I've changed this to a mutex based implementation instead of atomic operations as requested. Functional wise it works just like before, but I don't know if this will slow down the requests to a point where it will be noticeable. So, please have a look!

I've changed the implementation to use Application::GetLastReloadFailed() as suggested by @julianbrost, and works exactly as the previous version of this PR. So, please have a look at the new implementation. I think, this is just a trivial change now.

Sorry, I had to fix some segfault crashes 🙈 !

I've just pushed a new commit that fixes the referenced issue in the PR description, and makes use of the AtomicFile for some of the important files. So, please have a look at it and let me know if you have any questions or concerns. Thanks!

Additionally, this PR uses AtomicFile to write some of the important files in ConfigPackageUtility, such as the active.conf file.

This additional commit abf08d0 fixes the following strange looking error from a customer.

[2025-06-29 18:02:18 +0200] critical/config: Error: Include file '../active.conf' does not exist
Location: in /var/lib/icinga2/api/packages/director/df4d559a-1f5f-4a58-8aab-ebb6b745f640/include.conf: 1:0-1:23
[2025-06-29 18:02:18 +0200] critical/cli: Config validation failed. Re-run with 'icinga2 daemon -C' after fixing the config.
[2025-06-29 18:02:18 +0200] critical/Application: Found error in config: reloading aborted

I don't yet understand how this is supposed to fix this. ../active.conf relative to that file is /var/lib/icinga2/api/packages/director/active.conf, so that's a file that's outside of the config stage, i.e. deleting the stage shouldn't make this file disappear.

I don't yet understand how this is supposed to fix this. ../active.conf relative to that file is /var/lib/icinga2/api/packages/director/active.conf, so that's a file that's outside of the config stage, i.e. deleting the stage shouldn't make this file disappear.

No it doesn't make active.conf file disappear but a config package (note: a package not a stage) has a include.conf file that looks like this:

$ cat /var/lib/icinga2/api/packages/example-cmd/include.conf
include "*/include.conf"

...originated from this code part:

Now, what does this include file do? It includes the include.conf file of each and every stage directory relative to that package regardless whether it's currently active or not. And the include.conf file of a config stage looks roughly like this (roughly because the stage name can vary depending on the currently active stage):

$ cat /var/lib/icinga2/api/packages/example-cmd/dc8d5503-71a4-4498-9c8b-637e99bd06c1/include.conf
include "../active.conf"
if (ActiveStages["example-cmdb"] == "dc8d5503-71a4-4498-9c8b-637e99bd06c1") {
  include_recursive "conf.d"
  include_zones "example-cmdb", "zones.d"
}

This is originated from this code part:

So, the package's include.conf file includes the include.conf file of all stages and the include.conf file of the individual config stage on the other hand includes the active.conf file of their package. Now, when reloading the Icinga 2 daemon, it will actually evaluate all the include files of the config stages even if the stage is not active. So, when a config stage gets deleted right after the new Icinga 2 daemon has read the config files, i.e., the parser constructed an IncludeExpression for the ../active.conf file to search relative to the deleted stage, it won't be able to find it anymore, since that include file along with its parent directory has been removed. The commit fixes this by preventing stage deletions while the Icinga 2 daemon is reloading just like the other handlers.

So, when a config stage gets deleted right after the new Icinga 2 daemon has read the config files, i.e., the parser constructed an IncludeExpression for the ../active.conf file to search relative to the deleted stage, it won't be able to find it anymore, since that include file along with its parent directory has been removed.

So it's there but it doesn't find it? Why? (I've overheard you having a discussion about normalizing relative file paths earlier, I believe that's probably relevant here, but I didn't follow and the details are missing here.)

So it's there but it doesn't find it? Why?

It's obviously not there like I said in my previous comment. The include expression contains the deleted config stage as a relative base and the ../active.conf as include path and when the config stage gets deleted after that, this include evaluation can't do nothing about it but fail.

I've overheard you having a discussion about normalizing relative file paths earlier, I believe that's probably relevant here, but I didn't follow and the details are missing here.

Nothing that would resolve this, so it shouldn't be relevant for this PR and I don't see how normalizing relative paths earlier would resolve this specific case.

Is there any point where /var/lib/icinga2/api/packages/director/active.conf doesn't exist?

Or is the following race condition happening here?

1. Reload is started, /var/lib/icinga2/api/packages/director/df4d559a-1f5f-4a58-8aab-ebb6b745f640/include.conf is read.
2. Config stage df4d559a-1f5f-4a58-8aab-ebb6b745f640 is deleted using the API, thereby the whole directory /var/lib/icinga2/api/packages/director/df4d559a-1f5f-4a58-8aab-ebb6b745f640/ is deleted.
3. Now the the include.conf from the first step is actually evaluated, resulting in the include "../active.conf" being mapped to the path /var/lib/icinga2/api/packages/director/df4d559a-1f5f-4a58-8aab-ebb6b745f640/../active.conf. Accessing this fails because an intermediate directory no longer exists.

Nothing that would resolve this, so it shouldn't be relevant for this PR and I don't see how normalizing relative paths earlier would resolve this specific case.

If /var/lib/icinga2/api/packages/director/df4d559a-1f5f-4a58-8aab-ebb6b745f640/../active.conf was normalized to /var/lib/icinga2/api/packages/director/active.conf, that symptom wouldn't appear, compare ls /doesnotexist/.. and ls $(realpath -m /doesnotexist/..). (I'm not saying that we should change this, it's just important for understanding what's happening here.)

Please change 73f3fdb so that the Co-Authored-By isn't in the middle of the commit message but at the end as it's supposed to be a trailer¹. Also, it's more common that you still set the commit author to yourself and add the other person as the co-author (typically, you should not have to manually set the author of a commit to a different person).

Also, it's more common that you still set the commit author to yourself and add the other person as the co-author (typically, you should not have to manually set the author of a commit to a different person).

I agree with that¹, lest I get innocently git-blamed for it at some future date. 😆 (not that there's anything wrong with the commit, just joking)