
remove container after extraction #10

Merged (2 commits) Apr 20, 2016

Conversation

@pweil- pweil- commented Apr 11, 2016

Fixes #8

After a second look I realized we can do this with a single defer if I extracted a method which is probably better anyway.

@simon3z @enoodle PTAL

Build and test:

[pweil@localhost image-inspector]$ rm image-inspector
[pweil@localhost image-inspector]$ go build cmd/image-inspector.go 
[pweil@localhost image-inspector]$ ./image-inspector --image=fedora:22 --serve 0.0.0.0:8080
2016/04/11 10:43:47 Image fedora:22 is available, skipping image pull
2016/04/11 10:43:47 Extracting image fedora:22 to /var/tmp/image-inspector-283317876
2016/04/11 10:43:49 !!!WARNING!!! It is insecure to serve the image content without changing
2016/04/11 10:43:49 root (--chroot). Absolute-path symlinks in the image can lead to disclose
2016/04/11 10:43:49 information of the hosting system.
2016/04/11 10:43:49 Serving image content /var/tmp/image-inspector-283317876 on webdav://0.0.0.0:8080/api/v1/content/
[pweil@localhost image-inspector]$ go test -v -cover ./...
?       github.com/simon3z/image-inspector/cmd  [no test files]
=== RUN   TestValidate
--- PASS: TestValidate (0.00s)
PASS
coverage: 75.0% of statements
ok      github.com/simon3z/image-inspector/pkg/cmd  0.001s  coverage: 75.0% of statements
?       github.com/simon3z/image-inspector/pkg/inspector    [no test files]
[pweil@localhost image-inspector]$ 

}

reader, writer := io.Pipe()
go handleTarStream(reader, i.opts.DstPath)
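Review bot: `go handleTarStream(reader, i.opts.DstPath)` is fire-and-forget, so createAndExtractImage can return (and the caller can start scanning or serving DstPath) while the goroutine is still writing files, and nothing in this region closes `writer`, so the goroutine never sees EOF unless the copy closes it. Have the goroutine signal completion on a channel that this function waits on, and close `writer` in the function that created the pipe.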
Contributor

@pweil-, @simon3z what if handleTarStream is taking more time for some reason but createAndExtractImage gets to its end? handleTarStream will keep working but maybe if it is slow we will get to the scanning with some of the files not written yet. Should we add some kind of channel here and wait for handleTarStream to finish? This existed before this patch and is not connected to it, but I noticed this now.

Contributor Author

I was wondering that too. We could throw a channel in there like you suggest and wait on the channel or a timeout.

Owner

@enoodle @pweil- I'll probably need to see it in code. Can you re-submit with that change as well (in a different patch so it's easier to add/remove) thanks.


enoodle commented Apr 11, 2016

LGTM 👍

@@ -197,7 +198,8 @@ func (i *defaultImageInspector) createAndExtractImage(client *docker.Client, con
}

reader, writer := io.Pipe()
go handleTarStream(reader, i.opts.DstPath)
notificationChannel := make(chan int)
go handleTarStream(reader, i.opts.DstPath, notificationChannel)
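Review bot: `notificationChannel := make(chan int)` is unbuffered, so handleTarStream blocks on its send until createAndExtractImage receives; if the caller returns early on another error path before receiving, the goroutine leaks. A buffered channel (`make(chan error, 1)`) lets the goroutine finish regardless of the caller and can carry the extraction error instead of a bare int.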
Contributor Author

@simon3z @enoodle adds a notification channel to the async method


simon3z commented Apr 11, 2016

@pweil- we may need to queue this behind #3


simon3z commented Apr 18, 2016

@pweil- let's try to merge this next. (It needs to be rebased).


pweil- commented Apr 19, 2016

Rebased. @enoodle can you double check the merge here to make sure I didn't miss anything? Thanks!

tests:

[pweil@localhost image-inspector]$ go test -cover ./...
?       github.com/simon3z/image-inspector/cmd  [no test files]
ok      github.com/simon3z/image-inspector/pkg/cmd  0.002s  coverage: 100.0% of statements
ok      github.com/simon3z/image-inspector/pkg/inspector    0.002s  coverage: 10.5% of statements
ok      github.com/simon3z/image-inspector/pkg/openscap 0.004s  coverage: 38.3% of statements


simon3z commented Apr 19, 2016

@enoodle please re-review.


enoodle commented Apr 20, 2016

LGTM 👍

case <-notificationChannel:
break
case <-time.After(time.Minute * 2):
return imageMetadata, fmt.Errorf("timeout occured waiting for handleTarStream to finish")
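Review bot: `time.After(time.Minute * 2)` caps total extraction time rather than inactivity, so a large image fails even while the copy is making progress, and on timeout this function returns while handleTarStream keeps writing into DstPath. Also `break` inside a select case only exits the select, so the first case is a no-op and can be left empty, and the message misspells "occurred". Prefer waiting on the goroutine unconditionally (or make the limit configurable) and make sure the goroutine has stopped before returning.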
Owner

@pweil- I am really worried about this one. IIUC if the extraction is longer than 2 minutes then we exit. It would be better if it was "2 minutes of inactivity"... but as it is now worries me.

Any chance that we can remove it? Maybe we can make it configurable... but I am worried anyway.

Contributor Author

Why don't we just not use a separate go routine when calling handleTarStream? Then all this goes away.

Contributor Author

never mind, that is required for the copy to start. Ok, let me look at it

Owner

@pweil- yeah, I am all for removing the go routine if possible.


pweil- commented Apr 20, 2016

Refactored the second commit so it will wait until both handleTarStream and the CopyFromContainer are finished without using a timeout. We can add a reasonable timeout later if necessary.

Testing:

# build
[pweil@localhost image-inspector]$ go build cmd/image-inspector.go 

# unit tests
[pweil@localhost image-inspector]$ go test -cover ./...
?       github.com/simon3z/image-inspector/cmd  [no test files]
ok      github.com/simon3z/image-inspector/pkg/cmd  0.002s  coverage: 100.0% of statements
ok      github.com/simon3z/image-inspector/pkg/inspector    0.002s  coverage: 10.6% of statements
ok      github.com/simon3z/image-inspector/pkg/openscap 0.003s  coverage: 38.3% of statements

# end-to-end
[pweil@localhost image-inspector]$ ./image-inspector --image=fedora:22 --serve 0.0.0.0:8080
2016/04/20 11:24:41 Image fedora:22 is available, skipping image pull
2016/04/20 11:24:41 Extracting image fedora:22 to /var/tmp/image-inspector-260853666
2016/04/20 11:24:43 !!!WARNING!!! It is insecure to serve the image content without changing
2016/04/20 11:24:43 root (--chroot). Absolute-path symlinks in the image can lead to disclose
2016/04/20 11:24:43 information of the hosting system.
2016/04/20 11:24:43 Serving image content /var/tmp/image-inspector-260853666 on webdav://0.0.0.0:8080/api/v1/content/
^C

# make sure it was extracted still
[pweil@localhost image-inspector]$ ll /var/tmp/image-inspector-260853666
total 80
drwxr-xr-x. 18 pweil pweil  4096 Apr 20 11:24 .
drwxrwxrwt. 47 root  root  12288 Apr 20 11:24 ..
lrwxrwxrwx.  1 pweil pweil     7 Apr 20 11:24 bin -> usr/bin
drwxr-xr-x.  2 pweil pweil  4096 Apr 20 11:24 boot
drwxr-xr-x.  4 pweil pweil  4096 Apr 20 11:24 dev
-rwxr-xr-x.  1 pweil pweil     0 Apr 20 11:24 .dockerenv
-rwxr-xr-x.  1 pweil pweil     0 Apr 20 11:24 .dockerinit
drwxr-xr-x. 46 pweil pweil  4096 Apr 20 11:24 etc
drwxr-xr-x.  2 pweil pweil  4096 Apr 20 11:24 home
lrwxrwxrwx.  1 pweil pweil     7 Apr 20 11:24 lib -> usr/lib
lrwxrwxrwx.  1 pweil pweil     9 Apr 20 11:24 lib64 -> usr/lib64
drwx------.  2 pweil pweil  4096 Apr 20 11:24 lost+found
drwxr-xr-x.  2 pweil pweil  4096 Apr 20 11:24 media
drwxr-xr-x.  2 pweil pweil  4096 Apr 20 11:24 mnt
drwxr-xr-x.  2 pweil pweil  4096 Apr 20 11:24 opt
drwxr-xr-x.  2 pweil pweil  4096 Apr 20 11:24 proc
drwxr-x---.  2 pweil pweil  4096 Apr 20 11:24 root
drwxr-xr-x.  2 pweil pweil  4096 Apr 20 11:24 run
lrwxrwxrwx.  1 pweil pweil     8 Apr 20 11:24 sbin -> usr/sbin
drwxr-xr-x.  2 pweil pweil  4096 Apr 20 11:24 srv
drwxr-xr-x.  2 pweil pweil  4096 Apr 20 11:24 sys
drwxrwxr-t.  7 pweil pweil  4096 Apr 20 11:24 tmp
drwxr-xr-x. 12 pweil pweil  4096 Apr 20 11:24 usr
drwxr-xr-x. 18 pweil pweil  4096 Apr 20 11:24 var
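The wait-for-both pattern described in the comment above, as an added Go example that is not the project's code: handleTarStream, copyAndExtract and writeTestTar are constructed stand-ins for the project's handleTarStream, createAndExtractImage and CopyFromContainer, the consumer only records entry names and sizes instead of writing to DstPath, and the archive is a constructed two-entry tar.

```go
package main

import (
	"archive/tar"
	"errors"
	"io"
)

// handleTarStream is the async consumer: it drains the pipe, closes its own end,
// and reports exactly once on done so the caller can wait without a timeout.
func handleTarStream(r *io.PipeReader, files map[string]int64, done chan<- error) {
	tr := tar.NewReader(r)
	hdr, err := tr.Next() // Next skips any unread body of the previous entry
	for ; err == nil; hdr, err = tr.Next() {
		files[hdr.Name] = hdr.Size // the project copies the body to disk here
	}
	r.Close() // a producer still writing now gets io.ErrClosedPipe instead of blocking
	if err == io.EOF {
		err = nil // clean end of archive
	}
	done <- err
}

// copyAndExtract stands in for createAndExtractImage: it owns both pipe ends,
// closes the writer once the producer (CopyFromContainer in the project) returns,
// and returns only after the consumer has reported, so nothing is still in
// flight when scanning or serving starts.
func copyAndExtract(produce func(io.Writer) error) (map[string]int64, error) {
	reader, writer := io.Pipe()
	files, done := map[string]int64{}, make(chan error, 1)
	go handleTarStream(reader, files, done)
	perr := produce(writer)
	writer.CloseWithError(perr) // nil hands the consumer a clean EOF
	cerr := <-done // also orders the consumer's map writes before our reads
	if perr != nil && !errors.Is(perr, io.ErrClosedPipe) {
		return nil, perr // producer failed first; the consumer saw the same error
	}
	return files, cerr // otherwise a consumer error (e.g. a corrupt archive) wins
}

// writeTestTar is a constructed producer: a two-entry archive standing in for the
// container filesystem that CopyFromContainer streams into the pipe.
func writeTestTar(w io.Writer) error {
	tw := tar.NewWriter(w) // tar.Writer errors are sticky, so Close reports the first one
	for _, e := range []struct{ name, body string }{{"etc/hostname", "fedora\n"}, {"usr/bin/true", ""}} {
		tw.WriteHeader(&tar.Header{Name: e.name, Mode: 0644, Size: int64(len(e.body))})
		io.WriteString(tw, e.body)
	}
	return tw.Close()
}
```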


simon3z commented Apr 20, 2016

@enoodle please review ASAP. Thanks!


// capture any error from the copy, ensures both the handleTarStream and CopyFromContainer
// are done.
err = <- errorChannel
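Review bot: `err = <- errorChannel` blocks forever unless every exit path of the sending goroutine sends exactly once; document in the comment who sends on errorChannel and make the channel buffered so a sender cannot block after this function has already returned on another error path. gofmt also wants `<-errorChannel` without the space.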
Contributor

nit: gofmt is angry at this space after the arrow

Contributor Author

fixed


reader, writer := io.Pipe()
// handle closing the reader/writer in the method that creates them
defer writer.Close()
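Review bot: `defer writer.Close()` hands handleTarStream a clean EOF even when CopyFromContainer fails part-way, so a truncated archive is indistinguishable from a complete one on the reader side. Prefer `writer.CloseWithError(err)` with the copy's error so the reader returns that error instead of EOF; with a nil error it behaves exactly like Close.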
Contributor

@pweil- we didn't have anything to close writer before?

Contributor Author

no, didn't see anything

Contributor Author

(I also checked if CopyFromContainer was doing it but it wasn't)

Contributor

then we got even better than we aimed for :) 🍰


enoodle commented Apr 20, 2016

@simon3z @pweil- LGTM 👍

@simon3z simon3z merged commit 8a0d8f9 into simon3z:master Apr 20, 2016
enoodle pushed a commit to enoodle/image-inspector that referenced this pull request May 18, 2016
openscap: Warn instead of fail when loading configs
Successfully merging this pull request may close these issues.

Failing to cleanup target container when an error occurs