+++ This bug was initially created as a clone of Bug #1968680 +++ +++ This bug was initially created as a clone of Bug #1965334 +++ Description of problem: RHEL images now contain two files with security capabilities that are being set, as described here: https://projects.engineering.redhat.com/browse/RHELBLD-4379 This results in failures during opm index add because the extraction process can't set the capability on the extracted file (because the user doesn't have permission to do so): $ opm index add --generate --bundles registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.8.0-324 --binary-image registry-proxy.engineering.redhat.com/rh-osbs/openshift-ose-operator-registry@sha256:be60702488bf04a221324a911abcbd734cc94a0edfb05349a332c69f56d163d0 --from-index registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 --overwrite-latest RHEL has since reversed this change because of the impact on OCP, but will want to re-assert the change once OCP is patched to tolerate these files/capabilities. The fix to opm will need to be backported all the way to at least 4.6 to ensure customers have a working binary to consume. Version-Release number of selected component (if applicable): 4.8 but expectation is that all versions are affected. How reproducible: always (when using an image w/ these files/capabilities set) Actual results: permission failure extracting the image results in opm index command failure Expected results: files are extracted successfully/opm index command succeeds
verify [cloud-user@preserve-olm-agent-test ~]$ /tmp/opm version Version: version.Version{OpmVersion:"v1.14.3-36-gd13e51ce", GitCommit:"d13e51ce", BuildDate:"2021-06-28T01:41:46Z", GoOs:"linux", GoArch:"amd64"} [cloud-user@preserve-olm-agent-test ~]$ /tmp/opm index add --generate --bundles registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0 --from-index registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 --overwrite-latest INFO[0000] building the index bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" INFO[0000] Pulling previous image registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 to get metadata bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" INFO[0000] resolved name: registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:bafa97bd4e6cd2e8f3c0f526b112c320e5f3b079dbd7f66b8339841d58d5be3d" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:496fe1c1394d856a8d0906cb4e1c83a14bafc134512b12ded7af66959872aebc" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:0bcdc538457073f1bc03c1c7fbfe26c9ce7059a242985204004948286a24bee0" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:a505d8bec212905c700ba145985177bbef5596c3ff6e5399bad8efaa88bfa4b8" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:5462a6102decd896b6f4f3b698399dab4bc45835d1d30435bc2ac9ac06bacf1d" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:c1e45f1800b9dd6392c6af3d5510a7abebf40da5004fd9d91c4d8a101b6d780c" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:53732dad4680ae165f569331357b89605c03583057db7193a7a4fabdf312f061" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:a538c9b9760931040405e4c827d816c820fc4738284b4f51a1bb0c872fb4b45d" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:d35048e2a09abcb6720d8ce0854138c095442bafc1d1f541b59a3928819561e5" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:d9c0aa9ea9b40745b1a95c90f903e9df09515e944e6ae70540c989bfb1427381" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:3ba53496f683622e237626058f3a75df337db094f708f180dee271db5b5ad9fc" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:fca450a845cf43f5b01eb4a8a6f90c638c74c3410a14ce715ea73755a8cf918e" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:5baa8b576929f24e6530d9775ae1f64b872fc5761b247d12ba8c37e79f66d6a2" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:41b5560940c6c64f21a93ed62524179ce9f0c1590e33de59b2fd1667fae69c96" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:c049aeb87eebd112b814baa2f4a0e2d1a5d7543d91a3b7e6ac013d15db9a205f" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:7ec7e7c02020ff6f6c27a05b95a2b1fb2c1dba5caf4880a90896900cbf061bf2" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:0f758562a62b98aa28dab9325543d3cc945a1e3b84084769ad698ddcbd190915" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:990150affea1535300599c5d7d95e41d983004be306b68cc3606e28f5e14b583" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:6d728e8c122b3829901f90f16d62830e6c4cfd8a6778f6fc998d24bb8d41d347" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:b1f6570db3a95c48761a529f941a448b663ed875b8be3974cf24d46da2f75bb6" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:ee94519688b8f9c645d63c3d30a455a945c216618cff65292af265ba791e4fe5" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:54858178077977ea226c3b50331f40f61baa004acebb01fdd26d00f3c848e4c1" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:4e1875f5dbc4996515217df03891684f8f23652127ed2d568dfe30c70628efad" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:479091616906b08f90a2b6eb076889752004b96d7c361c4677aa1b8ddd983ce0" INFO[0000] fetched bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" digest="sha256:284062d6df409fe945fc23a3785fcb545564dc702b96e34644361b33756e91ba" WARN[0003] {"created":"2021-05-21T13:31:25.685855303Z","architecture":"amd64","os":"linux","config":{"User":"1001","ExposedPorts":{"50051/tcp":{}},"Env":["__doozer=merge","BUILD_RELEASE=202105210425.p0.assembly.test","BUILD_VERSION=v4.8.0","OS_GIT_MAJOR=4","OS_GIT_MINOR=8","OS_GIT_PATCH=0","OS_GIT_TREE_STATE=clean","OS_GIT_VERSION=4.8.0-202105210425.p0.assembly.test-ca1f0b6","SOURCE_GIT_TREE_STATE=clean","KUBE_GIT_COMMIT=ca1f0b69c3e2eb06ab4e62517fe5bd11e59a3239","KUBE_GIT_MAJOR=1","KUBE_GIT_MINOR=13+","KUBE_GIT_TREE_STATE=clean","KUBE_GIT_VERSION=v1.13.0+ca1f0b6","OS_GIT_COMMIT=ca1f0b6","SOURCE_DATE_EPOCH=1621490278","SOURCE_GIT_COMMIT=ca1f0b69c3e2eb06ab4e62517fe5bd11e59a3239","SOURCE_GIT_TAG=ca1f0b69c","SOURCE_GIT_URL=https://github.com/openshift/operator-framework-olm","GODEBUG=x509ignoreCN=0,madvdontneed=1","PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","container=oci"],"Entrypoint":["/bin/opm"],"Cmd":["registry","serve","--database","/database/index.db"],"WorkingDir":"/registry","Labels":{"License":"GPLv2+","architecture":"x86_64","build-date":"2021-05-21T11:01:06.328945","com.redhat.build-host":"cpt-1001.osbs.prod.upshift.rdu2.redhat.com","com.redhat.component":"operator-registry-container","com.redhat.index.delivery.distribution_scope":"stage","com.redhat.index.delivery.version":"v4.8","com.redhat.license_terms":"https://www.redhat.com/agreements","description":"This is a component of OpenShift Operator Lifecycle Manager and is the base for operator catalog API containers.","distribution-scope":"public","io.buildah.version":"1.16.7","io.k8s.description":"This is a component of OpenShift Operator Lifecycle Manager and is the base for operator catalog API containers.","io.k8s.display-name":"OpenShift Operator Registry","io.openshift.build.commit.id":"ca1f0b69c3e2eb06ab4e62517fe5bd11e59a3239","io.openshift.build.commit.url":"https://github.com/openshift/operator-framework-olm/commit/ca1f0b69c3e2eb06ab4e62517fe5bd11e59a3239","io.openshift.build.source-location":"https://github.com/openshift/operator-framework-olm","io.openshift.expose-services":"","io.openshift.maintainer.component":"OLM","io.openshift.maintainer.product":"OpenShift Container Platform","io.openshift.tags":"openshift,base","maintainer":"Odin Team \u003caos-odin\u003e","name":"openshift/ose-operator-registry","operators.operatorframework.io.index.database.v1":"/database/index.db","release":"202105210425.p0.assembly.test","summary":"Operator Registry runs in a Kubernetes or OpenShift cluster to provide operator catalog data to Operator Lifecycle Manager.","url":"https://access.redhat.com/containers/#/registry.access.redhat.com/openshift/ose-operator-registry/images/v4.8.0-202105210425.p0.assembly.test","vcs-ref":"114496b3398732f59c5b5ce482dadce50666a0cd","vcs-type":"git","vendor":"Red Hat, Inc.","version":"v4.8.0"}},"rootfs":{"type":"layers","diff_ids":["sha256:98469092e6042f8c9cc81dcb1a710957fb5ef27817c9b178f7b71c4f242cb2ed","sha256:bfb9caafb0fc0d8496a27709f1698ac90d1a306556387a75b92a86063544f4c8","sha256:7a88ee3fa5631ca7531842db33bed9f22292645cb4d5a9040e1db4e2e8356073","sha256:6629e8425178cd34a682ed777ead805eb6bd38b6371c97da299007f2d1d58499","sha256:6ceef9186f44c1161211e08a64b7c19cb2cf9000700b055c1be0605498315434","sha256:6c9cbfa0a5cba69042563ad957841168edba7b072e37601a555ee0e97854991f"]},"history":[{"created":"2021-05-04T17:22:13.711896193Z","comment":"Imported from -"},{"created":"2021-05-04T17:22:23.540345Z"},{"created":"2021-05-21T10:13:21.835072176Z","created_by":"#(imagebuilder)\nsleep 86400"},{"created":"2021-05-21T10:20:13.653432134Z","created_by":"#(imagebuilder)\nsleep 86400"},{"created":"2021-05-21T11:06:00.179431387Z","created_by":"#(imagebuilder)\nsleep 86400"},{"created":"2021-05-21T09:31:24.965348922-04:00","created_by":"/bin/sh -c #(nop) LABEL operators.operatorframework.io.index.database.v1=/database/index.db","empty_layer":true},{"created":"2021-05-21T09:31:25.463298473-04:00","created_by":"/bin/sh -c #(nop) ADD file:96ccda2c0fa8bd1e7f4baeaf11429c28b25dfde938ff0db8577e35c87c2aef86 in /database/index.db ","empty_layer":true},{"created":"2021-05-21T09:31:25.502201577-04:00","created_by":"/bin/sh -c #(nop) EXPOSE 50051","empty_layer":true},{"created":"2021-05-21T09:31:25.548473324-04:00","created_by":"/bin/sh -c #(nop) ENTRYPOINT [\"/bin/opm\"]","empty_layer":true},{"created":"2021-05-21T09:31:25.597493979-04:00","created_by":"/bin/sh -c #(nop) CMD [\"registry\", \"serve\", \"--database\", \"/database/index.db\"]","empty_layer":true},{"created":"2021-05-21T09:31:25.63843865-04:00","created_by":"/bin/sh -c #(nop) LABEL com.redhat.index.delivery.version=\"v4.8\"","empty_layer":true},{"created":"2021-05-21T13:31:28.214290017Z","created_by":"/bin/sh -c #(nop) LABEL com.redhat.index.delivery.distribution_scope=\"stage\""}]} bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" INFO[0003] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:53732dad4680ae165f569331357b89605c03583057db7193a7a4fabdf312f061 88972019 [] map[] <nil>} bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" INFO[0005] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:a538c9b9760931040405e4c827d816c820fc4738284b4f51a1bb0c872fb4b45d 1879 [] map[] <nil>} bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" INFO[0005] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:d35048e2a09abcb6720d8ce0854138c095442bafc1d1f541b59a3928819561e5 2199276 [] map[] <nil>} bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" INFO[0005] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:d9c0aa9ea9b40745b1a95c90f903e9df09515e944e6ae70540c989bfb1427381 11660479 [] map[] <nil>} bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" INFO[0006] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:3ba53496f683622e237626058f3a75df337db094f708f180dee271db5b5ad9fc 129924145 [] map[] <nil>} bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" INFO[0008] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:5462a6102decd896b6f4f3b698399dab4bc45835d1d30435bc2ac9ac06bacf1d 10125898 [] map[] <nil>} bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" INFO[0009] resolved name: registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0 INFO[0009] fetched digest="sha256:1b99b6964cee956b72156be7aa3100ab983d86611fb4a23f566b91fcca68a8b4" INFO[0009] fetched digest="sha256:6aa03d6cff2de94e0b1888b4f307f6284e79a1fbbaede0194194cd0ea8db0a91" INFO[0009] fetched digest="sha256:e02b13791eb18f5d8626a6d2daef6b73e73481bb7444b590fc97503e3a29ee32" INFO[0009] fetched digest="sha256:28e1b1b1da3b3437533f39621e0083985dc3f51c35d99156274871b9c19415cb" INFO[0009] fetched digest="sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1" INFO[0010] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1 32 [] map[] <nil>} INFO[0010] unpacking layer: {application/vnd.docker.image.rootfs.diff.tar.gzip sha256:e02b13791eb18f5d8626a6d2daef6b73e73481bb7444b590fc97503e3a29ee32 6050 [] map[] <nil>} INFO[0010] Could not find optional dependencies file dir=bundle_tmp544089140 file=bundle_tmp544089140/metadata load=annotations INFO[0010] found csv, loading bundle dir=bundle_tmp544089140 file=bundle_tmp544089140/manifests load=bundle INFO[0010] loading bundle file dir=bundle_tmp544089140/manifests file=performance-addon-operator.v4.6.0.clusterserviceversion.yaml load=bundle INFO[0010] loading bundle file dir=bundle_tmp544089140/manifests file=performance.openshift.io_performanceprofiles_crd.yaml load=bundle INFO[0010] Could not find optional dependencies file dir=bundle_tmp544089140 file=bundle_tmp544089140/metadata load=annotations INFO[0010] found csv, loading bundle dir=bundle_tmp544089140 file=bundle_tmp544089140/manifests load=bundle INFO[0010] loading bundle file dir=bundle_tmp544089140/manifests file=performance-addon-operator.v4.6.0.clusterserviceversion.yaml load=bundle INFO[0010] loading bundle file dir=bundle_tmp544089140/manifests file=performance.openshift.io_performanceprofiles_crd.yaml load=bundle INFO[0010] Generating dockerfile bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" INFO[0010] writing dockerfile: index.Dockerfile bundles="[registry-proxy.engineering.redhat.com/rh-osbs/openshift4-performance-addon-operator-bundle-registry-container-rhel8:v4.6.0]" [cloud-user@preserve-olm-agent-test ~]$ no error LGTM, verified
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6.38 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:2641