1
# Copyright (C) 2006, 2007 Canonical Ltd
3
# This program is free software; you can redistribute it and/or modify
4
# it under the terms of the GNU General Public License as published by
5
# the Free Software Foundation; either version 2 of the License, or
6
# (at your option) any later version.
8
# This program is distributed in the hope that it will be useful,
9
# but WITHOUT ANY WARRANTY; without even the implied warranty of
10
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11
# GNU General Public License for more details.
13
# You should have received a copy of the GNU General Public License
14
# along with this program; if not, write to the Free Software
15
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17
"""On-disk mutex protecting a resource
19
bzr on-disk objects are locked by the existence of a directory with a
20
particular name within the control directory. We use this rather than OS
21
internal locks (such as flock etc) because they can be seen across all
22
transports, including http.
24
Objects can be read if there is only physical read access; therefore
25
readers can never be required to create a lock, though they will
26
check whether a writer is using the lock. Writers can't detect
27
whether anyone else is reading from the resource as they write.
28
This works because of ordering constraints that make sure readers
29
see a consistent view of existing data.
31
Waiting for a lock must be done by polling; this can be aborted after
34
Locks must always be explicitly released, typically from a try/finally
35
block -- they are not released from a finalizer or when Python
38
Locks may fail to be released if the process is abruptly terminated
39
(machine stop, SIGKILL) or if a remote transport becomes permanently
40
disconnected. There is therefore a method to break an existing lock.
41
This should rarely be used, and generally only with user approval.
42
Locks contain some information on when the lock was taken and by who
43
which may guide in deciding whether it can safely be broken. (This is
44
similar to the messages displayed by emacs and vim.) Note that if the
45
lock holder is still alive they will get no notification that the lock
46
has been broken and will continue their work -- so it is important to be
47
sure they are actually dead.
49
A lock is represented on disk by a directory of a particular name,
50
containing an information file. Taking a lock is done by renaming a
51
temporary directory into place. We use temporary directories because
52
for all known transports and filesystems we believe that exactly one
53
attempt to claim the lock will succeed and the others will fail. (Files
54
won't do because some filesystems or transports only have
55
rename-and-overwrite, making it hard to tell who won.)
57
The desired characteristics are:
59
* Locks are not reentrant. (That is, a client that tries to take a
60
lock it already holds may deadlock or fail.)
61
* Stale locks can be guessed at by a heuristic
62
* Lost locks can be broken by any client
63
* Failed lock operations leave little or no mess
64
* Deadlocks are avoided by having a timeout always in use, clients
65
desiring indefinite waits can retry or set a silly big timeout.
67
Storage formats use the locks, and also need to consider concurrency
68
issues underneath the lock. A format may choose not to use a lock
69
at all for some operations.
71
LockDirs always operate over a Transport. The transport may be readonly, in
72
which case the lock can be queried but not acquired.
74
Locks are identified by a path name, relative to a base transport.
76
Calling code will typically want to make sure there is exactly one LockDir
77
object per actual lock on disk. This module does nothing to prevent aliasing
78
and deadlocks will likely occur if the locks are aliased.
80
In the future we may add a "freshen" method which can be called
81
by a lock holder to check that their lock has not been broken, and to
82
update the timestamp within it.
86
>>> from bzrlib.transport.memory import MemoryTransport
87
>>> # typically will be obtained from a BzrDir, Branch, etc
88
>>> t = MemoryTransport()
89
>>> l = LockDir(t, 'sample-lock')
91
>>> token = l.wait_lock()
92
>>> # do something here
98
# TODO: We sometimes have the problem that our attempt to rename '1234' to
99
# 'held' fails because the transport server moves into an existing directory,
100
# rather than failing the rename. If we made the info file name the same as
101
# the locked directory name we would avoid this problem because moving into
102
# the held directory would implicitly clash. However this would not mesh with
103
# the existing locking code and needs a new format of the containing object.
104
# -- robertc, mbp 20070628
108
from cStringIO import StringIO
115
from bzrlib.errors import (
127
from bzrlib.trace import mutter, note
128
from bzrlib.transport import Transport
129
from bzrlib.osutils import rand_chars, format_delta
130
from bzrlib.rio import read_stanza, Stanza
134
# XXX: At the moment there is no consideration of thread safety on LockDir
135
# objects. This should perhaps be updated - e.g. if two threads try to take a
136
# lock at the same time they should *both* get it. But then that's unlikely
139
# TODO: Perhaps store some kind of note like the bzr command line in the lock
142
# TODO: Some kind of callback run while polling a lock to show progress
145
# TODO: Make sure to pass the right file and directory mode bits to all
146
# files/dirs created.
149
_DEFAULT_TIMEOUT_SECONDS = 300
150
_DEFAULT_POLL_SECONDS = 1.0
153
class LockDir(object):
154
"""Write-lock guarding access to data."""
156
__INFO_NAME = '/info'
158
def __init__(self, transport, path, file_modebits=0644, dir_modebits=0755):
159
"""Create a new LockDir object.
161
The LockDir is initially unlocked - this just creates the object.
163
:param transport: Transport which will contain the lock
165
:param path: Path to the lock within the base directory of the
168
assert isinstance(transport, Transport), \
169
("not a transport: %r" % transport)
170
self.transport = transport
172
self._lock_held = False
173
self._locked_via_token = False
174
self._fake_read_lock = False
175
self._held_dir = path + '/held'
176
self._held_info_path = self._held_dir + self.__INFO_NAME
177
self._file_modebits = file_modebits
178
self._dir_modebits = dir_modebits
180
self._report_function = note
183
return '%s(%s%s)' % (self.__class__.__name__,
187
is_held = property(lambda self: self._lock_held)
189
def create(self, mode=None):
190
"""Create the on-disk lock.
192
This is typically only called when the object/directory containing the
193
directory is first created. The lock is not held when it's created.
195
if self.transport.is_readonly():
196
raise UnlockableTransport(self.transport)
197
self._trace("create lock directory")
198
self.transport.mkdir(self.path, mode=mode)
200
def _lock_core(self):
201
"""Make the pending directory and attempt to rename into place.
203
If the rename succeeds, we read back the info file to check that we
206
If we fail to acquire the lock, this method is responsible for
207
cleaning up the pending directory if possible. (But it doesn't do
210
:returns: The nonce of the lock, if it was successfully acquired.
212
:raises LockContention: If the lock is held by someone else. The exception
213
contains the info of the current holder of the lock.
216
self._trace("lock_write...")
217
start_time = time.time()
218
tmpname = self._create_pending_dir()
220
self.transport.rename(tmpname, self._held_dir)
221
# We must check we really got the lock, because Launchpad's sftp
222
# server at one time had a bug were the rename would successfully
223
# move the new directory into the existing directory, which was
224
# incorrect. It's possible some other servers or filesystems will
225
# have a similar bug allowing someone to think they got the lock
226
# when it's already held.
228
self._trace("after locking, info=%r", info)
229
if info['nonce'] != self.nonce:
230
self._trace("rename succeeded, "
231
"but lock is still held by someone else")
232
raise LockContention(self)
233
# we don't call confirm here because we don't want to set
234
# _lock_held til we're sure it's true, and because it's really a
235
# problem, not just regular contention, if this fails
236
self._lock_held = True
237
# FIXME: we should remove the pending lock if we fail,
238
# https://bugs.launchpad.net/bzr/+bug/109169
239
except errors.PermissionDenied:
240
self._trace("... lock failed, permission denied")
242
except (PathError, DirectoryNotEmpty, FileExists, ResourceBusy), e:
243
self._trace("... contention, %s", e)
244
raise LockContention(self)
245
self._trace("... lock succeeded after %dms",
246
(time.time() - start_time) * 1000)
249
def _create_pending_dir(self):
250
tmpname = '%s/%s.tmp' % (self.path, rand_chars(10))
252
self.transport.mkdir(tmpname)
254
# This may raise a FileExists exception
255
# which is okay, it will be caught later and determined
256
# to be a LockContention.
257
self._trace("lock directory does not exist, creating it")
258
self.create(mode=self._dir_modebits)
259
# After creating the lock directory, try again
260
self.transport.mkdir(tmpname)
261
self.nonce = rand_chars(20)
262
info_bytes = self._prepare_info()
263
# We use put_file_non_atomic because we just created a new unique
264
# directory so we don't have to worry about files existing there.
265
# We'll rename the whole directory into place to get atomic
267
self.transport.put_bytes_non_atomic(tmpname + self.__INFO_NAME,
272
"""Release a held lock
274
if self._fake_read_lock:
275
self._fake_read_lock = False
277
if not self._lock_held:
278
raise LockNotHeld(self)
279
if self._locked_via_token:
280
self._locked_via_token = False
281
self._lock_held = False
283
# rename before deleting, because we can't atomically remove the
285
start_time = time.time()
286
self._trace("unlocking")
287
tmpname = '%s/releasing.%s.tmp' % (self.path, rand_chars(20))
288
# gotta own it to unlock
290
self.transport.rename(self._held_dir, tmpname)
291
self._lock_held = False
292
self.transport.delete(tmpname + self.__INFO_NAME)
294
self.transport.rmdir(tmpname)
295
except DirectoryNotEmpty, e:
296
# There might have been junk left over by a rename that moved
297
# another locker within the 'held' directory. do a slower
298
# deletion where we list the directory and remove everything
301
# Maybe this should be broader to allow for ftp servers with
302
# non-specific error messages?
303
self._trace("doing recursive deletion of non-empty directory "
305
self.transport.delete_tree(tmpname)
306
self._trace("... unlock succeeded after %dms",
307
(time.time() - start_time) * 1000)
309
def break_lock(self):
310
"""Break a lock not held by this instance of LockDir.
312
This is a UI centric function: it uses the bzrlib.ui.ui_factory to
313
prompt for input if a lock is detected and there is any doubt about
314
it possibly being still active.
316
self._check_not_locked()
317
holder_info = self.peek()
318
if holder_info is not None:
319
lock_info = '\n'.join(self._format_lock_info(holder_info))
320
if bzrlib.ui.ui_factory.get_boolean("Break %s" % lock_info):
321
self.force_break(holder_info)
323
def force_break(self, dead_holder_info):
324
"""Release a lock held by another process.
326
WARNING: This should only be used when the other process is dead; if
327
it still thinks it has the lock there will be two concurrent writers.
328
In general the user's approval should be sought for lock breaks.
330
dead_holder_info must be the result of a previous LockDir.peek() call;
331
this is used to check that it's still held by the same process that
332
the user decided was dead. If this is not the current holder,
333
LockBreakMismatch is raised.
335
After the lock is broken it will not be held by any process.
336
It is possible that another process may sneak in and take the
337
lock before the breaking process acquires it.
339
if not isinstance(dead_holder_info, dict):
340
raise ValueError("dead_holder_info: %r" % dead_holder_info)
341
self._check_not_locked()
342
current_info = self.peek()
343
if current_info is None:
344
# must have been recently released
346
if current_info != dead_holder_info:
347
raise LockBreakMismatch(self, current_info, dead_holder_info)
348
tmpname = '%s/broken.%s.tmp' % (self.path, rand_chars(20))
349
self.transport.rename(self._held_dir, tmpname)
350
# check that we actually broke the right lock, not someone else;
351
# there's a small race window between checking it and doing the
353
broken_info_path = tmpname + self.__INFO_NAME
354
broken_info = self._read_info_file(broken_info_path)
355
if broken_info != dead_holder_info:
356
raise LockBreakMismatch(self, broken_info, dead_holder_info)
357
self.transport.delete(broken_info_path)
358
self.transport.rmdir(tmpname)
360
def _check_not_locked(self):
361
"""If the lock is held by this instance, raise an error."""
363
raise AssertionError("can't break own lock: %r" % self)
366
"""Make sure that the lock is still held by this locker.
368
This should only fail if the lock was broken by user intervention,
369
or if the lock has been affected by a bug.
371
If the lock is not thought to be held, raises LockNotHeld. If
372
the lock is thought to be held but has been broken, raises
375
if not self._lock_held:
376
raise LockNotHeld(self)
379
# no lock there anymore!
380
raise LockBroken(self)
381
if info.get('nonce') != self.nonce:
382
# there is a lock, but not ours
383
raise LockBroken(self)
385
def _read_info_file(self, path):
386
"""Read one given info file.
388
peek() reads the info file of the lock holder, if any.
390
return self._parse_info(self.transport.get(path))
393
"""Check if the lock is held by anyone.
395
If it is held, this returns the lock info structure as a rio Stanza,
396
which contains some information about the current lock holder.
397
Otherwise returns None.
400
info = self._read_info_file(self._held_info_path)
401
self._trace("peek -> held")
402
assert isinstance(info, dict), \
403
"bad parse result %r" % info
405
except NoSuchFile, e:
406
self._trace("peek -> not held")
408
def _prepare_info(self):
409
"""Write information about a pending lock to a temporary file.
412
# XXX: is creating this here inefficient?
413
config = bzrlib.config.GlobalConfig()
415
user = config.user_email()
416
except errors.NoEmailInUsername:
417
user = config.username()
418
s = Stanza(hostname=socket.gethostname(),
419
pid=str(os.getpid()),
420
start_time=str(int(time.time())),
426
def _parse_info(self, info_file):
427
return read_stanza(info_file.readlines()).as_dict()
429
def attempt_lock(self):
430
"""Take the lock; fail if it's already held.
432
If you wish to block until the lock can be obtained, call wait_lock()
435
:return: The lock token.
436
:raises LockContention: if the lock is held by someone else.
438
return self.wait_lock(max_attempts=1)
440
def wait_lock(self, timeout=None, poll=None, max_attempts=None):
441
"""Wait a certain period for a lock.
443
If the lock can be acquired within the bounded time, it
444
is taken and this returns. Otherwise, LockContention
445
is raised. Either way, this function should return within
446
approximately `timeout` seconds. (It may be a bit more if
447
a transport operation takes a long time to complete.)
449
:param timeout: Approximate maximum amount of time to wait for the
452
:param poll: Delay in seconds between retrying the lock.
454
:param max_attempts: Maximum number of times to try to lock.
456
:return: The lock token.
459
timeout = _DEFAULT_TIMEOUT_SECONDS
461
poll = _DEFAULT_POLL_SECONDS
462
# XXX: the transport interface doesn't let us guard against operations
463
# there taking a long time, so the total elapsed time or poll interval
464
# may be more than was requested.
465
deadline = time.time() + timeout
469
if self._fake_read_lock:
470
raise LockContention(self)
471
if self.transport.is_readonly():
472
raise UnlockableTransport(self.transport)
476
return self._lock_core()
477
except LockContention, err:
478
# TODO: LockContention should only be raised when we're know
479
# that the lock is held by someone else, in which case we
480
# should include the locker info, so it can be used here.
481
# In other cases, such as having a malformed lock present, we
482
# should raise a different.
484
# we shouldn't need to peek again here, because _lock_core
486
new_info = self.peek()
487
if new_info is not None and new_info != last_info:
488
if last_info is None:
489
start = 'Unable to obtain'
491
start = 'Lock owner changed for'
493
formatted_info = self._format_lock_info(new_info)
494
if deadline_str is None:
495
deadline_str = time.strftime('%H:%M:%S',
496
time.localtime(deadline))
497
self._report_function('%s %s\n'
499
'%s\n' # locked ... ago
500
'Will continue to try until %s\n',
507
if (max_attempts is not None) and (attempt_count >= max_attempts):
508
self._trace("exceeded %d attempts")
509
raise LockContention(self)
510
if time.time() + poll < deadline:
511
self._trace("waiting %ss", poll)
514
self._trace("timeout after waiting %ss", timeout)
515
raise LockContention(self)
517
def leave_in_place(self):
518
self._locked_via_token = True
520
def dont_leave_in_place(self):
521
self._locked_via_token = False
523
def lock_write(self, token=None):
524
"""Wait for and acquire the lock.
526
:param token: if this is already locked, then lock_write will fail
527
unless the token matches the existing lock.
528
:returns: a token if this instance supports tokens, otherwise None.
529
:raises TokenLockingNotSupported: when a token is given but this
530
instance doesn't support using token locks.
531
:raises MismatchedToken: if the specified token doesn't match the token
532
of the existing lock.
534
A token should be passed in if you know that you have locked the object
535
some other way, and need to synchronise this object's state with that
538
XXX: docstring duplicated from LockableFiles.lock_write.
540
if token is not None:
541
self.validate_token(token)
543
self._lock_held = True
544
self._locked_via_token = True
547
return self.wait_lock()
550
"""Compatibility-mode shared lock.
552
LockDir doesn't support shared read-only locks, so this
553
just pretends that the lock is taken but really does nothing.
555
# At the moment Branches are commonly locked for read, but
556
# we can't rely on that remotely. Once this is cleaned up,
557
# reenable this warning to prevent it coming back in
559
## warn("LockDir.lock_read falls back to write lock")
560
if self._lock_held or self._fake_read_lock:
561
raise LockContention(self)
562
self._fake_read_lock = True
564
def wait(self, timeout=20, poll=0.5):
565
"""Wait a certain period for a lock to be released."""
566
# XXX: the transport interface doesn't let us guard
567
# against operations there taking a long time.
569
# XXX: Is this really needed? Do people want to wait for the lock but
570
# not acquire it? As of bzr 0.17, this seems to only be called from
572
deadline = time.time() + timeout
576
if time.time() + poll < deadline:
577
self._trace("waiting %ss", poll)
580
self._trace("temeout after waiting %ss", timeout)
581
raise LockContention(self)
583
def _format_lock_info(self, info):
584
"""Turn the contents of peek() into something for the user"""
585
lock_url = self.transport.abspath(self.path)
586
delta = time.time() - int(info['start_time'])
588
'lock %s' % (lock_url,),
589
'held by %(user)s on host %(hostname)s [process #%(pid)s]' % info,
590
'locked %s' % (format_delta(delta),),
593
def validate_token(self, token):
594
if token is not None:
600
lock_token = info.get('nonce')
601
if token != lock_token:
602
raise errors.TokenMismatch(token, lock_token)
604
self._trace("Revalidated by token %r", token)
606
def _trace(self, format, *args):
607
if 'lock' not in debug.debug_flags:
609
mutter(str(self) + ": " + (format % args))
added
removed
bzrlib/lockdir.py
