repository: Atomically replace refs/ symlinks

Naming a new version of an image the same as the old version is
pretty standard, and this is currenlty giving EEXIST errors. We
fix this by doing an atomic symlink + rename operation to replace
the symlink.

Signed-off-by: Alexander Larsson <[email protected]>

Author: alexlarsson

crates/composefs/Cargo.toml

@@ -29,6 +29,7 @@ tempfile = { version = "3.8.0", optional = true, default-features = false }
 xxhash-rust = { version = "0.8.2", default-features = false, features = ["xxh32"] }
 zerocopy = { version = "0.8.0", default-features = false, features = ["derive", "std"] }
 zstd = { version = "0.13.0", default-features = false }
+rand = { version = "0.9.1", default-features = true }
 
 [dev-dependencies]
 insta = "1.42.2"

crates/composefs/src/repository.rs

@@ -12,8 +12,8 @@ use anyhow::{bail, ensure, Context, Result};
 use once_cell::sync::OnceCell;
 use rustix::{
     fs::{
-        fdatasync, flock, linkat, mkdirat, open, openat, readlinkat, symlinkat, AtFlags, Dir,
-        FileType, FlockOperation, Mode, OFlags, CWD,
+        fdatasync, flock, linkat, mkdirat, open, openat, readlinkat, AtFlags, Dir, FileType,
+        FlockOperation, Mode, OFlags, CWD,
     },
     io::{Errno, Result as ErrnoResult},
 };
@@ -25,7 +25,7 @@ use crate::{
     },
     mount::mount_composefs_at,
     splitstream::{DigestMap, SplitStreamReader, SplitStreamWriter},
-    util::{proc_self_fd, Sha256Digest},
+    util::{proc_self_fd, replace_symlinkat, Sha256Digest},
 };
 
 /// Call openat() on the named subdirectory of "dirfd", possibly creating it first.
@@ -432,7 +432,9 @@ impl<ObjectID: FsVerityHashValue> Repository<ObjectID> {
             relative.push(target_component);
         }
 
-        symlinkat(relative, &self.repository, name)
+        // Atomically replace existing symlink
+
+        replace_symlinkat(&relative, &self.repository, &name)
     }
 
     pub fn ensure_symlink<P: AsRef<Path>>(&self, name: P, target: &str) -> ErrnoResult<()> {

crates/composefs/src/util.rs

@@ -1,8 +1,14 @@
+use rand::{distr::Alphanumeric, Rng};
 use std::{
     io::{Error, ErrorKind, Read, Result},
-    os::fd::{AsFd, AsRawFd},
+    os::fd::{AsFd, AsRawFd, OwnedFd},
+    path::Path,
 };
 
+use rustix::{
+    fs::{renameat, symlinkat, unlinkat, AtFlags},
+    io::{Errno, Result as ErrnoResult},
+};
 use tokio::io::{AsyncRead, AsyncReadExt};
 
 /// Formats a string like "/proc/self/fd/3" for the given fd.  This can be used to work with kernel
@@ -97,6 +103,43 @@ pub fn parse_sha256(string: impl AsRef<str>) -> Result<Sha256Digest> {
     Ok(value)
 }
 
+pub fn generate_tmpname(prefix: &str) -> String {
+    let rand_string: String = rand::rng()
+        .sample_iter(&Alphanumeric)
+        .take(12)
+        .map(char::from)
+        .collect();
+    format!("{}{}", prefix, rand_string)
+}
+
+pub fn replace_symlinkat(
+    target: impl AsRef<Path>,
+    dirfd: &OwnedFd,
+    name: impl AsRef<Path>,
+) -> ErrnoResult<()> {
+    let name = name.as_ref();
+    let target = target.as_ref();
+
+    for _ in 0..16 {
+        let tmp_name = generate_tmpname(".symlink-");
+        match symlinkat(target, dirfd, &tmp_name) {
+            Ok(_) => match renameat(dirfd, &tmp_name, &dirfd, name) {
+                Ok(_) => return Ok(()),
+                Err(e) => {
+                    let _ = unlinkat(dirfd, tmp_name, AtFlags::empty());
+                    return Err(e);
+                }
+            },
+            Err(Errno::EXIST) => {
+                continue;
+            }
+            Err(other) => Err(other)?,
+        }
+    }
+
+    Err(Errno::EXIST)
+}
+
 #[cfg(test)]
 mod test {
     use similar_asserts::assert_eq;