NewTarIndex race condition when run in a goroutine #192
Comments
|
Hi @Noxsios, thanks for filing this issue. Could you tell us a bit more about how you are making use of Syft and Stereoscope in this environment? Are you calling them as libraries? We are trying to sort through the logs but we could use more guidance from you. I'll save the relevant logs here for posterity. |
|
Thanks for reaching out @tgerla! Our tool - name: flux
description: Installs the flux CRDs / controllers to use flux-based deployments in the cluster
required: true
manifests:
- name: flux-crds
namespace: flux
files:
- flux-install.yaml
images:
- ghcr.io/fluxcd/kustomize-controller:v0.27.1
- ghcr.io/fluxcd/source-controller:v0.28.0This component has 2 images, and we use Crane to pull the images and Syft/Stereoscope to perform the SBOMing, then include that resulting artifact in the package. We are calling both Syft and Stereoscope as libraries main function we are calling. This functionality works 100% of the time when run in series, but fails with the previous error message when run in goroutines. The only difference between these two is this concurrency of operations. The layer Other relevant info: The layer cache directory given to Hope this helps! |
|
Hi @Noxsios -- we'd love to get this fixed; would you be able to provide a very simple sample Go application that uses stereoscope in a way that exhibits this behavior (even with something like hardcoded image tags/etc.)? It would definitely help us out to get it addressed more quickly... Thanks! |
|
@kzantow Working on it! Ran into a few roadblocks getting the minimum POC working as our project is on src, location, err := image.DetectSource(imagesDir)
if err != nil {
log.Fatal(err)
}
log.Printf("Detected source %q for %q", src, location)
cfg := source.StereoscopeImageConfig{
Reference: imagesDir,
From: src,
}
syftSource, err := source.NewFromStereoscopeImage(cfg)
if err != nil {
log.Fatal(err)
}
catalog, relationships, distro, err := syft.CatalogPackages(syftSource, cataloger.DefaultConfig())
if err != nil {
log.Fatal(err)
}However, the # pkg/image/oci/directory_provider.go:44
// for now, lets only support one image indexManifest (it is not clear how to handle multiple manifests)
if len(indexManifest.Manifests) != 1 {
return nil, fmt.Errorf("unexpected number of OCI directory manifests (found %d)", len(indexManifest.Manifests))
}The WIP POC lives here: https://github.com/Noxsios/goroutine-syft/blob/main/main.go . I will update if I can successfully replicate. Current output: |
|
This gets me much closer, but layoutPath := layout.Path(imagesDir)
v1Img, err := layoutPath.Image(digest)
if err != nil {
log.Fatal(err)
}
img := image.Image{}
imgSrc, err := source.NewFromStereoscopeImageObject(&img, digest.String(), nil)
if err != nil {
log.Fatal(err)
}
catalog, relationships, distro, err := syft.CatalogPackages(imgSrc, cataloger.DefaultConfig())
if err != nil {
log.Fatal(err)
} |
|
Thanks @Noxsios, we're going to need to spend a little bit more time investigating this so we'll put it in our backlog. |
What happened:
In our build system we pull+cache images using crane in an OCI layout format. We then attempt to SBOM these images which may share layer tarballs.
Concurrently running
Image.Readresults in the following error being returned:I believe this is caused by stereoscope re-using file handles in
os.Openresulting in a race condition of reads.What you expected to happen:
Image SBOMing is go-routine safe w/ images that share layers.
How to reproduce it (as minimally and precisely as possible):
In a system w/ low IO speed (Github's default runner works):
alpinebase work)Anything else we need to know?:
Full stereoscope + syft logs in our CI run: https://github.com/defenseunicorns/zarf/actions/runs/5485435230/jobs/9994240328?pr=1887
Environment:
ubuntu-latestThe text was updated successfully, but these errors were encountered: