Copy of buildkit-qemu-emulator should ignore xattr failures #5544

Open
@rgov

There are a number of bug reports in various places that look like the following.

    executor failed running [/dev/.buildkit_qemu_emulator xyz]:
    failed to copy xattrs: failed to set xattr "security.selinux" on
    /tmp/buildkit-qemu-emulator538849571/dev/.buildkit_qemu_emulator:
    operation not supported

The issue applies to systems with SELinux enabled; SELinux prevents the modification of an ACL attached to a file as an xattr.

The error arises when copying the emulator binary into a temporary location:

    if err := copy.Copy(context.TODO(), filepath.Dir(m.path), filepath.Base(m.path), tmpdir, qemuMountName, func(ci *copy.CopyInfo) {
        m := 0555
        ci.Mode = &m
    }, copy.WithChown(uid, gid)); err != nil {
        return nil, nil, err
    }

The implementation of copy.Copy() is from tonistiigi/fsutil. The error string "failed to copy xattrs" originates here:

https://github.com/tonistiigi/fsutil/blob/0789dc562bd7099bec7be479164e261ac5334f5f/copy/copy.go#L425-L427

Several years ago the PR containerd/continuity#138 added an option to ignore xattr errors specifically due to this security.selinux issue. The tonistiigi/fsutil implementation mirrors this option, but it is unused in the BuildKit code.

I believe in the BuildKit code ci.XAttrErrorHandler should be set to a function that ignores ENOTSUP, as in this PR.

cc @tonistiigi.
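
A sketch of the kind of handler proposed above, as an added example that is not BuildKit, fsutil or continuity code: it tolerates only ENOTSUP, records which attribute was skipped so the dropped label is visible to the caller, and still fails the copy on any other error such as EPERM. The handler type is redeclared locally on the assumption that it matches the libraries' `XAttrErrorHandler` signature; `tolerateUnsupported`, `simulateCopy`, the paths and the error values are hypothetical and constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// Assumed to have the same shape as the XAttrErrorHandler type in
// containerd/continuity and tonistiigi/fsutil; redeclared so this file has no dependencies.
type xattrErrorHandler func(dst, src, xattrKey string, err error) error

// tolerateUnsupported returns a handler that drops ENOTSUP ("operation not
// supported") and records the skipped attribute; every other error is returned.
func tolerateUnsupported(skipped *[]string) xattrErrorHandler {
	return func(dst, src, xattrKey string, err error) error {
		if errors.Is(err, syscall.ENOTSUP) {
			*skipped = append(*skipped, xattrKey)
			return nil
		}
		return err
	}
}

// simulateCopy is a hypothetical stand-in for a copier's xattr loop: the first
// error the handler returns aborts the copy.
func simulateCopy(h xattrErrorHandler, keys []string, errs []error) error {
	for i, key := range keys {
		if errs[i] == nil {
			continue
		}
		if err := h("/tmp/dst", "/src", key, errs[i]); err != nil {
			return fmt.Errorf("failed to copy xattrs: %w", err)
		}
	}
	return nil
}

func main() {
	var skipped []string
	h := tolerateUnsupported(&skipped)
	// Constructed results: one ENOTSUP wrapped as a path error, then an EPERM.
	keys := []string{"security.selinux", "security.capability"}
	errs := []error{&os.PathError{Op: "lsetxattr", Path: "/tmp/dst", Err: syscall.ENOTSUP}, syscall.EPERM}
	fmt.Println("copy result:", simulateCopy(h, keys, errs))
	fmt.Println("skipped:", skipped)
}
```
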
