2015-10-27 21:38:48 +00:00
|
|
|
import logging.config
|
2016-10-28 21:11:54 +00:00
|
|
|
import time
|
2015-10-27 21:38:48 +00:00
|
|
|
|
2017-03-13 18:41:40 +00:00
|
|
|
from math import log10
|
2017-03-10 20:51:44 +00:00
|
|
|
|
2015-10-05 17:35:01 +00:00
|
|
|
import features
|
|
|
|
|
2016-12-01 16:20:31 +00:00
|
|
|
from app import app, secscan_api, prometheus
|
2015-10-05 17:35:01 +00:00
|
|
|
from workers.worker import Worker
|
2016-12-01 16:20:31 +00:00
|
|
|
from data.database import UseThenDisconnect
|
2017-03-10 20:51:44 +00:00
|
|
|
from data.model.image import (get_images_eligible_for_scan, get_image_pk_field,
|
|
|
|
get_max_id_for_sec_scan, get_min_id_for_sec_scan)
|
2015-11-11 20:41:46 +00:00
|
|
|
from util.secscan.api import SecurityConfigValidator
|
2016-12-15 21:27:24 +00:00
|
|
|
from util.secscan.analyzer import LayerAnalyzer, PreemptedException
|
2016-02-17 19:44:49 +00:00
|
|
|
from util.migrate.allocator import yield_random_entries
|
2017-02-01 23:17:25 +00:00
|
|
|
from util.log import logfile_path
|
2016-05-04 21:40:09 +00:00
|
|
|
from endpoints.v2 import v2_bp
|
2015-10-05 17:35:01 +00:00
|
|
|
|
2017-02-22 00:13:51 +00:00
|
|
|
|
2017-02-27 20:02:29 +00:00
|
|
|
# Seconds between indexing passes when SECURITY_SCANNER_INDEXING_INTERVAL is
# not set in the app config (see SecurityWorker.__init__).
DEFAULT_INDEXING_INTERVAL = 30


logger = logging.getLogger(__name__)

# Prometheus metrics updated on every indexing pass:
# - unscanned_images: count of images still awaiting a Clair scan.
# - max_unscanned_image_id: highest image ID in the current scan window.
unscanned_images_gauge = prometheus.create_gauge('unscanned_images',
                                                 'Number of images that clair needs to scan.')
max_unscanned_images_gauge = prometheus.create_gauge('max_unscanned_image_id',
                                                     'Max ID of the unscanned images.')
|
2017-02-22 00:13:51 +00:00
|
|
|
|
2015-10-05 17:35:01 +00:00
|
|
|
class SecurityWorker(Worker):
  """ Worker that periodically sweeps the image table and submits any image not
      yet indexed at the target engine version to the security scanner (Clair).
  """
  def __init__(self):
    super(SecurityWorker, self).__init__()

    # Bail out (registering no operations) when the security scanner
    # configuration is unusable; the worker then idles harmlessly.
    config_validator = SecurityConfigValidator(app.config)
    if not config_validator.valid():
      logger.warning('Failed to validate security scan configuration')
      return

    self._min_id = None
    self._target_version = app.config.get('SECURITY_SCANNER_ENGINE_VERSION_TARGET', 3)
    self._analyzer = LayerAnalyzer(app.config, secscan_api)

    scan_interval = app.config.get('SECURITY_SCANNER_INDEXING_INTERVAL', DEFAULT_INDEXING_INTERVAL)
    self.add_operation(self._index_images, scan_interval)

  def _index_images(self):
    """ Performs one indexing pass: walks images in [min_id, max_id] in random
        batches and analyzes each candidate, advancing min_id past max_id on a
        completed sweep.
    """
    def eligible_batch():
      return get_images_eligible_for_scan(self._target_version)

    # Highest image ID we may analyze this pass; None means the image table
    # is empty, so there is nothing to do.
    max_id = get_max_id_for_sec_scan()
    if max_id is None:
      return

    # No starting point, or the window has already moved past max_id.
    if self.min_id is None or self.min_id > max_id:
      logger.info('Could not find any available images for scanning.')
      return

    max_unscanned_images_gauge.Set(max_id)

    # 4^log10(total) gives us a scalable batch size into the billions.
    window = max(10, max_id - self.min_id)
    chunk_size = int(4 ** log10(window))

    with UseThenDisconnect(app.config):
      candidates = yield_random_entries(eligible_batch, get_image_pk_field(), chunk_size, max_id,
                                        self.min_id)
      for image_candidate, abort_signal, remaining_count in candidates:
        try:
          self._analyzer.analyze_recursively(image_candidate)
        except PreemptedException:
          # Another worker grabbed this layer first; signal the generator
          # to re-randomize rather than retrying the same entries.
          logger.info('Another worker pre-empted us for layer: %s', image_candidate.id)
          abort_signal.set()

        unscanned_images_gauge.Set(remaining_count)

      # If we reach this point, we analyzed every images up to max_id, next time the worker runs,
      # we want to start from the next image.
      self.min_id = max_id + 1

  @property
  def min_id(self):
    """ If it hasn't already been determined, finds the ID of the first image to be analyzed.
        First checks the config, then the database, and returns None if there are no images
        available for scanning.
    """
    if self._min_id is None:
      # Config override takes precedence; fall back to the smallest
      # not-yet-scanned image ID in the database.
      self._min_id = app.config.get('SECURITY_SCANNER_INDEXING_MIN_ID')
      if self._min_id is None:
        self._min_id = get_min_id_for_sec_scan(self._target_version)
    return self._min_id

  @min_id.setter
  def min_id(self, value):
    self._min_id = value
|
|
|
|
|
2015-10-28 20:32:46 +00:00
|
|
|
|
2015-10-05 17:35:01 +00:00
|
|
|
if __name__ == '__main__':
  # The v2 blueprint must be registered so security-scan API callbacks
  # resolve correctly when running standalone.
  app.register_blueprint(v2_bp, url_prefix='/v2')

  # When the feature is off, sleep forever instead of exiting so the
  # process supervisor does not endlessly restart us.
  if not features.SECURITY_SCANNER:
    logger.debug('Security scanner disabled; skipping SecurityWorker')
    while True:
      time.sleep(100000)

  logging.config.fileConfig(logfile_path(debug=True), disable_existing_loggers=False)
  security_worker = SecurityWorker()
  security_worker.start()
|