securityscanner: add a min image id option

This will enable us to force some instances of the securityworker to scan only new images.
2017-03-03 13:55:25 -05:00 · 2017-03-03 13:55:25 -05:00 · 4ed0cdda14
commit 4ed0cdda14
parent aa2f88d321
4 changed files with 12 additions and 6 deletions
--- a/config.py
+++ b/config.py
@ -313,6 +313,9 @@ class DefaultConfig(object):
  # The number of seconds between indexing intervals in the security scanner
  SECURITY_SCANNER_INDEXING_INTERVAL = 30

+  # If specified, the security scanner will only index images newer than the provided ID.
+  SECURITY_SCANNER_INDEXING_MIN_ID = None
+
  # If specified, the endpoint to be used for all POST calls to the security scanner.
  SECURITY_SCANNER_ENDPOINT_BATCH = None

--- a/data/model/image.py
+++ b/data/model/image.py
@ -495,10 +495,13 @@ def get_image_id():
  return Image.id


-def get_images_eligible_for_scan(clair_version):
+def get_images_eligible_for_scan(clair_version, min_id=None):
  """ Returns a query that gives all images eligible for a clair scan """
-  return (get_image_with_storage_and_parent_base()
+  query = (get_image_with_storage_and_parent_base()
           .where(Image.security_indexed_engine < clair_version))
+  if min_id is not None:
+    query = query.where(Image.id >= min_id)
+  return query


 def get_image_with_storage_and_parent_base():
--- a/test/test_secscan.py
+++ b/test/test_secscan.py
@ -589,11 +589,11 @@ class TestSecurityScanner(unittest.TestCase):

    # Ensure no images are available for scanning.
    self.assertIsNone(model.image.get_min_id_for_sec_scan(expected_version))
-    self.assertTrue(len(model.image.get_images_eligible_for_scan(expected_version)) == 0)
+    self.assertTrue(len(model.image.get_images_eligible_for_scan(expected_version, None)) == 0)

    # Check for a higher version.
    self.assertIsNotNone(model.image.get_min_id_for_sec_scan(expected_version + 1))
-    self.assertTrue(len(model.image.get_images_eligible_for_scan(expected_version + 1)) > 0)
+    self.assertTrue(len(model.image.get_images_eligible_for_scan(expected_version + 1, None)) > 0)

  def test_notification_worker(self):
    layer1 = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
--- a/workers/securityworker.py
+++ b/workers/securityworker.py
@ -42,7 +42,7 @@ class SecurityWorker(Worker):

  def _index_images(self):
    def batch_query():
-      return get_images_eligible_for_scan(self._target_version)
+      return get_images_eligible_for_scan(self._target_version, app.config.get('SECURITY_SCANNER_INDEXING_MIN_ID', None))

    # Get the ID of the last image we can analyze. Will be None if there are no images in the
    # database.