SAMZA-1768: Handle corrupted OFFSET file

[xinyuiscool]

This patch addresses the following tickets:

SAMZA-1778: SIGSEGV when reading properties (metrics) on a closed RocksDB store
SAMZA-1777: Logged store OFFSET file write during flush should be atomic
SAMZA-1768: Handle corrupted OFFSET file elegantly

[xinyuiscool]

@prateekm : could you please take a look?

[prateekm]

Minor: For consistency: LOG.warn("Failed to read offset file in storage partition directory: {}", offsetFileName, storepath, e)

[xinyuiscool]

Fixed.

[prateekm]

Do we need REPLACE_EXISTING if ATOMIC_MOVE is specified? From the javadoc:
ATOMIC_MOVE: The move is performed as an atomic file system operation and all other options are ignored. If the target file exists then it is implementation specific if the existing file is replaced or this method fails by throwing an IOException.

Also, this should be in the try block since this can throw exceptions.

[xinyuiscool]

The caller already handles the exception by logging the error and throw a runtime exception.

[prateekm]

Right, but would be good to move to try so that oos and fos are closed in finally.

[xinyuiscool]

ok, sure, let me do that.

[prateekm]

Minor: Maybe add a comment explaining that isOwningHandle is false if the db is closed.

[xinyuiscool]

Makes sense. Added the comment.

[prateekm]

LGTM, thanks!

[shanthoosh]

1. I think we need to add StandardCopyOption.REPLACE_EXISTING to the existing options to Files.move method. Files.move throws up FileAlreadyExistsException if target file already exists and we don't provide that Replace_existing option as an additional option.

2. Atomic move is a file system level primtiive operation and not all file system support it by default. File.move throws up AtomicMoveNotSupportedException if underlying file system doesn't support it. It would be better to handle it as well.

Please change if it makes sense(Above details are taken from Files.move javadoc).

[prateekm]

I don't think we need both REPLACE_EXISTING and ATOMIC_MOVE, but we might need to catch IOException as well where we catch AtomicMoveNotSupportedException. From the javadoc for ATOMIC_MOVE:

If the target file exists then it is implementation specific if the existing file is replaced or this method fails by throwing an IOException.

[shanthoosh]

I think it would be better to add a unit test for these changes.

[xinyuiscool]

Added the test for the case of offset already exist.

[xinyuiscool]

@prateekm : I move the Files.move() out of the try{} block again since we should close the streams before we do the file movement. This is to enforce the write to the offset file before move. The IOExceptions are handled from the callers so we don't need to catch them in this function. The current handling of failing the container looks ok to me since it should happen very rarely, as we haven't seen it happening in production.

[prateekm]

@xinyuiscool Makes sense to move this to its own try-catch block. It might still be better to handle IOException explicitly and revert to a normal move + replace existing. The IOException can happen if the implementation doesn't support replacing existing files as a part of the move. My concern is that this might fail on a particular platform consistently and we'll always end up rebootstrapping. Alternatively, if you've tested that it works on OSX and Linux, that'll be good enough for now.

Otherwise LGTM, feel free to merge this.

[xinyuiscool]

Good point on testing on both OSX and linux. I only tested on linux. Let me try OSX. Thanks.

[sborya]

what is this change do?