Bug 1968680 - opm index add fails during image extraction
Summary: opm index add fails during image extraction
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: OLM
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.7.z
Assignee: Nick Hale
QA Contact: xzha
URL:
Whiteboard:
Depends On: 1965334
Blocks: 1867598 1954587 1968681 1995337 1997492
Reported: 2021-06-07 19:34 UTC by OpenShift BugZilla Robot
Modified: 2021-08-25 11:48 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-29 04:19:45 UTC
Target Upstream Version:



Links
System ID Private Priority Status Summary Last Updated
Github operator-framework operator-registry pull 676 0 None open [release-4.7] Bug 1968680: fix(containerd): drop xattrs during unpack 2021-06-09 01:08:24 UTC
Red Hat Product Errata RHBA-2021:2502 0 None None None 2021-06-29 04:20:08 UTC

Description OpenShift BugZilla Robot 2021-06-07 19:34:20 UTC
+++ This bug was initially created as a clone of Bug #1965334 +++

Description of problem:

RHEL images now contain two files with security capabilities that are being set, as described here:
https://projects.engineering.redhat.com/browse/RHELBLD-4379

This results in failures during opm index add because the extraction process can't set the capability on the extracted file (because the user doesn't have permission to do so):

$ opm index add --generate --bundles registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.8.0-324 --binary-image registry-proxy.engineering.redhat.com/rh-osbs/openshift-ose-operator-registry@sha256:be60702488bf04a221324a911abcbd734cc94a0edfb05349a332c69f56d163d0 --from-index registry-proxy.engineering.redhat.com/rh-osbs/iib:76743  --overwrite-latest


RHEL has since reversed this change because of the impact on OCP, but will want to re-assert the change once OCP is patched to tolerate these files/capabilities.

The fix to opm will need to be backported all the way to at least 4.6 to ensure customers have a working binary to consume.


Version-Release number of selected component (if applicable):
4.8 but expectation is that all versions are affected.

How reproducible:
always (when using an image w/ these files/capabilities set)

Actual results:
permission failure extracting the image results in opm index command failure

Expected results:
files are extracted successfully/opm index command succeeds
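
The failure mode in this report, as an added example (not code from operator-registry or the linked pull request): tar layers carry extended attributes as `SCHILY.xattr.*` PAX records, and an unprivileged extractor that tries to restore `security.capability` is refused by the kernel, so this unpack loop reports those records and never applies them. The helper names, the file name `usr/bin/example-tool` and the capability bytes are constructed for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

const paxXattrPrefix = "SCHILY.xattr." // PAX record prefix that carries extended attributes

// buildLayer returns a constructed one-file layer; its security.capability value is made up.
func buildLayer(name string) []byte {
	body, buf := []byte("#!/bin/sh\n"), new(bytes.Buffer)
	capBlob := string([]byte{1, 0, 0, 2, 0, 0x20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0})
	tw := tar.NewWriter(buf)
	tw.WriteHeader(&tar.Header{Name: name, Typeflag: tar.TypeReg, Mode: 0755, Size: int64(len(body)),
		Format: tar.FormatPAX, PAXRecords: map[string]string{paxXattrPrefix + "security.capability": capBlob}})
	tw.Write(body)
	tw.Close() // fixed, valid input written to memory: none of these calls can fail
	return buf.Bytes()
}

// unpackDroppingXattrs (hypothetical helper) writes regular files under dest, never calls setxattr.
func unpackDroppingXattrs(layer io.Reader, dest string) ([]string, error) {
	var dropped []string // one "path: attribute" entry per xattr record that was skipped
	root, tr := filepath.Clean(dest), tar.NewReader(layer)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return dropped, err
		}
		for k := range hdr.PAXRecords {
			if strings.HasPrefix(k, paxXattrPrefix) {
				dropped = append(dropped, hdr.Name+": "+strings.TrimPrefix(k, paxXattrPrefix))
			}
		}
		if hdr.Typeflag != tar.TypeReg {
			continue // directories are created on demand; links and devices are not extracted
		}
		target := filepath.Join(root, hdr.Name)
		if !strings.HasPrefix(target, root+string(os.PathSeparator)) {
			return dropped, fmt.Errorf("entry %q escapes %s", hdr.Name, root)
		}
		if err := os.MkdirAll(filepath.Dir(target), 0755); err != nil {
			return dropped, err
		}
		f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, hdr.FileInfo().Mode().Perm())
		if err == nil {
			_, err = io.Copy(f, tr)
			f.Close()
		}
		if err != nil {
			return dropped, err
		}
	}
	return dropped, nil
}

func main() { // extracts the sample layer into ./layer-out and prints what was skipped
	fmt.Println(unpackDroppingXattrs(bytes.NewReader(buildLayer("usr/bin/example-tool")), "layer-out"))
}
```

The extracted file keeps its content and mode bits but not its file capabilities, which is acceptable for a tool that only reads files out of the image.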

Comment 2 xzha 2021-06-21 02:18:36 UTC
verify:

[cloud-user@preserve-olm-agent-test ~]$ /tmp/opm version
Version: version.Version{OpmVersion:"v1.15.4-16-g06e950de", GitCommit:"06e950de", BuildDate:"2021-06-21T01:38:26Z", GoOs:"linux", GoArch:"amd64"}

[cloud-user@preserve-olm-agent-test ~]$ /tmp/opm index add --generate --bundles registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0 --from-index registry-proxy.engineering.redhat.com/rh-osbs/iib:76743  --overwrite-latest
INFO[0000] building the index                            bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0]"
INFO[0000] Pulling previous image registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 to get metadata  bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0]"
INFO[0000] resolved name: registry-proxy.engineering.redhat.com/rh-osbs/iib:76743  bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0]"
INFO[0002] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:53732dad4680ae165f569331357b89605c03583057db7193a7a4fabdf312f061 88972019 [] map[] <nil>}  bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0]"
INFO[0005] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:a538c9b9760931040405e4c827d816c820fc4738284b4f51a1bb0c872fb4b45d 1879 [] map[] <nil>}  bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0]"
INFO[0005] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:d35048e2a09abcb6720d8ce0854138c095442bafc1d1f541b59a3928819561e5 2199276 [] map[] <nil>}  bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0]"
INFO[0005] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:d9c0aa9ea9b40745b1a95c90f903e9df09515e944e6ae70540c989bfb1427381 11660479 [] map[] <nil>}  bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0]"
INFO[0005] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:3ba53496f683622e237626058f3a75df337db094f708f180dee271db5b5ad9fc 129924145 [] map[] <nil>}  bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0]"
INFO[0007] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:5462a6102decd896b6f4f3b698399dab4bc45835d1d30435bc2ac9ac06bacf1d 10125898 [] map[] <nil>}  bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0]"
INFO[0008] resolved name: registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0 
INFO[0008] fetched                                       digest="sha256:694b76217a611ad6c8acec81c4ad700155bb0c055843bb0a8c9b63a7dff0569a"
INFO[0008] fetched                                       digest="sha256:ef846247198c7a9a05e6990e2dc321091fbf832d8e5c52d57bd3f25017a5b7ee"
INFO[0008] fetched                                       digest="sha256:370583ca2fdee0560d3965f8bb88d7a214142509319393a0efeaff18bc0a1513"
INFO[0008] fetched                                       digest="sha256:987b30f4960545e8cc93dfa2f1b5448a77b0c40b465272a142cb2257eaa44f49"
INFO[0008] fetched                                       digest="sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1"
INFO[0009] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1 32 [] map[] <nil>} 
INFO[0009] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:370583ca2fdee0560d3965f8bb88d7a214142509319393a0efeaff18bc0a1513 7618 [] map[] <nil>} 
INFO[0009] Could not find optional dependencies file     dir=bundle_tmp855629950 file=bundle_tmp855629950/metadata load=annotations
INFO[0009] found csv, loading bundle                     dir=bundle_tmp855629950 file=bundle_tmp855629950/manifests load=bundle
INFO[0009] loading bundle file                           dir=bundle_tmp855629950/manifests file=performance-addon-operator.v4.7.0.clusterserviceversion.yaml load=bundle
INFO[0009] loading bundle file                           dir=bundle_tmp855629950/manifests file=performance.openshift.io_performanceprofiles_crd.yaml load=bundle
INFO[0009] Could not find optional dependencies file     dir=bundle_tmp855629950 file=bundle_tmp855629950/metadata load=annotations
INFO[0009] found csv, loading bundle                     dir=bundle_tmp855629950 file=bundle_tmp855629950/manifests load=bundle
INFO[0009] loading bundle file                           dir=bundle_tmp855629950/manifests file=performance-addon-operator.v4.7.0.clusterserviceversion.yaml load=bundle
INFO[0009] loading bundle file                           dir=bundle_tmp855629950/manifests file=performance.openshift.io_performanceprofiles_crd.yaml load=bundle
INFO[0009] Generating dockerfile                         bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0]"
INFO[0009] writing dockerfile: index.Dockerfile          bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.7.0]"
[cloud-user@preserve-olm-agent-test ~]$ 

There is no error "Error: operation not permitted"

LGTM, verified.

Comment 5 errata-xmlrpc 2021-06-29 04:19:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.7.18 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2502

