
ROX-32459: Bump claircore to v1.5.50 to fix node/vm indexing#19422

Draft
vikin91 wants to merge 2 commits into master from piotr/ROX-32459-agent-avoids-proc

Conversation

@vikin91

@vikin91 vikin91 commented Mar 13, 2026

Description

This PR updates node indexing to work with newer ClairCore filesystem URI handling and improves resilience/correctness for the ROX-32459 scenario.

  • Bump github.com/quay/claircore from v1.5.44 to v1.5.50.
  • Convert node indexer filesystem layer input to normalized absolute file:// URIs before claircore.Layer.Init.
  • Add/adjust node indexer tests to validate URI behavior and updated error handling for empty host paths.

Why:

  • Newer ClairCore versions require file:// URI semantics for filesystem layers.
  • Versions after v1.5.44 include improvements relevant to ROX-32459 context (including filtering problematic filesystem access and package-scanner error propagation behavior).

Acknowledgments:

  • The issue documentation and discussion in ROX-32459 provided clear problem framing and validation targets.
  • This implementation was inspired by prior work and rationale in stackrox/stackrox#18341.

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

  • CI
  • By running the reproduction steps from the Jira ticket on a VM

Confirming the bug is fixed

# Building smaller root to save some time
sudo mkdir -p /tmp/roxroot/{etc,var,usr,root,proc}
sudo mount --bind /etc /tmp/roxroot/etc
sudo mount --bind /var /tmp/roxroot/var
sudo mount --bind /usr /tmp/roxroot/usr
sudo mount --bind /root /tmp/roxroot/root
sudo mount --bind /proc /tmp/roxroot/proc  # mounting on purpose to reproduce the issue

# starting zombie
$ (sleep 1 & exec /bin/sleep 180) &

$ time sudo /home/cloud-user/vm-agent-amd64 --port 818 --host-path /tmp/roxroot
2026/03/13 18:52:20 WARN rpm source packages always record 0 epoch; this may cause incorrect matching see-also="https://github.com/rpm-software-management/rpm/issues/2796 https://github.com/rpm-software-management/rpm/discussions/3703 https://github.com/rpm-software-management/rpm/pull/3755"
virtualmachines/roxagent/vsock: 2026/03/13 18:52:24.781263 client.go:79: Info: Sent message with index report containing 517 packages to host

real    1m22.010s
user    0m22.752s
sys     0m54.774s

# some time later the zombie finishes
[1]+  Done                    ( sleep 1 & exec /bin/sleep 180 )

✅ The fix is a solution to the issue. However, it makes the indexing pretty slow...

Observing performance

The change seems to significantly increase indexing times. Here are a few observations (still need more data for a conclusion).

Scanning limited root (works)

sudo mkdir -p /tmp/roxroot/{etc,var,usr,root}
sudo mount --bind /etc /tmp/roxroot/etc
sudo mount --bind /var /tmp/roxroot/var
sudo mount --bind /usr /tmp/roxroot/usr
sudo mount --bind /root /tmp/roxroot/root


time sudo /home/cloud-user/vm-agent-amd64 --port 818 --host-path /tmp/roxroot

2026/03/13 18:32:17 WARN rpm source packages always record 0 epoch; this may cause incorrect matching see-also="https://github.com/rpm-software-management/rpm/issues/2796 https://github.com/rpm-software-management/rpm/discussions/3703 https://github.com/rpm-software-management/rpm/pull/3755"
virtualmachines/roxagent/vsock: 2026/03/13 18:32:21.564264 client.go:79: Info: Sent message with index report containing 517 packages to host

real    0m22.315s
user    0m9.513s
sys     0m11.275s

Scanning full root:

[cloud-user@rhel9-1 ~]$ time sudo /home/cloud-user/vm-agent-amd64 --port 818 --host-path /
2026/03/13 18:49:31 WARN rpm source packages always record 0 epoch; this may cause incorrect matching see-also="https://github.com/rpm-software-management/rpm/issues/2796 https://github.com/rpm-software-management/rpm/discussions/3703 https://github.com/rpm-software-management/rpm/pull/3755"
virtualmachines/roxagent/vsock: 2026/03/13 18:49:35.245293 client.go:79: Info: Sent message with index report containing 517 packages to host

real    1m45.496s
user    0m31.055s
sys     1m7.528s

When multiple agents run in parallel (one daemon, the other one-shot), the running times are very long; I killed one run after 10 minutes of waiting.

Bump ClairCore to v1.5.50 and switch node index layer paths to normalized file:// URIs so VM/node indexing remains compatible with newer ClairCore URI handling and benefits from /proc access robustness plus correct package-scan error propagation.

User request: "update to 1.5.50 and implement the full ACS change for nodeIndexer/ROX-32459 context."

AI generated the dependency bump, URI conversion, and tests; user validated scope, selected version direction, and reviewed/corrected requirements during implementation.
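The description above says the node indexer now converts its filesystem layer input to a normalized absolute file:// URI before calling claircore.Layer.Init and rejects empty host paths. The following is an added illustration of that conversion written for this page; it is not the PR's own code, and the function names `layerURI` and `hostPathFromURI` and the exact error text are assumptions. It shows the two edge cases a reviewer would check: an unclean path is canonicalized, and an empty path fails fast instead of being silently resolved to the working directory.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
)

// layerURI converts the host path handed to the node indexer into the
// normalized absolute file:// URI form that newer ClairCore filesystem
// layers expect. Added example for this page, not the project's own
// implementation; the function name and error text are assumptions.
func layerURI(hostPath string) (string, error) {
	if hostPath == "" {
		// An empty --host-path must be rejected up front: filepath.Abs("")
		// would otherwise quietly return the current working directory and
		// the indexer would scan the wrong tree.
		return "", errors.New("node indexer: host path must not be empty")
	}
	// filepath.Abs anchors a relative path to the working directory and
	// cleans it, so "/tmp/roxroot/../roxroot/" normalizes to "/tmp/roxroot".
	abs, err := filepath.Abs(hostPath)
	if err != nil {
		return "", fmt.Errorf("node indexer: resolving %q: %w", hostPath, err)
	}
	// Building the URI through url.URL rather than string concatenation
	// percent-encodes characters such as spaces and emits the empty
	// authority ("file:///...") that a local path requires.
	u := url.URL{Scheme: "file", Path: abs}
	return u.String(), nil
}

// hostPathFromURI is the inverse, handy in tests: it verifies that a layer
// URI is a local file:// reference and returns the filesystem path it names.
func hostPathFromURI(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "file" || u.Host != "" {
		return "", fmt.Errorf("not a local file URI: %q", raw)
	}
	return u.Path, nil
}

func main() {
	// Constructed inputs: the path used in the validation run above plus
	// an unclean path, a path with a space, and the empty-path error case.
	for _, p := range []string{"/tmp/roxroot", "/tmp/roxroot/../roxroot/", "/tmp/rox root", ""} {
		uri, err := layerURI(p)
		if err != nil {
			fmt.Printf("%-28q -> error: %v\n", p, err)
			continue
		}
		fmt.Printf("%-28q -> %s\n", p, uri)
	}
}
```

Round-tripping through hostPathFromURI is the cheap way to assert in a unit test that the URI handed to ClairCore still names the directory the agent was pointed at.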
@vikin91

vikin91 commented Mar 13, 2026

This change is part of the following stack:

Change managed by git-spice.

@openshift-ci

openshift-ci bot commented Mar 13, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@rhacs-bot

Images are ready for the commit at f710db5.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-320-gf710db53f3.
