Red Hat Advanced Cluster Management
ACM-14855

VolSync - restic mover - need to decide what to do for xattrs in privileged mode

    • Quality / Stability / Reliability
      Value Statement

      Upstream restic v0.17.1 includes a fix after which a restore fails if any xattr cannot be applied while the process runs as uid 0.

      Detailed explanation here: https://issues.redhat.com/browse/ACM-14701

      Essentially this means that when running in privileged mode, the mover would need the CAP_SYS_ADMIN capability to be able to write `trusted.` and `security.` xattrs.

      However, even if we grant CAP_SYS_ADMIN to the privileged mover, in OpenShift the restore will still fail, as OpenShift will not allow the `security.selinux` attribute to be rewritten; its value needs to match the namespace.

      It's possible we may just need to document that the namespace being restored to needs to match the SELinux annotations of the source namespace, but I would like to explore whether we can get changes into upstream restic, perhaps a parameter to exclude some xattrs.
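      The xattr namespace rules behind the value statement, shown as an added example (this is not restic or VolSync code). It assumes Linux (`syscall.Setxattr`); the `RestorePolicy`, `Classify` and `RestoreXattrs` names and the sample attribute set are constructed for the example. `Classify` applies the xattr(7) rules (`user.` needs only file ownership, `trusted.` needs CAP_SYS_ADMIN, `security.` is decided by the LSM) plus an operator exclusion list, and `RestoreXattrs` treats a kernel permission refusal on an attribute as a warning rather than aborting the whole restore, which is the behaviour the issue wants to be able to opt into.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"sort"
	"strings"
	"syscall"
)

// RestorePolicy describes the privileges of the restoring process and the
// operator's exclusions. The type and its fields are assumptions for this
// example; they are not restic or VolSync options.
type RestorePolicy struct {
	UID             int      // effective uid of the mover process
	HasCapSysAdmin  bool     // CAP_SYS_ADMIN present in the effective set
	ExcludePrefixes []string // xattr name prefixes the operator chose to skip
}

// Decision says whether an xattr should be attempted and, if not, why.
type Decision struct {
	Apply  bool
	Reason string
}

// Classify decides, before any syscall, whether a named xattr should be
// attempted. Namespaces follow xattr(7): user.* is writable by the file owner,
// trusted.* needs CAP_SYS_ADMIN, and security.* (e.g. security.selinux) is
// mediated by the LSM and may be refused even with CAP_SYS_ADMIN.
func Classify(name string, p RestorePolicy) Decision {
	for _, pre := range p.ExcludePrefixes {
		if strings.HasPrefix(name, pre) {
			return Decision{false, "excluded by policy"}
		}
	}
	switch {
	case strings.HasPrefix(name, "user."):
		return Decision{true, ""}
	case strings.HasPrefix(name, "trusted."):
		if !p.HasCapSysAdmin {
			return Decision{false, "trusted.* requires CAP_SYS_ADMIN"}
		}
		return Decision{true, ""}
	case strings.HasPrefix(name, "security."):
		return Decision{true, ""} // attempt it; the caller tolerates an LSM refusal
	default:
		return Decision{false, "unsupported namespace"}
	}
}

// Setter is the xattr write primitive: syscall.Setxattr in production, a
// fake in tests.
type Setter func(path, name string, value []byte) error

// isPermissionLike reports the errno values a missing capability or an LSM
// refusal produces when an xattr cannot be written.
func isPermissionLike(err error) bool {
	return errors.Is(err, syscall.EPERM) || errors.Is(err, syscall.EACCES) ||
		errors.Is(err, syscall.ENOTSUP)
}

// RestoreXattrs applies attrs to path under policy p. Attributes that are
// excluded, or that the kernel refuses for permission reasons, are reported
// as "name: reason" in the returned slice and do not abort the restore; any
// other error (e.g. EIO) is fatal.
func RestoreXattrs(path string, attrs map[string][]byte, p RestorePolicy, set Setter) ([]string, error) {
	names := make([]string, 0, len(attrs))
	for n := range attrs {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic order for logs and tests
	var skipped []string
	for _, n := range names {
		if d := Classify(n, p); !d.Apply {
			skipped = append(skipped, n+": "+d.Reason)
			continue
		}
		if err := set(path, n, attrs[n]); err != nil {
			if isPermissionLike(err) {
				skipped = append(skipped, n+": "+err.Error())
				continue
			}
			return skipped, fmt.Errorf("setxattr %s on %s: %w", n, path, err)
		}
	}
	return skipped, nil
}

func main() {
	// Constructed sample attribute set, mimicking what a backup of a file from
	// an OpenShift pod would carry. Linux only (syscall.Setxattr).
	attrs := map[string][]byte{
		"user.mime_type":   []byte("text/plain"),
		"trusted.overlay":  []byte("1"),
		"security.selinux": []byte("system_u:object_r:container_file_t:s0:c1,c2"),
	}
	f, err := os.CreateTemp("", "xattr-demo")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.Remove(f.Name())
	f.Close()
	set := func(path, name string, v []byte) error { return syscall.Setxattr(path, name, v, 0) }
	policy := RestorePolicy{UID: os.Geteuid(), HasCapSysAdmin: false}
	skipped, err := RestoreXattrs(f.Name(), attrs, policy, set)
	fmt.Println("skipped:", skipped, "err:", err)
}
```

      Run as an unprivileged user, the demo skips `trusted.overlay` before any syscall and reports whatever the kernel returns for `security.selinux`, while `user.mime_type` is written normally; the restore as a whole still succeeds.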

      Definition of Done for Engineering Story Owner (Checklist)

      • ...

      Development Complete

      • The code is complete.
      • Functionality is working.
      • Any required downstream Docker file changes are made.

      Tests Automated

      • [ ] Unit/function tests have been automated and incorporated into the
        build.
      • [ ] 100% automated unit/function test coverage for new or changed APIs.

      Secure Design

      • [ ] Security has been assessed and incorporated into your threat model.

      Multidisciplinary Teams Readiness

      • [ ] Create an informative documentation issue using the Customer Portal Doc template that you can access from [The Playbook](https://docs.google.com/document/d/1YTqpZRH54Bnn4WJ2nZmjaCoiRtqmrc2w6DdQxe_yLZ8/edit#heading=h.9fvyr2rdriby), and ensure the doc acceptance criteria are met.
      • Call out this sentence as its own action:
      • [ ] Link the development issue to the doc issue.

      Support Readiness

      • [ ] The must-gather script has been updated.

              Tesshu Flower (tflower@redhat.com)
              Tesshu Flower (tflower@redhat.com)
              Thuy Nguyen