Bug | Resolution: Unresolved | Normal | rhel-9.5 | Moderate | rhel-sst-container-tools | RUN 260, RUN 261, RUN 262
What were you trying to do that didn't work?
Buildah (and by extension `podman build`) cannot at present deal with files containing IMA xattrs when run by a rootless user. These xattrs cannot be set by non-root users. Most userspace applications (e.g. `cp`) will just strip them if they can't be set, but we presently do not. This is most acutely noticed on systems with rpm-plugin-ima installed, as the catatonit binary which Podman uses to build our rootless pause image receives an IMA xattr, preventing rootless Podman from running pods.
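The behaviour described above (strip an IMA xattr the caller is not allowed to set, instead of failing the whole copy) can be illustrated with the small Go program below. It is an added example written for this page, not Buildah's or Podman's copier code; the function names `xattrIgnorable`, `listXattrs` and `copyXattrs` are invented here, and the policy it encodes is an assumption about what a rootless-safe copier should do: skip attributes the destination filesystem does not support at all (ENOTSUP), and skip `security.*` attributes such as `security.ima` that the kernel refuses (EPERM/EACCES) to an unprivileged writer, while still treating every other failure as an error. It uses only the standard `syscall` package, so it is Linux-only.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// xattrIgnorable reports whether a failure to set extended attribute `name`
// on the destination should be skipped rather than abort the copy.
// Assumed policy (example only, not Buildah's own logic):
//   - ENOTSUP / EOPNOTSUPP: the destination filesystem has no xattr support.
//   - EPERM / EACCES on a security.* attribute (security.ima, security.evm,
//     security.selinux, ...): the kernel or an LSM only lets privileged
//     processes write these, so a rootless copier can never succeed here.
// Any other error is a real error and is returned to the caller.
func xattrIgnorable(name string, err error) bool {
	if err == nil {
		return false
	}
	if errors.Is(err, syscall.ENOTSUP) || errors.Is(err, syscall.EOPNOTSUPP) {
		return true
	}
	if strings.HasPrefix(name, "security.") {
		return errors.Is(err, syscall.EPERM) || errors.Is(err, syscall.EACCES)
	}
	return false
}

// listXattrs returns the names of all extended attributes visible on path.
// A filesystem without xattr support yields an empty list, not an error.
func listXattrs(path string) ([]string, error) {
	buf := make([]byte, 64*1024)
	n, err := syscall.Listxattr(path, buf)
	if err != nil {
		if errors.Is(err, syscall.ENOTSUP) || errors.Is(err, syscall.EOPNOTSUPP) {
			return nil, nil
		}
		return nil, err
	}
	var names []string
	for _, name := range strings.Split(string(buf[:n]), "\x00") {
		if name != "" {
			names = append(names, name)
		}
	}
	return names, nil
}

// copyXattrs copies every extended attribute from src to dst. Attributes the
// caller is not permitted to set are reported in `skipped` instead of failing
// the copy, which is what a rootless build needs for IMA-labelled files.
func copyXattrs(src, dst string) (copied, skipped []string, err error) {
	names, err := listXattrs(src)
	if err != nil {
		return nil, nil, fmt.Errorf("listing xattrs on %s: %w", src, err)
	}
	for _, name := range names {
		val := make([]byte, 64*1024)
		n, err := syscall.Getxattr(src, name, val)
		if err != nil {
			return copied, skipped, fmt.Errorf("reading %s on %s: %w", name, src, err)
		}
		if err := syscall.Setxattr(dst, name, val[:n], 0); err != nil {
			if xattrIgnorable(name, err) {
				skipped = append(skipped, name)
				continue
			}
			return copied, skipped, fmt.Errorf("setting %s on %s: %w", name, dst, err)
		}
		copied = append(copied, name)
	}
	return copied, skipped, nil
}

func main() {
	// Constructed demo: two scratch files in the temp dir, one user.* xattr
	// on the source, plus an attempt to label it with security.ima the way
	// rpm-plugin-ima would (this attempt fails with EPERM when not root).
	dir, _ := os.MkdirTemp("", "xattr-demo")
	defer os.RemoveAll(dir)
	src, dst := filepath.Join(dir, "src"), filepath.Join(dir, "dst")
	_ = os.WriteFile(src, []byte("binary"), 0o755)
	_ = os.WriteFile(dst, []byte("binary"), 0o755)
	_ = syscall.Setxattr(src, "user.demo", []byte("1"), 0)
	if err := syscall.Setxattr(src, "security.ima", []byte{0x04}, 0); err != nil {
		fmt.Println("security.ima on source:", err)
	}
	copied, skipped, err := copyXattrs(src, dst)
	fmt.Printf("copied=%v skipped=%v err=%v\n", copied, skipped, err)
}
```

The decision is deliberately made per attribute name: a denied `user.*` attribute is still an error, because that indicates a real ownership or permission problem rather than a kernel-enforced label the copier could never have written.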
What is the impact of this issue to you?
Rootless Podman functionality severely degraded
Please provide the package NVR for which the bug is seen:
All Podman and Buildah versions released are affected
How reproducible is this bug?:
100%
Steps to reproduce
As a non-root user:
- dnf install rpm-plugin-ima
- podman system reset
- dnf reinstall catatonit
- podman pod create testpod
Expected results
Pod created successfully
Actual results
Error: building local pause image: building at STEP "COPY /usr/libexec/podman/catatonit /catatonit": storing "/usr/libexec/podman/catatonit": error during bulk transfer for copier.request{Request:"PUT", Root:"/", preservedRoot:"/home/opc/.local/share/containers/storage/overlay/0adae3dcb1489aaa997f3706f3ab8e8d101c3e7fd0598b33189a877f8a3200d5/merged", rootPrefix:"/home/opc/.local/share/containers/storage/overlay/0adae3dcb1489aaa997f3706f3ab8e8d101c3e7fd0598b33189a877f8a3200d5/merged", Directory:"/", preservedDirectory:"/home/opc/.local/share/containers/storage/overlay/0adae3dcb1489aaa997f3706f3ab8e8d101c3e7fd0598b33189a877f8a3200d5/merged", Globs:[]string{}, preservedGlobs:[]string{}, StatOptions:copier.StatOptions{CheckForArchives:false, Excludes:[]string(nil)}, GetOptions:copier.GetOptions{UIDMap:[]idtools.IDMap(nil), GIDMap:[]idtools.IDMap(nil), Excludes:[]string(nil), ExpandArchives:false, ChownDirs:(*idtools.IDPair)(nil), ChmodDirs:(*fs.FileMode)(nil), ChownFiles:(*idtools.IDPair)(nil), ChmodFiles:(*fs.FileMode)(nil), StripSetuidBit:false, StripSetgidBit:false, StripStickyBit:false, StripXattrs:false, KeepDirectoryNames:false, Rename:map[string]string(nil), NoDerefSymlinks:false, IgnoreUnreadable:false, NoCrossDevice:false}, PutOptions:copier.PutOptions{UIDMap:[]idtools.IDMap{}, GIDMap:[]idtools.IDMap{}, DefaultDirOwner:(*idtools.IDPair)(0xc0005dddb0), DefaultDirMode:(*fs.FileMode)(nil), ChownDirs:(*idtools.IDPair)(nil), ChmodDirs:(*fs.FileMode)(nil), ChownFiles:(*idtools.IDPair)(nil), ChmodFiles:(*fs.FileMode)(nil), StripSetuidBit:false, StripSetgidBit:false, StripStickyBit:false, StripXattrs:false, IgnoreXattrErrors:false, IgnoreDevices:true, NoOverwriteDirNonDir:false, NoOverwriteNonDirDir:false, Rename:map[string]string(nil)}, MkdirOptions:copier.MkdirOptions{UIDMap:[]idtools.IDMap(nil), GIDMap:[]idtools.IDMap(nil), ChownNew:(*idtools.IDPair)(nil), ChmodNew:(*fs.FileMode)(nil)}, RemoveOptions:copier.RemoveOptions{All:false}}: copier: put: error setting extended attributes on "/catatonit": setting value of extended attribute "security.ima" on "/catatonit": operation not permitted