The filename for pulling an image from a registry which requires authentication has a race condition. Consider the following workflow:
1. Pull1 starting for my.registry.com/container_image_1:latest
2. Pull2 starting for my.registry.com/container_image_2:latest
3. Pull1 writing authentication information to auth.json for my.registry.com/container_image_1
4. Pull2 writing authentication information to auth.json for my.registry.com/container_image_2
5. Pull1 reaching the point where it wants to actually do `skopeo copy --src-authfile auth.json`
6. Pull2 reaching the point where it wants to actually do `skopeo copy --src-authfile auth.json`

At this point Pull2 would be successful, because the authentication for Pull2 is in auth.json, but Pull1 will fail, because the authentication information for Pull1 was overwritten by Pull2.
An obvious way to fix this is to have a unique name for the authentication file.
Hi @finkandreas, I can confirm the current design does not cover the case of simultaneous pulls from the same user. Well spotted, and thanks for opening the issue+PR.
https://github.com/eth-cscs/sarus/blob/75e223bfe555c15f41d6394b41750c74d56e1d98/src/image_manager/SkopeoDriver.cpp#L233
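The fix proposed in the issue, a unique authfile name per pull, sketched in C++ as an added example (not Sarus code; the helper names, the `/tmp` directory and the credential strings are constructed for illustration). It replays the interleaving from the issue against a fixed `auth.json` and against names generated by `mkstemp()`.

```cpp
#include <cstdlib>
#include <fstream>
#include <iterator>
#include <stdexcept>
#include <string>
#include <unistd.h>

// Hypothetical helper: the fixed-name behaviour described in the issue.
std::string writeSharedAuthFile(const std::string& dir, const std::string& authJson) {
    std::string path = dir + "/auth.json";
    std::ofstream(path, std::ios::trunc) << authJson;  // a later pull overwrites an earlier one
    return path;
}

// Hypothetical helper: one authfile per pull. mkstemp() picks a unique name and creates
// the file atomically (O_EXCL) with mode 0600, which suits a file holding credentials.
std::string writeUniqueAuthFile(const std::string& dir, const std::string& authJson) {
    std::string path = dir + "/auth.json.XXXXXX";
    int fd = mkstemp(&path[0]);
    if (fd == -1) throw std::runtime_error("mkstemp failed for " + path);
    ssize_t written = write(fd, authJson.data(), authJson.size());
    close(fd);
    if (written == static_cast<ssize_t>(authJson.size())) return path;  // pass to --src-authfile
    unlink(path.c_str());
    throw std::runtime_error("short write to " + path);
}

std::string readFile(const std::string& path) {
    std::ifstream in(path);
    return std::string(std::istreambuf_iterator<char>(in), std::istreambuf_iterator<char>());
}

// Replays the issue's interleaving: both pulls write their authfile before either
// reaches the copy step. Returns true if Pull1 still reads its own credentials.
template <typename Writer>
bool pull1KeepsItsCredentials(Writer writeAuthFile, const std::string& dir) {
    const std::string creds1 = R"({"auths":{"my.registry.com":{"auth":"Y29uc3RydWN0ZWQx"}}})";  // constructed
    const std::string creds2 = R"({"auths":{"my.registry.com":{"auth":"Y29uc3RydWN0ZWQy"}}})";  // constructed
    std::string file1 = writeAuthFile(dir, creds1);
    std::string file2 = writeAuthFile(dir, creds2);
    bool ok = readFile(file1) == creds1;  // what Pull1's skopeo copy would read
    unlink(file1.c_str());  // remove the credentials once the copy step is done
    unlink(file2.c_str());
    return ok;
}

int main() {
    return pull1KeepsItsCredentials(writeUniqueAuthFile, "/tmp") ? 0 : 1;
}
```

With the shared name the check returns false for Pull1; with per-pull names it returns true, and each authfile can be removed as soon as its own copy finishes.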