Merge pull request #3357 from quay/joseph.schorr/QUAY-1327/dont-scan-uploading

Make sure images in the process of being uploaded are not scanned by Clair
Joseph Schorr 2019-02-13 16:04:34 -05:00 committed by GitHub
commit f917de8c70
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 11 additions and 1 deletions


@ -446,7 +446,8 @@ def get_image_pk_field():
def get_images_eligible_for_scan(clair_version): def get_images_eligible_for_scan(clair_version):
""" Returns a query that gives all images eligible for a clair scan """ """ Returns a query that gives all images eligible for a clair scan """
return (get_image_with_storage_and_parent_base() return (get_image_with_storage_and_parent_base()
.where(Image.security_indexed_engine < clair_version)) .where(Image.security_indexed_engine < clair_version)
.where(ImageStorage.uploading == False))
def get_image_with_storage_and_parent_base(): def get_image_with_storage_and_parent_base():
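Review bot: The added `.where(ImageStorage.uploading == False)` filter also drops every row whose `uploading` value is NULL, because an SQL equality against NULL is never true. If that column is nullable (its definition is not visible here), those images would silently never become eligible for a Clair scan. Assuming this is a peewee query and NULL should read as "not uploading", `.where((ImageStorage.uploading == False) | ImageStorage.uploading.is_null())` closes that gap. The `== False` form is needed to build the query expression, so a trailing `# noqa: E712` would stop a lint cleanup from rewriting it. The filter also relies on `get_image_with_storage_and_parent_base()` joining `ImageStorage`, and that body is outside the hunk.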


@ -145,6 +145,7 @@ class _ManifestBuilder(object):
def assign_layer_blob(self, layer, blob, computed_checksums): def assign_layer_blob(self, layer, blob, computed_checksums):
""" Assigns a blob to a layer. """ """ Assigns a blob to a layer. """
assert blob assert blob
assert not blob.uploading
repo_image = model.image.get_image_by_db_id(layer.db_id) repo_image = model.image.get_image_by_db_id(layer.db_id)
if repo_image is None: if repo_image is None:
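Review bot: `assert not blob.uploading` in `assign_layer_blob` is stripped when Python runs with `-O`, so the guard against attaching a still-uploading blob to a manifest layer is not enforced in optimized deployments. If it is meant as an integrity invariant rather than a debugging aid, an explicit check such as `if blob.uploading: raise ValueError('blob is still uploading')` keeps it in force. Any caller that relies on `AssertionError` would need checking first. The same applies to the existing `assert blob` on the line above, and the method body continues outside the hunk.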


@ -104,6 +104,14 @@ class LayerAnalyzer(object):
# Nothing more to do. # Nothing more to do.
return return
# Make sure the image's storage is not marked as uploading. If so, nothing more to do.
if layer.storage.uploading:
if not set_secscan_status(layer, False, self._target_version):
raise PreemptedException
# Nothing more to do.
return
# Analyze the image. # Analyze the image.
previously_security_indexed_successfully = layer.security_indexed previously_security_indexed_successfully = layer.security_indexed
previous_security_indexed_engine = layer.security_indexed_engine previous_security_indexed_engine = layer.security_indexed_engine
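Review bot: The new `if layer.storage.uploading:` branch calls `set_secscan_status(layer, False, self._target_version)`, which appears to stamp the layer with the target engine version even though it was never analyzed. If that helper writes `security_indexed_engine` (its body is not visible here), the layer stops matching `Image.security_indexed_engine < clair_version` in `get_images_eligible_for_scan`. It would then stay unscanned after its upload completes, until the next engine version bump. It is worth confirming that something re-queues the layer on upload completion, or else returning from this branch without updating the status. The enclosing method starts and ends outside the hunk.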