Bug 1969929

Summary: oc image extract fails due to security capabilities on files
Product: OpenShift Container Platform Reporter: OpenShift BugZilla Robot <openshift-bugzilla-robot>
Component: ocAssignee: Maciej Szulik <maszulik>
Status: CLOSED ERRATA QA Contact: zhou ying <yinzhou>
Severity: high Docs Contact:
Priority: high    
Version: 4.8CC: aos-bugs, dornelas, jokerman, mfojtik
Target Milestone: ---   
Target Release: 4.6.z   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: Insufficient privileges to set extended attributes during untaring. Consequence: oc image extract was failing with operation not permitted error when run as non-root user. Fix: Check user and set extended security attributes only when run as root. Result: oc image extract works correctly for both root and non-root user.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-07-21 18:17:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1969928    
Bug Blocks: 1867598, 1954587, 1995337, 1997492    

Description OpenShift BugZilla Robot 2021-06-09 13:22:33 UTC
+++ This bug was initially created as a clone of Bug #1969928 +++

+++ This bug was initially created as a clone of Bug #1965330 +++

Description of problem:

RHEL images now contain two files with security capabilities that are being set, as described here:

This results in failures during oc image extract because the extraction process can't set the capability on the extracted file (because the user doesn't have permission to do so):

$ oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743
error: unable to extract layer sha256:53732dad4680ae165f569331357b89605c03583057db7193a7a4fabdf312f061 from registry-proxy.engineering.redhat.com/rh-osbs/iib:76743: operation not permitted

RHEL has since reversed this change because of the impact on OCP, but will want to re-assert the change once OCP is patched to tolerate these files/capabilities.  

The fix to oc will need to be backported all the way to at least 4.6 to ensure customers have a working binary to consume.

Version-Release number of selected component (if applicable):
4.8 but expectation is that all versions are affected.

How reproducible:
always (when using an image w/ these files/capabilities set)

Actual results:
permission failure extracting the image

Expected results:
files are extracted successfully

Additional info:

Comment 1 Maciej Szulik 2021-06-10 10:38:44 UTC
*** Bug 1970203 has been marked as a duplicate of this bug. ***

Comment 4 zhou ying 2021-07-13 02:18:58 UTC
[root@localhost ~]# oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 --confirm
[root@localhost ~]# echo $?
[root@localhost ~]# oc version --client 
Client Version: 4.6.0-0.nightly-2021-07-09-014429

Can't reproduce the issue now .

Comment 6 errata-xmlrpc 2021-07-21 18:17:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.39 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.