Don't delete container bundles when loading fails; write bundle files atomically#1859
Open
radheradhe01 wants to merge 1 commit into
Open
Don't delete container bundles when loading fails; write bundle files atomically#1859radheradhe01 wants to merge 1 commit into
radheradhe01 wants to merge 1 commit into
Conversation
… atomically ### Problem `ContainersService.loadAtBoot` wraps each container load in a `do/catch`, and the `catch` runs `try? FileManager.default.removeItem(at: dir)` — deleting the entire on-disk bundle on **any** error. Some of those errors are transient and unrelated to bundle integrity. For example, a runtime plugin that is not yet registered throws `internalError`, which then destroys the user's container directory. A contributing root cause: `Bundle.write` persists JSON with a plain `data.write(to:)` (non-atomic). A crash or power loss mid-write can leave a truncated file that fails to decode on the next boot — which then triggers the deletion path above, turning a recoverable torn write into permanent data loss. ### Fix - `Bundle.write`: write with `.atomic`, so an interrupted write cannot leave a corrupt file behind. - `loadAtBoot`: stop deleting the bundle on load errors. Log and leave the bundle on disk so a transient failure (e.g. a plugin that registers later) does not cause data loss. ### Notes No behavior change on the success path.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
ContainersService.loadAtBootwraps each container load in ado/catch, and thecatchrunstry? FileManager.default.removeItem(at: dir)— deleting the entire on-disk bundle on any error. Some of those errors are transient and unrelated to bundle integrity. For example, a runtime plugin that is not yet registered throwsinternalError, which then destroys the user's container directory.A contributing root cause:
Bundle.writepersists JSON with a plaindata.write(to:)(non-atomic). A crash or power loss mid-write can leave a truncated file that fails to decode on the next boot — which then triggers the deletion path above, turning a recoverable torn write into permanent data loss.Fix
Bundle.write: write with.atomic, so an interrupted write cannot leave a corrupt file behind.loadAtBoot: stop deleting the bundle on load errors. Log and leave the bundle on disk so a transient failure (e.g. a plugin that registers later) does not cause data loss.Notes
No behavior change on the success path.