pub fn probe_directory(dir: &Path) -> Result<()>Expand description
Verify that the calling process can perform the file operations that
a RocksDB or maildir style store relies on within dir: create a
file, write and fsync it, atomically rename it into place, and
unlink it.
It also cross-checks the kernel’s access(2) view of the renamed
file against the open(2) view. That cross-check only bites when
the real and effective uids differ; when they are the same (tests,
non-root deploys, plain root) both syscalls consult one identity and
can never disagree, so it is inert. It exists for the specific
failure mode of a privilege drop that keeps the real uid as root (to
retain a capability) while lowering the effective uid to a service
user:
access(2)answers using the real uid (root here).open(2),rename(2), andunlink(2)act using the effective (filesystem) uid (the service user here).- On a directory whose group and other permission bits have been
stripped (for example a root-owned
mkdirunder a077umask, laterchowned to the service user), those two identities disagree about whether a file is reachable.
RocksDB decides whether to open an existing database or create a
fresh one via an access(2)-style existence check, then does its
I/O via open/rename/unlink. When the two disagree it silently
creates a brand new database and aborts on the pre-existing
write-ahead log, which the operator sees only as an opaque
“wal_dir contains existing log file” failure on the second startup.
Running this probe first turns that late, cryptic corruption into an
early, actionable error.
The check runs as whatever real/effective/filesystem identity the process currently has, so it needs no assumptions about which user or which permission bits are “correct”. On failure the returned error names the directory owner, mode, and the process ids so the operator can see the mismatch.