Re: How is OSTree designed to be safe from power loss damage?



Hi Colin,

On Mon, Jan 9, 2017 at 11:13 AM, Colin Walters <walters verbum org> wrote:
> On Sun, Jan 8, 2017, at 09:40 PM, Leon Woestenberg wrote:
>> I understand how OSTree, at the end of its deploy, does an atomic switch in the "ostree admin" case of deployment of, say, a Linux OS. It assumes the softlink change is atomic on the filesystem (fair enough for me).
> We actually reworked this logic a bit, this commit message should be useful:

Thanks.

>> I am reviewing this from an embedded perspective, where we used the conventional swap A/B image approach.
>>
>> I would like to make OSTree a first class citizen in upstream Yocto/OpenEmbedded; a lot has been done already by Leon Anavi and Anton Gerasimov in meta-updater.
>> (https://github.com/advancedtelematic/meta-updater)
>> However, how does OSTree recover from a situation where power loss occurred during a pull or deployment? I would assume some files are then missing and some files are damaged (or incomplete).
>> The next time the system boots, how does OSTree verify that no files were corrupted by the underlying filesystem, and how does it bring a next pull or deployment into a valid state?

> Basically we use syncfs() to ensure the file contents are flushed to disk before
> doing the symlink swap.
>
> `git log --grep=fsync` in the ostree source shows you both how our
> thinking on this has worked over time, and the diffs provide links to the
> source code.

The question was not so much about the atomic swap, but more about what happens if the system was power-cycled or reset in the middle of pulling objects from a remote, or in the middle of deploying an OS?
In other words, what happens if I reset the device halfway through creating the hardlinks, on the next boot cycle?

Regards,

Leon.
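The mechanism Colin describes above (flush with syncfs(), then a single atomic rename of the symlink), written out as an added C example that is not OSTree's own code. It is Linux-only (syncfs is a Linux system call), and the directory layout (deploy-A, deploy-B, a "current" link), the file contents and the function names are all illustrative assumptions. The demo also touches the second half of Leon's question for this one step: a temporary link left behind by a run that lost power before the rename is simply discarded on the next attempt, because the live link is never modified except by the rename itself.

```c
/* Added example, not OSTree's code: an atomic "current" symlink swap made
 * durable against power loss. Linux only (syncfs). Names and layout are
 * assumptions for illustration. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* fsync() a directory so that renames/links made inside it are on disk. */
static int fsync_dir(const char *dir)
{
    int fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    int r = fsync(fd);
    close(fd);
    return r;
}

/* Durable file write: temp name -> write -> fsync(file) -> rename -> fsync(dir).
 * After a crash the final name either has the complete content or does not exist. */
static int write_file_durable(const char *dir, const char *name, const char *data)
{
    char tmp[PATH_MAX], final[PATH_MAX];
    snprintf(tmp, sizeof tmp, "%s/.%s.tmp", dir, name);
    snprintf(final, sizeof final, "%s/%s", dir, name);
    int fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    size_t len = strlen(data), off = 0;
    while (off < len) {
        ssize_t n = write(fd, data + off, len - off);
        if (n < 0) { if (errno == EINTR) continue; close(fd); return -1; }
        off += (size_t)n;
    }
    int synced = fsync(fd) == 0;
    close(fd);
    if (!synced || rename(tmp, final) < 0) return -1;
    return fsync_dir(dir);
}

/* Repoint dir/linkname at target. Order matters:
 *  1. create the new link under a temporary name (a leftover from an
 *     interrupted earlier attempt is discarded first),
 *  2. syncfs() so every dirty block on this filesystem, including the new
 *     deployment's files, is on disk before anything points at them,
 *  3. rename() the temp link over the live one: one atomic step, so a reader
 *     sees either the old target or the new one, never a missing link,
 *  4. fsync() the directory so the rename itself survives power loss. */
static int swap_symlink_atomic(const char *dir, const char *linkname, const char *target)
{
    char tmp[PATH_MAX], live[PATH_MAX];
    snprintf(tmp, sizeof tmp, "%s/%s.tmp", dir, linkname);
    snprintf(live, sizeof live, "%s/%s", dir, linkname);

    if (unlink(tmp) < 0 && errno != ENOENT) return -1;
    if (symlink(target, tmp) < 0) return -1;

    int dfd = open(dir, O_RDONLY | O_DIRECTORY);   /* any fd on the filesystem works */
    if (dfd < 0) return -1;
    int r = syncfs(dfd);
    close(dfd);
    if (r < 0) return -1;

    if (rename(tmp, live) < 0) return -1;
    return fsync_dir(dir);
}

/* Read back where dir/linkname points; 0 on success. */
static int read_current(const char *dir, const char *linkname, char *out, size_t outlen)
{
    char live[PATH_MAX];
    snprintf(live, sizeof live, "%s/%s", dir, linkname);
    ssize_t n = readlink(live, out, outlen - 1);
    if (n < 0) return -1;
    out[n] = '\0';
    return 0;
}

/* Demo in a fresh temp directory: deploy A and switch to it, deploy B, plant a
 * stale current.tmp as if an earlier switch lost power before its rename, then
 * switch to B. Returns 1 if "current" -> deploy-B and the stale link is gone. */
static int demo_swap(void)
{
    char base[] = "/tmp/swapdemo.XXXXXX";
    if (!mkdtemp(base)) return 0;
    char a[PATH_MAX], b[PATH_MAX], stale[PATH_MAX], got[PATH_MAX];
    snprintf(a, sizeof a, "%s/deploy-A", base);
    snprintf(b, sizeof b, "%s/deploy-B", base);
    if (mkdir(a, 0755) < 0 || mkdir(b, 0755) < 0) return 0;
    if (write_file_durable(a, "os-release", "VERSION=A\n") < 0) return 0;   /* constructed content */
    if (swap_symlink_atomic(base, "current", "deploy-A") < 0) return 0;
    if (write_file_durable(b, "os-release", "VERSION=B\n") < 0) return 0;

    snprintf(stale, sizeof stale, "%s/current.tmp", base);
    if (symlink("deploy-half-written", stale) < 0) return 0;   /* simulated interrupted run */

    if (swap_symlink_atomic(base, "current", "deploy-B") < 0) return 0;
    if (read_current(base, "current", got, sizeof got) < 0) return 0;
    return strcmp(got, "deploy-B") == 0 && access(stale, F_OK) != 0;
}

int main(void)
{
    printf("%s\n", demo_swap() ? "current -> deploy-B" : "FAILED");
    return 0;
}
```

The two fsync() calls on the directory are the part most often forgotten: without them the rename can be reordered past the power cut even though the file data was flushed. syncfs() is coarser than fsync() on each object, which is the trade Colin's message alludes to: one call per deployment instead of one per hardlinked file.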

