Description of problem:
A container image is built with a particular sequence of steps where a file with multiple hard links is deleted then recreated. The resulting image generates errors when exported or pushed to a repository. The file has the wrong content when a container is run from this image.
Version-Release number of selected component (if applicable):
- Red Hat Enterprise Linux release 8.2 Beta
from AWS image RHEL-8.2.0_HVM_BETA-20191219-x86_64-0-Hourly2-GP2
Steps to Reproduce:
1. Create the following Dockerfile in a directory
RUN echo foo >/a && ln /a /b
RUN rm /a && echo bar >/a
2. Build a container image from it using podman from a non-root account
podman build -t foo <DIRECTORY>
3. Save the image
podman save -o /dev/null foo
4. Push the image to a Docker repository
podman push foo <REPOSITORY>
5. Run image and check contents of files:
podman run --rm foo cat /a /b
- Steps 3. and 4. both fail with error:
file integrity checksum failed for "a"
- Step 5. returns:
- Steps 3. and 4. should succeed
- Step 5. should return:
The problem does not show up if the same Dockerfile is built from a root account.
The above problem was isolated from an initial real-world example triggered by Python packages installation using pip.
I think it is a dup of: https://bugzilla.redhat.com/show_bug.cgi?id=1802907
I doubt it is a duplicate of 1802907 although it is close (both are related to the handling of hard links in fuse-overlayfs)
We were first hit by 1802907 in RHEL 8.1, and that one has been fixed in RHEL 8.2 beta, at least in our use case. This one is present in RHEL 8.2 beta.
As far as I understand, the effect of 1802907 was an incorrect count of hard links returned on a just-created, multiply-linked file. This would impact useradd/groupadd, but not other uses of the container.
Here the content of one of the files is wrong, and the container image triggers an error when exported or pushed to a repository.
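Added example (not part of the original report, and not podman or fuse-overlayfs code): a consistency check for the two hard-link symptoms discussed in this thread, a link count that is too small and paths whose content is wrong. It scans an unpacked root filesystem directory, groups regular files by (device, inode), and flags groups whose members disagree. The function names and the constructed records in demo() are assumptions; they model one possible inconsistency and do not describe the bug's actual mechanism.

```python
import hashlib
import os
import stat
import tempfile
from collections import defaultdict


def scan(root):
    """Return (path, dev, ino, nlink, sha256) for every regular file under root."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and FIFOs are out of scope
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            records.append((path, st.st_dev, st.st_ino, st.st_nlink, digest))
    return records


def find_inconsistencies(records):
    """Flag inode groups whose members disagree on content or link count."""
    groups = defaultdict(list)
    for path, dev, ino, nlink, digest in records:
        groups[(dev, ino)].append((path, nlink, digest))
    problems = []
    for members in groups.values():
        paths = sorted(p for p, _, _ in members)
        if len({d for _, _, d in members}) > 1:
            problems.append(("content-mismatch", paths))
        # Links outside the scanned tree can make nlink larger, never smaller.
        if any(n < len(members) for _, n, _ in members):
            problems.append(("nlink-too-small", paths))
    return problems


def demo():
    """Constructed bad records, plus a real hard-linked pair on the local filesystem."""
    bad = [("/a", 1, 42, 2, "digest-of-bar"), ("/b", 1, 42, 2, "digest-of-foo")]
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "a"), "w") as fh:
            fh.write("foo\n")
        os.link(os.path.join(d, "a"), os.path.join(d, "b"))
        good = find_inconsistencies(scan(d))
    return find_inconsistencies(bad), good


if __name__ == "__main__":
    print(demo())
```

Point scan() at an unpacked image root rather than a live "/", so that /proc and /sys are not walked.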
I was able to reproduce locally; it was fixed upstream with: https://github.com/containers/fuse-overlayfs/issues/177
We need to backport:
Author: Giuseppe Scrivano <firstname.lastname@example.org>
Date: Fri Jan 31 13:46:07 2020 +0100
main: lookup skip ino if there is no origin
if there is no origin xattr specified, do not overwrite the ino
Signed-off-by: Giuseppe Scrivano <email@example.com>
Assigning to Jindrich to handle packaging needs.
Created attachment 1667550
Tested with podman-1.9.3-1.module+el8.2.1+6750+e53a300c.x86_64 with the given steps, and it works as expected now, so updating this to verified.
Output from steps 3, 4 and 5:
$ podman save -o /dev/null foo
$ podman push --tls-verify=false foo localhost:5000/mytest/foo
Getting image source signatures
Copying blob 3643e528c4a1 skipped: already exists
Copying blob f0081d431d95 skipped: already exists
Copying blob edf3aa290fb3 [--------------------------------------] 0.0b / 0.0b
Writing manifest to image destination
$ podman run --rm foo cat /a /b
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.