Metrics missing
Metrics missing
Posted Jun 5, 2024 14:12 UTC (Wed) by farnz (subscriber, #17727)In reply to: Metrics missing by koh
Parent article: Debian's /tmpest in a teapot
The big use case for /tmp that's always been OK is "write out a small file that another program will immediately take in as input". If the dirent gets deleted not long after creation, that's A-OK, because the reader has already opened it and has a lock on the inode as a result (the file contents are therefore safe until the file is closed).
Basically for the case where you can't pipe output to the input of the other program, because it needs to seek or otherwise do file-like things on it, not pipe-like things.
Posted Jun 5, 2024 14:48 UTC (Wed)
by koh (subscriber, #101482)
[Link] (8 responses)
I suppose I should be glad that we finally have the following sequence atomic and uninterruptible:
1. spawn child process
All this time I was under the impression that it's not, but now appearently we can be sure that noone presses ctrl-z or puts the computer to sleep while compiling something...
Posted Jun 5, 2024 15:29 UTC (Wed)
by farnz (subscriber, #17727)
[Link] (7 responses)
We don't have that sequence; but you need some form of error handling for that case, anyway, since it's possible that you write out the file to a drive that physically fails between write and read - and there's never been a guarantee that the failure of the drive that contains /tmp will take down the system as a whole.
Posted Jun 5, 2024 15:37 UTC (Wed)
by mb (subscriber, #50428)
[Link] (6 responses)
Drive failure: The error reaction is: Throw an error and notify the user. Change the driver and the next run will succeed.
A "cleanup" daemon deleted my files: A sane error handling strategy does not exist. Next time the "cleanup" will delete my files again. The "cleanup" is the root cause of failure.
Posted Jun 5, 2024 16:48 UTC (Wed)
by farnz (subscriber, #17727)
[Link] (5 responses)
In the case where the user paused your program for multiple days, then got surprised, it's "re-run without stopping at a critical moment, and the next run will succeed". The cleanup won't delete your files again unless you have that long pause, which in the case I was responding to was introduced with Ctrl-Z or system suspend.
The underlying issue is the expectation that data in a temporary location is safe for an arbitrary amount of time; I could have replaced "Ctrl-Z" and wait with "Ctrl-Z, then rm -fr /tmp/*" for the same effect. You should already be handling "the system-wide shared temporary location might get erased while in use", because there's already lots of ways in which it could get erased behind your back; making it a tmpfs, or adding a clean-up daemon, is just one more way on the existing list of ways you could lose data in /tmp.
Posted Jun 5, 2024 21:00 UTC (Wed)
by koh (subscriber, #101482)
[Link] (4 responses)
The FHS-3.0 section 3.18 just says this about /tmp:
There is no wording indicating that processes can't rely, during their execution, on the integrity of the files they themselves have written (modulo system bugs and hardware errors, as usual). That indeed would be contradictory to the file system's only stated purpose: storing temporary files *required* by programs.
If my understanding is correct, periodic "cleaning" reduces reliability on purpose. tmpfs is fine, though, as long as resuming a suspend-to-disk doesn't touch it.
Posted Jun 5, 2024 21:14 UTC (Wed)
by bluca (subscriber, #118303)
[Link] (3 responses)
But for precious, precious data a state directory in /var/lib needs to be used instead. Using /tmp means tacit acknowledgement that "yes this might go away at any time, and it's fine, I'll just detect it and recreate it if needed". And that's not even getting into the issue of the various filename hijacking vulneratbilities, that are non-obvious to handle if one isn't aware of them.
Posted Jun 5, 2024 23:18 UTC (Wed)
by koh (subscriber, #101482)
[Link] (2 responses)
Citation needed.
> Using /tmp means tacit acknowledgement that "yes this might go away at any time, and it's fine, I'll just detect it and recreate it if needed".
A fractal of bad design: how can you "detect it" in particular when (rightly so) the advice has always been to use mkstemp(3) or similar?
Posted Jun 6, 2024 0:25 UTC (Thu)
by pizza (subscriber, #46)
[Link] (1 responses)
For Linux: Linux FHS 2.2, section 3.15 and 3.18, and before that, section 3.11 of the FSSTND, dating all the way back to Feburary 1994 [1], which was largely derived from standard Unix conventions.
Meanwhile, for Unix I can't be bothered to look it up, but every Unix system I had access to in the mid-late 90s [2] had an aggressively-reaped /tmp. Solaris and other Unix support forums show similar answers to [1].
[1] http://www.ibiblio.org/pub/Linux/docs/fsstnd/old/fsstnd-1.0/
Posted Jun 6, 2024 6:38 UTC (Thu)
by koh (subscriber, #101482)
[Link]
Thanks, I see.
Nitpick: Unlike [1], the FHS 2.2 and current 3.0 do no longer mention that dentrys in /tmp are unreliable by default. In fact, they state that programs may *require* temporary files stored therein. Appearently reliably only for WORN usage, since "detection" is racey with periodic cleanups.
Metrics missing
2. wait until child is initialized and starts running
3. wait until child decides to open *the right file*
Uses for /tmp
Uses for /tmp
Uses for /tmp
Uses for /tmp
> The /tmp directory must be made available for programs that require temporary files.
> Programs must not assume that any files or directories in /tmp are preserved between invocations of the program.
Uses for /tmp
Uses for /tmp
Uses for /tmp
> Citation needed.
[2] Solaris, SunOS, and HP-UX.
Uses for /tmp