internal/worker, etc.: use same directory for modules
Add a bind mount to the sandbox config, so the same directory,
/tmp/modules, holds modules for both inside and outside the sandbox.
Change-Id: Ie626756f808c6941ea01c7eb3df88f88c1a9bb2a
Reviewed-on: https://go-review.googlesource.com/c/pkgsite-metrics/+/476196
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/cmd/worker/Dockerfile b/cmd/worker/Dockerfile
index c8b14e3..d2fcff1 100644
--- a/cmd/worker/Dockerfile
+++ b/cmd/worker/Dockerfile
@@ -24,10 +24,11 @@
# The sandbox mounts this directory.
RUN mkdir module
-# Where binaries live.
+# Where binaries and modules live.
# The sandbox config.json file maps these to the same paths
# inside the sandbox.
RUN mkdir /tmp/binaries
+RUN mkdir /tmp/modules
#### Sandbox setup
diff --git a/config.json.commented b/config.json.commented
index b13d7d0..5dc0da1 100644
--- a/config.json.commented
+++ b/config.json.commented
@@ -98,6 +98,14 @@
"type": "none",
"source": "/tmp/binaries",
"options": ["bind"]
+ },
+ {
+ # Mount /tmp/modules inside the sandbox to
+ # the same directory outside.
+ "destination": "/tmp/modules",
+ "type": "none",
+ "source": "/tmp/modules",
+ "options": ["bind"]
}
],
"linux": {
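Review bot: The new /tmp/modules mount on the added lines carries only `"options": ["bind"]`, so the sandboxed process sees the module tree read-write and without nosuid/nodev, even though the worker hunks show the module being downloaded into that directory from outside the sandbox (prepareModule runs before the sandboxed step). If the analysis inside the sandbox does not need to write into the module tree, `"options": ["bind", "ro", "nosuid", "nodev"]` would keep sandboxed code from altering files the host side later reads and removes; if it does need to write, `nosuid` and `nodev` still apply. The existing /tmp/binaries mount above has the same shape, so whichever options are chosen should probably be applied to both.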
diff --git a/internal/worker/analysis.go b/internal/worker/analysis.go
index 45645a1..3a19e46 100644
--- a/internal/worker/analysis.go
+++ b/internal/worker/analysis.go
@@ -115,7 +115,7 @@
return nil, nil, err
}
- mdir := moduleDir(req.Module, req.Version, req.Insecure)
+ mdir := moduleDir(req.Module, req.Version)
defer removeDir(&err, mdir)
if err := prepareModule(ctx, req.Module, req.Version, mdir, s.proxyClient, req.Insecure); err != nil {
return nil, nil, err
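Review bot: With the changed `moduleDir` call, the insecure path now downloads under the fixed `/tmp/modules` instead of `os.TempDir()`, and that directory is only guaranteed to exist by the Dockerfile's new `RUN mkdir /tmp/modules`; a run outside the container depends on prepareModule doing the equivalent of `os.MkdirAll(mdir, 0o755)` on the path it is given. Worth confirming that it does, or creating `modulesDir` once at worker startup, so the insecure mode keeps working where it used to. The same applies to the insecure call site in internal/worker/vulncheck_scan.go (the `@@ -393` hunk). The enclosing function starts and ends outside this hunk.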
diff --git a/internal/worker/scan.go b/internal/worker/scan.go
index 10f9c5b..69704c8 100644
--- a/internal/worker/scan.go
+++ b/internal/worker/scan.go
@@ -32,10 +32,11 @@
// The root of the sandbox, relative to the docker container.
sandboxRoot = "/bundle/rootfs"
- // The directory where binaries live. The sandbox mounts this
- // directory to the same path internally, so this path works
- // for both secure and insecure modes.
- binaryDir = "/tmp/binaries"
+ // The directories where binaries and modules live.
+ // The sandbox mounts this directory to the same path internally, so this
+ // path works for both secure and insecure modes.
+ binaryDir = "/tmp/binaries"
+ modulesDir = "/tmp/modules"
)
var activeScans atomic.Int32
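Review bot: The rewritten comment above `binaryDir`/`modulesDir` still says "this directory" and "this path" although it now introduces two constants; suggest `// The sandbox mounts these directories to the same paths internally, so the` followed by `// paths work for both secure and insecure modes.` The names are also uneven (`binaryDir` singular, `modulesDir` plural); `moduleDir` is presumably avoided because the function below already uses it, which is fine, but a one-line comment per constant would make the pairing obvious.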
@@ -242,12 +243,8 @@
}
// moduleDir returns a the path of a directory where the module can be downloaded.
-func moduleDir(modulePath, version string, insecure bool) string {
- dir := sandboxRoot
- if insecure {
- dir = os.TempDir()
- }
- return filepath.Join(dir, "modules", modulePath+"@"+version)
+func moduleDir(modulePath, version string) string {
+ return filepath.Join(modulesDir, modulePath+"@"+version)
}
// removeDir calls os.RemoveAll(dir) and combines the error with errp.
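Review bot: The new `moduleDir` body joins the caller-supplied `modulePath` and `version` straight under `modulesDir`, which this commit turns into a directory shared between the host and the sandbox; `filepath.Join` cleans the result, so a module path containing `..` or a leading `/` would resolve outside `/tmp/modules` unless callers validate it beforehand (e.g. with golang.org/x/mod/module.CheckPath, if the project already depends on x/mod). Since the function cannot report an error without changing its signature, documenting the precondition is the minimal change: `// moduleDir returns the path of the directory where the module can be downloaded.` followed by `// modulePath and version must already be validated; they are joined into the path unchecked.` That also fixes "returns a the path" on the unchanged doc line above.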
diff --git a/internal/worker/vulncheck_scan.go b/internal/worker/vulncheck_scan.go
index e3c666d..d3d9b93 100644
--- a/internal/worker/vulncheck_scan.go
+++ b/internal/worker/vulncheck_scan.go
@@ -322,9 +322,9 @@
return s.runBinaryScanSandbox(ctx, modulePath, version, binDir, stats)
}
- const insecure = false
- mdir := moduleDir(modulePath, version, insecure)
+ mdir := moduleDir(modulePath, version)
defer removeDir(&err, mdir)
+ const insecure = false
if err := prepareModule(ctx, modulePath, version, mdir, s.proxyClient, insecure); err != nil {
return nil, err
}
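Review bot: `const insecure = false` now sits between the `defer removeDir` and the `prepareModule` call, after the argument it used to feed in the `moduleDir` call was removed; a constant declared mid-flow reads oddly, and the insecure counterpart in the `@@ -393` hunk passes a bare `true`. Either pass `false` directly here as well, or give both functions a named constant at the top so the two call sites read the same way. The enclosing function begins and ends outside this hunk.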
@@ -393,7 +393,7 @@
return s.runBinaryScanInsecure(ctx, modulePath, version, binaryDir, os.TempDir(), stats)
}
- mdir := moduleDir(modulePath, version, true)
+ mdir := moduleDir(modulePath, version)
defer removeDir(&err, mdir)
if err := prepareModule(ctx, modulePath, version, mdir, s.proxyClient, true); err != nil {
return nil, err