
Using OCI images instead of Docker Images #1006

Closed
wants to merge 3 commits into from

Conversation

mukultaneja
Contributor

Start analyzing OCI images using tern

Work towards: #948

Signed-off-by: Mukul Taneja [email protected]

@mukultaneja
Copy link
Contributor Author

@nishakm @rnjudge, initial commit towards Issue #948. I will keep updating the same PR with small changes and request that you review them step by step.


@nishakm nishakm left a comment


Sorry for reviewing this so late! Thanks for continuing to work on this! It looks good to me. I wonder if you can add some tests for the OCIImage class?
Also, there are some prospector errors that come up, but seem to be easy to resolve. Let me know if you're stuck with anything.

Review comments on: tern/analyze/default/container/image.py (outdated, resolved); tern/analyze/oci/parse.py (outdated, resolved)
@mukultaneja
Contributor Author

mukultaneja commented Aug 31, 2021

@nishakm @rnjudge, please review this PR. I have made the required changes and tested with the command below:
`tern -c report -i docker://debian:latest`. This PR does the following things:

  1. Takes a docker image as input and converts it into OCI format using the skopeo utility internally.
  2. Contains a respective class to load the OCI image.
  3. Follows the same image analysis process after loading the image.


@nishakm nishakm left a comment


@mukultaneja Sorry for taking so long to get back to you on this. I have one comment on the implementation as it is causing a problem with the security linter. Also, can you rebase your change so you can pick up the latest prospector changes?

Review comment on: tern/analyze/default/container/image.py (outdated, resolved)
@mukultaneja mukultaneja requested a review from nishakm September 23, 2021 20:38
@mukultaneja
Contributor Author

@nishakm, I tried to get away with the security issue by setting shell=True / False, but it seems the linter does not allow using subprocess at all. Any suggestions?
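Added example (not tern's code and not the contributor's): the shape of the subprocess call the thread is arguing about, written so that the user-supplied image string can never become shell syntax, together with the bandit test IDs behind prospector's security linter. The regex, the function names and the injectable runner are assumptions made for this example; the docker:// source and oci:DIR:TAG destination are skopeo's own transport syntax.

```python
import re
# bandit B404 fires on the import itself; every call below passes an argv
# list (shell=False), which is what makes the image string inert.
import subprocess  # nosec B404

# Hypothetical, conservative allow-list for a registry reference of the form
#   [registry/]repository[:tag][@sha256:digest]
# It knowingly rejects some legal references (registry ports, upper-case hosts)
# so that nothing shell-meaningful can ever reach the argv list.
IMAGE_REF_RE = re.compile(
    r"^[a-z0-9]+(?:[._-][a-z0-9]+)*(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*"
    r"(?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?"
    r"(?:@sha256:[0-9a-f]{64})?$"
)


def validate_image_ref(image_ref):
    """Return the reference unchanged if it matches the allow-list, else raise."""
    if not IMAGE_REF_RE.match(image_ref):
        raise ValueError("refused image reference: %r" % image_ref)
    return image_ref


def skopeo_copy_argv(image_ref, oci_dir, tag="latest"):
    """Build argv for: skopeo copy docker://REF oci:DIR:TAG

    Each element goes to execve() as one argument, so ';', '$(' or '|' inside
    REF are plain bytes, not shell syntax. oci:DIR:TAG is skopeo's own
    destination syntax for an OCI layout directory.
    """
    ref = validate_image_ref(image_ref)
    return ["skopeo", "copy", "docker://" + ref, "oci:%s:%s" % (oci_dir, tag)]


def run_skopeo_copy(image_ref, oci_dir, tag="latest", runner=subprocess.run):
    """Run the copy without a shell; 'runner' is injectable so the flow can be
    exercised offline (the default is the real subprocess.run)."""
    argv = skopeo_copy_argv(image_ref, oci_dir, tag)
    # B603 still reports a low-severity notice for any subprocess call; mark it
    # here with its test ID rather than disabling the check project-wide.
    completed = runner(argv, shell=False, check=False, capture_output=True)  # nosec B603
    return argv, completed


def _fake_runner(argv, **kwargs):
    """Constructed stand-in for subprocess.run so the demo never executes skopeo."""
    return subprocess.CompletedProcess(argv, returncode=0, stdout=b"", stderr=b"")


def demo_skopeo_argv():
    """Benign reference passes through; injection-shaped strings are refused."""
    results = {}
    argv, _ = run_skopeo_copy("debian:latest", "/tmp/tern/debian", runner=_fake_runner)
    results["argv"] = argv
    for bad in ("debian:latest; rm -rf /", "debian:$(id)", "debian latest", "../../etc:x"):
        try:
            validate_image_ref(bad)
            results[bad] = "accepted"
        except ValueError:
            results[bad] = "refused"
    return results
```

shell=True with an interpolated image reference is the real finding (bandit B602: a command built from user input goes through /bin/sh). An argv list with shell=False removes the injection path, but bandit still emits the low-severity B603 for the call and B404 for the import, which is why the fix is a per-line `# nosec` carrying the test ID and a reason, not turning the linter off. If the registry problem discussed later in the thread ever tempts one to add a TLS-disabling flag to this argv, keep that an explicit, logged opt-in rather than a default.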


@nishakm nishakm left a comment


@mukultaneja I've added a suggestion. I will also try to test the changes.

Review comments on: tern/analyze/default/container/image.py (two, outdated, resolved); tern/classes/oci_image.py (outdated, resolved)
mukultaneja and others added 3 commits September 30, 2021 02:48
Start analyzing OCI images using tern

Work towards: #948

Signed-off-by: Mukul Taneja <[email protected]>
Adding `download_container_image` method

Work towards: #948

Signed-off-by: mtaneja <[email protected]>
Updating OCI Image class with required methods
to load image.

Work towards: #948

Signed-off-by: Mukul Taneja <[email protected]>
@mukultaneja mukultaneja requested a review from nishakm September 29, 2021 21:30
@mukultaneja
Contributor Author

@nishakm I made all the requested changes and this time all tests passed too :)


@nishakm nishakm left a comment


@rnjudge Need your input on this PR :)

```python
image_attr = general.parse_image_string(docker_image)
oci_image = 'oci://{0}/{1}'.format(
    rootfs.working_dir, image_attr.get('name'))
docker_image = 'docker://{0}'.format(docker_image)
```
Contributor


I just found out that if we use docker:// rather than dockerdaemon we encounter a TLS error on the registry side. I also found that crane is a much more lightweight tool to pull container images, and conforms with OCI's on-disk layout spec. @rnjudge Do you want to merge this PR and then let @mukultaneja update it to use crane?

Contributor


What is the effect of the TLS error on the registry side?

Contributor


You can't download the image, because the certificate has expired or something like that. Usually, you need to set an option to disable TLS checking on the client side.

Contributor


The disadvantage of switching to crane is that you have to download the binary from github rather than install it via the package manager. But I feel that the install is easy and the source code is included with the binary distribution.

@nishakm
Contributor

nishakm commented Nov 30, 2021

Hi @mukultaneja, sorry again for the delay in reviewing! I tried running tern with these changes. I get the following error:

```
2021-11-30 07:13:17,531 - DEBUG - rootfs - Running command: skopeo copy docker://debian:buster oci:///home/nisha/.tern/debian
Traceback (most recent call last):
  File "/home/nisha/terndev/bin/tern", line 10, in <module>
    sys.exit(main())
  File "/home/nisha/terndev/tern/tern/__main__.py", line 287, in main
    do_main(args)
  File "/home/nisha/terndev/tern/tern/__main__.py", line 116, in do_main
    crun.execute_image(args)
  File "/home/nisha/terndev/tern/tern/analyze/default/container/run.py", line 65, in execute_image
    full_image = cimage.load_full_image(
  File "/home/nisha/terndev/tern/tern/analyze/default/container/image.py", line 54, in load_full_image
    test_image.load_image(load_until_layer)
  File "/home/nisha/terndev/tern/tern/classes/oci_image.py", line 130, in load_image
    self._image_id = self.get_image_id(self._manifest)
AttributeError: 'OCIImage' object has no attribute 'get_image_id'
```

Also, could you please rebase your changes on top of main?
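Added example, not from tern or this PR: a minimal loader for the OCI on-disk layout that skopeo (and crane) write, covering two points the thread touches on, the layout spec mentioned in the crane comment above and the image ID lookup that the traceback shows missing from OCIImage. It constructs a throwaway one-layer layout in a temp directory (the layer bytes are constructed filler, not a real tar), then walks oci-layout, index.json, manifest and config, refusing to use any blob whose size or sha256 disagrees with the descriptor that named it. Function and constant names are this example's own; the media types and file names are from the OCI image layout spec.

```python
import hashlib
import json
import os
import re
import tempfile

# Media types from the OCI image spec; nothing below is tern's own code.
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
OCI_CONFIG = "application/vnd.oci.image.config.v1+json"
OCI_LAYER = "application/vnd.oci.image.layer.v1.tar"
HEX64 = re.compile(r"[0-9a-f]{64}")


class LayoutError(Exception):
    """Malformed layout, or a blob that does not match its descriptor."""


def _digest(data):
    return "sha256:" + hashlib.sha256(data).hexdigest()


def _write_blob(layout_dir, data):
    """Store data at blobs/sha256/<hex> and return the descriptor fields for it."""
    digest = _digest(data)
    path = os.path.join(layout_dir, "blobs", "sha256", digest.split(":", 1)[1])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return {"digest": digest, "size": len(data)}


def build_sample_layout(layout_dir):
    """Constructed one-layer layout; returns the config digest hex (the image ID)."""
    layer = b"constructed layer bytes, not a real tar archive"
    layer_desc = dict(mediaType=OCI_LAYER, **_write_blob(layout_dir, layer))
    # for an uncompressed layer the diff_id equals the blob digest
    config = {"architecture": "amd64", "os": "linux",
              "rootfs": {"type": "layers", "diff_ids": [_digest(layer)]}}
    config_desc = dict(mediaType=OCI_CONFIG,
                       **_write_blob(layout_dir, json.dumps(config, sort_keys=True).encode()))
    manifest = {"schemaVersion": 2, "mediaType": OCI_MANIFEST,
                "config": config_desc, "layers": [layer_desc]}
    manifest_desc = dict(mediaType=OCI_MANIFEST,
                         **_write_blob(layout_dir, json.dumps(manifest, sort_keys=True).encode()))
    with open(os.path.join(layout_dir, "oci-layout"), "w") as fh:
        json.dump({"imageLayoutVersion": "1.0.0"}, fh)
    with open(os.path.join(layout_dir, "index.json"), "w") as fh:
        json.dump({"schemaVersion": 2, "manifests": [manifest_desc]}, fh)
    return config_desc["digest"].split(":", 1)[1]


def read_blob(layout_dir, descriptor):
    """Return blob bytes only if size and sha256 match the descriptor that named them."""
    algo, hexdigest = descriptor["digest"].split(":", 1)
    if algo != "sha256" or not HEX64.fullmatch(hexdigest):
        raise LayoutError("unsupported or malformed digest %r" % descriptor["digest"])
    # hexdigest is validated above, so the path cannot escape blobs/sha256
    with open(os.path.join(layout_dir, "blobs", algo, hexdigest), "rb") as fh:
        data = fh.read()
    if len(data) != descriptor["size"] or hashlib.sha256(data).hexdigest() != hexdigest:
        raise LayoutError("blob %s does not match its descriptor" % hexdigest)
    return data


def load_oci_image(layout_dir):
    """Walk oci-layout -> index.json -> manifest -> config, verifying every hop."""
    with open(os.path.join(layout_dir, "oci-layout")) as fh:
        if json.load(fh).get("imageLayoutVersion") != "1.0.0":
            raise LayoutError("unexpected imageLayoutVersion")
    with open(os.path.join(layout_dir, "index.json")) as fh:
        index = json.load(fh)
    manifests = [m for m in index.get("manifests", []) if m.get("mediaType") == OCI_MANIFEST]
    if len(manifests) != 1:
        raise LayoutError("expected one image manifest, found %d" % len(manifests))
    manifest = json.loads(read_blob(layout_dir, manifests[0]))
    config_desc = manifest["config"]
    if config_desc.get("mediaType") != OCI_CONFIG:
        raise LayoutError("manifest config has an unexpected media type")
    config = json.loads(read_blob(layout_dir, config_desc))
    layers = [read_blob(layout_dir, desc) for desc in manifest["layers"]]
    diff_ids = config["rootfs"]["diff_ids"]
    if len(diff_ids) != len(layers):
        raise LayoutError("config diff_ids and manifest layers disagree")
    # image ID: the config digest, the same convention docker uses
    return {"image_id": config_desc["digest"].split(":", 1)[1],
            "diff_ids": diff_ids, "layer_count": len(layers)}


def demo_oci_layout():
    """Build and load the sample, then flip a byte in the layer and load again."""
    layout_dir = tempfile.mkdtemp(prefix="oci-demo-")
    expected_id = build_sample_layout(layout_dir)
    image = load_oci_image(layout_dir)
    layer_hex = image["diff_ids"][0].split(":", 1)[1]  # uncompressed: diff_id == blob digest
    with open(os.path.join(layout_dir, "blobs", "sha256", layer_hex), "r+b") as fh:
        fh.write(b"X")
    try:
        load_oci_image(layout_dir)
        tamper_detected = False
    except LayoutError:
        tamper_detected = True
    return {"image_id": image["image_id"], "expected_image_id": expected_id,
            "layer_count": image["layer_count"], "tamper_detected": tamper_detected}
```

The image ID is taken as the config blob's digest, the same convention docker uses, which is what a `get_image_id` for an OCI image would return. Verifying each blob against its descriptor before parsing it is what makes the content-addressed layout trustworthy on disk: a layer swapped or corrupted under the working directory after the copy is caught before anything unpacks it.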

@nishakm
Contributor

nishakm commented Nov 30, 2021

@mukultaneja, a few other requests:

@nishakm
Contributor

nishakm commented Dec 9, 2021

Hi @mukultaneja. I have included your changes in #1090. Please take a look. I will close this PR once the more updated one is merged. Thanks again for your work on this!

@nishakm nishakm closed this Dec 17, 2021
3 participants