Merge pull request #2661 from kleesc/securityworker_cpu

Raise an APIRequestFailure exception when security scanner is unavail…

test/test_secscan.py

@@ -8,7 +8,7 @@ from data.database import Image, IMAGE_NOT_SCANNED_ENGINE_VERSION
 from endpoints.notificationevent import VulnerabilityFoundEvent
 from endpoints.v2 import v2_bp
 from initdb import setup_database_for_testing, finished_database_for_testing
-from util.secscan.api import SecurityScannerAPI
+from util.secscan.api import SecurityScannerAPI, APIRequestFailure
 from util.secscan.analyzer import LayerAnalyzer
 from util.secscan.fake import fake_security_scanner
 from util.secscan.notifier import SecurityNotificationHandler, ProcessNotificationPageResult
@@ -160,7 +160,8 @@ class TestSecurityScanner(unittest.TestCase):
       security_scanner.set_internal_error_layer_id(security_scanner.layer_id(layer))
 
       analyzer = LayerAnalyzer(app.config, self.api)
-      analyzer.analyze_recursively(layer)
+      with self.assertRaises(APIRequestFailure) as ctx:
+        analyzer.analyze_recursively(layer)
 
       layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
       self.assertAnalyzed(layer, security_scanner, False, -1)

util/secscan/analyzer.py

@@ -57,7 +57,7 @@ class LayerAnalyzer(object):
     except AnalyzeLayerRetryException:
       # Something went wrong when trying to analyze the layer, but we should retry, so leave
       # the layer unindexed. Another worker will come along and handle it.
-      pass
+      raise APIRequestFailure
     except MissingParentLayerException:
       # Pass upward, as missing parent is handled in the analyze_recursively method.
       raise
@@ -145,7 +145,7 @@ class LayerAnalyzer(object):
         try:
           layer_data = self._api.get_layer_data(layer, include_vulnerabilities=True)
         except APIRequestFailure:
-          layer_data = None
+          raise
 
         if layer_data is not None:
           # Dispatch events for any detected vulnerabilities

workers/securityworker.py

@@ -10,7 +10,7 @@ from workers.worker import Worker
 from data.database import UseThenDisconnect
 from data.model.image import (get_images_eligible_for_scan, get_image_pk_field,
                               get_max_id_for_sec_scan, get_min_id_for_sec_scan)
-from util.secscan.api import SecurityConfigValidator
+from util.secscan.api import SecurityConfigValidator, APIRequestFailure
 from util.secscan.analyzer import LayerAnalyzer, PreemptedException
 from util.migrate.allocator import yield_random_entries
 from endpoints.v2 import v2_bp
@@ -73,6 +73,9 @@ class SecurityWorker(Worker):
         except PreemptedException:
           logger.info('Another worker pre-empted us for layer: %s', candidate.id)
           abt.set()
+        except APIRequestFailure:
+          logger.exception('Security scanner service unavailable')
+          return
 
         unscanned_images_gauge.Set(num_remaining)