Race condition with static auth.json filename

[finkandreas]

https://github.com/eth-cscs/sarus/blob/75e223bfe555c15f41d6394b41750c74d56e1d98/src/image_manager/SkopeoDriver.cpp#L233

The filename for pulling an image from a registry which requires authentication has a race condition. Consider the following workflow:

• Pull1 starting for my.registry.com/container_image_1:latest
• Pull2 starting for my.registry.com/container_image_2:lastest
• Pull1 writing authentication information to auth.json for my.registry.com/container_image_1
• Pull2 writing authentication information to auth.json for my.registry.com/container_image_2
• Pull1 reaching the point where it wants to actually do skopeo copy --src-authfile auth.json
• Pull2 reaching the point where it wants to actually do skopeo copy --src-authfile auth.json

At this point Pull2 would be successful, because the authentication for Pull2 is in auth.json, but Pull1 will fail, because the authentication information for Pull1 was overwritten by Pull2

An obvious way to fix this is to have a unique name for the authentication file.

[Madeeks]

Hi @finkandreas, I can confirm the current design does not cover the case of simultaneous pulls from the same user, well spotted and thanks for opening the issue+PR.

[Madeeks]

Fixed by #31