Bug 1965330
| Summary: | oc image extract fails due to security capabilities on files | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Ben Parees <bparees> |
| Component: | oc | Assignee: | Maciej Szulik <maszulik> |
| Status: | CLOSED ERRATA | QA Contact: | RamaKasturi <knarra> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 4.8 | CC: | aos-bugs, dornelas, jokerman, knarra, mfojtik |
| Target Milestone: | --- | | |
| Target Release: | 4.8.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | Cause: Insufficient privileges to set extended attributes during untarring. Consequence: oc image extract was failing with an "operation not permitted" error when run as a non-root user. Fix: Check user and set extended security attributes only when run as root. Result: oc image extract works correctly for both root and non-root users. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-07-27 23:10:12 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1867598, 1954587, 1969928, 1995337, 1997492 | | |
Description
Ben Parees
2021-05-27 13:26:23 UTC
verified with the payload below and I see that the issue has been fixed:

[knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$ ./oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-06-11-024306   True        False         4h9m    Cluster version is 4.8.0-0.nightly-2021-06-11-024306

[knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$ ./oc version -o yaml
clientVersion:
  buildDate: "2021-06-10T07:01:41Z"
  compiler: gc
  gitCommit: 10cec43f6fce6df1f8f9d769b70640579c827355
  gitTreeState: clean
  gitVersion: 4.8.0-202106100628.p0.git.10cec43.assembly.stream-10cec43
  goVersion: go1.16.4
  major: ""
  minor: ""
  platform: linux/amd64
openshiftVersion: 4.8.0-0.nightly-2021-06-11-024306
releaseClientVersion: 4.8.0-0.nightly-2021-06-11-024306
serverVersion:
  buildDate: "2021-06-10T13:52:39Z"
  compiler: gc
  gitCommit: a5ec692e05fadcc702bae6f655e000eb306f7924
  gitTreeState: clean
  gitVersion: v1.21.0-rc.0+a5ec692
  goVersion: go1.16.4
  major: "1"
  minor: 21+
  platform: linux/amd64

with 4.8:
=====================
with root user:
+++++++++++++++++++++++++++++++++
[knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$ sudo ./oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 --confirm
[sudo] password for knarra:
W0611 17:17:49.964034 41190 manifest.go:440] Chose linux/amd64 manifest from the manifest list.

non-root user:
+++++++++++++++++++++++++++++++++++++
[knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$ ./oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 --confirm
W0611 16:54:22.067605 31361 manifest.go:440] Chose linux/amd64 manifest from the manifest list.
[knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$ ls -l

with 4.7:
===========================
Hit below issue with root & non root user

[knarra@knarra openshift-client-linux-4.7.0-0.nightly-2021-06-06-160728]$ ./oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 --confirm
W0611 17:07:53.407155 37813 manifest.go:440] Chose linux/amd64 manifest from the manifest list.
error: unable to extract layer sha256:53732dad4680ae165f569331357b89605c03583057db7193a7a4fabdf312f061 from registry-proxy.engineering.redhat.com/rh-osbs/iib:76743: operation not permitted

Based on the above moving bug to verified state.

(In reply to RamaKasturi from comment #2)
> verified with the payload below and I see that the issue has been fixed:
>
> [knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$
> ./oc get clusterversion
> NAME      VERSION                             AVAILABLE   PROGRESSING
> SINCE   STATUS
> version   4.8.0-0.nightly-2021-06-11-024306   True        False         4h9m
> Cluster version is 4.8.0-0.nightly-2021-06-11-024306
>
> [knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$
> ./oc version -o yaml
> clientVersion:
>   buildDate: "2021-06-10T07:01:41Z"
>   compiler: gc
>   gitCommit: 10cec43f6fce6df1f8f9d769b70640579c827355
>   gitTreeState: clean
>   gitVersion: 4.8.0-202106100628.p0.git.10cec43.assembly.stream-10cec43
>   goVersion: go1.16.4
>   major: ""
>   minor: ""
>   platform: linux/amd64
> openshiftVersion: 4.8.0-0.nightly-2021-06-11-024306
> releaseClientVersion: 4.8.0-0.nightly-2021-06-11-024306
> serverVersion:
>   buildDate: "2021-06-10T13:52:39Z"
>   compiler: gc
>   gitCommit: a5ec692e05fadcc702bae6f655e000eb306f7924
>   gitTreeState: clean
>   gitVersion: v1.21.0-rc.0+a5ec692
>   goVersion: go1.16.4
>   major: "1"
>   minor: 21+
>   platform: linux/amd64
>
>
> with 4.8:
> =====================
> with root user:
> +++++++++++++++++++++++++++++++++
> [knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$
> sudo ./oc image extract
> registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 --confirm
> [sudo] password for knarra:
> W0611 17:17:49.964034 41190 manifest.go:440] Chose linux/amd64 manifest
> from the manifest list.
>
> non-root user:
> +++++++++++++++++++++++++++++++++++++
> [knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$
> ./oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743
> --confirm
> W0611 16:54:22.067605 31361 manifest.go:440] Chose linux/amd64 manifest
> from the manifest list.
> [knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$ ls
> -l
>
> with 4.7:
> ===========================

Hit below issue with non-root user, for root user it worked well in 4.7 as well

> [knarra@knarra openshift-client-linux-4.7.0-0.nightly-2021-06-06-160728]$
> ./oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743
> --confirm
> W0611 17:07:53.407155 37813 manifest.go:440] Chose linux/amd64 manifest
> from the manifest list.
> error: unable to extract layer
> sha256:53732dad4680ae165f569331357b89605c03583057db7193a7a4fabdf312f061 from
> registry-proxy.engineering.redhat.com/rh-osbs/iib:76743: operation not
> permitted
>
>
> Based on the above moving bug to verified state.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438
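
The rule summarised in this bug's Doc Text (set extended security attributes only when run as root) can be sketched as follows. This is an added example, not code from `oc` or from the bug thread. The names `applyXattrs`, `sampleLayer` and the injected `set` callback are hypothetical, the layer and the hard-coded uid 1000 are constructed, and only the xattr step of extraction is covered (file contents are not written).

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"strings"
	"syscall"
)

// sampleLayer builds a constructed layer; tar stores xattrs as "SCHILY.xattr.<name>" PAX records.
func sampleLayer() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "tool", Mode: 0o755, Size: 3, Typeflag: tar.TypeReg,
		PAXRecords: map[string]string{"SCHILY.xattr.security.capability": "constructed"}})
	tw.Write([]byte("hi\n"))
	tw.Close()
	return buf.Bytes()
}

// applyXattrs walks the layer and hands each xattr to set (a stand-in for
// setxattr(2)). With rootOnly, a non-root euid skips them instead of trying.
func applyXattrs(layer []byte, euid int, rootOnly bool, set func(path, name string, value []byte) error) ([]string, error) {
	var skipped []string
	tr := tar.NewReader(bytes.NewReader(layer))
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return skipped, err
		}
		for k, v := range hdr.PAXRecords {
			name := strings.TrimPrefix(k, "SCHILY.xattr.")
			if name == k {
				continue // not an xattr record
			} else if rootOnly && euid != 0 {
				skipped = append(skipped, name)
			} else if err := set(hdr.Name, name, []byte(v)); err != nil {
				return skipped, fmt.Errorf("unable to extract %s: %w", hdr.Name, err)
			}
		}
	}
	return skipped, nil
}

func main() {
	deny := func(string, string, []byte) error { return syscall.EPERM } // unprivileged setxattr
	fmt.Println(applyXattrs(sampleLayer(), 1000, false, deny)) // always set: EPERM
	fmt.Println(applyXattrs(sampleLayer(), 1000, true, deny))  // root only: skipped
}
```

Attributes skipped for a non-root user are returned so the caller can log them, since the extracted files then lack any file capabilities the image declared.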