Bug 1809648 - Pushing container image built with rootless podman fails with: "file integrity checksum failed"
Summary: Pushing container image built with rootless podman fails with: "file integrit...
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: fuse-overlayfs
Version: 8.2
Hardware: x86_64
OS: Linux
Target Milestone: rc
: 8.0
Assignee: Giuseppe Scrivano
QA Contact: atomic-bugs@redhat.com
Depends On: 1810498 1810499 1810502
TreeView+ depends on / blocked
Reported: 2020-03-03 15:46 UTC by Patrice Bertin
Modified: 2020-07-21 15:32 UTC (History)
10 users (show)

Fixed In Version: fuse-overlayfs-0.7.8 and higher
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-07-21 15:31:55 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)
patch backport (3.85 KB, application/mbox)
2020-03-04 16:52 UTC, Giuseppe Scrivano
no flags Details

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3053 0 None None None 2020-07-21 15:32:38 UTC

Description Patrice Bertin 2020-03-03 15:46:00 UTC
Description of problem:
A container image is built with a particular sequence of steps where a file with multiple hard links is deleted then recreated. The resulting image generates errors when exported or pushed to a repository. The file has the wrong content when a container is run from this image.

Version-Release number of selected component (if applicable):
- Red Hat Enterprise Linux release 8.2 Beta
  from AWS image RHEL-8.2.0_HVM_BETA-20191219-x86_64-0-Hourly2-GP2
- fuse-overlayfs-0.7.2-1.module+el8.2.0+4973+eb529f8e.x86_64
- podman-1.6.4-1.module+el8.2.0+5182+3136e5d4.x86_64

How reproducible:

Steps to Reproduce:
1. Create the following Dockerfile in a directory
  FROM centos:7
  RUN echo foo >/a && ln /a /b
  RUN rm /a && echo bar >/a
2. Build a container image from it using podman from a non-root account
  podman build -t foo <DIRECTORY>
3. Save the image
  podman save -o /dev/null foo
4. Push the image to a Docker repository
  podman push foo <REPOSITORY>
5. Run image and check contents of files:
  podman run --rm foo cat /a /b

Actual results:
- Steps 3. and 4. both fail with error:
  file integrity checksum failed for "a"
- Step 5. returns:

Expected results:
- Steps 3. and 4. should succeed
- Step 5. should return:

Additional info:
The problem does not show up if the same Dockerfile is built from a root account.
The above problem was isolated from an initial real-world example triggered by Python packages installation using pip.

Comment 1 Giuseppe Scrivano 2020-03-03 17:12:29 UTC
I think it is a dup of: https://bugzilla.redhat.com/show_bug.cgi?id=1802907

Comment 2 Patrice Bertin 2020-03-04 09:22:44 UTC
I doubt it is a duplicate of 1802907 although it is close (both are related to the handling of hard links in fuse-overlayfs)

We were first hit by 1802907 in RHEL 8.1, and that one has been fixed in RHEL 8.2 beta, at least in our use case. This one is present in RHEL 8.2 beta.
As far as I understand, the effect of 1802907 was an incorrect count of hard links returned on just-created, multiply-linked file. This would impact useradd/groupadd, but not other uses of the container.

Here the content of one of the files is wrong, and the container image triggers an error when exported or pushed to a repository.

Comment 3 Giuseppe Scrivano 2020-03-04 10:43:38 UTC
I was able to reproduce locally, it was fixed upstream with: https://github.com/containers/fuse-overlayfs/issues/177

We need to backport:

commit f8b554aa9adcd61fb5dfff03528176dbec387c58
Author: Giuseppe Scrivano <gscrivan@redhat.com>
Date:   Fri Jan 31 13:46:07 2020 +0100

    main: lookup skip ino if there is no origin
    if there is no origin xattr specified, do not overwrite the ino
    Closes: https://github.com/containers/fuse-overlayfs/issues/177
    Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Comment 4 Tom Sweeney 2020-03-04 15:42:03 UTC
Assigning to Jindrich to handle packaging needs.

Comment 6 Giuseppe Scrivano 2020-03-04 16:52:23 UTC
Created attachment 1667550 [details]
patch backport

Comment 20 Joy Pu 2020-06-04 03:45:07 UTC
Test with podman-1.9.3-1.module+el8.2.1+6750+e53a300c.x86_64 with the given steps. And it is works as expect now. So update this to verified.

Output from step 3,4,5
$ podman save -o /dev/null foo
$ podman push --tls-verify=false foo localhost:5000/mytest/foo
Getting image source signatures
Copying blob 3643e528c4a1 skipped: already exists  
Copying blob f0081d431d95 skipped: already exists  
Copying blob edf3aa290fb3 [--------------------------------------] 0.0b / 0.0b
Writing manifest to image destination
Storing signatures
$ podman run --rm foo cat /a /b

Comment 22 errata-xmlrpc 2020-07-21 15:31:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.