Bug 1970203 - oc image extract fails due to security capabilities on files
Summary: oc image extract fails due to security capabilities on files
Status: CLOSED DUPLICATE of bug 1969929
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.6.z
Assignee: Maciej Szulik
QA Contact: zhou ying
Depends On: 1969928
Blocks: 1954587
TreeView+ depends on / blocked
Reported: 2021-06-10 05:19 UTC by OpenShift BugZilla Robot
Modified: 2021-07-16 14:30 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-06-10 10:38:45 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description OpenShift BugZilla Robot 2021-06-10 05:19:19 UTC
+++ This bug was initially created as a clone of Bug #1965330 +++

Description of problem:

RHEL images now contain two files with security capabilities that are being set, as described here:

This results in failures during oc image extract because the extraction process can't set the capability on the extracted file (because the user doesn't have permission to do so):

$ oc image extract registry-proxy.engineering.redhat.com/rh-osbs/iib:76743
error: unable to extract layer sha256:53732dad4680ae165f569331357b89605c03583057db7193a7a4fabdf312f061 from registry-proxy.engineering.redhat.com/rh-osbs/iib:76743: operation not permitted

RHEL has since reversed this change because of the impact on OCP, but will want to re-assert the change once OCP is patched to tolerate these files/capabilities.  

The fix to oc will need to be backported all the way to at least 4.6 to ensure customers have a working binary to consume.

Version-Release number of selected component (if applicable):
4.8 but expectation is that all versions are affected.

How reproducible:
always (when using an image w/ these files/capabilities set)

Actual results:
permission failure extracting the image

Expected results:
files are extracted successfully

Additional info:

Comment 1 Maciej Szulik 2021-06-10 10:38:45 UTC

*** This bug has been marked as a duplicate of bug 1969929 ***

Note You need to log in before you can comment on or make changes to this bug.