Bug 1739315

Summary: Builds with Secrets fail with the error "Error processing tar file(exit status 1): invalid symlink "/opt/app-root/src/..data"
Product: Red Hat Enterprise Linux 7 Reporter: Venkata Tadimarri <ktadimar>
Component: docker Assignee: Tom Sweeney <tsweeney>
Status: CLOSED ERRATA QA Contact: atomic-bugs <atomic-bugs>
Severity: high Docs Contact:
Priority: high    
Version: 7.7 CC: adam.kaplan, aivaras.laimikis, ajia, amurdaca, aos-bugs, benj, bparees, cshereme, cstark, dahernan, dornelas, gmontero, jnovy, ljenkin, lsm5, nate.childers, pthomas, rhowe, sakulkar, sparpate, sreber, tsweeney, vjaypurk, wzheng, yselkowi
Target Milestone: rc Keywords: BuildBlocker, Extras, Regression
Target Release: 7.7   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: docker-1.13.1-104.git4ef4b30.el7_7 Doc Type: If docs needed, set a value
Last Closed: 2019-10-16 09:05:42 UTC Type: Bug
Bug Blocks: 1186913, 1731154    

Description Venkata Tadimarri 2019-08-09 03:17:03 UTC
Description of problem:

Unable to execute builds with secrets as part of the configuration. 

- build fails on adding the secret to the build:
error: Uploading to container failed: Error response from daemon: Error processing tar file(exit status 1): invalid symlink "/opt/app-root/src/..data" -> "..2019_08_06_22_44_01.875817706"
ERROR: Error occurred during injecting "/var/run/secrets/openshift.io/build/secret" to "/opt/app-root/src": Error response from daemon: Error processing tar file(exit status 1): invalid symlink "/opt/app-root/src/..data" -> "..2019_08_06_22_44_01.875817706"


Version-Release number of selected component (if applicable):

atomic-openshift-3.11.98-1.git.0.0cbaff3.el7.x86_64
docker-1.13.1-102.git7f2769b.el7.x86_64
docker-client-1.13.1-102.git7f2769b.el7.x86_64
docker-common-1.13.1-102.git7f2769b.el7.x86_64

How reproducible:

Attached the buildconfig to the bug. Include the secrets as part of the build. 


Actual results:

Build fails with the error in the description. 

Additional info:

-> Downgrading the version helps to resolve the issue. The same bc works fine with a lower version of docker (96 for example) and fails for 102.

Comment 3 Adam Kaplan 2019-08-09 20:53:10 UTC
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1738599.

Comment 8 Adam Kaplan 2019-08-20 13:52:21 UTC
*** Bug 1738599 has been marked as a duplicate of this bug. ***

Comment 9 Adam Kaplan 2019-08-20 13:54:09 UTC
Bug also impacts 3.9 and 3.10 (and earlier, though these versions have reached EOL). Updating impacted version.

Comment 10 Gabe Montero 2019-08-20 17:58:18 UTC
So the original CVE fix has been cited as a regression upstream, noted via https://github.com/moby/moby/issues/39348 and the subsequent fixes from https://github.com/docker/engine/pull/275 and https://github.com/moby/moby/pull/39357 and https://github.com/docker/engine/pull/280

We are testing against 1.13.1-102

We need to determine what RHEL Docker level has https://github.com/docker/engine/pull/275 and https://github.com/moby/moby/pull/39357 and https://github.com/docker/engine/pull/280

Comment 11 Gabe Montero 2019-08-20 19:30:50 UTC
I have confirmed that https://github.com/moby/moby/pull/39357 is not in https://github.com/projectatomic/docker/commits/docker-1.13.1-rhel and https://github.com/projectatomic/docker/blob/docker-1.13.1-rhel/

Sending it over to rhel7/docker ... what is the status of fixing the regressions introduced by https://github.com/moby/moby/pull/39292 ... do we know yet what version of the docker RPMs after 1.13.1-102 will have the fix?

Comment 54 errata-xmlrpc 2019-10-16 09:05:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3092