cnvm: Delete old snapshots on startup #3143

orestisfl · 2025-03-25T12:43:05Z

Summary of your changes

Change CNVM to add a background job cleaning up old snapshots.

The logic here is:

Background routine is started. Since the amount of leftover snapshots can be quite high (e.g. 40k in our account), 3 cleanup workers are used
IterOwnedSnapshots() is called which goes over all snapshots, returning an iterator. Snapshots are selected if:
1. They are more than 48 hours old
2. They have a tag with key "Name" and value starting with "elastic-vulnerability"
3. They are "self-owned"
Cleanup returns. On context cancelled, no extra grace period is added so the process doesn't block restarts/shutdown.

Screenshot/Data

Deleted 1178 snapshots from 2025-03-25T16:17:08.384Z to 2025-03-25T16:20:19.504Z

Related Issues

Closes #3105
Closes https://github.com/elastic/sdh-security-team/issues/1168

Checklist

I have added tests that prove my fix is effective or that my feature works
I have added the necessary README/documentation (if appropriate)

Introducing a new rule?

No

Pulling change out of elastic#3143 to ease reviewing. This is the result of running ```shell hermit upgrade mockery just validate-mocks ``` Reason is that old mockery complains about go 1.22's syntax ```go for i := range 10 { ... } ```

Pulling change out of #3143 to ease reviewing. This is the result of running ```shell hermit upgrade mockery just validate-mocks ``` Reason is that old mockery complains about go 1.22's syntax ```go for i := range 10 { ... } ```

Pulling change out of #3143 to ease reviewing. This is the result of running ```shell hermit upgrade mockery just validate-mocks ``` Reason is that old mockery complains about go 1.22's syntax ```go for i := range 10 { ... } ``` (cherry picked from commit 7d838d1)

Upgrade mockery (#3144) Pulling change out of #3143 to ease reviewing. This is the result of running ```shell hermit upgrade mockery just validate-mocks ``` Reason is that old mockery complains about go 1.22's syntax ```go for i := range 10 { ... } ``` (cherry picked from commit 7d838d1) Co-authored-by: Orestis Floros <orestis.floros@elastic.co>

romulets · 2025-03-28T12:58:22Z

internal/resources/providers/awslib/ec2/provider.go

+	for _, tag := range snap.Tags {
+		if aws.ToString(tag.Key) == "Name" {
+			return strings.HasPrefix(aws.ToString(tag.Value), snapshotPrefix)
+		}
+	}


Since we are already querying already the snapshots here:

Filters: []types.Filter{ { Name: aws.String("tag:Name"), Values: []string{fmt.Sprintf("%s-*", snapshotPrefix)}, }, },

Do we need this piece of filtering?

We need to filter for time anyway so the name check is there just as a sanity check.

moukoublen · 2025-03-28T13:00:59Z

internal/vulnerability/snapshot.go

+type contextualChan[T any] struct {
+	ch chan T
+}


[ just sharing thoughts - not suggesting to change it ]
I wonder which one of "wrapper struct vs just generic functions", is leaner in that case.

eg instead of a wrapper just having something like that

func SendToChannel[T any](ctx context.Context, ch chan<- T, t T) bool func ReadFromChannel[T any](ctx context.Context, ch <-chan T) (T, bool)

I wanted to completely avoid exposing the channel to prevent misusing it. Both can be valid approaches if direct access to the channel is needed.

### Summary of your changes Change CNVM to add a background job cleaning up old snapshots. The logic here is: 1. Background routine is started. Since the amount of leftover snapshots can be quite high (e.g. 40k in our account), 3 cleanup workers are used 2. `IterOwnedSnapshots()` is called which goes over all snapshots, returning an iterator. Snapshots are selected if: 1. They are more than 48 hours old 2. They have a tag with key "Name" and value starting with "elastic-vulnerability" 3. They are "self-owned" 3. Cleanup returns. On context cancelled, no extra grace period is added so the process doesn't block restarts/shutdown. ### Screenshot/Data Deleted 1178 snapshots from `2025-03-25T16:17:08.384Z` to `2025-03-25T16:20:19.504Z` ### Related Issues Closes #3105 Closes https://github.com/elastic/sdh-security-team/issues/1168 ### Checklist - [x] I have added tests that prove my fix is effective or that my feature works - [x] I have added the necessary README/documentation (if appropriate) #### Introducing a new rule? No (cherry picked from commit 8860b9d)

cnvm: Delete old snapshots on startup (#3143) ### Summary of your changes Change CNVM to add a background job cleaning up old snapshots. The logic here is: 1. Background routine is started. Since the amount of leftover snapshots can be quite high (e.g. 40k in our account), 3 cleanup workers are used 2. `IterOwnedSnapshots()` is called which goes over all snapshots, returning an iterator. Snapshots are selected if: 1. They are more than 48 hours old 2. They have a tag with key "Name" and value starting with "elastic-vulnerability" 3. They are "self-owned" 3. Cleanup returns. On context cancelled, no extra grace period is added so the process doesn't block restarts/shutdown. ### Screenshot/Data Deleted 1178 snapshots from `2025-03-25T16:17:08.384Z` to `2025-03-25T16:20:19.504Z` ### Related Issues Closes #3105 Closes https://github.com/elastic/sdh-security-team/issues/1168 ### Checklist - [x] I have added tests that prove my fix is effective or that my feature works - [x] I have added the necessary README/documentation (if appropriate) #### Introducing a new rule? No (cherry picked from commit 8860b9d) Co-authored-by: Orestis Floros <orestis.floros@elastic.co>

cnvm: Delete old snapshots on startup

4eae248

mergify bot assigned orestisfl Mar 25, 2025

mergify bot added the backport-v8.x label Mar 25, 2025

elastic deleted a comment from mergify bot Mar 25, 2025

orestisfl mentioned this pull request Mar 25, 2025

Upgrade mockery #3144

Merged

mergify bot mentioned this pull request Mar 25, 2025

[8.x](backport #3144) Upgrade mockery #3145

Merged

orestisfl added 3 commits March 25, 2025 14:43

Merge branch 'main' into cnvm-delete-old-snapshots

9fb09be

improve tests & shutdown

a075e85

up

952133b

orestisfl linked an issue Mar 26, 2025 that may be closed by this pull request

CNVM: Clean-up old snapshots on startup #3105

Closed

2 tasks

orestisfl added 4 commits March 26, 2025 14:34

Merge branch 'main' into cnvm-delete-old-snapshots

a122ec7

better coverage

aadb8e1

cover ctx

08ecf74

use iterator / channel wrapper

e15f978

orestisfl marked this pull request as ready for review March 28, 2025 12:15

orestisfl requested a review from a team as a code owner March 28, 2025 12:15

romulets reviewed Mar 28, 2025

View reviewed changes

moukoublen reviewed Mar 28, 2025

View reviewed changes

moukoublen approved these changes Mar 28, 2025

View reviewed changes

orestisfl merged commit 8860b9d into elastic:main Mar 28, 2025
9 checks passed

orestisfl deleted the cnvm-delete-old-snapshots branch March 28, 2025 14:01

mergify bot mentioned this pull request Mar 28, 2025

[8.x](backport #3143) cnvm: Delete old snapshots on startup #3151

Merged

2 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

cnvm: Delete old snapshots on startup #3143

cnvm: Delete old snapshots on startup #3143

orestisfl commented Mar 25, 2025 •

edited

Loading

romulets Mar 28, 2025 •

edited

Loading

orestisfl Mar 28, 2025

moukoublen Mar 28, 2025

orestisfl Mar 28, 2025

cnvm: Delete old snapshots on startup #3143

cnvm: Delete old snapshots on startup #3143

Conversation

orestisfl commented Mar 25, 2025 • edited Loading

Summary of your changes

Screenshot/Data

Related Issues

Checklist

Introducing a new rule?

romulets Mar 28, 2025 • edited Loading

Choose a reason for hiding this comment

orestisfl Mar 28, 2025

Choose a reason for hiding this comment

moukoublen Mar 28, 2025

Choose a reason for hiding this comment

orestisfl Mar 28, 2025

Choose a reason for hiding this comment

orestisfl commented Mar 25, 2025 •

edited

Loading

romulets Mar 28, 2025 •

edited

Loading