Enable analysis for OCI images #712
Conversation
|
@nishakm @rnjudge I have been working on issue #678 which is to analyze OCI images. I would like to propose an approach here. This PR as of now is in scratch form and mostly to take suggestions over my approach. Currently, I am targetting OCI images without umoci tool version. Please take a look once and share your feedback. |
tern/__main__.py
Outdated
| # Check if the image is of oci://<image-location>:<image-tag> | ||
| if not check_oci_image_string(args.oci_image): | ||
| sys.stderr.write('Error running Tern\n' | ||
| 'Please provide docker image ' |
There was a problem hiding this comment.
is the --oci-image command line option designed to handle both a docker image string in image:tag and oci://<image-location>:<image-tag> format? If so, we should modify the help string on the parser add_argument lines below, as that help message only directs users to use oci://<image-location>:<image-tag> and doesn't mention the ability to use docker image:tag. If not, this string should be modified to direct users to only provide the oci image location/tag format.
There was a problem hiding this comment.
I think we should have separate arguments to deal with both types of images and yes I need to change the string message to direct users to only provide the oci image location/tag format.
There was a problem hiding this comment.
Would it make sense to add a new command line option called --type, -t were you can enter docker or oci?
There was a problem hiding this comment.
@nishakm I added -t option as you mentioned and I think it would make more sense having one option -i to define container image and -t is type of container image to call respective operations on to the image.
tern/analyze/docker/run.py
Outdated
| @@ -69,6 +69,35 @@ def analyze(image_obj, args, dfile_lock=False, dfobj=None): | |||
| analyze_docker_image(image_obj, args.redo, dfile_lock, dfobj) | |||
|
|
|||
|
|
|||
| def execute_oci_image(args): | |||
There was a problem hiding this comment.
We should create a directory called tern/analyze/oci and put this function in a run.py file there.
tern/utils/oci_image.py
Outdated
| @@ -0,0 +1,32 @@ | |||
|
|
|||
There was a problem hiding this comment.
I think this file should be under: tern/analyze/oci/helpers.py
There was a problem hiding this comment.
I updated the code to add modularity similar to the docker.
I'd say this is the expected way that folks would give an OCI image to tern, i.e., they've used
I wonder if |
| if general.check_tar(args.image): | ||
| logger.error("%s", errors.incorrect_raw_option) |
There was a problem hiding this comment.
I think this option should be different from the -i option now. Or else this is going to get more complicated. @rnjudge What do you think?
There was a problem hiding this comment.
Not sure I understand your question. The -w option is already separate from the -i option, right?
There was a problem hiding this comment.
Shouldn't our check here then be if args.raw?
There was a problem hiding this comment.
I believe this check here is to make sure that the user didn't provide a raw option tarball when they are trying to provide a docker or OCI image.
There was a problem hiding this comment.
@nishakm, this check is part of the execute_image method and this method is only for docker or OCI image execution. The args.raw_image still I am keeping the part do_main method.
There was a problem hiding this comment.
Confirmed that this is just a validation check to make sure the user didn't accidentally choose the -i option but provide a raw image tarball. Seems OK to me.
This commit proposes changes to analyze OCI images using tern. Work towards: #678 Signed-off-by: mukultaneja <[email protected]>
| " The option can be used to pull docker" | ||
| " images by digest as well -" | ||
| " <repo>@<digest-type>:<digest>") | ||
| parser_report.add_argument('-t', '--type', |
There was a problem hiding this comment.
I would like to propose that we call this optionclient instead of type (using -c option). This makes more sense to me as we would like to support the podman client in the future which represents image blobs differently than docker or skopeo might once they are pulled down locally, even if they all are stored on dockerhub technically as OCI images.
There was a problem hiding this comment.
Agree - this makes better sense than the generic "type" in the container image context.
From my experiments, it looks like the typical way that an oci image is represented is as a directory with this layout: You can get this layout using the "docker-ish" way using podman. Podman also has an You can also get this layout using skopeo: This will create a folder called So we have a number of ways to get to the common directory with the OCI layout. So I think we should expect that users provide a path to the OCI directory as input for Tern and perform tests on the layout accordingly. We can inform users in the documentation how to generate the OCI directory. Note that we can't do this with Docker as that directory is only accessible via |
|
@mukultaneja This is a pretty big contribution. Would it be possible to split it up into several smaller commits that we can merge in little by little? How about starting off with the OCIImage image class and some tests for that? |
do you want me to close this PR and send separate PRs with several commits? I was thinking if we could use this PR as a module and make modifications in it as we feel. Say the next commit would be adding tests for OCI images. Anyway so far changes, would allow us to generate a default report for an OCI image. |
I would rather the commits be self describing and independent. You can either do one PR with many commits or several PRs each being independent. The idea is that the changes are small and logical so they are easy to follow. |
|
Reg: |
This commit proposes changes to analyze
OCI images using tern.
Work towards: #678
Signed-off-by: mukultaneja [email protected]