eth-cscs / sarus

OCI-compatible engine to deploy Linux containers on HPC environments.
https://sarus.readthedocs.io/en/stable/
BSD 3-Clause "New" or "Revised" License

Race condition with static auth.json filename #30

Closed finkandreas closed 1 year ago

finkandreas commented 1 year ago

https://github.com/eth-cscs/sarus/blob/75e223bfe555c15f41d6394b41750c74d56e1d98/src/image_manager/SkopeoDriver.cpp#L233

The filename for pulling an image from a registry which requires authentication has a race condition. Consider the following workflow:

At this point Pull2 would be successful, because the authentication for Pull2 is in auth.json, but Pull1 will fail, because the authentication information for Pull1 was overwritten by Pull2.

An obvious way to fix this is to have a unique name for the authentication file.

Madeeks commented 1 year ago

Hi @finkandreas, I can confirm the current design does not cover the case of simultaneous pulls from the same user. Well spotted, and thanks for opening the issue+PR.

Madeeks commented 1 year ago

Fixed by #31
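
The race reported in this issue, next to a per-pull unique file name, as an added example that is neither Sarus code nor the change made in #31. The function names, the JSON contents and the write/write/read interleaving are constructed for illustration; `mkstemp()` is used here as one way to get a unique, owner-only (0600) file.

```cpp
// Added example, not Sarus code: all names and credential contents are hypothetical.
#include <cstdlib>
#include <fstream>
#include <iostream>
#include <iterator>
#include <stdexcept>
#include <string>
#include <unistd.h>

// Static name, as in the issue: every pull by the same user writes the same path.
std::string writeStaticAuthFile(const std::string& dir, const std::string& json) {
    std::string path = dir + "/auth.json";
    std::ofstream out(path, std::ios::trunc);
    out << json;  // flushed when `out` is destroyed on return
    return path;
}

// Unique name: mkstemp() atomically creates a new file (O_EXCL, mode 0600).
std::string writeUniqueAuthFile(const std::string& dir, const std::string& json) {
    std::string path = dir + "/auth-XXXXXX";
    int fd = mkstemp(&path[0]);  // replaces XXXXXX in place
    if (fd < 0) throw std::runtime_error("mkstemp failed for " + path);
    ssize_t n = write(fd, json.data(), json.size());
    close(fd);
    if (n != static_cast<ssize_t>(json.size())) { unlink(path.c_str()); throw std::runtime_error("short write"); }
    return path;
}

std::string readFile(const std::string& path) {
    std::ifstream in(path);
    return {std::istreambuf_iterator<char>(in), std::istreambuf_iterator<char>()};
}

// Constructed interleaving: Pull1 writes, Pull2 writes, then Pull1 reads its file back.
// Returns true if Pull1 still sees its own credentials.
bool pull1KeepsItsCredentials(bool uniqueNames, const std::string& dir) {
    auto writer = uniqueNames ? &writeUniqueAuthFile : &writeStaticAuthFile;
    std::string p1 = writer(dir, R"({"pull":"1"})");
    std::string p2 = writer(dir, R"({"pull":"2"})");
    bool ok = readFile(p1) == R"({"pull":"1"})";
    unlink(p1.c_str());
    if (p2 != p1) unlink(p2.c_str());
    return ok;
}

int main() {
    std::cout << "static name:  " << pull1KeepsItsCredentials(false, "/tmp") << "\n"
              << "unique names: " << pull1KeepsItsCredentials(true, "/tmp") << "\n";
}
```

Each pull has to pass its own path to the process that consumes the credentials and delete the file when it finishes, including on error paths.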