Race condition with static auth.json filename
finkandreas opened this issue · 2 comments
finkandreas commented
sarus/src/image_manager/SkopeoDriver.cpp
Line 233 in 75e223b
The filename for pulling an image from a registry which requires authentication has a race condition. Consider the following workflow:
- Pull1 starting for my.registry.com/container_image_1:latest
- Pull2 starting for my.registry.com/container_image_2:lastest
- Pull1 writing authentication information to auth.json for my.registry.com/container_image_1
- Pull2 writing authentication information to auth.json for my.registry.com/container_image_2
- Pull1 reaching the point where it wants to actually do
skopeo copy --src-authfile auth.json - Pull2 reaching the point where it wants to actually do
skopeo copy --src-authfile auth.json
At this point Pull2 would be successful, because the authentication for Pull2 is in auth.json, but Pull1 will fail, because the authentication information for Pull1 was overwritten by Pull2
An obvious way to fix this is to have a unique name for the authentication file.
Madeeks commented
Hi @finkandreas, I can confirm the current design does not cover the case of simultaneous pulls from the same user, well spotted and thanks for opening the issue+PR.