Bug 1970203

Summary: oc image extract fails due to security capabilities on files
Product: OpenShift Container Platform Reporter: OpenShift BugZilla Robot <openshift-bugzilla-robot>
Component: ocAssignee: Maciej Szulik <maszulik>
Status: CLOSED DUPLICATE QA Contact: zhou ying <yinzhou>
Severity: high Docs Contact:
Priority: high    
Version: 4.8CC: aos-bugs, dornelas, jokerman, mfojtik
Target Milestone: ---   
Target Release: 4.6.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-06-10 10:38:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1969928    
Bug Blocks: 1954587    

Description OpenShift BugZilla Robot 2021-06-10 05:19:19 UTC 
+++ This bug was initially created as a clone of Bug #1965330 +++

Description of problem:

RHEL images now contain two files with security capabilities that are being set, as described here:
https://projects.engineering.redhat.com/browse/RHELBLD-4379

This results in failures during oc image extract because the extraction process can't set the capability on the extracted file (because the user doesn't have permission to do so):

$ oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743
error: unable to extract layer sha256:53732dad4680ae165f569331357b89605c03583057db7193a7a4fabdf312f061 from registry-proxy.engineering.redhat.com/rh-osbs/iib:76743: operation not permitted

RHEL has since reversed this change because of the impact on OCP, but will want to re-assert the change once OCP is patched to tolerate these files/capabilities.  

The fix to oc will need to be backported all the way to at least 4.6 to ensure customers have a working binary to consume.



Version-Release number of selected component (if applicable):
4.8 but expectation is that all versions are affected.

How reproducible:
always (when using an image w/ these files/capabilities set)

Actual results:
permission failure extracting the image

Expected results:
files are extracted successfully


Additional info:
Comment 1 Maciej Szulik 2021-06-10 10:38:45 UTC 

*** This bug has been marked as a duplicate of bug 1969929 ***