-
Notifications
You must be signed in to change notification settings - Fork 97
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
layer: Xattr unpack code is broken on Fedora/RHEL #49
Comments
if I add |
Yup. I have a comment about "this probably breaks on RedHat" 😉. I'm not super familiar about What I currently do is this:
This is clearly not correct, so what should I be doing? Should I be modifying |
clearly my command fails there right? I would test if setting xattrs directly solves this |
No, it's failing when clearing. You can pass
I think the issue is that
It probably does. I will try it out, but is there a nice environment I can use to test SELinux? Will a Fedora VM work out-of-the box with SELinux in enforcing mode?
Not sure. The spec is quite hazy about |
I usually spin up fedora vms out of qcow2 images (fedora cloud images) and everything works great with Selinux and the rest |
Okay, it "works" if I just remove the diff --git a/oci/layer/tar_extract.go b/oci/layer/tar_extract.go
index cb017d86f869..622b550e6d38 100644
--- a/oci/layer/tar_extract.go
+++ b/oci/layer/tar_extract.go
@@ -99,11 +99,7 @@ func (te *tarExtractor) restoreMetadata(path string, hdr *tar.Header) error {
// Apply xattrs. In order to make sure that we *only* have the xattr set we
// want, we first clear the set of xattrs from the file then apply the ones
// set in the tar.Header.
- // XXX: This will almost certainly break horribly on RedHat.
if !te.mapOptions.Rootless {
- if err := system.Lclearxattrs(path); err != nil {
- return errors.Wrapf(err, "clear xattr metadata: %s", path)
- }
for name, value := range hdr.Xattrs {
if err := system.Lsetxattr(path, name, []byte(value), 0); err != nil {
return errors.Wrapf(err, "restore xattr metadata: %s", path) |
@rhatdan do you have any idea here? |
Lclearxattr is actually not useful because on SELinux enabled systems, attempting to remove a security context label will always fail. There's probably nicer ways of dealing with this, but for the moment this fixes (on the surface) cyphar/umoci#49. Signed-off-by: Aleksa Sarai <asarai@suse.com>
I think it is fine to remove the xattrs or we could add a check for the selinux class and only remove the ones that are not security attributes. |
This probably would not happen on devicemapper back end. |
@rhatdan Do you think an
This is being done into a plain directory (I'm not using any storage drivers, it's just purely tar unpacking implemented in Go with some of my own tricks to ensure that the output is consistent). |
I would not include security attributes, since those can vary from machine to machine, and could be different based on the paths you install. |
Are there any other |
I think there is very little use of xattrs, other then for security. At least that I am aware of. |
On RHEL/Fedora this fixes issues under SELinux where trying to remove a "security.selinux" label is a capital-B bad idea. It also might be necessary to handle blacklisting "security.*" xattrs when we generate archives. Fixes: cyphar/umoci#49 Signed-off-by: Aleksa Sarai <asarai@suse.com>
Can you guys PTAL at #51 to see if that fixes the issue for you (it fixes the issue for me). |
I was looking it up, and |
On RHEL/Fedora this fixes issues under SELinux where trying to remove a "security.selinux" label is a capital-B bad idea. It also might be necessary to handle blacklisting "security.*" xattrs when we generate archives. Fixes: cyphar/umoci#49 Signed-off-by: Aleksa Sarai <asarai@suse.com>
On RHEL/Fedora this fixes issues under SELinux where trying to remove a "security.selinux" label is a capital-B bad idea. It also might be necessary to handle blacklisting "security.*" xattrs when we generate archives. Fixes: cyphar/umoci#49 Signed-off-by: Aleksa Sarai <asarai@suse.com>
On RHEL/Fedora this fixes issues under SELinux where trying to remove a "security.selinux" label is a capital-B bad idea. It also might be necessary to handle blacklisting "security.*" xattrs when we generate archives. Fixes: cyphar/umoci#49 Signed-off-by: Aleksa Sarai <asarai@suse.com>
On RHEL/Fedora this fixes issues under SELinux where trying to remove a "security.selinux" label is a capital-B bad idea. It also might be necessary to handle blacklisting "security.*" xattrs when we generate archives. Fixes: cyphar/umoci#49 Signed-off-by: Aleksa Sarai <asarai@suse.com>
LGTM |
By the way @runcom, the reason that
Just in case you were still wondering why |
@cyphar cool. I don't feel strongly about having that in OCI image tools. I do feel umoci is great on unpacking from my experience so I'll stick with it for now. Of course, pushing missing functionalities on image-tools would be great as well. |
security is the most standard use xattrs, but there a number of projects that store arbitrary data in the user xattrs. but those are probably more "nice to have" rather than "must have". |
Hi @cyphar I still see this issue on a RHEL7-based (CERN has its own flavor CERN Centos 7) distro:
on fedora-25 vagrant box it works fine. If that's a too niche use-case I understand, but if you have any ideas on what to look at e.g. in the debug output to try to fix it, I'd be happy to take a look (@traylenator -- perhaps this is interesting to you) |
@lukasheinrich Can you give me the list of |
Ah -- I think I figured it out. I was trying to unpack within a AFS share, which probably has all kinds of xattrs defined. On the local disk of that machine it works. |
just have a busybox image copied with skopeo to OCI format, then:
The text was updated successfully, but these errors were encountered: