
[release-4.18] OLMv1: fails to unpack cert-manager-operator-bundle


    • Important
    • None
    • Glaceon OLM Sprint 267
    • 1
    • Rejected
    • False
      * Previously, you could not use catalog or bundle images that contained files with restricted extended attributes. With this release, the issue is resolved. (link:https://issues.redhat.com/browse/OCPBUGS-52173[*OCPBUGS-52173*])
      -----
      Cause – user attempts to use catalog or bundle images that contain files that have restrictive extended attributes
      Consequence – catalog and bundle images are unusable
      Fix – when applying files from image to disk, clear these attributes
      Result – catalog and bundle images can be successfully unpacked and used
    • Bug Fix
    • Done

      Description of problem:

      When installing cert-manager-operator 1.15.0 (registry.redhat.io/cert-manager/cert-manager-operator-bundle@sha256:9a212e5a65ec7a71b4462539902515cfeecf5b02fd8a3f3beaaa6c5ecfc49ec2), operator-controller fails unpacking the bundle contents due to the operator-controller user's lack of permission to setxattr properties that are present on files in the image.

      Version-Release number of selected component (if applicable):

      4.18.0    

      How reproducible:

      100%    

      Steps to Reproduce:

      $ cat <<'EOF' | kubectl apply -f -
      ---
      apiVersion: v1
      kind: Namespace
      metadata:
        name: cert-manager-operator
      ---
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: cert-manager-operator-installer
        namespace: cert-manager-operator
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: cert-manager-operator-installer
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-admin
      subjects:
      - kind: ServiceAccount
        name: cert-manager-operator-installer
        namespace: cert-manager-operator
      ---
      apiVersion: olm.operatorframework.io/v1
      kind: ClusterExtension
      metadata:
        name: cert-manager-operator
      spec:
        namespace: cert-manager-operator
        serviceAccount:
          name: cert-manager-operator-installer
        source:
          catalog:
            channels:
            - stable-v1
            packageName: openshift-cert-manager-operator
            upgradeConstraintPolicy: CatalogProvided
            version: 1.15.0
          sourceType: Catalog
      EOF

      Actual results:

      error unpacking image: error applying layer[0]: failed to setxattr "/var/cache/unpack/cert-manager-operator/sha256:9a212e5a65ec7a71b4462539902515cfeecf5b02fd8a3f3beaaa6c5ecfc49ec2/usr/bin/newgidmap" for key "security.capability": operation not permitted for resolved bundle "cert-manager-operator.v1.15.0" with version "1.15.0"'       

      Expected results:

      The bundle unpacks successfully (and likely proceeds successfully through installation)    

      Additional info:

          

              rh-ee-cchantse Catherine Chan-Tse
              jlanford@redhat.com Joe Lanford
              Jian Zhang Jian Zhang
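
The fix named in the release note (clear restrictive extended attributes when applying image files to disk) can be illustrated with the following added Go example, which is not operator-controller's code: it rewrites a layer tar stream with every xattr record removed, so an unprivileged unpacker never has to call setxattr for a key such as security.capability. The function names, the sample layer and its attribute value are constructed for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"strings"
)

// stripXattrs copies tar stream r to w without xattrs and returns "path: key" per dropped attribute.
func stripXattrs(r io.Reader, w io.Writer) (removed []string, err error) {
	const prefix = "SCHILY.xattr." // PAX record prefix that carries xattrs
	tr, tw := tar.NewReader(r), tar.NewWriter(w)
	for {
		h, err := tr.Next()
		if err == io.EOF {
			return removed, tw.Close()
		} else if err != nil {
			return removed, err
		}
		for k := range h.PAXRecords {
			if strings.HasPrefix(k, prefix) {
				removed = append(removed, h.Name+": "+k[len(prefix):])
				delete(h.PAXRecords, k)
			}
		}
		h.Xattrs = nil // deprecated mirror of the same records; the writer would re-emit it
		if err = tw.WriteHeader(h); err == nil {
			_, err = io.Copy(tw, tr)
		}
		if err != nil {
			return removed, err
		}
	}
}

// sampleLayer builds a constructed one-file layer whose file carries a capability xattr.
func sampleLayer() []byte {
	var buf bytes.Buffer
	tw, body := tar.NewWriter(&buf), []byte("constructed binary")
	tw.WriteHeader(&tar.Header{Name: "usr/bin/newgidmap", Mode: 0o755, Size: int64(len(body)), PAXRecords: map[string]string{"SCHILY.xattr.security.capability": "constructed-value"}})
	tw.Write(body)
	tw.Close()
	return buf.Bytes()
}

func main() {
	fmt.Println(stripXattrs(bytes.NewReader(sampleLayer()), io.Discard))
}
```

Dropping the attribute means the unpacked binary no longer carries its file capability, which is acceptable for catalog and bundle content that is only read as data and never executed.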