Description of problem:
RHEL images now contain two files with security capabilities that are being set, as described here: https://projects.engineering.redhat.com/browse/RHELBLD-4379

This results in failures during opm index add because the extraction process can't set the capability on the extracted file (because the user doesn't have permission to do so):

$ opm index add --generate --bundles registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.8.0-324 --binary-image registry-proxy.engineering.redhat.com/rh-osbs/openshift-ose-operator-registry@sha256:be60702488bf04a221324a911abcbd734cc94a0edfb05349a332c69f56d163d0 --from-index registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 --overwrite-latest

RHEL has since reversed this change because of the impact on OCP, but will want to re-assert the change once OCP is patched to tolerate these files/capabilities. The fix to opm will need to be backported all the way to at least 4.6 to ensure customers have a working binary to consume.

Version-Release number of selected component (if applicable):
4.8 but expectation is that all versions are affected.

How reproducible:
always (when using an image w/ these files/capabilities set)

Actual results:
permission failure extracting the image results in opm index command failure

Expected results:
files are extracted successfully/opm index command succeeds
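To see which files in a layer trigger the failure described above, the following added example (not opm's code and not part of the original report) scans an uncompressed layer tar for entries carrying the `security.capability` xattr and decodes the permitted-capability bitmask; setting that xattr at extraction time requires CAP_SETFCAP, which an unprivileged user lacks. The sample layer and its two paths are constructed for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// PAX record in which a tar entry carries the Linux file-capability xattr.
const capKey = "SCHILY.xattr.security.capability"

// ScanLayer maps each tar entry carrying security.capability to its permitted-capability bitmask.
func ScanLayer(r io.Reader) (map[string]uint64, error) {
	out := map[string]uint64{}
	tr := tar.NewReader(r)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		b := []byte(hdr.PAXRecords[capKey])
		if len(b) == 0 {
			continue // entry has no file capabilities
		} else if len(b) < 12 {
			return nil, fmt.Errorf("%s: truncated capability xattr", hdr.Name)
		}
		// vfs_cap_data: magic_etc, then little-endian {permitted, inheritable} pairs.
		perm := uint64(binary.LittleEndian.Uint32(b[4:]))
		if len(b) >= 20 { // revisions 2 and 3 add a second pair for bits 32-63
			perm |= uint64(binary.LittleEndian.Uint32(b[12:])) << 32
		}
		out[hdr.Name] = perm
	}
	return out, nil
}

// ConstructedLayer builds sample input in memory; both paths are hypothetical.
func ConstructedLayer() *bytes.Buffer {
	buf := new(bytes.Buffer)
	tw := tar.NewWriter(buf)
	// Constructed xattr: revision 2, effective flag, permitted bit 10 (CAP_NET_BIND_SERVICE).
	x := string([]byte{1, 0, 0, 2, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0})
	tw.WriteHeader(&tar.Header{Name: "usr/bin/sample-with-cap", Mode: 0755, PAXRecords: map[string]string{capKey: x}})
	tw.WriteHeader(&tar.Header{Name: "usr/bin/sample-plain", Mode: 0755})
	tw.Close()
	return buf
}

func main() {
	fmt.Println(ScanLayer(ConstructedLayer()))
}
```
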
verify:
[cloud-user@preserve-olm-agent-test ~]$ /tmp/opm version
Version: version.Version{OpmVersion:"59934e50e", GitCommit:"59934e50ebe3d59344cb8fe15f5fbba6b1b0219a", BuildDate:"2021-06-10T03:14:56Z", GoOs:"linux", GoArch:"amd64"}

login as cloud-user
[cloud-user@preserve-olm-agent-test ~]$ /tmp/opm index add --generate --bundles registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.8.0-324 --from-index registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 --overwrite-latest
INFO[0000] building the index bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.8.0-324]"
INFO[0000] Pulling previous image registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 to get metadata bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.8.0-324]"
INFO[0009] Could not find optional dependencies file dir=bundle_tmp141155627 file=bundle_tmp141155627/metadata load=annotations
INFO[0009] found csv, loading bundle dir=bundle_tmp141155627 file=bundle_tmp141155627/manifests load=bundle
INFO[0009] loading bundle file dir=bundle_tmp141155627/manifests file=performance-addon-operator.v4.8.0.clusterserviceversion.yaml load=bundle
INFO[0009] loading bundle file dir=bundle_tmp141155627/manifests file=performance.openshift.io_performanceprofiles_crd.yaml load=bundle
INFO[0011] Could not find optional dependencies file dir=bundle_tmp141155627 file=bundle_tmp141155627/metadata load=annotations
INFO[0011] found csv, loading bundle dir=bundle_tmp141155627 file=bundle_tmp141155627/manifests load=bundle
INFO[0011] loading bundle file dir=bundle_tmp141155627/manifests file=performance-addon-operator.v4.8.0.clusterserviceversion.yaml load=bundle
INFO[0011] loading bundle file dir=bundle_tmp141155627/manifests file=performance.openshift.io_performanceprofiles_crd.yaml load=bundle
INFO[0011] Could not find optional dependencies file dir=bundle_tmp923437205 file=bundle_tmp923437205/metadata load=annotations
INFO[0011] found csv, loading bundle dir=bundle_tmp923437205 file=bundle_tmp923437205/manifests load=bundle
INFO[0011] loading bundle file dir=bundle_tmp923437205/manifests file=performance-addon-operator.v4.4.0.clusterserviceversion.yaml load=bundle
INFO[0011] loading bundle file dir=bundle_tmp923437205/manifests file=performance.openshift.io_performanceprofiles_crd.yaml load=bundle
INFO[0011] Could not find optional dependencies file dir=bundle_tmp266164976 file=bundle_tmp266164976/metadata load=annotations
INFO[0011] found csv, loading bundle dir=bundle_tmp266164976 file=bundle_tmp266164976/manifests load=bundle
INFO[0011] loading bundle file dir=bundle_tmp266164976/manifests file=performance-addon-operator.v4.5.4.clusterserviceversion.yaml load=bundle
INFO[0011] loading bundle file dir=bundle_tmp266164976/manifests file=performance.openshift.io_performanceprofiles_crd.yaml load=bundle
INFO[0011] Could not find optional dependencies file dir=bundle_tmp552131471 file=bundle_tmp552131471/metadata load=annotations
INFO[0011] found csv, loading bundle dir=bundle_tmp552131471 file=bundle_tmp552131471/manifests load=bundle
INFO[0011] loading bundle file dir=bundle_tmp552131471/manifests file=performance-addon-operator.v4.7.3.clusterserviceversion.yaml load=bundle
INFO[0011] loading bundle file dir=bundle_tmp552131471/manifests file=performance.openshift.io_performanceprofiles_crd.yaml load=bundle
INFO[0011] Could not find optional dependencies file dir=bundle_tmp272042638 file=bundle_tmp272042638/metadata load=annotations
INFO[0011] found csv, loading bundle dir=bundle_tmp272042638 file=bundle_tmp272042638/manifests load=bundle
INFO[0011] loading bundle file dir=bundle_tmp272042638/manifests file=performance-addon-operator.v4.6.3.clusterserviceversion.yaml load=bundle
INFO[0011] loading bundle file dir=bundle_tmp272042638/manifests file=performance.openshift.io_performanceprofiles_crd.yaml load=bundle
INFO[0012] Generating dockerfile bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.8.0-324]"
INFO[0012] writing dockerfile: index.Dockerfile bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.8.0-324]"

There is no error "Error: operation not permitted"
LGTM, verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438