are right of course. Thanks for pointing that out.
>
> After experimenting for some time I can't think of a good solution for the race condition. One option might be to just open() the file with 'at' later chown only if the ownership is different from from parent dir. The disadvantage is that we will do two stats per invocation. 1 for the parent dir and 1 for the file itself. Also, this will lead to bzr _always_ maintaining .bzr.log ownership the same as that of the containing directory. The could be considered a bug or a feature :-)
> I will explore some more and see if I can come up with something.
>
> Suggestions welcome.
>

There *is* a race condition, but the window is small, and it is better
to be racy and get it mostly right than to fail in obvious ways.

If someone has set perms on .bzr.log explicitly, I'd rather we didn't
keep changing it on them. Given that .bzr.log is in ~, it is *possible*
you'd have them set differently. (I don't want people to see what files
are in ~, but I want to share ~/.bzr.log, for example. Set the dir to
rwx--x--- and the file to rw-r-----)

If the file doesn't exist, we should try to be nice about what perms the
file gets.

The only way I see to avoid a race is to do something like
os.open(O_EXCL) and if that succeeds, then we chmod/chown. If it fails,
then we just fall back to opening regularly.

Also note that it is only 'racy' if they:

 1) For some reason create .bzr.log themselves
 2) Start 2 bzr processes simultaneously that are *different* versions.
    Otherwise, the 2 versions of bzr would use the same logic. And while
    it make chown twice, they would do the same thing.

John
=:->
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkuuCMkACgkQJdeBCYSNAAM5dACgvJpiReYnhZzkJQP9xBLJOBE5
SLUAoL+Ew9G0uk4N88VQSdALDxIb1ySV
=zhfY
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Parth Malwankar wrote:
>> This doesn't actually solve the issue, as there is a race condition :).
>
> You are right of course. Thanks for pointing that out.
>
> After experimenting for some time I can't think of a good solution for the race condition. One option might be to just open() the file with 'at' later chown only if the ownership is different from from parent dir. The disadvantage is that we will do two stats per invocation. 1 for the parent dir and 1 for the file itself. Also, this will lead to bzr _always_ maintaining .bzr.log ownership the same as that of the containing directory. The could be considered a bug or a feature :-)
> I will explore some more and see if I can come up with something.
>
> Suggestions welcome.
>

I should mention, *I* prefer having this patch to not having it. So
 review: approve

But it seems like Robert is either hesitant or objecting, though he
didn't actually vote.

John
=:->
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkuuCZEACgkQJdeBCYSNAAPNVACeMPCZ70YgF2rQzEqvPLzb09aK
pOsAmwdDCRuFZMMqrW7Y/u+0XPejBFyv
=UQ/q
-----END PGP SIGNATURE-----

This can be done completely non-racily with os.open - a really picky version could be a function something like:

    lomode = os.O_WRONLY | os.O_APPEND | osutils.O_TEXT
    while True:
        try:
            return os.open(filename, lomode)
        except OSError, e:
            if e.errno != errno.ENOENT:
                raise
        try:
            fd = os.open(filename, lomode | os.O_CREAT | os.O_EXCL)
        except OSError, e:
            if e.errno != errno.EEXIST:
                raise
        else:
            copy_ownership(filename, ownership_src)
            return fd

And os.fdopen to make a regular file object.

Raises the question though, is it ever going to be right for a osutils.open_with_ownership function to chown the file if it's *not* just created it? Makes me wonder again whether bundling the chown into the open function makes any sense.

> This can be done completely non-racily with os.open - a really picky version
> could be a function something like:
>
> lomode = os.O_WRONLY | os.O_APPEND | osutils.O_TEXT
> while True:
> try:
> return os.open(filename, lomode)
> except OSError, e:
> if e.errno != errno.ENOENT:
> raise
> try:
> fd = os.open(filename, lomode | os.O_CREAT | os.O_EXCL)
> except OSError, e:
> if e.errno != errno.EEXIST:
> raise
> else:
> copy_ownership(filename, ownership_src)
> return fd
>
> And os.fdopen to make a regular file object.
>

Thanks for this.
This certainly looks good to me. Would this approach work on Mac? In the python docs[1] the availability of os.open is shown as Unix and Windows. I don't know much about Mac so I ask.

> Raises the question though, is it ever going to be right for a
> osutils.open_with_ownership function to chown the file if it's *not* just
> created it? Makes me wonder again whether bundling the chown into the open
> function makes any sense.

I agree, I don't see too much use of open_with_ownership in a non-create case.
I can try to create and test a patch based on the above approach which also deals with open_with_ownership. Its used only in one another place IIRC.

[1] http://docs.python.org/library/os.html#os.open

> This certainly looks good to me. Would this approach work on Mac? In the
> python docs[1] the availability of os.open is shown as Unix and Windows. I
> don't know much about Mac so I ask.

The Python docs are a little confusing on this, but by their definition there is no longer such a thing as a mac, anything running OS X just another unix. Upstream Python has pretty much dropped support for everything but posix and windows systems.

> > Raises the question though, is it ever going to be right for a
> > osutils.open_with_ownership function to chown the file if it's *not* just
> > created it? Makes me wonder again whether bundling the chown into the open
> > function makes any sense.

Got my thinking a little backwards here, if chown should only be on create, building that logic into open_with_ownership probably makes sense.

> I agree, I don't see too much use of open_with_ownership in a non-create case.
> I can try to create and test a patch based on the above approach which also
> deals with open_with_ownership. Its used only in one another place IIRC.

Worth pondering how you think the interfaces should work, there are currently three new public functions in osutils, and only as many callsites.

Updated based on file creation code by Martin [gz]. Thanks.
Removed open_with_ownership and copy_with_ownership. Now copy_ownership is used directly.

One minor annoyance with that is that .bzr.log is created with the executable bit set due to O_CREAT. As per the open(2) man page:

The effective permissions are modified by the process's umask in the usual way: The permissions of the created file are (mode & ~umask).

On my system the mask is 022. I suppose we can do a chown specifically to unset executable bit. Thoughts?

Note: This isn't tested on Windows yet as I don't have a windows system available at the moment.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Parth Malwankar wrote:
> One minor annoyance with that is that .bzr.log is created with the executable bit set due to O_CREAT. As per the open(2) man page:
>
> The effective permissions are modified by the process's umask in the usual way: The permissions of the created file are (mode & ~umask).
>
> On my system the mask is 022. I suppose we can do a chown specifically to unset executable bit. Thoughts?
>
> Note: This isn't tested on Windows yet as I don't have a windows system available at the moment.
>

Why not just use "mode = source_mode & ~0111", which should always strip
the executable bit off. I don't see any need have the file executable.

John
=:->

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkuw+WcACgkQJdeBCYSNAANCMQCgtEGTtaSAUqUVhiKnEFy2EMo4
pZEAoLDZtbpEfnWglc5kbwlMxcfUFs0E
=nMDG
-----END PGP SIGNATURE-----

+ """Create a log file in while avoiding race.

some kind of typo here.

I would make the docstring be:

  Create the .bzr.log file.

  It inherits the ownership and permissions (masked by umask) from the containing
  directory to cope better with being run under sudo with $HOME still set to the
  user's homedir.

Also the fact that you have a comment next to every copy_ownership() invocation suggests it should be renamed to copy_ownership_from_directory.

To set the permissions you need to pass a third parameter to os.open(), which here should be 0666. This is separate from the O_APPEND etc mode.

Thanks!

> + """Create a log file in while avoiding race.
>
> some kind of typo here.
>
> I would make the docstring be:
>
> Create the .bzr.log file.
>
> It inherits the ownership and permissions (masked by umask) from the
> containing
> directory to cope better with being run under sudo with $HOME still set to
> the
> user's homedir.
>

Done.

> Also the fact that you have a comment next to every copy_ownership()
> invocation suggests it should be renamed to copy_ownership_from_directory.
>

I have renamed it to copy_ownership_from_path as both file and
directory are accepted, though we use only parent directory in
the existing cases.

> To set the permissions you need to pass a third parameter to os.open(), which
> here should be 0666. This is separate from the O_APPEND etc mode.
>

I have added permission of 0644 and tested it out.
Thanks.

On 30 March 2010 16:37, Parth Malwankar <email address hidden> wrote:
> I have added permission of 0644 and tested it out.

No, it should actually be 0666. If the user sets their umask to allow
group-writable files we should respect that unless there is a good
reason.

--
Martin <http://launchpad.net/~mbp/>

> No, it should actually be 0666. If the user sets their umask to allow
> group-writable files we should respect that unless there is a good
> reason.
>

Makes sense. Changed permissions to 0666.

Couple of style points, one of which causes a bug.

Generally you want the body of try/except loops to be as minimal, hence my use of else in the example before. I have mixed feelings about nested functions that aren't actually being used as closures. Factoring common logic branches into one route is generally a good thing, even if it means using break-as-goto.

Rather than things along the lines of:
     permissions = 0666
     fd = os.open(filename, flags, permissions)
it's better to use:
     fd = os.open(filename, flags, mode=0666)
which is still self-documenting, and avoids the variable.

As you do that with flags too, you're defeating the race protection of the loop by making all attempts after the first exclusive, potentially causing an infinite loop instead:
    flags = os.O_WRONLY | os.O_APPEND | osutils.O_TEXT
    while True:
        ...
            fd = os.open(filename, flags)
        ...
            flags = flags | os.O_CREAT | os.O_EXCL
            permissions = 0666
            fd = os.open(filename, flags, permissions)

Also bt.test_trace.test__open_bzr_log_uses_stderr_for_failures was failing, which can be fixed by moving a later catch one step up the exception hierarchy.

Pull <lp:~gz/bzr/no-chown-if-bzrlog-exists> for my fixes for these. I've poked a couple of other minor bits while I was there, but didn't do anything major. (I'd really like windows to avoid this codepath entirely, but this doesn't need to be done right now.)

> Pull <lp:~gz/bzr/no-chown-if-bzrlog-exists> for my fixes for these. I've poked
> a couple of other minor bits while I was there, but didn't do anything major.
> (I'd really like windows to avoid this codepath entirely, but this doesn't
> need to be done right now.)

Thanks for the updates Martin [gz]. I have merged in the changes.

Passes tests here.

merged in changes from trunk and moved NEWS entry to 2.2b2

I think this is an improvement. However my experience with race conditions is that we always, eventually, run into them.

So I'd like a new bug filed saying that we have this race and should fix it. That can be a wishlist bug, but we know the defect exists so lets capture the thinking about it now to save a future user having to figure it out.

> I think this is an improvement. However my experience with race conditions is
> that we always, eventually, run into them.
>
> So I'd like a new bug filed saying that we have this race and should fix it.
> That can be a wishlist bug, but we know the defect exists so lets capture the
> thinking about it now to save a future user having to figure it out.

Filed Bug #567036 for this.

So, this is failing on PQM. I don't have a detailed diagnostic for you yet, but there are 14 test failures.

Some failures:

======================================================================
FAIL: bzrlib.tests.test_decorators.TestDecoratorDocs.test_read_lock_passthrough
----------------------------------------------------------------------
_StringException: Text attachment: log
------------

------------
Text attachment: traceback
------------
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/testtools/runtest.py", line 128, in _run_user
    return fn(*args)
  File "/usr/lib/python2.4/site-packages/testtools/testcase.py", line 368, in _run_test_method
    testMethod()
  File "/home/pqm/bzr-pqm-workdir/home/+trunk/bzrlib/tests/test_decorators.py", line 170, in test_read_lock_passthrough
    self.assertDocstring('Frob the sample object', sam.frob)
AssertionError: 'Frob the sample object' is not None.
------------

FAIL: bzrlib.tests.test_decorators.TestDecoratorDocs.test_write_lock_passthrough
----------------------------------------------------------------------
_StringException: Text attachment: log
------------

------------
Text attachment: traceback
------------
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/testtools/runtest.py", line 128, in _run_user
    return fn(*args)
  File "/usr/lib/python2.4/site-packages/testtools/testcase.py", line 368, in _run_test_method
    testMethod()
  File "/home/pqm/bzr-pqm-workdir/home/+trunk/bzrlib/tests/test_decorators.py", line 177, in test_write_lock_passthrough
    sam.bank)
AssertionError: 'Bank the sample, but using bar and biz.' is not None.
------------

FAIL: bzrlib.tests.test_decorators.TestPrettyDecorators.test__fast_needs_read_lock
----------------------------------------------------------------------
_StringException: Text attachment: log
------------

------------
Text attachment: traceback
------------
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/testtools/runtest.py", line 128, in _run_user
    return fn(*args)
  File "/usr/lib/python2.4/site-packages/testtools/testcase.py", line 368, in _run_test_method
    testMethod()
  File "/home/pqm/bzr-pqm-workdir/home/+trunk/bzrlib/tests/test_decorators.py", line 225, in test__fast_needs_read_lock
    self.assertDocstring(
AssertionError: 'Just a function that supplies several arguments.' is not None.
------------

FAIL: bzrlib.tests.test_decorators.TestPrettyDecorators.test__fast_needs_write_lock
----------------------------------------------------------------------
_StringException: Text attachment: log
------------

------------
Text attachment: traceback
------------
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/testtools/runtest.py", line 128, in _run_user
    return fn(*args)
  File "/usr/lib/python2.4/site-packages/testtools/testcase.py", line 368, in _run_test_method
    testMethod()
  File "/home/pqm/bzr-pqm-workdir/home/+trunk/bzrlib/tests/test_decorators.py", line 254, in test__fast_needs_write_lock
    self.assertDocstring(
AssertionError: 'Just a function that supplies several arguments.' is not None.
------------

FAIL: bzrlib.tests.test_decorators.TestPrettyDecorators.test__pretty_needs_read_lock
------------...

On Wed, Apr 21, 2010 at 1:11 PM, Robert Collins
<email address hidden> wrote:
> Some failures:
>
> ======================================================================
> FAIL: bzrlib.tests.test_decorators.TestDecoratorDocs.test_read_lock_passthrough
> ----------------------------------------------------------------------
...
> Which is pretty strange. Its possible that I've got the wrong mp here, but tomorrow we should have the reporting code all fixed up in pqm anyhow. Have you tried a full test run?
> Its very odd to see these failures on this proposal, as I'm sure you can guess ;).
>

These results do look surprising. I am able to run all the failing
tests without any problems. I ran bt.test_decorators on WinXP
+ Linux and others on linux.
Any ideas?

----------------------------------------------------------------------
Ran 3 tests in 0.142s

OK
[no-chown-if-bzrlog-exists]% ./bzr --no-plugins selftest -s
bt.test_decorators
bzr selftest: /storage/parth/src/bzr.dev/no-chown-if-bzrlog-exists/bzr
   /storage/parth/src/bzr.dev/no-chown-if-bzrlog-exists/bzrlib
   bzr-2.2.0dev1 python-2.6.4
Linux-2.6.31-20-generic-i686-with-Ubuntu-9.10-karmic

----------------------------------------------------------------------
Ran 34 tests in 0.121s

OK
[no-chown-if-bzrlog-exists]% ./bzr --no-plugins selftest -s bb
bzr selftest: /storage/parth/src/bzr.dev/no-chown-if-bzrlog-exists/bzr
   /storage/parth/src/bzr.dev/no-chown-if-bzrlog-exists/bzrlib
   bzr-2.2.0dev1 python-2.6.4
Linux-2.6.31-20-generic-i686-with-Ubuntu-9.10-karmic

----------------------------------------------------------------------
Ran 1214 tests in 326.842s

OK (known_failures=2)
Missing feature 'case-insensitive case-preserving filesystem' skipped 18 tests.
Missing feature 'case-insensitive filesystem' skipped 1 tests.
bzrlib.tests.blackbox.test_branch.TestBranchStacked.test_branch_stacked_from_smart_server
is leaking threads among 31 leaking tests.
17 non-main threads were left active in the end.
[no-chown-if-bzrlog-exists]% ./bzr selftest -s bt.test_plugins
Unable to load plugin 'hg'. It requested API version (2, 1, 0) of
module <module 'bzrlib' from
'/storage/parth/src/bzr.dev/no-chown-if-bzrlog-exists/bzrlib/__init__.pyc'>
but the minimum exported version is (2, 2, 0), and the maximum is (2,
2, 0)
Unable to load plugin 'svn'. It requested API version (2, 1, 0) of
module <module 'bzrlib' from
'/storage/parth/src/bzr.dev/no-chown-if-bzrlog-exists/bzrlib/__init__.pyc'>
but the minimum exported version is (2, 2, 0), and the maximum is (2,
2, 0)
Unable to load plugin 'git'. It requested API version (2, 1, 0) of
module <module 'bzrlib' from
'/storage/parth/src/bzr.dev/no-chown-if-bzrlog-exists/bzrlib/__init__.pyc'>
but the minimum exported version is (2, 2, 0), and the maximum is (2,
2, 0)
bzr selftest: /storage/parth/src/bzr.dev/no-chown-if-bzrlog-exists/bzr
   /storage/parth/src/bzr.dev/no-chown-if-bzrlog-exists/bzrlib
   bzr-2.2.0dev1 python-2.6.4
Linux-2.6.31-20-generic-i686-with-Ubuntu-9.10-karmic

----------------------------------------------------------------------
Ran 72 tests in 1.313s

OK
[no-chown-if-bzrlog-exists]% ./bzr --no-plugins selftest -s bt.test_selftest
bzr sel...

Its been about an hour since I emailed on the test but for some reason that hasn't shown up so I just paste it here for now. Sorry if it shows up twice.

On Wed, Apr 21, 2010 at 1:11 PM, Robert Collins
<email address hidden> wrote:
> Some failures:
>
> ======================================================================
> FAIL: bzrlib.tests.test_decorators.TestDecoratorDocs.test_read_lock_passthrough
> ----------------------------------------------------------------------
...
> Which is pretty strange. Its possible that I've got the wrong mp here, but tomorrow we should have the reporting code all fixed up in pqm anyhow. Have you tried a full test run?
> Its very odd to see these failures on this proposal, as I'm sure you can guess ;).
>

These results do look surprising. I am able to run all the failing
tests without any problems. I ran bt.test_decorators on WinXP
+ Linux and others on linux.

----------------------------------------------------------------------
Ran 3 tests in 0.142s

OK
[no-chown-if-bzrlog-exists]% ./bzr --no-plugins selftest -s
bt.test_decorators
bzr selftest: /storage/parth/src/bzr.dev/no-chown-if-bzrlog-exists/bzr
  /storage/parth/src/bzr.dev/no-chown-if-bzrlog-exists/bzrlib
  bzr-2.2.0dev1 python-2.6.4
Linux-2.6.31-20-generic-i686-with-Ubuntu-9.10-karmic

----------------------------------------------------------------------
Ran 34 tests in 0.121s

OK
[no-chown-if-bzrlog-exists]% ./bzr --no-plugins selftest -s bb
bzr selftest: /storage/parth/src/bzr.dev/no-chown-if-bzrlog-exists/bzr
  /storage/parth/src/bzr.dev/no-chown-if-bzrlog-exists/bzrlib
  bzr-2.2.0dev1 python-2.6.4
Linux-2.6.31-20-generic-i686-with-Ubuntu-9.10-karmic

----------------------------------------------------------------------
Ran 1214 tests in 326.842s

OK (known_failures=2)
Missing feature 'case-insensitive case-preserving filesystem' skipped 18 tests.
Missing feature 'case-insensitive filesystem' skipped 1 tests.
bzrlib.tests.blackbox.test_branch.TestBranchStacked.test_branch_stacked_from_smart_server
is leaking threads among 31 leaking tests.
17 non-main threads were left active in the end.
[no-chown-if-bzrlog-exists]% ./bzr selftest -s bt.test_plugins
Unable to load plugin 'hg'. It requested API version (2, 1, 0) of
module <module 'bzrlib' from
'/storage/parth/src/bzr.dev/no-chown-if-bzrlog-exists/bzrlib/__init__.pyc'>
but the minimum exported version is (2, 2, 0), and the maximum is (2,
2, 0)
Unable to load plugin 'svn'. It requested API version (2, 1, 0) of
module <module 'bzrlib' from
'/storage/parth/src/bzr.dev/no-chown-if-bzrlog-exists/bzrlib/__init__.pyc'>
but the minimum exported version is (2, 2, 0), and the maximum is (2,
2, 0)
Unable to load plugin 'git'. It requested API version (2, 1, 0) of
module <module 'bzrlib' from
'/storage/parth/src/bzr.dev/no-chown-if-bzrlog-exists/bzrlib/__init__.pyc'>
but the minimum exported version is (2, 2, 0), and the maximum is (2,
2, 0)
bzr selftest: /storage/parth/src/bzr.dev/no-chown-if-bzrlog-exists/bzr
  /storage/parth/src/bzr.dev/no-chown-if-bzrlog-exists/bzrlib
  bzr-2.2.0dev1 python-2.6.4
Linux-2.6.31-20-generic-i686-with-Ubuntu-9.10-karmic

---------------------------------------------...

Those all look like they're from my <lp:~gz/bzr/support_OO_flag> branch, and seem to just be a dumb error on my part, I'll handle over there.

It looks like we had one more failure without feedback on pqm here... no mail, no comment in the mp... I'll look into it first thing monday morning unless lifeless (nudge nudge, what ? still not unpacked ? :-P) beats me to it

Haa, submitting by mail revealed a conflict in NEWS, new submission sent.

..which also failed due to test failing (some renaming was still needed for copy copy_ownership_from_path from copy_ownership).

> ..which also failed due to test failing (some renaming was still needed for
> copy copy_ownership_from_path from copy_ownership).

Ouch. This is embarrassing. I don't know how I missed something this obvious. Sorry about that.
I have fixed it and pushed the changes.

>>>>> Parth Malwankar <email address hidden> writes:

    >> ..which also failed due to test failing (some renaming was still needed for
    >> copy copy_ownership_from_path from copy_ownership).

    > Ouch. This is embarrassing.

Nah, don't worry about it. The fact that *pqm* didn't tell me that is
more embarassing...

    > I don't know how I missed something this obvious. Sorry about
    > that. I have fixed it and pushed the changes.

I had already sent the mp to pqm, but thanks all the same ;)