Google Git
Sign in
go / pkgsite-metrics / 78d973a699c50da2a76f4084c748363c689895bc^! / .
commit78d973a699c50da2a76f4084c748363c689895bc[log] [tgz]
authorZvonimir Pavlinovic <zpavlinovic@google.com>Thu Mar 02 16:32:06 2023 -0800
committerZvonimir Pavlinovic <zpavlinovic@google.com>Fri Mar 03 17:44:24 2023 +0000
treefb5a0cc9e677e0c3dca1ad7fd97a7236cca0b334
parent9272178eb29091b36e3ae3ac3146565c4fdc81b5 [diff]
internal/worker: clean cache outside of sandbox

Cleaning cache inside the sandbox seems to raise some memory leaks
seemingly related to the sandbox process. Clean the cache outside
instead, for now.

Change-Id: Ieefb67ff9901c8f2f3aa65f90c31d41f0be3dc72
Reviewed-on: https://go-review.googlesource.com/c/pkgsite-metrics/+/472995
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

diff --git a/internal/worker/vulncheck_scan.go b/internal/worker/vulncheck_scan.go
index cd8b7ad..a8d7539 100644
--- a/internal/worker/vulncheck_scan.go
+++ b/internal/worker/vulncheck_scan.go

@@ -298,7 +298,7 @@
 		if s.insecure {
 			vulns, err = s.runGovulncheckScanInsecure(ctx, modulePath, version, stats)
 		} else {
-			return nil, errors.New("Govulncheck scan is currently unsupported in sandbox mode")
+			return nil, errors.New("govulncheck scan is currently unsupported in sandbox mode")
 		}
 		if err != nil {
 			return nil, err
@@ -335,9 +335,13 @@
 	return unmarshalVulncheckOutput(stdout)
 }
 
-// The Go module cache resides in its default location, $HOME/go/pkg/mod.
-// Inside the sandbox, the user is root and their home directory is /root.
-const sandboxGoModCache = "root/go/pkg/mod"
+// Inside the sandbox, the user is root and their $HOME directory is /root.
+const (
+	// The Go module cache resides in its default location, $HOME/go/pkg/mod.
+	sandboxGoModCache = "root/go/pkg/mod"
+	// The Go cache resides in its default location, $HOME/.cache/go-build.
+	sandboxGoCache = "root/.cache/go-build"
+)
 
 func runSourceScanSandbox(ctx context.Context, modulePath, version, mode string, proxyClient *proxy.Client, sbox *sandbox.Sandbox) ([]byte, error) {
 	sandboxDir, cleanup, err := downloadModuleSandbox(ctx, modulePath, version, proxyClient)
@@ -363,7 +367,7 @@
 		return "", nil, err
 	}
 	// Download all dependencies outside of the sandbox, but use the Go build
-	// cache inside the bundle.
+	// cache ("/bundle/rootfs/" + sandboxGoCache) inside the bundle.
 	log.Infof(ctx, "running go mod download")
 	cmd := exec.Command("go", "mod", "download")
 	cmd.Dir = imageDir
@@ -855,7 +859,11 @@
 		out, err = exec.Command("go", "clean", "-cache", "-modcache").CombinedOutput()
 	} else {
 		logDiskUsage("before")
-		out, err = s.sbox.Command(sandboxGoPath, "clean", "-cache", "-modcache").Output()
+		// TODO(zpavlinovic): clean within sandbox. Currently, there is a memory leak.
+		//out, err = s.sbox.Command(sandboxGoPath, "clean", "-cache", "-modcache").Output()
+		c := exec.Command("go", "clean", "-cache", "-modcache")
+		c.Env = append(os.Environ(), "GOCACHE=/bundle/rootfs/"+sandboxGoCache, "GOMODCACHE=/bundle/rootfs/"+sandboxGoModCache)
+		out, err = c.CombinedOutput()
 		if err == nil {
 			logDiskUsage("after")
 		}