Bug 1965330

Summary: oc image extract fails due to security capabilities on files
Product: OpenShift Container Platform
Reporter: Ben Parees <bparees>
Component: oc
Assignee: Maciej Szulik <maszulik>
Status: CLOSED ERRATA
QA Contact: RamaKasturi <knarra>
Severity: high
Priority: high
Version: 4.8
CC: aos-bugs, dornelas, jokerman, knarra, mfojtik
Target Release: 4.8.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Cause: Insufficient privileges to set extended attributes during untarring. Consequence: oc image extract was failing with an "operation not permitted" error when run as a non-root user. Fix: Check the user and set extended security attributes only when run as root. Result: oc image extract works correctly for both root and non-root users.
Last Closed: 2021-07-27 23:10:12 UTC
Type: Bug
Bug Blocks: 1867598, 1954587, 1969928, 1995337, 1997492

Description Ben Parees 2021-05-27 13:26:23 UTC
Description of problem:

RHEL images now contain two files with security capabilities that are being set, as described here:
https://projects.engineering.redhat.com/browse/RHELBLD-4379

This results in failures during oc image extract because the extraction process can't set the capability on the extracted file (because the user doesn't have permission to do so):

$ oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743
error: unable to extract layer sha256:53732dad4680ae165f569331357b89605c03583057db7193a7a4fabdf312f061 from registry-proxy.engineering.redhat.com/rh-osbs/iib:76743: operation not permitted

RHEL has since reversed this change because of the impact on OCP, but will want to re-assert the change once OCP is patched to tolerate these files/capabilities.

The fix to oc will need to be backported all the way to at least 4.6 to ensure customers have a working binary to consume.

Version-Release number of selected component (if applicable):
4.8 but expectation is that all versions are affected.

How reproducible:
always (when using an image w/ these files/capabilities set)

Actual results:
permission failure extracting the image

Expected results:
files are extracted successfully


Additional info:
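
The fix described in the Doc Text (set security xattrs only when running as root), as an added Go example that is not oc's own code: applyXattrs reads the xattrs that tar carries as SCHILY.xattr.* PAX records and, for a non-root euid, skips the security.* namespace and reports it instead of failing with EPERM. It is Linux-only (syscall.Setxattr); capHeader, the explicit euid parameter and the capability blob are constructed for illustration.

```go
package main

import (
	"archive/tar"
	"fmt"
	"os"
	"strings"
	"syscall"
)

// PAX record key prefix under which tar carries xattrs (tar.Header.Xattrs is the deprecated view).
const paxXattrPrefix = "SCHILY.xattr."

// applyXattrs sets the xattrs recorded in hdr on path (Linux only). The security.*
// namespace (security.capability needs CAP_SETFCAP) is applied only when euid == 0;
// otherwise those names are returned as skipped so the caller can warn that the file
// lost its capabilities. Pass os.Geteuid() in real use; the old code always called setxattr.
func applyXattrs(path string, hdr *tar.Header, euid int) ([]string, error) {
	var skipped []string
	for key, value := range hdr.PAXRecords {
		name := strings.TrimPrefix(key, paxXattrPrefix)
		if name == key {
			continue // not an xattr record (e.g. "path", "size")
		}
		if euid != 0 && strings.HasPrefix(name, "security.") {
			skipped = append(skipped, name)
			continue
		}
		if err := syscall.Setxattr(path, name, []byte(value), 0); err != nil {
			return skipped, fmt.Errorf("setxattr %s on %s: %w", name, path, err)
		}
	}
	return skipped, nil
}

// capHeader returns a constructed PAX header carrying a security.capability xattr whose
// value is a hand-built VFS_CAP_REVISION_2 blob equivalent to "setcap cap_net_bind_service=ep".
func capHeader() *tar.Header {
	capv := string([]byte{1, 0, 0, 2, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0})
	return &tar.Header{Name: "usr/bin/tool", Mode: 0o755, Format: tar.FormatPAX,
		PAXRecords: map[string]string{paxXattrPrefix + "security.capability": capv}}
}

func main() {
	f, _ := os.CreateTemp("", "tool") // stand-in for the extracted file
	defer f.Close()
	skipped, err := applyXattrs(f.Name(), capHeader(), os.Geteuid())
	fmt.Println("skipped:", skipped, "err:", err)
}
```

Run as root, main attempts the real setxattr; as a normal user it prints the skipped security.capability attribute and no error.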

Comment 2 RamaKasturi 2021-06-11 12:30:36 UTC
Verified with the payload below and I see that the issue has been fixed:

[knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$ ./oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-06-11-024306   True        False         4h9m    Cluster version is 4.8.0-0.nightly-2021-06-11-024306

[knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$ ./oc version -o yaml
clientVersion:
  buildDate: "2021-06-10T07:01:41Z"
  compiler: gc
  gitCommit: 10cec43f6fce6df1f8f9d769b70640579c827355
  gitTreeState: clean
  gitVersion: 4.8.0-202106100628.p0.git.10cec43.assembly.stream-10cec43
  goVersion: go1.16.4
  major: ""
  minor: ""
  platform: linux/amd64
openshiftVersion: 4.8.0-0.nightly-2021-06-11-024306
releaseClientVersion: 4.8.0-0.nightly-2021-06-11-024306
serverVersion:
  buildDate: "2021-06-10T13:52:39Z"
  compiler: gc
  gitCommit: a5ec692e05fadcc702bae6f655e000eb306f7924
  gitTreeState: clean
  gitVersion: v1.21.0-rc.0+a5ec692
  goVersion: go1.16.4
  major: "1"
  minor: 21+
  platform: linux/amd64


with 4.8:
=====================
with root user:
+++++++++++++++++++++++++++++++++
[knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$ sudo ./oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 --confirm
[sudo] password for knarra:
W0611 17:17:49.964034   41190 manifest.go:440] Chose linux/amd64 manifest from the manifest list.

non-root user:
+++++++++++++++++++++++++++++++++++++
[knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$ ./oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 --confirm
W0611 16:54:22.067605   31361 manifest.go:440] Chose linux/amd64 manifest from the manifest list.
[knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$ ls -l

with 4.7:
===========================
Hit below issue with root & non-root user

[knarra@knarra openshift-client-linux-4.7.0-0.nightly-2021-06-06-160728]$ ./oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 --confirm
W0611 17:07:53.407155   37813 manifest.go:440] Chose linux/amd64 manifest from the manifest list.
error: unable to extract layer sha256:53732dad4680ae165f569331357b89605c03583057db7193a7a4fabdf312f061 from registry-proxy.engineering.redhat.com/rh-osbs/iib:76743: operation not permitted


Based on the above moving bug to verified state.

Comment 3 RamaKasturi 2021-06-11 12:37:48 UTC
(In reply to RamaKasturi from comment #2)
> with 4.7:
> ===========================
> Hit below issue with non-root user, for root user it worked well in 4.7 as well
> 
> [knarra@knarra openshift-client-linux-4.7.0-0.nightly-2021-06-06-160728]$ ./oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 --confirm
> W0611 17:07:53.407155   37813 manifest.go:440] Chose linux/amd64 manifest from the manifest list.
> error: unable to extract layer sha256:53732dad4680ae165f569331357b89605c03583057db7193a7a4fabdf312f061 from registry-proxy.engineering.redhat.com/rh-osbs/iib:76743: operation not permitted
> 
> Based on the above moving bug to verified state.

Comment 6 errata-xmlrpc 2021-07-27 23:10:12 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438