Bug 1969928 - oc image extract fails due to security capabilities on files
Summary: oc image extract fails due to security capabilities on files
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 4.7.z
Assignee: Maciej Szulik
QA Contact: zhou ying
Depends On: 1965330
Blocks: 1867598 1954587 1969929 1970203 1995337 1997492
Reported: 2021-06-09 13:21 UTC by OpenShift BugZilla Robot
Modified: 2021-08-25 11:48 UTC
CC List: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Insufficient privileges to set extended attributes during untaring. Consequence: oc image extract was failing with operation not permitted error when run as non-root user. Fix: Check user and set extended security attributes only when run as root. Result: oc image extract works correctly for both root and non-root user.
Clone Of:
Last Closed: 2021-06-29 04:20:14 UTC
Target Upstream Version:


Links:
GitHub openshift/oc pull 844 (open): [release-4.7] Bug 1969928: exclude security during exctraction (last updated 2021-06-11 13:39:34 UTC)
Red Hat Product Errata RHBA-2021:2502 (last updated 2021-06-29 04:20:37 UTC)

Description OpenShift BugZilla Robot 2021-06-09 13:21:34 UTC
+++ This bug was initially created as a clone of Bug #1965330 +++

Description of problem:

RHEL images now contain two files with security capabilities that are being set, as described here:

This results in failures during oc image extract because the extraction process can't set the capability on the extracted file (because the user doesn't have permission to do so):

$ oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743
error: unable to extract layer sha256:53732dad4680ae165f569331357b89605c03583057db7193a7a4fabdf312f061 from registry-proxy.engineering.redhat.com/rh-osbs/iib:76743: operation not permitted

RHEL has since reversed this change because of the impact on OCP, but will want to re-assert the change once OCP is patched to tolerate these files/capabilities.  

The fix to oc will need to be backported all the way to at least 4.6 to ensure customers have a working binary to consume.

Version-Release number of selected component (if applicable):
4.8 but expectation is that all versions are affected.

How reproducible:
always (when using an image w/ these files/capabilities set)

Actual results:
permission failure extracting the image

Expected results:
files are extracted successfully

Additional info:
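
The failure described above and the fix summarized in the Doc Text ("set extended security attributes only when run as root"), as an added Go example that is not oc's own code. It assumes Linux (syscall.Setxattr), models the layer as a constructed in-memory tar with a hand-assembled security.capability value for cap_net_raw=ep, and treats euid 0 as the proxy for the privilege actually required (CAP_SETFCAP). ExtractTar and BuildSampleLayer are names chosen for this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// XattrSetter applies one extended attribute to an extracted file. It is a
// parameter so the root-check policy can be exercised without the kernel.
type XattrSetter func(path, name string, value []byte) error

// SyscallXattrSetter calls setxattr(2) for real (Linux only; assumption).
func SyscallXattrSetter(path, name string, value []byte) error {
	return syscall.Setxattr(path, name, value, 0)
}

// archive/tar exposes xattrs as PAX records under this key prefix.
const paxXattrPrefix = "SCHILY.xattr."

// ExtractTar writes each regular file in r under dest and re-applies the
// xattrs stored in its PAX records. Without the asRoot check, an unprivileged
// caller gets EPERM from setxattr(2) on security.capability, which is the
// "operation not permitted" in this bug. Only root (strictly, a caller with
// CAP_SETFCAP) may set security.* attributes, so for non-root they are
// skipped and reported instead of aborting the extraction.
func ExtractTar(r io.Reader, dest string, asRoot bool, set XattrSetter) (map[string][]string, error) {
	skipped := map[string][]string{}
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return skipped, nil
		}
		if err != nil {
			return nil, err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue // directories, links etc. are out of scope for this example
		}
		// Clean against "/" first so "../" entries cannot escape dest.
		target := filepath.Join(dest, filepath.Clean("/"+hdr.Name))
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return nil, err
		}
		f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode)&0o777)
		if err != nil {
			return nil, err
		}
		_, err = io.Copy(f, tr)
		f.Close()
		if err != nil {
			return nil, err
		}
		for key, value := range hdr.PAXRecords {
			if !strings.HasPrefix(key, paxXattrPrefix) {
				continue
			}
			name := strings.TrimPrefix(key, paxXattrPrefix)
			if !asRoot && strings.HasPrefix(name, "security.") {
				skipped[hdr.Name] = append(skipped[hdr.Name], name)
				continue
			}
			if err := set(target, name, []byte(value)); err != nil {
				return nil, fmt.Errorf("xattr %s on %s: %w", name, hdr.Name, err)
			}
		}
	}
}

// BuildSampleLayer returns a constructed tar stream (not a real RHEL layer):
// one binary carrying security.capability and one file with a user.* xattr,
// so the privileged and unprivileged namespaces can be told apart.
func BuildSampleLayer() []byte {
	// VFS_CAP_REVISION_2 header with the effective bit, permitted = CAP_NET_RAW
	// (bit 13): what `setcap cap_net_raw=ep` stores. Hand-assembled, little-endian.
	capNetRaw := "\x01\x00\x00\x02" + "\x00\x20\x00\x00" + strings.Repeat("\x00", 12)
	entries := []struct {
		name, body string
		xattrs     map[string]string
	}{
		{"usr/bin/ping", "#!/bin/sh\necho fake ping\n", map[string]string{"security.capability": capNetRaw}},
		{"etc/motd", "hello\n", map[string]string{"user.origin": "example"}},
	}
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Mode: 0o755, Size: int64(len(e.body)), Typeflag: tar.TypeReg, PAXRecords: map[string]string{}}
		for n, v := range e.xattrs {
			hdr.PAXRecords[paxXattrPrefix+n] = v
		}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := io.WriteString(tw, e.body); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	dir, err := os.MkdirTemp("", "oc-extract-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	asRoot := os.Geteuid() == 0
	skipped, err := ExtractTar(bytes.NewReader(BuildSampleLayer()), dir, asRoot, SyscallXattrSetter)
	fmt.Printf("euid=%d asRoot=%v skipped=%v err=%v\n", os.Geteuid(), asRoot, skipped, err)
}
```

Run as a normal user, main reports security.capability as skipped on usr/bin/ping and exits cleanly; run as root it sets the capability, which `getcap` on the extracted file confirms. Passing asRoot=true as a non-root user reproduces the pre-fix behaviour: the extraction aborts on the first security.* attribute with EPERM. Note that user.* xattrs need filesystem support (older tmpfs lacks it), so run the demo on a regular filesystem.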

Comment 3 zhou ying 2021-06-15 06:14:32 UTC
can't reproduce with latest oc now:

[root@localhost ~]# oc version --client
Client Version: 4.7.0-202106120124.p0.git.9b9f77a-9b9f77a

[root@localhost ~]# oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 --confirm
W0615 13:53:31.047584 2013527 manifest.go:442] Chose linux/amd64 manifest from the manifest list.

[zhouying@localhost 6666]$ oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743 --confirm
W0615 14:07:00.104630 2013740 manifest.go:442] Chose linux/amd64 manifest from the manifest list.

Comment 4 OpenShift Automated Release Tooling 2021-06-17 12:29:08 UTC
OpenShift engineering has decided to not ship Red Hat OpenShift Container Platform 4.7.17 due to a regression https://bugzilla.redhat.com/show_bug.cgi?id=1973006. All the fixes which were part of 4.7.17 will now be part of 4.7.18 and are planned to be available in the candidate channel on June 23 2021 and in the fast channel on June 28th.

Comment 8 errata-xmlrpc 2021-06-29 04:20:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.7.18 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

