
Cleanup /tmp during realtime scanning #503

Closed
SISheogorath opened this issue Oct 16, 2023 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@SISheogorath

I'm currently using the sbom-operator for real-time scanning as described in the README:

https://github.com/ckotzbauer/sbom-operator/blob/main/README.md#real-time

I noticed the problem that the operator will fill up the /tmp/ directory without ever cleaning up after scanning. Currently I have ~400 stereoscope-<number> directories in /tmp in a relatively small cluster. The current workaround is to regularly delete the pod to clean these up.

It seems that the problem was also known upstream, but should be fixed by now(?), though I haven't really found why the cleanup doesn't take place using this operator.

Ideas, guidance and maybe a solution would be more than welcome.

@SISheogorath
Author

I implemented a workaround today:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: sbom-operator
spec:
  template:
    spec:
      #
      containers:
        - name: sbom-operator
          #
        # Sidecar that shares the operator's /tmp volume and removes stale scan scratch directories.
        - name: cleanup
          image: quay.io/fedora/fedora:38
          command:
            - bash
            - -c
            # -mindepth 1 keeps find from matching /tmp itself (whose mtime also changes as scan dirs come and go),
            # -maxdepth 1 limits it to direct children; both must precede -type/-mmin to avoid a find warning.
            - while true; do find /tmp -mindepth 1 -maxdepth 1 -type d -mmin +15 -exec rm -rf {} + ; sleep 300; done
          resources:
            requests:
              cpu: 10m
              memory: 64Mi
            limits:
              cpu: 100m
              memory: 128Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1001
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: tmp
              mountPath: /tmp

This will just delete directories older than 15 minutes, which should be enough time to complete the scan.
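As an added example (not code from sbom-operator or from the workaround above), here is the same cleanup written in Go, the operator's language, so the logic could live in the operator itself rather than a sidecar. The `stereoscope-` prefix and the 15-minute threshold come from this issue; the function name, its parameters and the `now` argument are assumptions made for testability. Restricting removal to matching direct child directories (find's `-mindepth 1 -maxdepth 1 -name`) is what keeps the cleanup from wiping unrelated files or following a symlink placed in the shared /tmp:

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// CleanupStaleScanDirs removes the direct child directories of tmpDir whose
// name starts with prefix and whose mtime is older than maxAge, returning the
// paths removed. tmpDir itself is never a candidate (find -mindepth 1), and
// files or symlinks are skipped so a planted link cannot redirect the removal.
func CleanupStaleScanDirs(tmpDir, prefix string, maxAge time.Duration, now time.Time) ([]string, error) {
	entries, err := os.ReadDir(tmpDir)
	if err != nil {
		return nil, err
	}
	var removed []string
	for _, e := range entries {
		// IsDir is false for symlinks: ReadDir reports the link, not its target.
		if !e.IsDir() || !strings.HasPrefix(e.Name(), prefix) {
			continue
		}
		info, err := e.Info()
		if err != nil {
			continue // vanished between listing and stat (another scan cleaned it up)
		}
		if now.Sub(info.ModTime()) < maxAge {
			continue // young enough that a scan may still be using it
		}
		p := filepath.Join(tmpDir, e.Name())
		if err := os.RemoveAll(p); err != nil {
			return removed, fmt.Errorf("remove %s: %w", p, err)
		}
		removed = append(removed, p)
	}
	return removed, nil
}

func main() {
	// Stand-alone run with the sidecar's threshold against this host's temp dir.
	removed, err := CleanupStaleScanDirs(os.TempDir(), "stereoscope-", 15*time.Minute, time.Now())
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("removed %d stale scan directories: %v\n", len(removed), removed)
}
```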

@ckotzbauer
Owner

Thanks @SISheogorath for the report. I will add a cleanup in the next release.

@ckotzbauer ckotzbauer added the kind/bug Categorizes issue or PR as related to a bug. label Oct 24, 2023