-
Notifications
You must be signed in to change notification settings - Fork 186
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable analysis for OCI images #712
Conversation
@nishakm @rnjudge I have been working on issue #678 which is to analyze OCI images. I would like to propose an approach here. This PR as of now is in scratch form and mostly to take suggestions over my approach. Currently, I am targetting OCI images without umoci tool version. Please take a look once and share your feedback.
|
tern/__main__.py
Outdated
# Check if the image is of oci://<image-location>:<image-tag> | ||
if not check_oci_image_string(args.oci_image): | ||
sys.stderr.write('Error running Tern\n' | ||
'Please provide docker image ' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is the --oci-image
command line option designed to handle both a docker image string in image:tag
and oci://<image-location>:<image-tag>
format? If so, we should modify the help string on the parser add_argument
lines below, as that help message only directs users to use oci://<image-location>:<image-tag>
and doesn't mention the ability to use docker image:tag
. If not, this string should be modified to direct users to only provide the oci image location/tag format.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should have separate arguments to deal with both types of images and yes I need to change the string message to direct users to only provide the oci image location/tag format.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it make sense to add a new command line option called --type, -t
were you can enter docker
or oci
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nishakm I added -t
option as you mentioned and I think it would make more sense having one option -i
to define container image and -t
is type of container image to call respective operations on to the image.
tern/analyze/docker/run.py
Outdated
@@ -69,6 +69,35 @@ def analyze(image_obj, args, dfile_lock=False, dfobj=None): | |||
analyze_docker_image(image_obj, args.redo, dfile_lock, dfobj) | |||
|
|||
|
|||
def execute_oci_image(args): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should create a directory called tern/analyze/oci
and put this function in a run.py
file there.
tern/utils/oci_image.py
Outdated
@@ -0,0 +1,32 @@ | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this file should be under: tern/analyze/oci/helpers.py
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I updated the code to add modularity similar to the docker.
I'd say this is the expected way that folks would give an OCI image to tern, i.e., they've used
I wonder if |
if general.check_tar(args.image): | ||
logger.error("%s", errors.incorrect_raw_option) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this option should be different from the -i
option now. Or else this is going to get more complicated. @rnjudge What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure I understand your question. The -w
option is already separate from the -i
option, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't our check here then be if args.raw
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe this check here is to make sure that the user didn't provide a raw option tarball when they are trying to provide a docker or OCI image.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nishakm, this check is part of the execute_image
method and this method is only for docker or OCI image execution. The args.raw_image
still I am keeping the part do_main
method.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Confirmed that this is just a validation check to make sure the user didn't accidentally choose the -i
option but provide a raw image tarball. Seems OK to me.
This commit proposes changes to analyze OCI images using tern. Work towards: #678 Signed-off-by: mukultaneja <[email protected]>
" The option can be used to pull docker" | ||
" images by digest as well -" | ||
" <repo>@<digest-type>:<digest>") | ||
parser_report.add_argument('-t', '--type', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would like to propose that we call this optionclient
instead of type
(using -c
option). This makes more sense to me as we would like to support the podman client in the future which represents image blobs differently than docker or skopeo might once they are pulled down locally, even if they all are stored on dockerhub technically as OCI images.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree - this makes better sense than the generic "type" in the container image context.
From my experiments, it looks like the typical way that an oci image is represented is as a directory with this layout:
You can get this layout using the "docker-ish" way using podman.
Podman also has an You can also get this layout using skopeo:
This will create a folder called So we have a number of ways to get to the common directory with the OCI layout. So I think we should expect that users provide a path to the OCI directory as input for Tern and perform tests on the layout accordingly. We can inform users in the documentation how to generate the OCI directory. Note that we can't do this with Docker as that directory is only accessible via |
@mukultaneja This is a pretty big contribution. Would it be possible to split it up into several smaller commits that we can merge in little by little? How about starting off with the OCIImage image class and some tests for that? |
do you want me to close this PR and send separate PRs with several commits? I was thinking if we could use this PR as a module and make modifications in it as we feel. Say the next commit would be adding tests for OCI images. Anyway so far changes, would allow us to generate a default report for an OCI image. |
I would rather the commits be self describing and independent. You can either do one PR with many commits or several PRs each being independent. The idea is that the changes are small and logical so they are easy to follow. |
Reg: |
This commit proposes changes to analyze
OCI images using tern.
Work towards: #678
Signed-off-by: mukultaneja [email protected]