Bug 1840727 - non-root opm fails when a layer contains a file owned by root
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: OLM
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: medium
Target Milestone: ---
Target Release: 4.5.0
Assignee: Evan Cordell
QA Contact: Tom Buskey
Reported: 2020-05-27 13:46 UTC by Matt Prahl
Modified: 2020-07-13 17:42 UTC (History)
Last Closed: 2020-07-13 17:42:09 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | operator-framework operator-registry pull 340 | 0 | None | closed | Bug 1840727: fix(unpack): support unpacking readonly folders | 2021-01-15 09:00:05 UTC
Red Hat Product Errata | RHBA-2020:2409 | 0 | None | None | None | 2020-07-13 17:42:26 UTC

Description Matt Prahl 2020-05-27 13:46:22 UTC
The following command fails when running as a non-root user:

opm index add --generate --bundles registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89 --binary-image registry-proxy.engineering.redhat.com/rh-osbs/openshift-ose-operator-registry@sha256:ed2481437d9713fc49d76d101ee0b5bd5f6b53a3e8b440ae3551563aea4ff2bf --from-index registry-proxy-stage.engineering.redhat.com/rh-osbs-stage/iib:985


This fails with:

INFO[0029] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:5b8ca0a26d14dc05be7ace7233b529d56c3f42f0e994b01293ffe6b310df375f 80467927 [] map[] <nil>}  bundles="[registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89]"
Error: open index_tmp_731416721/root/.bash_logout: permission denied


If I run the same command as root, it is successful. Additionally, if I run the same command using `podman` v1.9.2 as shown here, it works just fine:

opm index add --generate --bundles registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89 --binary-image registry-proxy.engineering.redhat.com/rh-osbs/openshift-ose-operator-registry@sha256:ed2481437d9713fc49d76d101ee0b5bd5f6b53a3e8b440ae3551563aea4ff2bf --from-index registry-proxy-stage.engineering.redhat.com/rh-osbs-stage/iib:985 --container-tool podman

Using podman would be a suitable workaround if podman v1.9.2 was released for RHEL 8, but the latest is 1.6.4 and that version does not have the following feature which is required https://github.com/containers/libpod/issues/5234 for using digests instead of tags.

By the way, here is the output of `opm version`:

Version: version.Version{OpmVersion:"", GitCommit:"", BuildDate:"2020-05-13T21:01:13Z", GoOs:"linux", GoArch:"amd64"}

Comment 1 Matt Prahl 2020-05-27 14:57:20 UTC
As posted in the chat, here is a reproducer script:

# Build an empty index image
opm index add --bundles '' --binary-image registry-proxy.engineering.redhat.com/rh-osbs/openshift-ose-operator-registry@sha256:ed2481437d9713fc49d76d101ee0b5bd5f6b53a3e8b440ae3551563aea4ff2bf
# Push the image to any repository
podman push operator-registry-index:latest quay.io/mprahl/operator-registry-index:latest
# Build an index image from the pushed index image
opm index add --bundles '' --binary-image registry-proxy.engineering.redhat.com/rh-osbs/openshift-ose-operator-registry@sha256:ed2481437d9713fc49d76d101ee0b5bd5f6b53a3e8b440ae3551563aea4ff2bf --from-index quay.io/mprahl/operator-registry-index:latest

Comment 2 Evan Cordell 2020-05-28 13:22:48 UTC
The underlying issue is that the directory unpacked (root) is read-only, so unpacking a child file into that directory would fail. The fact that the file is owned by root is not the issue.

The linked PR makes unpacked files owner-writable and will avoid the problem.
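
The failure mode from Comment 2 and the owner-writable fix, as an added Go example (not code from the linked PR or from opm): the `entry` type, `sampleLayer` and `unpack` are hypothetical names, and the layer is modelled as a constructed list of entries rather than a real tar stream.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// entry is a hypothetical stand-in for one tar header of an image layer.
type entry struct {
	name string
	mode os.FileMode
}

// sampleLayer is constructed: a read-only directory, then a file inside it.
var sampleLayer = []entry{{"root", os.ModeDir | 0555}, {"root/.bash_logout", 0444}}

// unpack creates the entries under dest; ownerWritable ORs 0200 into every mode.
func unpack(layer []entry, dest string, ownerWritable bool) error {
	for _, e := range layer {
		if !filepath.IsLocal(e.name) { // reject absolute and ../ names
			return fmt.Errorf("entry %q escapes the destination", e.name)
		}
		target, mode := filepath.Join(dest, e.name), e.mode.Perm()
		if ownerWritable {
			mode |= 0200
		}
		var err error
		if e.mode.IsDir() {
			err = os.Mkdir(target, mode)
		} else {
			err = os.WriteFile(target, nil, mode)
		}
		if err != nil {
			return err
		}
	}
	return nil
}

func main() {
	for _, ownerWritable := range []bool{false, true} {
		dir, err := os.MkdirTemp("", "layer")
		if err != nil {
			panic(err)
		}
		fmt.Println("ownerWritable:", ownerWritable, "err:", unpack(sampleLayer, dir, ownerWritable))
		os.RemoveAll(dir)
	}
}
```

Run as a non-root user, the first pass returns a permission-denied error on root/.bash_logout and the second returns nil. OR-ing in 0200 widens access only for the owner of the unpacked copy, leaving the group and other bits as the layer declared them.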

Comment 5 Tom Buskey 2020-06-01 18:58:13 UTC
LGTM
opm version
Version: version.Version{OpmVersion:"1.12.3", GitCommit:"a146011", BuildDate:"2020-06-01T18:26:58Z", GoOs:"linux", GoArch:"amd64"}

podman version
Version:            1.9.2
RemoteAPI Version:  1
Go Version:         go1.13.10
OS/Arch:            linux/amd64

cat /etc/redhat-release 
Fedora release 31 (Thirty One)



opm index add --generate --bundles registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89 --binary-image registry-proxy.engineering.redhat.com/rh-osbs/openshift-ose-operator-registry@sha256:ed2481437d9713fc49d76d101ee0b5bd5f6b53a3e8b440ae3551563aea4ff2bf --from-index registry-proxy-stage.engineering.redhat.com/rh-osbs-stage/iib:985

INFO[0000] building the index                            bundles="[registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89]"
INFO[0000] Pulling previous image registry-proxy-stage.engineering.redhat.com/rh-osbs-stage/iib:985 to get metadata  bundles="[registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89]"
INFO[0000] resolved name: registry-proxy-stage.engineering.redhat.com/rh-osbs-stage/iib:985  bundles="[registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89]"
INFO[0000] fetched                                       bundles="[registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89]" digest="sha256:d7099d663468c5dfbc161c5a1ba612252e7facb818cee04d268aac580d73c96a"
INFO[0000] fetched                                       bundles="[registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89]" digest="sha256:c1eb65b3a7885316667a0bb52c11846a010592ace3576f415475fec590d75a15"
INFO[0061] fetched                                       bundles="[registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89]" digest="sha256:7b9ef3ae51d58f99af74aee78afa504baa8a83fe42b791f635fa36b0ad7b0a6d"
INFO[0061] fetched                                       bundles="[registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89]" digest="sha256:7198dfe8836ca62135d839f142319897140679f4fb23dd8ca7541aaaf55b4f9c"
INFO[0061] fetched                                       bundles="[registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89]" digest="sha256:29b124963f2b38a47ddb5632fad1e7a9566a7f367aae2237f65775875913151a"
INFO[0061] fetched                                       bundles="[registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89]" digest="sha256:3ff1959701bab2039dd0f00554ea5c420ec7c8000b6b7277f2dd01752ca49171"
INFO[0061] fetched                                       bundles="[registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89]" digest="sha256:5b8ca0a26d14dc05be7ace7233b529d56c3f42f0e994b01293ffe6b310df375f"
INFO[0061] fetched                                       bundles="[registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89]" digest="sha256:0be2e9bb7fc3845f8976e9e741da2d8ec54e3b6b62a48c632891da2918ea4958"
INFO[0061] fetched                                       bundles="[registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89]" digest="sha256:5bbfe836d5ccc8af3804bac9c7d4da0a31883aad3068411b4f6640aeaa279802"
INFO[0077] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:5b8ca0a26d14dc05be7ace7233b529d56c3f42f0e994b01293ffe6b310df375f 80467927 [] map[] <nil>}  bundles="[registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89]"
INFO[0078] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:29b124963f2b38a47ddb5632fad1e7a9566a7f367aae2237f65775875913151a 1679 [] map[] <nil>}  bundles="[registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89]"
INFO[0078] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:0be2e9bb7fc3845f8976e9e741da2d8ec54e3b6b62a48c632891da2918ea4958 3665119 [] map[] <nil>}  bundles="[registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89]"
INFO[0078] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:5bbfe836d5ccc8af3804bac9c7d4da0a31883aad3068411b4f6640aeaa279802 8617626 [] map[] <nil>}  bundles="[registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89]"
INFO[0079] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:7198dfe8836ca62135d839f142319897140679f4fb23dd8ca7541aaaf55b4f9c 95594667 [] map[] <nil>}  bundles="[registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89]"
INFO[0079] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:7b9ef3ae51d58f99af74aee78afa504baa8a83fe42b791f635fa36b0ad7b0a6d 34581 [] map[] <nil>}  bundles="[registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89]"
INFO[0080] resolved name: registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89 
INFO[0080] fetched                                       digest="sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89"
INFO[0080] fetched                                       digest="sha256:0c052450fe0380fb9bd9bc89c46dd17d6c5760d40c001171e14deff2f01c828f"
INFO[0080] fetched                                       digest="sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1"
INFO[0080] fetched                                       digest="sha256:32d78e0e6b7ba5b5763a1a7048d5ed04f2de3c62012d529073c81a8cd6cd440a"
INFO[0081] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1 32 [] map[] <nil>} 
INFO[0081] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:0c052450fe0380fb9bd9bc89c46dd17d6c5760d40c001171e14deff2f01c828f 4545 [] map[] <nil>} 
INFO[0081] Could not find optional dependencies file     dir=bundle_tmp484722821 file=bundle_tmp484722821/metadata load=annotations
INFO[0081] found csv, loading bundle                     dir=bundle_tmp484722821 file=bundle_tmp484722821/manifests load=bundle
INFO[0081] loading bundle file                           dir=bundle_tmp484722821/manifests file=elasticsearch-operator.v4.3.0.clusterserviceversion.yaml load=bundle
INFO[0081] loading bundle file                           dir=bundle_tmp484722821/manifests file=elasticsearches.crd.yaml load=bundle
INFO[0081] Generating dockerfile                         bundles="[registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89]"
INFO[0081] writing dockerfile: index.Dockerfile          bundles="[registry-proxy-stage.engineering.redhat.com:443/rh-osbs-stage/e2e-e2e-test-rhel8-operator@sha256:6a525f684641298088ced4a7df91a7937d00a433cc5ddf404d6409bc5e2d9b89]"

Comment 6 errata-xmlrpc 2020-07-13 17:42:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409

