Description of problem:

RHEL images now contain two files with security capabilities that are being set, as described here:
https://projects.engineering.redhat.com/browse/RHELBLD-4379

This results in failures during oc image extract because the extraction process can't set the capability on the extracted file (because the user doesn't have permission to do so):

$ oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743
error: unable to extract layer sha256:53732dad4680ae165f569331357b89605c03583057db7193a7a4fabdf312f061 from registry-proxy.engineering.redhat.com/rh-osbs/iib:76743: operation not permitted

RHEL has since reversed this change because of the impact on OCP, but will want to re-assert the change once OCP is patched to tolerate these files/capabilities.

The fix to oc will need to be backported all the way to at least 4.6 to ensure customers have a working binary to consume.

Version-Release number of selected component (if applicable):
4.8 but expectation is that all versions are affected.

How reproducible:
always (when using an image w/ these files/capabilities set)

Actual results:
permission failure extracting the image

Expected results:
files are extracted successfully

Additional info:
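An added example, not part of the original report and not oc's own code: a Go sketch of the tolerance the description asks for, where a layer entry carrying a security.capability xattr is extracted even when the capability cannot be set, and the dropped capability is recorded rather than lost silently. The names restoreCaps and sampleLayer, the set hook standing in for the real setxattr call, and the layer contents (file names and capability blob) are all assumptions constructed for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"syscall"
)

// PAX record under which a tar layer carries the file-capability xattr.
const capRecord = "SCHILY.xattr.security.capability"

// restoreCaps tries to restore security.capability on each entry carrying it; set is a
// hypothetical hook for setxattr. EPERM/ENOTSUP are recorded in skipped, not fatal.
func restoreCaps(layer io.Reader, set func(path, attr string, val []byte) error) (applied, skipped []string, err error) {
	tr := tar.NewReader(layer)
	for hdr, e := tr.Next(); e != io.EOF; hdr, e = tr.Next() {
		if e != nil {
			return applied, skipped, e
		}
		if val, ok := hdr.PAXRecords[capRecord]; ok {
			switch serr := set(hdr.Name, "security.capability", []byte(val)); {
			case serr == nil:
				applied = append(applied, hdr.Name)
			case errors.Is(serr, syscall.EPERM), errors.Is(serr, syscall.ENOTSUP):
				skipped = append(skipped, hdr.Name)
			default:
				return applied, skipped, fmt.Errorf("%s: %w", hdr.Name, serr)
			}
		}
	}
	return applied, skipped, nil
}

// sampleLayer builds a constructed layer; file names and blob are made up.
func sampleLayer() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "usr/bin/example-tool", Mode: 0755, Typeflag: tar.TypeReg,
		PAXRecords: map[string]string{capRecord: "\x01\x00\x00\x02\x00\x04\x00\x00"}})
	tw.WriteHeader(&tar.Header{Name: "etc/example.conf", Mode: 0644, Typeflag: tar.TypeReg})
	tw.Close()
	return buf.Bytes()
}

func main() { // the setter here always fails with EPERM, as for an unprivileged user
	fmt.Println(restoreCaps(bytes.NewReader(sampleLayer()), func(string, string, []byte) error { return syscall.EPERM }))
}
```

The skipped list is the part worth logging: a file extracted without its capability differs from the one in the image, and anything that later re-packages or runs the extracted tree should know that.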
verified with the payload below and I see that the issue has been fixed:

[knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$ ./oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-06-11-024306   True        False         4h9m    Cluster version is 4.8.0-0.nightly-2021-06-11-024306

[knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$ ./oc version -o yaml
clientVersion:
  buildDate: "2021-06-10T07:01:41Z"
  compiler: gc
  gitCommit: 10cec43f6fce6df1f8f9d769b70640579c827355
  gitTreeState: clean
  gitVersion: 4.8.0-202106100628.p0.git.10cec43.assembly.stream-10cec43
  goVersion: go1.16.4
  major: ""
  minor: ""
  platform: linux/amd64
openshiftVersion: 4.8.0-0.nightly-2021-06-11-024306
releaseClientVersion: 4.8.0-0.nightly-2021-06-11-024306
serverVersion:
  buildDate: "2021-06-10T13:52:39Z"
  compiler: gc
  gitCommit: a5ec692e05fadcc702bae6f655e000eb306f7924
  gitTreeState: clean
  gitVersion: v1.21.0-rc.0+a5ec692
  goVersion: go1.16.4
  major: "1"
  minor: 21+
  platform: linux/amd64

with 4.8:
=====================
with root user:
+++++++++++++++++++++++++++++++++
[knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$ sudo ./oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 --confirm
[sudo] password for knarra:
W0611 17:17:49.964034 41190 manifest.go:440] Chose linux/amd64 manifest from the manifest list.

non-root user:
+++++++++++++++++++++++++++++++++++++
[knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$ ./oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 --confirm
W0611 16:54:22.067605 31361 manifest.go:440] Chose linux/amd64 manifest from the manifest list.
[knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$ ls -l

with 4.7:
===========================
Hit below issue with root & non root user

[knarra@knarra openshift-client-linux-4.7.0-0.nightly-2021-06-06-160728]$ ./oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 --confirm
W0611 17:07:53.407155 37813 manifest.go:440] Chose linux/amd64 manifest from the manifest list.
error: unable to extract layer sha256:53732dad4680ae165f569331357b89605c03583057db7193a7a4fabdf312f061 from registry-proxy.engineering.redhat.com/rh-osbs/iib:76743: operation not permitted

Based on the above moving bug to verified state.
(In reply to RamaKasturi from comment #2)
> verified with the payload below and I see that the issue has been fixed:
>
> [knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$
> ./oc get clusterversion
> NAME VERSION AVAILABLE PROGRESSING
> SINCE STATUS
> version 4.8.0-0.nightly-2021-06-11-024306 True False 4h9m
> Cluster version is 4.8.0-0.nightly-2021-06-11-024306
>
> [knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$
> ./oc version -o yaml
> clientVersion:
>   buildDate: "2021-06-10T07:01:41Z"
>   compiler: gc
>   gitCommit: 10cec43f6fce6df1f8f9d769b70640579c827355
>   gitTreeState: clean
>   gitVersion: 4.8.0-202106100628.p0.git.10cec43.assembly.stream-10cec43
>   goVersion: go1.16.4
>   major: ""
>   minor: ""
>   platform: linux/amd64
> openshiftVersion: 4.8.0-0.nightly-2021-06-11-024306
> releaseClientVersion: 4.8.0-0.nightly-2021-06-11-024306
> serverVersion:
>   buildDate: "2021-06-10T13:52:39Z"
>   compiler: gc
>   gitCommit: a5ec692e05fadcc702bae6f655e000eb306f7924
>   gitTreeState: clean
>   gitVersion: v1.21.0-rc.0+a5ec692
>   goVersion: go1.16.4
>   major: "1"
>   minor: 21+
>   platform: linux/amd64
>
>
> with 4.8:
> =====================
> with root user:
> +++++++++++++++++++++++++++++++++
> [knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$
> sudo ./oc image extract
> registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 --confirm
> [sudo] password for knarra:
> W0611 17:17:49.964034 41190 manifest.go:440] Chose linux/amd64 manifest
> from the manifest list.
>
> non-root user:
> +++++++++++++++++++++++++++++++++++++
> [knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$
> ./oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743
> --confirm
> W0611 16:54:22.067605 31361 manifest.go:440] Chose linux/amd64 manifest
> from the manifest list.
> [knarra@knarra openshift-client-linux-4.8.0-0.nightly-2021-06-11-024306]$ ls
> -l
>
> with 4.7:
> ===========================
> Hit below issue with non-root user, for root user it worked well in 4.7 as well
>
> [knarra@knarra openshift-client-linux-4.7.0-0.nightly-2021-06-06-160728]$
> ./oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743
> --confirm
> W0611 17:07:53.407155 37813 manifest.go:440] Chose linux/amd64 manifest
> from the manifest list.
> error: unable to extract layer
> sha256:53732dad4680ae165f569331357b89605c03583057db7193a7a4fabdf312f061 from
> registry-proxy.engineering.redhat.com/rh-osbs/iib:76743: operation not
> permitted
>
>
> Based on the above moving bug to verified state.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438