Move from os filesystem operations to internal/filesystem

Signed-off-by: apostasie <[email protected]>

Author: apostasie

pkg/buildkitutil/buildkitutil_test.go

@@ -29,6 +29,8 @@ import (
 	"testing"
 
 	"gotest.tools/v3/assert"
+
+	"github.com/containerd/nerdctl/v2/pkg/internal/filesystem"
 )
 
 func TestBuildKitFile(t *testing.T) {
@@ -55,7 +57,7 @@ func TestBuildKitFile(t *testing.T) {
 		{
 			name: "only Dockerfile is present",
 			prepare: func(t *testing.T) error {
-				return os.WriteFile(filepath.Join(tmp, DefaultDockerfileName), []byte{}, 0644)
+				return filesystem.WriteFile(filepath.Join(tmp, DefaultDockerfileName), []byte{}, 0644)
 			},
 			args:       args{".", ""},
 			wantAbsDir: tmp,
@@ -65,7 +67,7 @@ func TestBuildKitFile(t *testing.T) {
 		{
 			name: "only Containerfile is present",
 			prepare: func(t *testing.T) error {
-				return os.WriteFile(filepath.Join(tmp, "Containerfile"), []byte{}, 0644)
+				return filesystem.WriteFile(filepath.Join(tmp, "Containerfile"), []byte{}, 0644)
 			},
 			args:       args{".", ""},
 			wantAbsDir: tmp,
@@ -75,11 +77,11 @@ func TestBuildKitFile(t *testing.T) {
 		{
 			name: "both Dockerfile and Containerfile are present",
 			prepare: func(t *testing.T) error {
-				var err = os.WriteFile(filepath.Join(tmp, "Dockerfile"), []byte{}, 0644)
+				var err = filesystem.WriteFile(filepath.Join(tmp, "Dockerfile"), []byte{}, 0644)
 				if err != nil {
 					return err
 				}
-				return os.WriteFile(filepath.Join(tmp, "Containerfile"), []byte{}, 0644)
+				return filesystem.WriteFile(filepath.Join(tmp, "Containerfile"), []byte{}, 0644)
 			},
 			args:       args{".", ""},
 			wantAbsDir: tmp,
@@ -89,11 +91,11 @@ func TestBuildKitFile(t *testing.T) {
 		{
 			name: "Dockerfile and Containerfile have different contents",
 			prepare: func(t *testing.T) error {
-				var err = os.WriteFile(filepath.Join(tmp, "Dockerfile"), []byte{'d'}, 0644)
+				var err = filesystem.WriteFile(filepath.Join(tmp, "Dockerfile"), []byte{'d'}, 0644)
 				if err != nil {
 					return err
 				}
-				return os.WriteFile(filepath.Join(tmp, "Containerfile"), []byte{'c'}, 0644)
+				return filesystem.WriteFile(filepath.Join(tmp, "Containerfile"), []byte{'c'}, 0644)
 			},
 			args:       args{".", ""},
 			wantAbsDir: tmp,
@@ -103,7 +105,7 @@ func TestBuildKitFile(t *testing.T) {
 		{
 			name: "Custom file is specfied",
 			prepare: func(t *testing.T) error {
-				return os.WriteFile(filepath.Join(tmp, "CustomFile"), []byte{}, 0644)
+				return filesystem.WriteFile(filepath.Join(tmp, "CustomFile"), []byte{}, 0644)
 			},
 			args:       args{".", "CustomFile"},
 			wantAbsDir: tmp,
@@ -113,7 +115,7 @@ func TestBuildKitFile(t *testing.T) {
 		{
 			name: "Absolute path is specified along with custom file",
 			prepare: func(t *testing.T) error {
-				return os.WriteFile(filepath.Join(tmp, "CustomFile"), []byte{}, 0644)
+				return filesystem.WriteFile(filepath.Join(tmp, "CustomFile"), []byte{}, 0644)
 			},
 			args:       args{tmp, "CustomFile"},
 			wantAbsDir: tmp,
@@ -123,7 +125,7 @@ func TestBuildKitFile(t *testing.T) {
 		{
 			name: "Absolute path is specified along with Docker file",
 			prepare: func(t *testing.T) error {
-				return os.WriteFile(filepath.Join(tmp, "Dockerfile"), []byte{}, 0644)
+				return filesystem.WriteFile(filepath.Join(tmp, "Dockerfile"), []byte{}, 0644)
 			},
 			args:       args{tmp, "."},
 			wantAbsDir: tmp,
@@ -133,7 +135,7 @@ func TestBuildKitFile(t *testing.T) {
 		{
 			name: "Absolute path is specified with Container file in the path",
 			prepare: func(t *testing.T) error {
-				return os.WriteFile(filepath.Join(tmp, ContainerfileName), []byte{}, 0644)
+				return filesystem.WriteFile(filepath.Join(tmp, ContainerfileName), []byte{}, 0644)
 			},
 			args:       args{tmp, "."},
 			wantAbsDir: tmp,

pkg/cmd/builder/build.go

@@ -41,6 +41,7 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/buildkitutil"
 	"github.com/containerd/nerdctl/v2/pkg/clientutil"
 	"github.com/containerd/nerdctl/v2/pkg/containerutil"
+	"github.com/containerd/nerdctl/v2/pkg/internal/filesystem"
 	"github.com/containerd/nerdctl/v2/pkg/platformutil"
 	"github.com/containerd/nerdctl/v2/pkg/referenceutil"
 	"github.com/containerd/nerdctl/v2/pkg/strutil"
@@ -110,7 +111,7 @@ func Build(ctx context.Context, client *containerd.Client, options types.Builder
 		if err != nil {
 			return err
 		}
-		if err := os.WriteFile(options.IidFile, []byte(id), 0644); err != nil {
+		if err := filesystem.WriteFile(options.IidFile, []byte(id), 0644); err != nil {
 			return err
 		}
 	}

pkg/cmd/compose/compose.go

@@ -34,6 +34,7 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/composer"
 	"github.com/containerd/nerdctl/v2/pkg/composer/serviceparser"
 	"github.com/containerd/nerdctl/v2/pkg/imgutil"
+	"github.com/containerd/nerdctl/v2/pkg/internal/filesystem"
 	"github.com/containerd/nerdctl/v2/pkg/ipfs"
 	"github.com/containerd/nerdctl/v2/pkg/netutil"
 	"github.com/containerd/nerdctl/v2/pkg/referenceutil"
@@ -136,7 +137,7 @@ func New(client *containerd.Client, globalOptions types.GlobalCommandOptions, op
 					return err
 				}
 				defer os.RemoveAll(dir)
-				if err := os.WriteFile(filepath.Join(dir, "api"), []byte(ipfsAddress), 0600); err != nil {
+				if err := filesystem.WriteFile(filepath.Join(dir, "api"), []byte(ipfsAddress), 0600); err != nil {
 					return err
 				}
 				ipfsPath = dir

pkg/cmd/container/create.go

@@ -51,6 +51,7 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/imgutil"
 	"github.com/containerd/nerdctl/v2/pkg/imgutil/load"
 	"github.com/containerd/nerdctl/v2/pkg/inspecttypes/dockercompat"
+	"github.com/containerd/nerdctl/v2/pkg/internal/filesystem"
 	"github.com/containerd/nerdctl/v2/pkg/ipcutil"
 	"github.com/containerd/nerdctl/v2/pkg/labels"
 	"github.com/containerd/nerdctl/v2/pkg/logging"
@@ -951,7 +952,7 @@ func generateLogConfig(dataStore string, id string, logDriver string, logOpt []s
 		}
 
 		logConfigFilePath := logging.LogConfigFilePath(dataStore, ns, id)
-		if err = os.WriteFile(logConfigFilePath, logConfigB, 0600); err != nil {
+		if err = filesystem.WriteFile(logConfigFilePath, logConfigB, 0600); err != nil {
 			return logConfig, err
 		}
 

pkg/cmd/image/pull.go

@@ -26,6 +26,7 @@ import (
 
 	"github.com/containerd/nerdctl/v2/pkg/api/types"
 	"github.com/containerd/nerdctl/v2/pkg/imgutil"
+	"github.com/containerd/nerdctl/v2/pkg/internal/filesystem"
 	"github.com/containerd/nerdctl/v2/pkg/ipfs"
 	"github.com/containerd/nerdctl/v2/pkg/referenceutil"
 	"github.com/containerd/nerdctl/v2/pkg/signutil"
@@ -62,7 +63,7 @@ func EnsureImage(ctx context.Context, client *containerd.Client, rawRef string,
 				return nil, err
 			}
 			defer os.RemoveAll(dir)
-			if err := os.WriteFile(filepath.Join(dir, "api"), []byte(options.IPFSAddress), 0600); err != nil {
+			if err := filesystem.WriteFile(filepath.Join(dir, "api"), []byte(options.IPFSAddress), 0600); err != nil {
 				return nil, err
 			}
 			ipfsPath = dir

pkg/cmd/image/push.go

@@ -46,6 +46,7 @@ import (
 	nerdconverter "github.com/containerd/nerdctl/v2/pkg/imgutil/converter"
 	"github.com/containerd/nerdctl/v2/pkg/imgutil/dockerconfigresolver"
 	"github.com/containerd/nerdctl/v2/pkg/imgutil/push"
+	"github.com/containerd/nerdctl/v2/pkg/internal/filesystem"
 	"github.com/containerd/nerdctl/v2/pkg/ipfs"
 	"github.com/containerd/nerdctl/v2/pkg/platformutil"
 	"github.com/containerd/nerdctl/v2/pkg/referenceutil"
@@ -85,7 +86,7 @@ func Push(ctx context.Context, client *containerd.Client, rawRef string, options
 				return err
 			}
 			defer os.RemoveAll(dir)
-			if err := os.WriteFile(filepath.Join(dir, "api"), []byte(options.IpfsAddress), 0600); err != nil {
+			if err := filesystem.WriteFile(filepath.Join(dir, "api"), []byte(options.IpfsAddress), 0600); err != nil {
 				return err
 			}
 			ipfsPath = dir

pkg/cmd/ipfs/registry_serve.go

@@ -24,6 +24,7 @@ import (
 	"github.com/containerd/log"
 
 	"github.com/containerd/nerdctl/v2/pkg/api/types"
+	"github.com/containerd/nerdctl/v2/pkg/internal/filesystem"
 	"github.com/containerd/nerdctl/v2/pkg/ipfs"
 )
 
@@ -35,7 +36,7 @@ func RegistryServe(options types.IPFSRegistryServeOptions) error {
 			return err
 		}
 		defer os.RemoveAll(dir)
-		if err := os.WriteFile(filepath.Join(dir, "api"), []byte(options.IPFSAddress), 0600); err != nil {
+		if err := filesystem.WriteFile(filepath.Join(dir, "api"), []byte(options.IPFSAddress), 0600); err != nil {
 			return err
 		}
 		ipfsPath = dir

pkg/composer/serviceparser/serviceparser_test.go

@@ -18,7 +18,6 @@ package serviceparser
 
 import (
 	"fmt"
-	"os"
 	"path/filepath"
 	"runtime"
 	"strconv"
@@ -27,6 +26,7 @@ import (
 	"github.com/compose-spec/compose-go/v2/types"
 	"gotest.tools/v3/assert"
 
+	"github.com/containerd/nerdctl/v2/pkg/internal/filesystem"
 	"github.com/containerd/nerdctl/v2/pkg/strutil"
 	"github.com/containerd/nerdctl/v2/pkg/testutil"
 )
@@ -521,7 +521,7 @@ configs:
 	assert.NilError(t, err)
 
 	for _, f := range []string{"secret1", "secret2", "secret3", "config1", "config2"} {
-		err = os.WriteFile(filepath.Join(project.WorkingDir, f), []byte("content-"+f), 0444)
+		err = filesystem.WriteFile(filepath.Join(project.WorkingDir, f), []byte("content-"+f), 0444)
 		assert.NilError(t, err)
 	}
 

pkg/containerutil/container_network_manager.go

@@ -39,6 +39,7 @@ import (
 	"github.com/containerd/nerdctl/v2/pkg/clientutil"
 	"github.com/containerd/nerdctl/v2/pkg/dnsutil/hostsstore"
 	"github.com/containerd/nerdctl/v2/pkg/idutil/containerwalker"
+	"github.com/containerd/nerdctl/v2/pkg/internal/filesystem"
 	"github.com/containerd/nerdctl/v2/pkg/labels"
 	"github.com/containerd/nerdctl/v2/pkg/mountutil"
 	"github.com/containerd/nerdctl/v2/pkg/netutil"
@@ -829,7 +830,7 @@ func writeEtcHostnameForContainer(globalOptions types.GlobalCommandOptions, host
 	}
 
 	hostnamePath := filepath.Join(stateDir, "hostname")
-	if err := os.WriteFile(hostnamePath, []byte(hostname+"\n"), 0644); err != nil {
+	if err := filesystem.WriteFile(hostnamePath, []byte(hostname+"\n"), 0644); err != nil {
 		return nil, err
 	}
 

pkg/dnsutil/hostsstore/hostsstore.go

@@ -40,6 +40,7 @@ import (
 	"github.com/containerd/errdefs"
 	"github.com/containerd/log"
 
+	"github.com/containerd/nerdctl/v2/pkg/internal/filesystem"
 	"github.com/containerd/nerdctl/v2/pkg/store"
 )
 
@@ -116,11 +117,11 @@ func (x *hostsStore) Acquire(meta Meta) (err error) {
 		// Because of the way we call network manager ContainerNetworkingOpts then SetupNetworking in sequence
 		// we need to make sure we do not overwrite an already allocated hosts file.
 		if _, err = os.Stat(loc); os.IsNotExist(err) {
-			if err = os.WriteFile(loc, []byte{}, 0o644); err != nil {
+			if err = filesystem.WriteFile(loc, []byte{}, 0o644); err != nil {
 				return errors.Join(store.ErrSystemFailure, err)
 			}
 
-			// os.WriteFile relies on syscall.Open. Unless there are ACLs, the effective mode of the file will be matched
+			// WriteFile relies on syscall.Open. Unless there are ACLs, the effective mode of the file will be matched
 			// against the current process umask.
 			// See https://www.man7.org/linux/man-pages/man2/open.2.html for details.
 			// Since we must make sure that these files are world readable, explicitly chmod them here.
@@ -185,12 +186,12 @@ func (x *hostsStore) AllocHostsFile(id string, content []byte) (location string,
 			return err
 		}
 
-		err = os.WriteFile(loc, content, 0o644)
+		err = filesystem.WriteFile(loc, content, 0o644)
 		if err != nil {
 			err = errors.Join(store.ErrSystemFailure, err)
 		}
 
-		// os.WriteFile relies on syscall.Open. Unless there are ACLs, the effective mode of the file will be matched
+		// WriteFile relies on syscall.Open. Unless there are ACLs, the effective mode of the file will be matched
 		// against the current process umask.
 		// See https://www.man7.org/linux/man-pages/man2/open.2.html for details.
 		// Since we must make sure that these files are world readable, explicitly chmod them here.
@@ -351,6 +352,13 @@ func (x *hostsStore) updateAllHosts() (err error) {
 			return err
 		}
 
+		// Because the file is mounted, we cannot do atomic writes here as that would change inode.
+		// The practical implications of this are that a partial / interrupted write would leave the hosts file with
+		// an invalid entry and/or missing entries. At worse, this would lead to a container losing localhost network
+		// capabilities.
+		// Proper consistency requires that we would have a rollback mechanism in case of recoverable failure,
+		// and a disaster management / cleanup mechanism, presumably at the top-level of the operation.
+		// nolint:forbidigo
 		err = os.WriteFile(loc, buf.Bytes(), 0o644)
 		if err != nil {
 			log.L.WithError(err).Errorf("failed to write hosts file for %q", entry)