+++ This bug was initially created as a clone of Bug #1965330 +++

Description of problem:
RHEL images now contain two files with security capabilities that are being set, as described here:
https://projects.engineering.redhat.com/browse/RHELBLD-4379

This results in failures during oc image extract because the extraction process can't set the capability on the extracted file (because the user doesn't have permission to do so):

$ oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743
error: unable to extract layer sha256:53732dad4680ae165f569331357b89605c03583057db7193a7a4fabdf312f061 from registry-proxy.engineering.redhat.com/rh-osbs/iib:76743: operation not permitted

RHEL has since reversed this change because of the impact on OCP, but will want to re-assert the change once OCP is patched to tolerate these files/capabilities.

The fix to oc will need to be backported all the way to at least 4.6 to ensure customers have a working binary to consume.

Version-Release number of selected component (if applicable):
4.8 but expectation is that all versions are affected.

How reproducible:
always (when using an image w/ these files/capabilities set)

Actual results:
permission failure extracting the image

Expected results:
files are extracted successfully

Additional info:
can't reproduce with latest oc now:

[root@localhost ~]# oc version --client
Client Version: 4.7.0-202106120124.p0.git.9b9f77a-9b9f77a
[root@localhost ~]# oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 --confirm
W0615 13:53:31.047584 2013527 manifest.go:442] Chose linux/amd64 manifest from the manifest list.

[zhouying@localhost 6666]$ oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 --confirm
W0615 14:07:00.104630 2013740 manifest.go:442] Chose linux/amd64 manifest from the manifest list.
OpenShift engineering has decided to not ship Red Hat OpenShift Container Platform 4.7.17 due to a regression https://bugzilla.redhat.com/show_bug.cgi?id=1973006. All the fixes which were part of 4.7.17 will now be part of 4.7.18 and planned to be available in candidate channel on June 23 2021 and in fast channel on June 28th.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.7.18 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:2502
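The failure in the original report comes from layer entries that carry a security.capability extended attribute. The following added example (not code from oc or from this bug report) scans a layer tar and lists such entries, so an image can be checked before an unprivileged extraction is attempted. It assumes the layer stores xattrs as PAX records named SCHILY.xattr.<attr>, which is how Go's archive/tar exposes them; the sample layer, its file names and the attribute bytes are constructed for the demonstration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
)

// PAX record under which a layer tar stores the file-capability xattr.
const capRecord = "SCHILY.xattr.security.capability"

// FilesWithCapabilities returns the names of the entries in a layer tar
// stream that carry a security.capability xattr, i.e. the entries an
// unprivileged extraction cannot fully restore.
func FilesWithCapabilities(layer io.Reader) ([]string, error) {
	var names []string
	tr := tar.NewReader(layer)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return names, nil
		}
		if err != nil {
			return nil, err
		}
		if _, ok := hdr.PAXRecords[capRecord]; ok {
			names = append(names, hdr.Name)
		}
	}
}

// sampleLayer builds a constructed two-entry layer in memory. The paths and
// the attribute value are placeholders, not a real capability set.
func sampleLayer() *bytes.Buffer {
	buf := new(bytes.Buffer)
	tw := tar.NewWriter(buf)
	entries := []tar.Header{
		{Name: "usr/bin/plain", Mode: 0o755, Typeflag: tar.TypeReg},
		{Name: "usr/bin/with-cap", Mode: 0o755, Typeflag: tar.TypeReg,
			PAXRecords: map[string]string{capRecord: "\x01\x02\x03\x04"}},
	}
	for i := range entries {
		if err := tw.WriteHeader(&entries[i]); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf
}

func main() {
	names, err := FilesWithCapabilities(sampleLayer())
	fmt.Println(names, err)
}
```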