Switching to draft; this will need to be conditioned off for Windows.

Truly impeccable timing from myself 🤣. Whenever this is un-drafted I'll take a peek again

@dcantah Comments are appreciated and useful too 😄

Believe atomicity can be achieved on windows with a little wrapper around MoveFileEx (in place of os.Rename). You need the MOVEFILE_REPLACE_EXISTING|MOVEFILE_WRITE_THROUGH flags, which unfortunately os.Rename only provides the first of the two.

MOVEFILE_REPLACE_EXISTING|MOVEFILE_WRITE_THROUGH I don't see a mention of atomicity on the MoveFileEx documentation page, but maybe I'm not sure what I'm looking for. MOVEFILE_WRITE_THROUGH seems to mention a "copy and delete operation" which sounds like it's two separate operations?

Mmm, my university wisdom might be misguided now (or perhaps always was LOL). This was a pretty common tactic in many "write files atomically" libraries, and even stdlibs:

1. https://github.com/untitaker/python-atomicwrites/blob/master/atomicwrites/__init__.py#L70-L79
2. https://github.com/untitaker/rust-atomicwrites/blob/master/src/lib.rs#L303-L313
3. https://github.com/natefinch/atomic/blob/master/file_windows.go#L29
4. https://bugs.python.org/msg146307

This area seems completely fraught with peril though. There's no clear picture or guarantee on docs of atomicity, and everyone seems to just almost pray that their use of MoveFile or MoveFileTransacted (deprecated now) works. A fun read: https://www.postgresql.org/message-id/CAPpHfds9trA6ipezK3BsuuOSQwEmESiqj8pkOxACFJpoLpcoNw%40mail.gmail.com.

A recommended approach as recent as 2021 on an article from msft recommends ReplaceFile now for files with "document-like" data. ReplaceFile at least has the advantage that it preserves the following as well:

• Creation time
• Short file name
• Object identifier
• DACLs
• Security resource attributes
• Encryption
• Compression
• Named streams not already in the replacement file

This is much deeper than my drive-by comment at 1 AM led on 🤣

@kevpar Curious if anyone from the FS teams could give a blessing on some approach for atomic writes on Windows

I've refactored this a bit to encapsulate the rename-file logic out into its own package and keep the CRI code a bit cleaner.

Mmm, my university wisdom might be misguided now (or perhaps always was LOL).

My curriculum didn't cover Windows, so this is all a bit unfamiliar to me 🤣

@dcantah, I didn't attempt to write a Windows codepath yet. Do you think we should:

1. Use MoveFileEx with MOVEFILE_REPLACE_EXISTING|MOVEFILE_WRITE_THROUGH
2. Use RenameFile (not sure with which flags)
3. Punt for now and leave Windows as-is (we're at least not making it worse while we do end up improving Linux)

I'd be fine with punting given we have an easy win on unix, but I'm curious if Kevin has any insights. At the very least lets add a TODO to consistentfile's Windows impl to find the right approach

At the very least lets add a TODO to consistentfile's Windows impl to find the right approach

Done

MoveFileEx with MOVEFILE_REPLACE_EXISTING|MOVEFILE_WRITE_THROUGH is not guaranteed to be atomic on Windows. In particular, it has to first delete the existing file, which means the file contents on disk have to be deallocated (per my understanding). So for instance, if the machine crashes in the middle of this operation, you can have a partially-deallocated file.

The filesystem doesn't provide any way to guarantee atomicity for this kind of thing. I think the best you can do is something like MoveFileEx or ReplaceFile.

The filesystem doesn't provide any way to guarantee atomicity for this kind of thing. I think the best you can do is something like MoveFileEx or ReplaceFile.

@kevpar Is there documentation somewhere (or do you have guidance you can share) covering the tradeoffs/recommendation to choose for this use-case?

maybe we can align with https://github.com/containerd/continuity/blob/25762ef7c27a37645197ed6d1d708e55a230e35d/ioutils.go#L28 ?

maybe we can align with https://github.com/containerd/continuity/blob/25762ef7c27a37645197ed6d1d708e55a230e35d/ioutils.go#L28 ?

I hadn't seen that one either, but I was trying to avoid an interface with data []byte. The io.ReadWriteCloser model here allows something like template.Execute to still work (since it accepts an io.Writer) without needing an additional in-memory buffer. template.ParseFiles does already read the whole thing into a buffer, but other use-cases with large files might not, and the consistentfile/atomicfile package allows that pattern to work. (Reading a large user-supplied file into memory could cause containerd to OOM.)

but other use-cases with large files might not, and the consistentfile/atomicfile package allows that pattern to work. (Reading a large user-supplied file into memory could cause containerd to OOM.)

Thanks for the comment. SGTM.

As part of replacing WritePidFile and WriteAddress I ported their (somewhat) platform-independent behavior to atomicfile. atomicfile now does the same rename workflow on Windows and reorders the underlying file close ahead of the rename to avoid the restriction that Windows has on renaming open files. If there's consensus on either MoveFileEx or RenameFile instead of Go's os.Rename (which does call MoveFileEx but not with the same flags), I'm happy to switch to that.