
Unable to pull image : Error processing tar file(exit status 1): lsetxattr /vendor: invalid argument #1076

Closed
JayDoubleu opened this issue Nov 25, 2021 · 4 comments · Fixed by #1077

@JayDoubleu

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Trying to pull the image results in an error.

Steps to reproduce the issue:

  1. podman pull docker.io/redroid/redroid:12.0.0-latest

Describe the results you received:

podman pull  docker.io/redroid/redroid:12.0.0-latest
Trying to pull docker.io/redroid/redroid:12.0.0-latest...
Getting image source signatures
Copying blob ceb15e8db176 done  
Error: writing blob: adding layer with blob "sha256:ceb15e8db176ee6ef1a642f8dd04724269e75d73a4b5525cca6872f7146e2a9c": Error processing tar file(exit status 1): lsetxattr /vendor: invalid argument

Describe the results you expected:

Getting image source signatures
Copying blob ceb15e8db176 done  
Copying config 0ef314d6ee done  
Writing manifest to image destination
Storing signatures

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Version:      3.4.2
API Version:  3.4.2
Go Version:   go1.16.8
Built:        Fri Nov 12 20:25:37 2021
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.23.1
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.30-2.fc35.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.30, commit: '
  cpus: 16
  distribution:
    distribution: fedora
    variant: silverblue
    version: "35"
  eventLogger: journald
  hostname: thinkxps-sb
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.14.18-300.fc35.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 1234485248
  memTotal: 33364807680
  ociRuntime:
    name: crun
    package: crun-1.3-1.fc35.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.3
      commit: 8e5757a4e68590326dafe8a8b1b4a584b10a1370
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.12-2.fc35.x86_64
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.3
  swapFree: 8589930496
  swapTotal: 8589930496
  uptime: 25h 54m 21.18s (Approximately 1.04 days)
plugins:
  log:
  - k8s-file
  - none
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /var/home/jaydoubleu/.config/containers/storage.conf
  containerStore:
    number: 126
    paused: 0
    running: 1
    stopped: 125
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/home/jaydoubleu/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 62
  runRoot: /run/user/1000/containers
  volumePath: /var/home/jaydoubleu/.local/share/containers/storage/volumes
version:
  APIVersion: 3.4.2
  Built: 1636748737
  BuiltTime: Fri Nov 12 20:25:37 2021
  GitCommit: ""
  GoVersion: go1.16.8
  OsArch: linux/amd64
  Version: 3.4.2

Package info (e.g. output of rpm -q podman or apt list podman):

podman-3.4.2-1.fc35.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes

Additional details:

Seems to work ok when running the same command as sudo.

Skopeo copy to containers-storage returns the same results:

skopeo copy docker://docker.io/redroid/redroid:12.0.0-amd64 containers-storage:docker.io/redroid/redroid:12.0.0-amd64 
Getting image source signatures
Copying blob ceb15e8db176 done  
FATA[0042] writing blob: adding layer with blob "sha256:ceb15e8db176ee6ef1a642f8dd04724269e75d73a4b5525cca6872f7146e2a9c": Error processing tar file(exit status 1): lsetxattr /vendor: invalid argument 
ERRO[0042] exit status 1   

Skopeo copy to dir or oci returns:

skopeo copy docker://docker.io/redroid/redroid:12.0.0-amd64 oci:test
Getting image source signatures
Copying blob ceb15e8db176 done  
Copying config 0ef314d6ee done  
Writing manifest to image destination
Storing signatures
@giuseppe (Member)

How was the image created?

The file /vendor has an extended attribute, security.selinux=u:object_r:vendor_file:s0, which probably doesn't exist on your system.

@rhatdan should we ignore security.selinux when we extract the image?

@giuseppe giuseppe transferred this issue from containers/podman Nov 26, 2021
@giuseppe giuseppe self-assigned this Nov 26, 2021
giuseppe added a commit to giuseppe/storage that referenced this issue Nov 26, 2021
ignore the security.selinux xattr if it is present in the tarball
header, since invalid labels cannot be set by unprivileged users and
the `lsetxattr` syscall fails with EINVAL.

Closes: containers#1076

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
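Added example, not part of this issue and not the containers/storage fix itself: a small Go program, using only the standard archive/tar package, that shows where the label sits in a layer tarball (the PAX record SCHILY.xattr.security.selinux that GNU tar and Go's archive/tar use for the security.selinux xattr) and what "ignore the security.selinux xattr" means in practice. The in-memory sample archive with its vendor/ and etc/hostname entries, and the function names, are assumptions made for the example; only the label value u:object_r:vendor_file:s0 is taken from the comment above.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
)

// PAX record key under which GNU tar and Go's archive/tar carry security.selinux.
const selinuxPAXKey = "SCHILY.xattr.security.selinux"

// buildSampleLayer constructs, in memory, a tar that mimics the failing layer: a
// vendor/ directory carrying an Android SELinux label the desktop host policy does
// not define, plus an unlabeled file. Entries are constructed; the label is from the issue.
func buildSampleLayer() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	must(tw.WriteHeader(&tar.Header{Name: "vendor/", Typeflag: tar.TypeDir, Mode: 0755,
		PAXRecords: map[string]string{selinuxPAXKey: "u:object_r:vendor_file:s0"}}))
	body := []byte("redroid\n")
	must(tw.WriteHeader(&tar.Header{Name: "etc/hostname", Typeflag: tar.TypeReg, Mode: 0644, Size: int64(len(body))}))
	_, err := tw.Write(body)
	must(err)
	must(tw.Close())
	return buf.Bytes()
}

// InspectLayer walks a tar stream once and returns, keyed by entry name, the SELinux
// label each header asks the extractor to apply, plus the body of every regular file.
// Each labeled path is one where a rootless extraction would call lsetxattr with a
// label the host policy may reject with EINVAL.
func InspectLayer(r io.Reader) (map[string]string, map[string][]byte, error) {
	labels, files := map[string]string{}, map[string][]byte{}
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return labels, files, nil
		}
		if err != nil {
			return nil, nil, err
		}
		if v, ok := hdr.PAXRecords[selinuxPAXKey]; ok {
			labels[hdr.Name] = v
		}
		if hdr.Typeflag == tar.TypeReg {
			body, err := io.ReadAll(tr)
			if err != nil {
				return nil, nil, err
			}
			files[hdr.Name] = body
		}
	}
}

// StripSELinuxXattr copies a tar stream to w with only the security.selinux xattr
// removed from each header; other xattrs, modes, owners and bodies are preserved.
func StripSELinuxXattr(r io.Reader, w io.Writer) (int, error) {
	tr, tw, dropped := tar.NewReader(r), tar.NewWriter(w), 0
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return dropped, tw.Close()
		}
		if err != nil {
			return dropped, err
		}
		if _, ok := hdr.PAXRecords[selinuxPAXKey]; ok {
			delete(hdr.PAXRecords, selinuxPAXKey)
			delete(hdr.Xattrs, "security.selinux") // legacy mirror of the PAX record
			dropped++
		}
		if err := tw.WriteHeader(hdr); err != nil {
			return dropped, err
		}
		if _, err := io.Copy(tw, tr); err != nil {
			return dropped, err
		}
	}
}

func main() {
	layer := buildSampleLayer()
	fmt.Println(InspectLayer(bytes.NewReader(layer))) // labels, file bodies, error
	var cleaned bytes.Buffer
	n, err := StripSELinuxXattr(bytes.NewReader(layer), &cleaned)
	if err != nil {
		panic(err)
	}
	fmt.Printf("headers rewritten: %d\n", n)
}
```

The commit message above describes ignoring the xattr at extraction time; this example instead rewrites the archive so the transform can be checked offline without a SELinux host. InspectLayer is the triage step to run on a layer blob exported with `skopeo copy ... oci:...` when a rootless pull fails with `lsetxattr ... invalid argument`: any path it lists carries a label that only a privileged user with a matching policy could apply, which is why the same pull succeeds under sudo.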
@giuseppe (Member)

opened a PR: #1077

@JayDoubleu (Author)

I'm not 100% sure how these images are getting created.
redroid provides some Container files to build it here: https://github.com/remote-android/redroid-doc/tree/master/android-builder-docker

However, it seems that the filesystem is built by some build system used to build Android.

@rhatdan (Member)

rhatdan commented Nov 29, 2021

Yes we should ignore selinux labels in an image.
