
Upstream Clusterfuzzlite Image does not support Docker in Docker

Open mpherman2 opened this issue 4 years ago • 5 comments

Currently, to use ClusterFuzzLite with Prow, we use a different image that contains some bootstrap code that allows Docker in Docker to run. Ideally this would be upstreamed to help Prow's version of ClusterFuzzLite stay up to date with the upstream version.

Download Prow CFL image here: https://pantheon.corp.google.com/gcr/images/k8s-testimages/GLOBAL/ci_fuzz

Dockerfile for it is here: https://github.com/kubernetes/test-infra/blob/master/experiment/ci-fuzz/Dockerfile

mpherman2, Nov 04 '21 18:11

This is similar to https://github.com/google/oss-fuzz/issues/6710 @oliverchang WDYT of this? I think we will probably need to have different images for different platforms if we want to avoid making the image pull time too long. Already it takes about 50 seconds.

jonathanmetzman, Nov 04 '21 19:11

It's not just a performance issue. I remember some CIFuzz users running out of disk space, and this would make it worse.

jonathanmetzman, Nov 04 '21 19:11

Something that would solve both this issue and the performance issues would be to remove the need for Docker in Docker altogether. I understand the reason we build a new Docker image with the source code we are fuzzing in order to build the fuzzers, but it would be much better if instead we could just build the fuzzers directly without this extra step. Something to consider for future improvements.

mpherman2, Nov 05 '21 15:11

I think we don't like this solution for two reasons:

  1. It breaks assumptions for OSS-Fuzz users and causes CIFuzz to behave very differently than OSS-Fuzz does (e.g. certain runtime failures would not occur in CIFuzz but would occur on OSS-Fuzz).
  2. It would be very hard to prevent users from accidentally breaking things in ClusterFuzzLite (what if they uninstall the python version we installed and install their own).
  3. It's hard to manage. Right now the CFL images are based on the run-fuzzers image of OSS-Fuzz and can run commands from this image directly (e.g. check_build). To continue doing this, we'd have to copy scripts from that image too.

jonathanmetzman, Nov 05 '21 15:11

> This is similar to #6710 @oliverchang WDYT of this? I think we will probably need to have different images for different platforms if we want to avoid making the image pull time too long. Already it takes about 50 seconds.

+1 to a separate image for supporting Prow.

https://github.com/kubernetes/test-infra/blob/master/experiment/ci-fuzz/Dockerfile is broken but what needs to be added? Just a docker install step?

oliverchang, Nov 07 '21 23:11