From a30fd8f6107780f13f0274e5c5c8ed0ae9aaa363 Mon Sep 17 00:00:00 2001
From: Valentin Rothberg <rothberg@redhat.com>
Date: Mon, 8 Feb 2021 13:51:31 +0100
Subject: make `podman rmi` more robust

The c/storage library is subject to TOCTOUs as the central container and
image storage may be shared by many instances of many tools.  As shown
in #6510, it's fairly easy to have multiple instances of Podman running
in parallel and yield image-lookup errors when removing them.

The underlying issue is the TOCTOU of removal being split into multiple
stages of first reading the local images and then removing them.  Some
images may already have been removed in between the two stages. To make
image removal more robust, handle errors at stage two when a given image
is not present (anymore) in the storage.

Fixes: #6510
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
---
 test/e2e/rmi_test.go | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

(limited to 'test/e2e')

diff --git a/test/e2e/rmi_test.go b/test/e2e/rmi_test.go
index 1f40e4928..c1fbe0440 100644
--- a/test/e2e/rmi_test.go
+++ b/test/e2e/rmi_test.go
@@ -1,7 +1,9 @@
 package integration
 
 import (
+	"fmt"
 	"os"
+	"sync"
 
 	. "github.com/containers/podman/v2/test/utils"
 	. "github.com/onsi/ginkgo"
@@ -276,4 +278,32 @@ RUN find $LOCAL
 		match, _ := session.ErrorGrepString("image name or ID must be specified")
 		Expect(match).To(BeTrue())
 	})
+
+	It("podman image rm - concurrent with shared layers", func() {
+		// #6510 has shown a fairly simple reproducer to force storage
+		// errors during parallel image removal.  Since it's subject to
+		// a race, we may not hit the condition a 100 percent of times
+		// but ocal reproducers hit it all the time.
+
+		var wg sync.WaitGroup
+
+		buildAndRemove := func(i int) {
+			defer GinkgoRecover()
+			defer wg.Done()
+			imageName := fmt.Sprintf("rmtest:%d", i)
+			containerfile := `FROM quay.io/libpod/cirros:latest
+RUN ` + fmt.Sprintf("touch %s", imageName)
+
+			podmanTest.BuildImage(containerfile, imageName, "false")
+			session := podmanTest.Podman([]string{"rmi", "-f", imageName})
+			session.WaitWithDefaultTimeout()
+			Expect(session).Should(Exit(0))
+		}
+
+		wg.Add(10)
+		for i := 0; i < 10; i++ {
+			go buildAndRemove(i)
+		}
+		wg.Wait()
+	})
 })
-- 
cgit v1.2.3-54-g00ecf