
selinux xattr errors for Scientific Linux as with root #302

Closed
dtrudg opened this issue Oct 16, 2019 · 1 comment

Comments

@dtrudg
Contributor

dtrudg commented Oct 16, 2019

We're now using umoci for OCI layer extractions in https://github.com/sylabs/singularity due to the more faithful extraction of permissions compared to containers/image-tools - as recommended by @cyphar in opencontainers/image-tools#218

In a recent issue https://github.com/sylabs/singularity/issues/4578 a user reports that umoci extraction errors out for the CERN Scientific Linux 6 docker image (cern/slc6-base:latest). The reason for this is that the layers for this image contain selinux xattrs. In the rootless flow (--fakeroot option for Singularity builds) umoci will just warn about the forbidden xattr. In the flow for extraction with root it will error.

unpack layer: unpack entry: .: apply hdr metadata: restore xattr metadata: saw forbidden xattr "security.selinux": .

I understand from @olifre who reported the issue to Singularity that the CERN SL6 docker image is built with koji. Following up the trail I see that koji is using redhat-imaging/imagefactory@8c61f3e to build a docker image. Since the referenced commit in mid 2016 that will be excluding selinux xattrs - so there's an argument here that the docker image is broken. However, given that docker can handle this without issue would it be reasonable for umoci to warn rather than error in extractions as root (like it already does rootless), by default or via an option?
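As an added illustration (not code from umoci or from anyone in this thread), the following Go program inspects a layer tarball for the forbidden "security.selinux" xattr before anything is written to disk, and shows both policies discussed here: the pre-fix root behaviour (fail on the first forbidden xattr) and the rootless/post-fix behaviour (record a warning and carry on). The forbidden-name list, the in-memory sample layer and its SELinux label are constructed for this example; umoci's own list and its exact messages are not reproduced.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"strings"
)

// Forbidden xattr names; constructed from the page's one example, not umoci's real list.
var forbiddenXattrs = map[string]bool{"security.selinux": true}

// CheckLayer inspects a layer without extracting it. strict (root extraction
// before the fix) makes a forbidden xattr fatal; otherwise it is only warned about.
func CheckLayer(r io.Reader, strict bool) ([]string, error) {
	var warnings []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return warnings, nil
		} else if err != nil {
			return nil, err
		}
		// Tar carries extended attributes as PAX records keyed "SCHILY.xattr.<name>".
		for k, v := range hdr.PAXRecords {
			name := strings.TrimPrefix(k, "SCHILY.xattr.")
			if name == k || !forbiddenXattrs[name] {
				continue // not an xattr record, or an allowed one
			}
			if strict {
				return nil, fmt.Errorf("restore xattr metadata: saw forbidden xattr %q: %s", name, hdr.Name)
			}
			warnings = append(warnings, fmt.Sprintf("%s: ignoring forbidden xattr %s=%s", hdr.Name, name, v))
		}
	}
}

// SampleLayer builds an in-memory layer (constructed data) whose root entry
// carries a SELinux label, as the reported cern/slc6-base layers do.
func SampleLayer() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: ".", Typeflag: tar.TypeDir, Mode: 0755, PAXRecords: map[string]string{
		"SCHILY.xattr.security.selinux": "system_u:object_r:root_t:s0"}})
	tw.Close()
	return buf.Bytes()
}
```

Running CheckLayer over SampleLayer() with strict=true reproduces the shape of the error quoted above; with strict=false the same entry is reported as a single warning and the walk completes.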

dtrudg added a commit to dtrudg/umoci that referenced this issue Oct 16, 2019
Closes opencontainers#302

Rootless mode currently warns if a forbidden xattr is seen, while
extractions as root error out. Make root extractions warn, so that
docker images such as cern/sl6-base:latest can be extracted as root
without failing due to this error.

Signed-off-by: David Trudgian <[email protected]>
dtrudg added a commit to dtrudg/umoci that referenced this issue Oct 16, 2019
@cyphar
Member

cyphar commented Oct 17, 2019

We can definitely change it to give a warning and ignore it -- Docker is just straight-up silently ignoring the forbidden xattrs (which is definitely the wrong thing to do -- though that's not a surprise, Docker has always silently ignored things it really shouldn't).

dtrudg added a commit to dtrudg/umoci that referenced this issue Oct 17, 2019
@cyphar cyphar closed this as completed in 72ae591 Oct 17, 2019
dtrudg added a commit to sylabs/umoci that referenced this issue Oct 17, 2019
hallyn pushed a commit to hallyn/umoci that referenced this issue Jan 28, 2020