Bug 1968680

Summary: opm index add fails during image extraction
Product: OpenShift Container Platform
Reporter: OpenShift BugZilla Robot <openshift-bugzilla-robot>
Component: OLM
Assignee: Nick Hale <nhale>
OLM sub component: OLM
QA Contact: xzha
Status: CLOSED ERRATA
Severity: medium
Priority: medium
CC: anbhatta, dornelas, nhale, tflannag
Version: 4.8
Target Release: 4.7.z
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2021-06-29 04:19:45 UTC
Bug Depends On: 1965334
Bug Blocks: 1867598, 1954587, 1968681, 1995337, 1997492

Description OpenShift BugZilla Robot 2021-06-07 19:34:20 UTC
+++ This bug was initially created as a clone of Bug #1965334 +++

Description of problem:

RHEL images now contain two files with security capabilities that are being set, as described here:
https://projects.engineering.redhat.com/browse/RHELBLD-4379

This results in failures during opm index add because the extraction process can't set the capability on the extracted file (because the user doesn't have permission to do so):

$ opm index add --generate --bundles registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.8.0-324 --binary-image registry-proxy.engineering.redhat.com/rh-osbs/openshift-ose-operator-registry@sha256:be60702488bf04a221324a911abcbd734cc94a0edfb05349a332c69f56d163d0 --from-index registry-proxy.engineering.redhat.com/rh-osbs/iib:76743  --overwrite-latest


RHEL has since reversed this change because of the impact on OCP, but will want to re-assert the change once OCP is patched to tolerate these files/capabilities.

The fix to opm will need to be backported all the way to at least 4.6 to ensure customers have a working binary to consume.


Version-Release number of selected component (if applicable):
4.8 but expectation is that all versions are affected.

How reproducible:
always (when using an image w/ these files/capabilities set)

Actual results:
permission failure extracting the image results in opm index command failure

Expected results:
files are extracted successfully/opm index command succeeds
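
One way a layer extractor can tolerate the condition described above, as an added example (it is not opm's code and not the fix that shipped): xattrs recorded in the tar layer are applied through a setter, and a permission failure on one of them is recorded instead of aborting the extraction. The names `applyLayerXattrs`, `xattrSetter`, `unprivilegedSetter` and `sampleLayer`, the path `usr/bin/example-tool` and the xattr values are assumptions constructed for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strings"
	"syscall"
)

const paxXattr = "SCHILY.xattr." // PAX record prefix that carries xattrs in tar layers
// xattrSetter stands in for setxattr(2) so the policy runs without privileges.
type xattrSetter func(path, name string, value []byte) error

// unprivilegedSetter simulates a kernel refusing security.* xattrs (assumption for this example).
func unprivilegedSetter(path, name string, value []byte) error {
	if strings.HasPrefix(name, "security.") {
		return syscall.EPERM
	}
	return nil
}

// applyLayerXattrs applies each entry's xattrs; EPERM/ENOTSUP are recorded per file, other errors abort.
func applyLayerXattrs(layer io.Reader, set xattrSetter) (map[string][]string, error) {
	skipped := map[string][]string{}
	tr := tar.NewReader(layer)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return skipped, nil
		}
		if err != nil {
			return skipped, err
		}
		for key, val := range hdr.PAXRecords {
			if !strings.HasPrefix(key, paxXattr) {
				continue
			}
			name := strings.TrimPrefix(key, paxXattr)
			err := set(hdr.Name, name, []byte(val))
			if errors.Is(err, syscall.EPERM) || errors.Is(err, syscall.ENOTSUP) {
				skipped[hdr.Name] = append(skipped[hdr.Name], name) // report, keep extracting
			} else if err != nil {
				return skipped, fmt.Errorf("setxattr %s on %s: %w", name, hdr.Name, err)
			}
		}
	}
}

// sampleLayer builds a constructed one-file layer; the path and xattr values are made up.
func sampleLayer() *bytes.Buffer {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "usr/bin/example-tool", Mode: 0755, PAXRecords: map[string]string{
		paxXattr + "security.capability": "\x01\x00\x00\x02\x00\x04" + strings.Repeat("\x00", 14),
		paxXattr + "user.note":           "constructed"}})
	tw.Close()
	return &buf
}

func main() {
	fmt.Println(applyLayerXattrs(sampleLayer(), unprivilegedSetter))
}
```

Files whose capability xattr was skipped are extracted without that capability, which is acceptable only when the extracted tree is read for its contents rather than executed; the returned map lets the caller log exactly what was dropped.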

Comment 2 xzha 2021-06-21 02:18:36 UTC
verify:

[cloud-user@preserve-olm-agent-test ~]$ /tmp/opm version
Version: version.Version{OpmVersion:"v1.15.4-16-g06e950de", GitCommit:"06e950de", BuildDate:"2021-06-21T01:38:26Z", GoOs:"linux", GoArch:"amd64"}

[cloud-user@preserve-olm-agent-test ~]$ /tmp/opm index add --generate --bundles registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0 --from-index registry-proxy.engineering.redhat.com/rh-osbs/iib:76743  --overwrite-latest
INFO[0000] building the index                            bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0]"
INFO[0000] Pulling previous image registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 to get metadata  bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0]"
INFO[0000] resolved name: registry-proxy.engineering.redhat.com/rh-osbs/iib:76743  bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0]"
INFO[0002] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:53732dad4680ae165f569331357b89605c03583057db7193a7a4fabdf312f061 88972019 [] map[] <nil>}  bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0]"
INFO[0005] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:a538c9b9760931040405e4c827d816c820fc4738284b4f51a1bb0c872fb4b45d 1879 [] map[] <nil>}  bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0]"
INFO[0005] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:d35048e2a09abcb6720d8ce0854138c095442bafc1d1f541b59a3928819561e5 2199276 [] map[] <nil>}  bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0]"
INFO[0005] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:d9c0aa9ea9b40745b1a95c90f903e9df09515e944e6ae70540c989bfb1427381 11660479 [] map[] <nil>}  bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0]"
INFO[0005] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:3ba53496f683622e237626058f3a75df337db094f708f180dee271db5b5ad9fc 129924145 [] map[] <nil>}  bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0]"
INFO[0007] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:5462a6102decd896b6f4f3b698399dab4bc45835d1d30435bc2ac9ac06bacf1d 10125898 [] map[] <nil>}  bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0]"
INFO[0008] resolved name: registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0 
INFO[0008] fetched                                       digest="sha256:694b76217a611ad6c8acec81c4ad700155bb0c055843bb0a8c9b63a7dff0569a"
INFO[0008] fetched                                       digest="sha256:ef846247198c7a9a05e6990e2dc321091fbf832d8e5c52d57bd3f25017a5b7ee"
INFO[0008] fetched                                       digest="sha256:370583ca2fdee0560d3965f8bb88d7a214142509319393a0efeaff18bc0a1513"
INFO[0008] fetched                                       digest="sha256:987b30f4960545e8cc93dfa2f1b5448a77b0c40b465272a142cb2257eaa44f49"
INFO[0008] fetched                                       digest="sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1"
INFO[0009] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1 32 [] map[] <nil>} 
INFO[0009] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:370583ca2fdee0560d3965f8bb88d7a214142509319393a0efeaff18bc0a1513 7618 [] map[] <nil>} 
INFO[0009] Could not find optional dependencies file     dir=bundle_tmp855629950 file=bundle_tmp855629950/metadata load=annotations
INFO[0009] found csv, loading bundle                     dir=bundle_tmp855629950 file=bundle_tmp855629950/manifests load=bundle
INFO[0009] loading bundle file                           dir=bundle_tmp855629950/manifests file=performance-addon-operator.v4.7.0.clusterserviceversion.yaml load=bundle
INFO[0009] loading bundle file                           dir=bundle_tmp855629950/manifests file=performance.openshift.io_performanceprofiles_crd.yaml load=bundle
INFO[0009] Could not find optional dependencies file     dir=bundle_tmp855629950 file=bundle_tmp855629950/metadata load=annotations
INFO[0009] found csv, loading bundle                     dir=bundle_tmp855629950 file=bundle_tmp855629950/manifests load=bundle
INFO[0009] loading bundle file                           dir=bundle_tmp855629950/manifests file=performance-addon-operator.v4.7.0.clusterserviceversion.yaml load=bundle
INFO[0009] loading bundle file                           dir=bundle_tmp855629950/manifests file=performance.openshift.io_performanceprofiles_crd.yaml load=bundle
INFO[0009] Generating dockerfile                         bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0]"
INFO[0009] writing dockerfile: index.Dockerfile          bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0]"
[cloud-user@preserve-olm-agent-test ~]$ 

There is no error "Error: operation not permitted"

LGTM, verified.

Comment 5 errata-xmlrpc 2021-06-29 04:19:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.7.18 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2502