April upcoming gitpod: cap_net_bind_service lost from docker image on restore

[rfay]

Bug description

When an image is pulled that has setcap cap_net_bind_service, it works correctly on first use. Unfortunately, if the instance is stopped and then restarted, the cap_net_bind_service is lost. The same thing would result from a prebuild followed by launching an instance.

Steps to reproduce

I prepared a repo to demonstrate this, https://github.com/rfay/cap-add-demo - it has a README with full instructions.

Basically:

1. In a gitpod workspace, docker-up and pull a docker image that has cap_net_bind_service set (I'm sure this is any setcap)
2. Verify that the setcap is functional using getcap
3. Stop the gitpod workspace
4. Start the gitpod workspace. You'll find that the cap_net_bind_service is lost

Expected behavior

An image should behave the same after restore or after prebuild as they do originally. Capabilities should not be lost.

Example repository

https://github.com/rfay/cap-add-demo

[aledbf]

@rfay thank you for the report

[aledbf]

@csweichel the capabilities are not present in the generated tar file

extended attributes are present now but missing permissions

{"@type":"type.googleapis.com/google.devtools.clouderrorreporting.v1beta1.ReportedErrorEvent","error":"operation not permitted","file":"/dst/.docker-root/overlay2/9e3bf27672b86fbfb9aa4f52e32d286b2db358b22e31b4363ee02f987617daae/diff/bin/nc.traditional","level":"error","message":"restoring extended attributes","name":"security.capability","severity":"ERROR","time":"2021-04-02T00:05:07Z","value":"\u0001\u0000\u0000\u0003\u0000\u0004\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00005\ufffd\u0000\u0000"}

WIP: #3722