Bug 1867598
Summary: | newgidmap and newuidmap fail rpm verification capabilities test | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | jcastran | |
Component: | ubi8-container | Assignee: | Jindrich Novy <jnovy> | |
Status: | CLOSED ERRATA | QA Contact: | David Darrah/Red Hat QE <ddarrah> | |
Severity: | medium | Docs Contact: | ||
Priority: | medium | |||
Version: | 8.0 | CC: | dornelas, ekasprzy, gscrivan, hartsjc, jnovy, jwboyer, tsweeney, ypu | |
Target Milestone: | rc | Keywords: | Triaged, ZStream | |
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | If docs needed, set a value | ||
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1954587 1995337 1997492 (view as bug list) | Environment: | ||
Last Closed: | 2021-11-09 23:58:06 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1965330, 1965334, 1968680, 1968681, 1969928, 1969929 | |||
Bug Blocks: | 1186913, 1954587, 1995337, 1997492 |
Description
jcastran
2020-08-10 13:01:57 UTC
This does appear to be specific to the image, or at least it doesn't seem to be something that podman/overlayfs is doing to the image/container.

Looking at just the image layers:

    # mkdir /tmp/test
    # skopeo copy docker://registry.access.redhat.com/ubi7:latest dir:/tmp/test
    Getting image source signatures
    Copying blob 1323a241cc06 done
    Copying blob 2bd25ca12457 done
    Copying config fdef99b341 done
    Writing manifest to image destination
    Storing signatures
    # tar xvf /tmp/test/1323a241cc068f2816dd88f00168be73339471d6dc6eb2e6c761b63b734501b6 ./usr/bin/newuidmap
    ./usr/bin/newuidmap
    # ls -l /root/usr/bin/newuidmap
    -rwxr-xr-x. 1 root root 38976 May 3 2019 /root/usr/bin/newuidmap
    # getcap -v /root/usr/bin/newuidmap
    /root/usr/bin/newuidmap

I would guess they're stripped during the image build process somehow.

Reopening as this needs to be addressed in the future after this change no longer breaks RHAOS.

FWIW it seems upstream Fedora also has the problem, probably because they use the same tooling to build their image. In https://www.redhat.com/sysadmin/podman-inside-container

First pull fedora latest, and then update to the latest packages. Note it reinstalls shadow-utils, since there is a known issue in the shadow-utils install on the Fedora image where the filecaps on newsubuid and newsubgid are not set.

Jindrich, any update on this one?

Yes, this got committed to dist-git 20th Apr.

Derrick, please let me know if you are unhappy about this going to 8.5.

The oc bug is fixed in 4.7.z and should be fixed soon in 4.6.z and 4.8. The opm bug is fixed in 4.6.z and 4.7.z, and it should be fixed soon in 4.8. I think it will be safe to reintroduce this change with 8.5.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat Universal Base Image 8 Container Image Update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4551
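Added example, not part of the bug report or of Red Hat's tooling: a Python check that reads an image layer tarball's PAX headers in place and reports whether `newuidmap` and `newgidmap` carry a `security.capability` xattr, so the result does not depend on tar extraction options or privileges. The function names and the in-memory sample layer are constructed for illustration; only the `cap_setuid` and `cap_setgid` bits are named.

```python
import io
import struct
import tarfile

XATTR_KEY = "SCHILY.xattr.security.capability"  # PAX key used by GNU tar and Go's archive/tar
CAP_NAMES = {6: "cap_setgid", 7: "cap_setuid"}  # only the two bits relevant to this bug

def decode_caps(raw):
    """Decode a vfs_cap_data blob into (permitted capability names, effective flag)."""
    magic = struct.unpack_from("<I", raw, 0)[0]
    permitted = struct.unpack_from("<I", raw, 4)[0]
    if len(raw) >= 20:  # revisions 2 and 3 carry a second 32-bit permitted word
        permitted |= struct.unpack_from("<I", raw, 12)[0] << 32
    names = [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if permitted >> b & 1]
    return names, bool(magic & 1)

def layer_file_caps(layer, wanted):
    """Map each wanted path found in the layer to its decoded caps, or None if unset."""
    found = {}
    with tarfile.open(fileobj=layer, mode="r:*", encoding="utf-8") as tar:
        for member in tar:
            path = member.name.removeprefix("./").lstrip("/")
            if path not in wanted:
                continue
            value = member.pax_headers.get(XATTR_KEY)
            # tarfile hands binary header values back as surrogate-escaped text
            found[path] = None if value is None else decode_caps(
                value.encode("utf-8", "surrogateescape"))
    return found

def build_sample_layer():
    """Constructed layer: newgidmap carries cap_setgid+ep, newuidmap carries nothing."""
    setgid_ep = struct.pack("<IIIII", 0x02000001, 1 << 6, 0, 0, 0)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT,
                      encoding="utf-8") as tar:
        for name, caps in (("./usr/bin/newgidmap", setgid_ep),
                           ("./usr/bin/newuidmap", None)):
            info = tarfile.TarInfo(name)
            if caps is not None:
                info.pax_headers = {XATTR_KEY: caps.decode("utf-8", "surrogateescape")}
            tar.addfile(info)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    targets = {"usr/bin/newuidmap", "usr/bin/newgidmap"}
    for path, caps in sorted(layer_file_caps(build_sample_layer(), targets).items()):
        print(path, "->", caps if caps else "no security.capability xattr")
```

To check a real layer, pass a layer blob from the `skopeo copy ... dir:` output opened in binary mode as `layer`.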