tar_extract: only warn for forbidden xattrs

Closes #302 Rootless mode currently warns if a forbidden xattr is seen, while extractions as root error out. Make root extractions warn, so that docker images such as cern/sl6-base:latest can be extracted as root without failing due to this error. Signed-off-by: David Trudgian <[email protected]>
opencontainers · Oct 17, 2019 · 72ae591 · 72ae591
1 parent 3335a0d
commit 72ae591
Showing 1 changed file with 2 additions and 5 deletions.
diff --git a/oci/layer/tar_extract.go b/oci/layer/tar_extract.go
@@ -158,11 +158,8 @@ func (te *TarExtractor) restoreMetadata(path string, hdr *tar.Header) error {
 					continue
 				}
 			}
-			if te.partialRootless {
-				log.Warnf("rootless{%s} ignoring forbidden xattr: %q", hdr.Name, name)
-				continue
-			}
-			return errors.Errorf("restore xattr metadata: saw forbidden xattr %q: %s", name, hdr.Name)
+			log.Warnf("xattr{%s} ignoring forbidden xattr: %q", hdr.Name, name)
+			continue
 		}
 		if err := te.fsEval.Lsetxattr(path, name, value, 0); err != nil {
 			// In rootless mode, some xattrs will fail (security.capability).