Question: Feasibility of using "oc image extract --preserve-ownership=true" to pull and unpack images for check-payload scans?

[zxiong]

Is it feasible to use oc image extract --preserve-ownership=true to pull and unpack an image for check-payload scans? We’ve observed that oc image extract is faster than skopeo copy + umoci raw unpack --rootless --image, reducing pull and unpack time by approximately 20–30% for large images.

I compared the unpacked directories produced by both approaches. The only differences observed are in file ownership and group, for example:

$ rsync -avnc --delete --itemize-changes unpacked-dir1 unpacked-dir2

.d....o.... opt/app-root/
.L....o.... opt/app-root/lib64 -> lib
.f....o.... opt/app-root/pyvenv.cfg
.d....o.... opt/app-root/bin/
.f....o.... opt/app-root/bin/Activate.ps1
.f....o.... opt/app-root/bin/activate
.f....o.... opt/app-root/bin/activate.csh
.f....o.... opt/app-root/bin/activate.fish
...

[smith-xyz]

@zxiong I didn't think this tool used skopeo+umoci. podman is used to mount the images we find in a given payload. Were you seeing something different.

[zxiong]

@smith-xyz, yes, you’re right — I know this tool itself does not use skopeo + umoci. In our case, however, we run the check-payload scan inside a Tekton task on OpenShift. As part of that workflow, before scanning an image, we currently use skopeo copy to pull the image to local disk in OCI format, and then unpack it using umoci raw unpack --rootless --image.

I’m exploring if we could replace this step with oc image extract --preserve-ownership=true, as initial testing shows it provides better performance for pulling and unpacking images. I know that it's not part of the tool.

[smith-xyz]

oh I see - interesting, so if I'm following before scanning with this tool, you'll pull the image (I assume the ocp payload) and its much more efficient to pull the image with oc image extract --preserve-ownership=true.

Within this tool if the payload url provided isn't already there, then it leverages ocp to get all the component images, then pull each individually. (very slow)

I'll play around with this today, but at face value it sounds like it could be more performant, thanks for sharing your findings!

[zxiong]

Thanks for looking into this! Just to clarify, my question is if it would be possible to replace the skopeo copy + umoci raw unpack --rootless step with oc image extract --preserve-ownership=true?

The key concern on my side is making sure we get the same scanning results from the check-payload tool after this change — does that seem feasible?