quay/workers/securityworker.py

import logging.config
import time

import features

from app import app, secscan_api, prometheus
from workers.worker import Worker
from data.database import UseThenDisconnect
from data.model.image import (get_images_eligible_for_scan, get_max_id_for_sec_scan,
                              get_min_id_for_sec_scan, get_image_id)
from util.secscan.api import SecurityConfigValidator
from util.secscan.analyzer import LayerAnalyzer, PreemptedException
from util.migrate.allocator import yield_random_entries
from endpoints.v2 import v2_bp


BATCH_SIZE = 50
DEFAULT_INDEXING_INTERVAL = 30


logger = logging.getLogger(__name__)
unscanned_images_gauge = prometheus.create_gauge('unscanned_images',
                                                 'Number of images that clair needs to scan.')
max_unscanned_images_gauge = prometheus.create_gauge('max_unscanned_image_id',
                                                     'Max ID of the unscanned images.')

class SecurityWorker(Worker):
  def __init__(self):
    super(SecurityWorker, self).__init__()
    validator = SecurityConfigValidator(app.config)
    if validator.valid():
      self._target_version = app.config.get('SECURITY_SCANNER_ENGINE_VERSION_TARGET', 3)
      self._analyzer = LayerAnalyzer(app.config, secscan_api)

      # Get the ID of the first image we want to analyze.
      self._min_id = get_min_id_for_sec_scan(self._target_version)

      interval = app.config.get('SECURITY_SCANNER_INDEXING_INTERVAL', DEFAULT_INDEXING_INTERVAL)
      self.add_operation(self._index_images, interval)
    else:
      logger.warning('Failed to validate security scan configuration')

  def _index_images(self):
    def batch_query():
      return get_images_eligible_for_scan(self._target_version)

    # Get the ID of the last image we can analyze. Will be None if there are no images in the
    # database.
    max_id = get_max_id_for_sec_scan()
    if max_id is None:
      return

    max_unscanned_images_gauge.Set(max_id)

    with UseThenDisconnect(app.config):
      to_scan_generator = yield_random_entries(
        batch_query,
        get_image_id(),
        BATCH_SIZE,
        max_id,
        self._min_id,
      )
      for candidate, abt, num_remaining in to_scan_generator:
        try:
          self._analyzer.analyze_recursively(candidate)
        except PreemptedException:
          logger.info('Another worker pre-empted us for layer: %s', candidate.id)
          abt.set()

        unscanned_images_gauge.Set(num_remaining)

    # If we reach this point, we analyzed every images up to max_id, next time the worker runs,
    # we want to start from the next image.
    self._min_id = max_id + 1

if __name__ == '__main__':
  app.register_blueprint(v2_bp, url_prefix='/v2')

  if not features.SECURITY_SCANNER:
    logger.debug('Security scanner disabled; skipping SecurityWorker')
    while True:
      time.sleep(100000)

  logging.config.fileConfig('conf/logging_debug.conf', disable_existing_loggers=False)
  worker = SecurityWorker()
  worker.start()
WIP: Towards sec demo 2015-10-27 21:38:48 +00:00			`import logging.config`
pylint formatting 2016-10-28 21:11:54 +00:00			`import time`
WIP: Towards sec demo 2015-10-27 21:38:48 +00:00
Add support for Quay's vulnerability tool 2015-10-05 17:35:01 +00:00			`import features`

Adding in some metrics around clair sec scan. 2016-12-01 16:20:31 +00:00			`from app import app, secscan_api, prometheus`
Add support for Quay's vulnerability tool 2015-10-05 17:35:01 +00:00			`from workers.worker import Worker`
Adding in some metrics around clair sec scan. 2016-12-01 16:20:31 +00:00			`from data.database import UseThenDisconnect`
			`from data.model.image import (get_images_eligible_for_scan, get_max_id_for_sec_scan,`
Move the total image count stat back to the prom stat worker 2017-02-22 16:24:41 +00:00			`get_min_id_for_sec_scan, get_image_id)`
refactor securityworker Fixes #772. 2015-11-11 20:41:46 +00:00			`from util.secscan.api import SecurityConfigValidator`
Security scanner flow changes and auto-retry Changes the security scanner code to raise exceptions now for non-successful operations. One of the new exceptions raised is MissingParentLayerException, which, when raised, will cause the security worker to perform a full rescan of all parent images for the current layer, before trying once more to scan the current layer. This should allow the system to be "self-healing" in the case where the security scanner engine somehow loses or corrupts a parent layer. 2016-12-15 21:27:24 +00:00			`from util.secscan.analyzer import LayerAnalyzer, PreemptedException`
Adapt security worker for Clair v1.0 (except notifications) 2016-02-17 19:44:49 +00:00			`from util.migrate.allocator import yield_random_entries`
Use the registry API for security scanning when the storage engine doesn't support direct download url 2016-05-04 21:40:09 +00:00			`from endpoints.v2 import v2_bp`
Add support for Quay's vulnerability tool 2015-10-05 17:35:01 +00:00
Read the number of unscanned clair images from the block allocator 2017-02-22 00:13:51 +00:00
various securityworker fixes 2016-02-10 02:25:07 +00:00			`BATCH_SIZE = 50`
Make the security scanning worker period configurable 2017-02-27 20:02:29 +00:00			`DEFAULT_INDEXING_INTERVAL = 30`
Add support for Quay's vulnerability tool 2015-10-05 17:35:01 +00:00
Read the number of unscanned clair images from the block allocator 2017-02-22 00:13:51 +00:00
Adapt security worker for Clair v1.0 (except notifications) 2016-02-17 19:44:49 +00:00			`logger = logging.getLogger(__name__)`
Linter fixes 2017-02-22 16:25:09 +00:00			`unscanned_images_gauge = prometheus.create_gauge('unscanned_images',`
			`'Number of images that clair needs to scan.')`
Remove images count (which is horribly slow in InnoDB) and add a max gauge 2017-02-23 22:21:17 +00:00			`max_unscanned_images_gauge = prometheus.create_gauge('max_unscanned_image_id',`
			`'Max ID of the unscanned images.')`
Read the number of unscanned clair images from the block allocator 2017-02-22 00:13:51 +00:00
Add support for Quay's vulnerability tool 2015-10-05 17:35:01 +00:00			`class SecurityWorker(Worker):`
			`def __init__(self):`
			`super(SecurityWorker, self).__init__()`
Various small fixes in prep for QE release 2016-05-04 19:20:27 +00:00			`validator = SecurityConfigValidator(app.config)`
refactor securityworker Fixes #772. 2015-11-11 20:41:46 +00:00			`if validator.valid():`
Read the number of unscanned clair images from the block allocator 2017-02-22 00:13:51 +00:00			`self._target_version = app.config.get('SECURITY_SCANNER_ENGINE_VERSION_TARGET', 3)`
Refactor the security worker and API calls and add a bunch of tests 2016-02-24 21:01:27 +00:00			`self._analyzer = LayerAnalyzer(app.config, secscan_api)`
refactor securityworker Fixes #772. 2015-11-11 20:41:46 +00:00
Compute min_id only once during securityworker's lifetime 2016-03-04 17:11:40 +00:00			`# Get the ID of the first image we want to analyze.`
Adding in some metrics around clair sec scan. 2016-12-01 16:20:31 +00:00			`self._min_id = get_min_id_for_sec_scan(self._target_version)`
Compute min_id only once during securityworker's lifetime 2016-03-04 17:11:40 +00:00
Make the security scanning worker period configurable 2017-02-27 20:02:29 +00:00			`interval = app.config.get('SECURITY_SCANNER_INDEXING_INTERVAL', DEFAULT_INDEXING_INTERVAL)`
			`self.add_operation(self._index_images, interval)`
Refactor security worker 2015-11-17 22:42:52 +00:00			`else:`
			`logger.warning('Failed to validate security scan configuration')`
Add support for Quay's vulnerability tool 2015-10-05 17:35:01 +00:00
Adapt security worker for Clair v1.0 (except notifications) 2016-02-17 19:44:49 +00:00			`def _index_images(self):`
			`def batch_query():`
Adding in some metrics around clair sec scan. 2016-12-01 16:20:31 +00:00			`return get_images_eligible_for_scan(self._target_version)`
Adapt security worker for Clair v1.0 (except notifications) 2016-02-17 19:44:49 +00:00
Various small fixes in prep for QE release 2016-05-04 19:20:27 +00:00			`# Get the ID of the last image we can analyze. Will be None if there are no images in the`
			`# database.`
Adding in some metrics around clair sec scan. 2016-12-01 16:20:31 +00:00			`max_id = get_max_id_for_sec_scan()`
Various small fixes in prep for QE release 2016-05-04 19:20:27 +00:00			`if max_id is None:`
			`return`
Adapt security worker for Clair v1.0 (except notifications) 2016-02-17 19:44:49 +00:00
Remove images count (which is horribly slow in InnoDB) and add a max gauge 2017-02-23 22:21:17 +00:00			`max_unscanned_images_gauge.Set(max_id)`

Adapt security worker for Clair v1.0 (except notifications) 2016-02-17 19:44:49 +00:00			`with UseThenDisconnect(app.config):`
Read the number of unscanned clair images from the block allocator 2017-02-22 00:13:51 +00:00			`to_scan_generator = yield_random_entries(`
			`batch_query,`
			`get_image_id(),`
			`BATCH_SIZE,`
			`max_id,`
			`self._min_id,`
			`)`
			`for candidate, abt, num_remaining in to_scan_generator:`
Security scanner flow changes and auto-retry Changes the security scanner code to raise exceptions now for non-successful operations. One of the new exceptions raised is MissingParentLayerException, which, when raised, will cause the security worker to perform a full rescan of all parent images for the current layer, before trying once more to scan the current layer. This should allow the system to be "self-healing" in the case where the security scanner engine somehow loses or corrupts a parent layer. 2016-12-15 21:27:24 +00:00			`try:`
			`self._analyzer.analyze_recursively(candidate)`
			`except PreemptedException:`
Adapt security worker for Clair v1.0 (except notifications) 2016-02-17 19:44:49 +00:00			`logger.info('Another worker pre-empted us for layer: %s', candidate.id)`
			`abt.set()`

Read the number of unscanned clair images from the block allocator 2017-02-22 00:13:51 +00:00			`unscanned_images_gauge.Set(num_remaining)`

Compute min_id only once during securityworker's lifetime 2016-03-04 17:11:40 +00:00			`# If we reach this point, we analyzed every images up to max_id, next time the worker runs,`
			`# we want to start from the next image.`
			`self._min_id = max_id + 1`
Ready for demo 2015-10-28 20:32:46 +00:00
Add support for Quay's vulnerability tool 2015-10-05 17:35:01 +00:00			`if __name__ == '__main__':`
Use the registry API for security scanning when the storage engine doesn't support direct download url 2016-05-04 21:40:09 +00:00			`app.register_blueprint(v2_bp, url_prefix='/v2')`

Add support for Quay's vulnerability tool 2015-10-05 17:35:01 +00:00			`if not features.SECURITY_SCANNER:`
specify securityworker skip message 2015-11-10 18:07:47 +00:00			`logger.debug('Security scanner disabled; skipping SecurityWorker')`
Add support for Quay's vulnerability tool 2015-10-05 17:35:01 +00:00			`while True:`
			`time.sleep(100000)`

WIP: Towards sec demo 2015-10-27 21:38:48 +00:00			`logging.config.fileConfig('conf/logging_debug.conf', disable_existing_loggers=False)`
Add support for Quay's vulnerability tool 2015-10-05 17:35:01 +00:00			`worker = SecurityWorker()`
			`worker.start()`