fix: chalking large zip files #229
Conversation
Removing previous chalk FD caching mechanism which stored file stream on the chalk object which restricted where it can be used. Now most places use the fd_cache mechanism to interact with FDs except a few specific places which need to do something custom such as open FD to TTY which is not cached.
miki725
changed the title
If we open by default with fmReadWriteExisting mode during all codec chalk scans, it leaves all FDs open in write mode which means any other program using flock on the same file will not work. For example we scan docker binary to determine if its chalked and docker seems to use flock and so as chalk would open it in write mode docker would not be executable in a subprocess. By explicitly specifying the file mode it allows the caller to determine how to open the file hence avoiding these type of conflicts, which are especially pronounced when multiple chalks run in parallel on the same machine.
otherwise for example running lots of plugins on non-valid files such as docker image name was not working as expected as there is no corresponding file
miki725
changed the title
miki725
changed the title
otherwise any subscan triggered within chalk command would reset context directories and therefore plugin collection was not working as expected this was impacting zip codec so far
miki725
changed the title
src/commands/cmd_docker.nim
Outdated
| trace("New docker file: \n" & newcontents) | ||
| f.write(newcontents) | ||
| f.close() | ||
| let (f, path) = getNewTempFile() |
There was a problem hiding this comment.
This should have an analogue writeNewTempFile() that does the stuff you do below.
There was a problem hiding this comment.
good idea. added in crashappsec/nimutils@c523586
src/docker_git.nim
Outdated
| @@ -54,8 +54,10 @@ proc createTempKnownHosts(data: string): string = | |||
| if data == "": | |||
| return "" | |||
| let (f, path) = getNewTempFile() | |||
| f.write(data) | |||
| f.close() | |||
| try: | |||
There was a problem hiding this comment.
See above, should have a 'writeNewTempFile()`; Plus, it occurs to me we should have a semgrep rule to warn on new adds of getNewTempFile()
There was a problem hiding this comment.
cc @indecisivedragon was just mentioning semgrep to me as well. good idea to add that to chalk CI
src/fd_cache.nim
Outdated
| ## for all opened file streams. | ||
| ## | ||
| ## Some things you can do: | ||
| ## * yield - create or get existing file stream from cache. |
There was a problem hiding this comment.
'yield' generally means "I'm done with this (for now)". Generally, I would take that to mean the system can decide whether it needs to be closed (whereas close generally asserts we need to close). 'Acquire' is the right word to use here.
There was a problem hiding this comment.
was going between the 2 but yeah the logic for acquire makes more sense
There was a problem hiding this comment.
renamed in 411b868 (#229)
|
|
||
| # ---------------------------------------------------------------------------- | ||
|
|
||
| proc getOpenLimit(): int = |
There was a problem hiding this comment.
It may be worth limiting ourselves to some percentage of the rlimit (or subtract out a healthy number). Hard to know what 3rd party stuff we'll pull in that can't use the API.
There was a problem hiding this comment.
also for context default fd limit in the config is 50:
chalk/src/configs/chalk.c42spec
Lines 2524 to 2527 in 938e474
so we should be ok for most systems. dont imagine well see anything much lower with rlimit of 1024
src/plugins/codecMacOs.nim
Outdated
| "Replace the script or rename the executable") | ||
| scanFail() | ||
| # Drop down below for the chalk mark. | ||
| # chalked mac binary is a macho binary wrapped as shell script |
|
|
||
| return some(chalk) | ||
| let |
There was a problem hiding this comment.
Someday we should really use an in-memory option here :/ Not now of course.
also using writeNewTempFile from nimtuils for more consise temp file handling in chalk
Issue
none of the codecs were using chalk fd caching machinery and some of them were leaking FDs which was causing issues when trying to chalk a jar file with ~3K files
fixes #225
fixes #230
Description
ensure consistent use of the FD cache mechanism across chalk codebase. previous each
ChalkObjcontained its ownstream: FileStreamattribute which was used for caching that paths FD. that had some issues such as it was impossible to use that mechanism outside ofChalkObjsuch as in codecs as they are responsible for createChalkObjin the first place. to make it all consistent:fd_cacheimplementationstreamfromChalkObjand instead use thefd_cachefrom abovefd_cacheTesting
existing tests plus some tests on large zip files such as zap jar file which has ~3K files