Add a sanity check on the fellow storage path

Avoid users accidentally running into a file being created where
block devices would normally live.

Motivated by #2

src/fellow_log.c

@@ -5543,6 +5543,36 @@ fellow_minsize(void)
 	return ((N_HDR + 2) * 2 * MIN_FELLOW_BLOCK);
 }
 
+static int
+fellow_skip_path_check(void)
+{
+	const char *e;
+
+	e = getenv("slash_fellow_options");
+	if (e == NULL)
+		return (0);
+	return (!! strstr(e, "skip-path-check"));
+}
+
+#define DEV_PATH(path, x)			\
+	if (strncmp(path, x, strlen(x)) == 0)	\
+		return (0)
+/*
+ * conduct a basic test to check if the path looks right for
+ * a regular file
+ */
+int
+fellow_sane_file_path(const char *path)
+{
+	if (fellow_skip_path_check())
+		return (1);
+
+	DEV_PATH(path, "/dev/");
+	DEV_PATH(path, "/devices/");
+
+	return (1);
+}
+
 struct fellow_fd *
 fellow_log_init(const char *path, size_t wantsize, size_t objsz_hint,
     mapper *freemap_mapper, void *freemap_mapper_priv,
@@ -5725,6 +5755,12 @@ fellow_log_init(const char *path, size_t wantsize, size_t objsz_hint,
 		ffd->size = wantsize;
 		break;
 	case S_IFREG:
+		if (! fellow_sane_file_path(path)) {
+			ffd->diag("fellow: %s is a file, but the path "
+			    "suggests that it should be a block device. "
+			    "Do you have a typo?\n", path);
+			goto err_close;
+		}
 		if (st.st_size < (ssize_t)wantsize) {
 			if (! posix_fallocate(ffd->fd,
 			    (off_t)0, (off_t)wantsize)) {

src/fellow_log_storage.h

@@ -213,6 +213,8 @@ void fellow_log_dle_submit(struct fellow_fd *ffd,
     struct fellow_dle *entry, unsigned n);
 typedef int fellow_resurrect_f(void *priv, const struct fellow_dle *e);
 
+int fellow_sane_file_path(const char *path);
+
 struct stvfe_tune;
 struct fellow_fd *
 fellow_log_init(const char *path, size_t wantsize, size_t objsz_hint,

src/fellow_storage.c

@@ -26,6 +26,7 @@
 #include <stdio.h>	// vsl.h needs
 #include <fcntl.h>	// open in tryopen
 #include <sys/file.h>	// flock in tryopen
+#include <sys/stat.h>	// stat in tryopen
 
 #include "cache/cache_varnishd.h"
 
@@ -954,8 +955,16 @@ sfe_taskrun(fellow_task_func_t func, void *priv, fellow_task_privstate *state)
 static const char *
 sfe_tryopen(const char *path)
 {
+	struct stat st;
 	int fd;
 
+	if (stat(path, &st) != 0 &&
+	    ! fellow_sane_file_path(path)) {
+		STVERR("%s does not exist (stat failed),"
+		    " but the path suggests that it should be an "
+		    "existing block device. Do you have a typo?\n", path);
+	}
+
 	fd = open(path, O_RDWR | O_CREAT, 0700);
 	if (fd < 0)
 		STVERR("open(%s) failed: %s (%d)",

src/vmod_slash.man.rst

@@ -430,6 +430,13 @@ A VCL-defined fellow storage can not load persisted objects, so to
 avoid accidentally emptying a storage, either the storage referenced
 by *path* must be empty, or the *delete* argument must be ``true``.
 
+*path* has to be either a regular file, or a block device. If *path*
+does not exist, it is created as a regular file. Checks on *path* are
+conducted in order to not accidentally create or use a file where
+block devices reside (e.g. on ``/dev/``). The environment variable
+``slash_fellow_options`` can be set to contain ``skip-path-check``
+where, for whatever exotic reason, this check needs to be skipped.
+
 When a VCL-defined fellow storage goes out of scope because the last
 VCL referencing it is discarded, all of its objects are removed from
 the cache, but remain on disk. They can be loaded again by configuring

src/vmod_slash.vcc

@@ -376,6 +376,13 @@ A VCL-defined fellow storage can not load persisted objects, so to
 avoid accidentally emptying a storage, either the storage referenced
 by *path* must be empty, or the *delete* argument must be ``true``.
 
+*path* has to be either a regular file, or a block device. If *path*
+does not exist, it is created as a regular file. Checks on *path* are
+conducted in order to not accidentally create or use a file where
+block devices reside (e.g. on ``/dev/``). The environment variable
+``slash_fellow_options`` can be set to contain ``skip-path-check``
+where, for whatever exotic reason, this check needs to be skipped.
+
 When a VCL-defined fellow storage goes out of scope because the last
 VCL referencing it is discarded, all of its objects are removed from
 the cache, but remain on disk. They can be loaded again by configuring