DOCKER_COMMAND_TIMEOUT is not long enough for saving large windows images #161
Comments
The timeout is hard-coded right now, which is not ideal. We are considering adding a Also, out of curiosity, how big are the images you are trying to scan?
That sounds like a good idea and would work for us.
We use the pip package, and call the ggshield command installed as part of that package, so that would involve us overwriting the source in the packages folder if I'm not mistaken?
This one is around 15GB. We'd prefer smaller images, but that's not possible when creating images for Microsoft build tooling.
Yes, patching the source would work but it's going to be clumsy. I just pushed a new branch called Let me know if it works for you.
Thanks @agateau-gg. I've tried out the branch, and it allows the build to almost run to completion (so the timeout works). The build now fails with the following stack trace:
Narrowing in on the save command itself:
and then running the same command manually, outside of GitGuardian, returned a bit more detail:
A quick manual test shows that the colon (
You can follow the https://github.com/docker/cli/blob/a32cd16160f1b41c1c4ae7bee4dac929d1484e59/cli/command/image/save.go#L60 Ultimately, it appears that the MoveFileEx Win32 API - and likely the Windows filesystem - does not support colons in filenames. Other notes:
This makes it possible to scan larger images.
Saving fails if the image name contains a ':' character because we then try to create a tarball name with a ':' in it, which is not an allowed filename character on Windows.
The tarball is created in a temporary directory, so it does not need to look like the image name. Let's use a fixed name instead: "archive.tar".
This commit also uses Path instead of str as a type for the path arguments of functions:
- docker_scan_archive
- docker_archive_cmd
- docker_save_to_tmp
- get_files_from_docker_archive
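The filename and timeout points from the commit messages above, as an added example that is not ggshield's own code. The environment variable name `EXAMPLE_DOCKER_TIMEOUT`, the helper names, and the form of the old image-derived filename are assumptions made for illustration.

```python
import os
import subprocess
from pathlib import Path
from typing import List

# Characters Windows rejects in a file name (control characters are also rejected).
WINDOWS_FORBIDDEN = set('<>:"/\\|?*')

# Hypothetical variable name; 360 s matches the 6-minute value in the report.
TIMEOUT_ENV_VAR = "EXAMPLE_DOCKER_TIMEOUT"
DEFAULT_TIMEOUT = 360


def docker_timeout() -> int:
    """Timeout in seconds; falls back to the default on missing or bad input."""
    try:
        value = int(os.environ.get(TIMEOUT_ENV_VAR, ""))
    except ValueError:
        return DEFAULT_TIMEOUT
    return value if value > 0 else DEFAULT_TIMEOUT


def is_valid_windows_filename(name: str) -> bool:
    """True if no character in the name is rejected by Windows."""
    return bool(name) and all(c not in WINDOWS_FORBIDDEN and ord(c) >= 32 for c in name)


def archive_path_from_image(tmp_dir: Path, image: str) -> Path:
    """Stand-in for the old behaviour: the tarball is named after the image."""
    return tmp_dir / (image.replace("/", "_") + ".tar")


def archive_path_fixed(tmp_dir: Path) -> Path:
    """Behaviour after the fix: a fixed name, independent of the image name."""
    return tmp_dir / "archive.tar"


def docker_save_cmd(image: str, archive: Path) -> List[str]:
    """Argument list (no shell), so the image name is never shell-interpreted."""
    return ["docker", "save", "-o", str(archive), image]


def save_image(image: str, tmp_dir: Path) -> Path:
    """Save the image; raises subprocess.TimeoutExpired when the limit is hit."""
    archive = archive_path_fixed(tmp_dir)
    subprocess.run(docker_save_cmd(image, archive), check=True, timeout=docker_timeout())
    return archive
```

`save_image` needs a working Docker CLI; the other functions can be exercised without one.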
Thanks for the detailed report! I added a fix for this Regarding where the image is saved: the Python function we use looks at the
No worries @agateau-gg - thanks for responding and fixing the issues so promptly. I can confirm that the update in the Thanks again 👏🏼
Great to hear the latest changes helped! This work is now in the
GitGuardian Shield Version 1.10.7
Command executed
ggshield scan docker
Describe the bug
There is a 6-minute hardcoded timeout present for all Docker commands:
ggshield/ggshield/docker.py
Lines 16 to 17 in 94a1fa0
We are finding that some of our Windows containers that we are scanning with the docker scanner are timing out at the image save command.
Expected behavior
No error occurs
Traceback