Enable multi-layer analysis with no mount

This is work towards tern-tools#1082

Since overlay mount within a container requires the container
to run with privileges, we need another way of manifesting the
state of the filesystem at a given layer. This change adds a
new function apply_layers which uses bulk copy from one folder to
another after taking care of whiteout files. This will be the new
default operation of Tern's default analysis method. The other two
drivers can be accessed using the --driver option.

To account for the switch between using the drivers and applying
layers using the bulk copy method, we introduce the prep_layers
function that will make the switch. The rest of the changes involve
replacing instances of mount_overlay_fs with prep_layers wherever
appropriate.

To enable full operation, before adding the files to the image
layer during reading of the file data, we set the whiteout status
of the file.

Signed-off-by: Nisha K <[email protected]>

Author: Nisha K

tern/__main__.py

@@ -145,11 +145,12 @@ def main():
                         help="Change default working directory to specified"
                         " absolute path.")
     parser.add_argument('-dr', '--driver', metavar="DRIVER_OPTION",
-                        help="Required when running Tern in a container."
-                        "Using 'fuse' will enable the fuse-overlayfs driver "
-                        "to mount the diff layers of the container. If no "
-                        "input is provided, 'fuse' will be used as the "
-                        "default option.")
+                        default='default',
+                        help="Choose from the following storage drivers: \n"
+                        "overlay2: Use the kernel's overlay2 storage driver\n"
+                        "fuse: Use the fuse-overlayfs system tool\n"
+                        "If no option is given, the default method of "
+                        "applying container layers in userspace will be used.")
 
     # sys.version gives more information than we care to print
     py_ver = sys.version.replace('\n', '').split('[', maxsplit=1)[0]

tern/analyze/default/container/multi_layer.py

@@ -7,7 +7,10 @@
 Functions to analyze the subsequent layers in default mode
 """
 
+import glob
 import logging
+import os
+import shutil
 
 from tern.report import errors
 from tern.utils import constants
@@ -25,7 +28,7 @@
 logger = logging.getLogger(constants.logger_name)
 
 
-def mount_overlay_fs(image_obj, top_layer, driver=None):
+def mount_overlay_fs(image_obj, top_layer, driver):
     '''Given the image object and the top most layer, mount all the layers
     until the top layer using overlayfs'''
     tar_layers = []
@@ -35,6 +38,40 @@ def mount_overlay_fs(image_obj, top_layer, driver=None):
     return target
 
 
+def apply_layers(image_obj, top_layer):
+    """Apply image diff layers without using a kernel snapshot driver"""
+    # All merging happens in the merge directory
+    target = os.path.join(rootfs.get_working_dir(), constants.mergedir)
+    layer_dir = rootfs.get_untar_dir(image_obj.layers[top_layer].tar_file)
+    layer_contents = layer_dir + '/*'
+    # Account for whiteout files
+    for fd in image_obj.layers[top_layer].files:
+        if fd.is_whiteout:
+            # delete the corresponding file or directory in the target
+            # directory as well as the layer contents directory
+            deleted = fd.name.replace('.wh.', '')
+            delpath = os.path.join(target, os.path.dirname(fd.path), deleted)
+            if os.path.exists(delpath):
+                if os.path.isfile(delpath):
+                    os.remove(delpath)
+                else:
+                    shutil.rmtree(delpath)
+                os.remove(os.path.join(layer_dir, fd.path))
+    # Finally, bulk copy the layer contents into the target directory
+    # if there are any files to move
+    if os.listdir(layer_dir):
+        rootfs.root_command(['cp', '-r'] + glob.glob(layer_contents), target)
+    return target
+
+
+def prep_layers(image_obj, top_layer, driver='default'):
+    """Prepare the layer diff contents uptil the required point in time
+    based on the driver"""
+    if driver == 'default':
+        return apply_layers(image_obj, top_layer)
+    return mount_overlay_fs(image_obj, top_layer, driver)
+
+
 def fresh_analysis(image_obj, curr_layer, prereqs, options):
     """This is a subroutine that is run if there is no chached results or if
     the user wants to redo the analysis
@@ -53,12 +90,10 @@ def fresh_analysis(image_obj, curr_layer, prereqs, options):
     # if there is no shell, try to see if it exists in the current layer
     if not prereqs.fs_shell:
         prereqs.fs_shell = dcom.get_shell(image_obj.layers[curr_layer])
-    # mount diff layers from 0 till the current layer
-    target = mount_overlay_fs(image_obj, curr_layer, options.driver)
+    # prep layers based on the chosen driver
+    target = prep_layers(image_obj, curr_layer, options.driver)
     # set this layer's host path
     prereqs.host_path = target
-    # mount dev, sys and proc after mounting diff layers
-    rootfs.prep_rootfs(target)
     # get commands that created the layer
     # for docker images this is retrieved from the image history
     command_list = dcom.get_commands_from_metadata(
@@ -78,7 +113,9 @@ def fresh_analysis(image_obj, curr_layer, prereqs, options):
     else:
         # fall back to executing what we know
         core.execute_base(image_obj.layers[curr_layer], prereqs)
-    rootfs.unmount_rootfs()
+    # if the driver is using some storage driver, unmount the rootfs
+    if options.driver != 'default':
+        rootfs.unmount_rootfs()
 
 
 def analyze_subsequent_layers(image_obj, prereqs, master_list, options):

tern/analyze/default/debug/run.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (c) 2017-2020 VMware, Inc. All Rights Reserved.
+# Copyright (c) 2017-2021 VMware, Inc. All Rights Reserved.
 # SPDX-License-Identifier: BSD-2-Clause
 
 """
@@ -41,7 +41,7 @@ def check_image_obj(image_string):
 def mount_container_image(image_obj, driver=None):
     """Mount the container image to make it ready to invoke scripts"""
     if len(image_obj.layers) > 1:
-        target = multi_layer.mount_overlay_fs(
+        target = multi_layer.prep_layers(
             image_obj, len(image_obj.layers) - 1, driver)
         rootfs.prep_rootfs(target)
     else:
@@ -106,11 +106,10 @@ def drop_into_layer(image_obj, layer_index):
     upto the specified layer index and drop into a shell session"""
     rootfs.set_up()
     if layer_index == 0:
-        # mount only one layer
         target = rootfs.prep_base_layer(image_obj.layers[layer_index].tar_file)
     else:
         # mount all layers uptil the provided layer index
-        target = multi_layer.mount_overlay_fs(image_obj, layer_index)
+        target = multi_layer.prep_layers(image_obj, layer_index)
     mount_path = get_mount_path()
     print("\nWorking directory is: {}\n".format(mount_path))
     # check if there is a shell

tern/classes/image_layer.py

@@ -322,6 +322,7 @@ def add_files(self):
                                  os.path.relpath(file_info[2], '.'))
             file_data.set_checksum('sha256', file_info[1])
             file_data.extattrs = file_info[0]
+            file_data.set_whiteout()
             self.add_file(file_data)
 
     def get_layer_workdir(self):

tern/utils/rootfs.py

@@ -204,7 +204,7 @@ def prep_base_layer(base_layer_tar):
     return target_dir_path
 
 
-def mount_diff_layers(diff_layers_tar, driver=None):
+def mount_diff_layers(diff_layers_tar, driver='overlay2'):
     '''Using overlayfs, mount all the layer tarballs'''
     # make a list of directory paths to give to lowerdir
     lower_dir_paths = []
@@ -218,7 +218,7 @@ def mount_diff_layers(diff_layers_tar, driver=None):
            ',workdir=' + workdir_path
     if driver == 'fuse':
         root_command(fuse_mount, args, merge_dir_path)
-    else:
+    if driver == 'overlay2':
         root_command(union_mount, args, merge_dir_path)
     return merge_dir_path