Story
Resolution: Done
rhel-container-tools
RUN 263
Customer Facing
[2671816529] Upstream Reporter: Manu
Upstream issue status: Closed
Upstream description:
Issue Description
This is a bit of an edge case. When extracting an image that has a named pipe inside, setting the xattr user.containers.override_stat for force_mask=shared fails. Using setfattr directly also fails.
I'm assuming this is a limitation of extended attributes, but wonder if Podman should ignore such errors instead of failing to pull the image.
Steps to reproduce the issue (all run as root user)
Pulling the image with podman pull:
# podman --storage-opt=overlay.force_mask=shared pull docker.io/privatebin/fs:1.7.5
Trying to pull docker.io/privatebin/fs:1.7.5...
Getting image source signatures
Copying blob 4f4fb700ef54 skipped: already exists
Copying blob 06ad7d3e6d44 done   |
Copying blob da9db072f522 skipped: already exists
Copying blob a1e61df148cb done   |
Copying blob f6ba44d80dfe done   |
Error: copying system image from manifest list: writing blob: adding layer with blob "sha256:a1e61df148cbf56a174660fbc701191105f58fa4dcd60ca7ba56ce5e42b6e485"/""/"sha256:4bef5d03909cda3717dbf5caa1fc1f64a63b5e3b4072b87cf6c281cb20997f88": unpacking failed (error: exit status 1; output: lsetxattr /etc/s6/services/nginx/supervise/control: operation not permitted)
Using setfattr directly fails on the same file:
# setfattr -n user.myattribute -v "value" .../diff/etc/s6/services/nginx/supervise/control
setfattr: .../diff/etc/s6/services/nginx/supervise/control: Operation not permitted
File seems to be a named pipe:
# ls -lh .../diff/etc/s6/services/nginx/supervise/control
prw-r--r--. 1 165533 100081 0 Nov 16 07:41 .../diff/etc/s6/services/nginx/supervise/control
Describe the results you received
Pulling the image fails with the force_mask=shared setting.
Describe the results you expected
Pulling the image should succeed, even if the xattr of this one file isn't set.
podman info output
# podman info
host:
  arch: amd64
  buildahVersion: 1.37.3
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-1.el9.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: 7ba5bd6c81ff2c10e07aee8c4281d12a2878fa12'
  cpuUtilization:
    idlePercent: 67.42
    systemPercent: 8.86
    userPercent: 23.72
  cpus: 6
  databaseBackend: sqlite
  distribution:
    distribution: centos
    version: "9"
  eventLogger: journald
  freeLocks: 2048
  hostname: podhost24.test.pikapods.com
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.14.0-513.el9.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 525811712
  memTotal: 25127485440
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.12.1-1.el9.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.12.1
    package: netavark-1.12.2-1.el9.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.12.2
  ociRuntime:
    name: crun
    package: crun-1.16.1-1.el9.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.16.1
      commit: afa829ca0122bd5e1d67f1f38e6cc348027e3c32
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: /bin/pasta
    package: passt-0^20240806.gee36266-2.el9.x86_64
    version: |
      pasta 0^20240806.gee36266-2.el9.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /bin/slirp4netns
    package: slirp4netns-1.3.1-1.el9.x86_64
    version: |-
      slirp4netns version 1.3.1
      commit: e5e368c4f5db6ae75c2fce786e31eef9da6bf236
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.2
  swapFree: 8008605696
  swapTotal: 17061371904
  uptime: 7h 51m 49.00s (Approximately 0.29 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.14-1.el9.x86_64
      Version: |-
        fusermount3 version: 3.10.2
        fuse-overlayfs: version 1.13-dev
        FUSE library version 3.10.2
        using FUSE kernel interface version 7.31
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 232300244992
  graphRootUsed: 134731993088
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 134
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.2.3
  Built: 1728390864
  BuiltTime: Tue Oct 8 12:34:24 2024
  GitCommit: ""
  GoVersion: go1.22.5 (Red Hat 1.22.5-2.el9)
  Os: linux
  OsArch: linux/amd64
  Version: 5.2.3
Podman in a container
No
Privileged Or Rootless
Privileged
Upstream Latest Release
No
Additional environment details
No response
Additional information
No response
Upstream URL: https://github.com/containers/storage/issues/2174
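The failure described in the upstream issue comes from the kernel's xattr permission rule rather than from the image or the storage driver: attributes in the user.* namespace can only be written on regular files and directories, so lsetxattr on the FIFO supervise/control returns EPERM whatever filesystem backs the layer. The Python script below is an added example, not code from the issue or from containers/storage. It builds a constructed layer directory containing a regular file, a directory and a named pipe, tries to record user.containers.override_stat on each entry, and contrasts a strict extractor that aborts on the FIFO (today's behaviour) with one that skips it (the behaviour the reporter asks for). The "uid:gid:mode" value layout and the function names are assumptions made for this example.

```python
"""Added example (not from the upstream issue or from containers/storage):
why user.containers.override_stat cannot be set on a named pipe, and what
an extractor that tolerates that case looks like."""
import errno
import os
import stat
import tempfile

# Name taken from the issue. The value layout "uid:gid:mode" is an
# assumption about what force_mask stores, used here only for illustration.
OVERRIDE_XATTR = "user.containers.override_stat"


def override_stat_value(uid: int, gid: int, mode: int) -> bytes:
    """Encode the real ownership and permission bits as 'uid:gid:octal-mode'."""
    return f"{uid}:{gid}:{stat.S_IMODE(mode):o}".encode()


def classify_setxattr_error(err_no: int) -> str:
    """Map an errno from setxattr(2) onto the extractor's decision."""
    if err_no == errno.EPERM:
        # The VFS rejects user.* writes on anything that is not a regular
        # file or a directory (FIFOs, sockets, device nodes) before the
        # filesystem is consulted, so this is the FIFO case from the issue.
        return "skipped-eperm"
    if err_no in (errno.ENOTSUP, errno.EOPNOTSUPP):
        # Filesystem has no user xattr support at all (e.g. old tmpfs).
        return "unsupported"
    return "fatal"


def record_override_stat(path: str, tolerate_special_files: bool) -> str:
    """Try to store the override_stat xattr on one extracted entry.

    Returns "set" on success. With tolerate_special_files=True, EPERM on a
    non-regular, non-directory inode is reported as "skipped-eperm" instead
    of being raised; with False the OSError propagates, like the failing
    pull in the issue.
    """
    st = os.lstat(path)
    value = override_stat_value(st.st_uid, st.st_gid, st.st_mode)
    try:
        # follow_symlinks=False makes this lsetxattr(2), as in the error text.
        os.setxattr(path, OVERRIDE_XATTR, value, follow_symlinks=False)
        return "set"
    except OSError as exc:
        outcome = classify_setxattr_error(exc.errno)
        special = not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode))
        if outcome == "skipped-eperm" and special and tolerate_special_files:
            return outcome
        if outcome == "unsupported":
            return outcome
        raise


def extract_layer_demo(tolerate_special_files: bool) -> dict:
    """Build a constructed layer (file, directory, FIFO) and apply the xattr to each.

    Returns {entry kind: outcome}; a propagated error is recorded as
    "error:<ERRNO NAME>" so both modes can be compared side by side.
    """
    results = {}
    with tempfile.TemporaryDirectory() as layer:
        entries = {
            "regular": os.path.join(layer, "nginx.conf"),
            "directory": os.path.join(layer, "supervise"),
            "fifo": os.path.join(layer, "supervise", "control"),
        }
        with open(entries["regular"], "w") as fh:
            fh.write("# constructed sample file\n")
        os.mkdir(entries["directory"])
        os.mkfifo(entries["fifo"])  # mirrors s6's supervise/control pipe
        for kind, path in entries.items():
            try:
                results[kind] = record_override_stat(path, tolerate_special_files)
            except OSError as exc:
                results[kind] = f"error:{errno.errorcode.get(exc.errno, exc.errno)}"
    return results


if __name__ == "__main__":
    print("strict   :", extract_layer_demo(tolerate_special_files=False))
    print("tolerant :", extract_layer_demo(tolerate_special_files=True))
```

Run it as an ordinary user on Linux. The FIFO entry reports error:EPERM in strict mode and skipped-eperm in tolerant mode on every filesystem, because the check happens in the VFS; the regular-file entry shows "set" where the filesystem supports user xattrs and "unsupported" where it does not, which is a separate condition an extractor should also keep distinct from a real failure.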