Untar does not support symbolic links

[rrileyca]

Summary

When creating an OCIRepository to monitor the following docker repo: https://artifacthub.io/packages/helm/kiwigrid/spring-cloud-config-server, I get an error saying failed to extract layer contents from artifact: tar file entry bin/bzcmp contained unsupported file type Lrwxrwxrwx.

The errors at loglevel=debug are:

{"level":"error","ts":"2023-04-19T18:53:43.631Z","msg":"failed to extract layer contents from artifact: tar file entry bin/bzcmp contained unsupported file type Lrwxrwxrwx","controller":"ocirepository","controllerGroup":"source.toolkit.fluxcd.io","controllerKind":"OCIRepository","OCIRepository":{"name":"sck-config-server","namespace":"sck-config-server"},"namespace":"sck-config-server","name":"sck-config-server","reconcileID":"2c263b98-2fc8-4522-9ec1-bf3eae575868","error":"failed to extract layer contents from artifact: tar file entry bin/bzcmp contained unsupported file type Lrwxrwxrwx","stacktrace":"github.com/fluxcd/source-controller/internal/reconcile/summarize.logError\n\tgithub.com/fluxcd/source-controller/internal/reconcile/summarize/processor.go:99\ngithub.com/fluxcd/source-controller/internal/reconcile/summarize.ErrorActionHandler\n\tgithub.com/fluxcd/source-controller/internal/reconcile/summarize/processor.go:77\ngithub.com/fluxcd/source-controller/internal/reconcile/summarize.(*Helper).SummarizeAndPatch\n\tgithub.com/fluxcd/source-controller/internal/reconcile/summarize/summary.go:193\ngithub.com/fluxcd/source-controller/controllers.(*OCIRepositoryReconciler).Reconcile.func1\n\tgithub.com/fluxcd/source-controller/controllers/ocirepository_controller.go:210\ngithub.com/fluxcd/source-controller/controllers.(*OCIRepositoryReconciler).Reconcile\n\tgithub.com/fluxcd/source-controller/controllers/ocirepository_controller.go:244\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\tsigs.k8s.io/controller-runtime@v0.14.5/pkg/internal/controller/controller.go:122\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tsigs.k8s.io/controller-runtime@v0.14.5/pkg/internal/controller/controller.go:323\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tsigs.k8s.io/controller-runtime@v0.14.5/pkg/internal/controller/controller.go:274\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tsigs.k8s.io/controller-runtime@v0.14.5/pkg/internal/controller/controller.go:235"}
{"level":"debug","ts":"2023-04-19T18:53:43.631Z","logger":"events","msg":"failed to extract layer contents from artifact: tar file entry bin/bzcmp contained unsupported file type Lrwxrwxrwx","type":"Warning","object":{"kind":"OCIRepository","namespace":"sck-config-server","name":"sck-config-server","uid":"64986821-33a6-4f1b-b300-45f1b65bdac0","apiVersion":"source.toolkit.fluxcd.io/v1beta2","resourceVersion":"7228322"},"reason":"OCIArtifactLayerOperationFailed"}
{"level":"error","ts":"2023-04-19T18:53:43.652Z","msg":"Reconciler error","controller":"ocirepository","controllerGroup":"source.toolkit.fluxcd.io","controllerKind":"OCIRepository","OCIRepository":{"name":"sck-config-server","namespace":"sck-config-server"},"namespace":"sck-config-server","name":"sck-config-server","reconcileID":"2c263b98-2fc8-4522-9ec1-bf3eae575868","error":"failed to extract layer contents from artifact: tar file entry bin/bzcmp contained unsupported file type Lrwxrwxrwx","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tsigs.k8s.io/controller-runtime@v0.14.5/pkg/internal/controller/controller.go:329\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tsigs.k8s.io/controller-runtime@v0.14.5/pkg/internal/controller/controller.go:274\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tsigs.k8s.io/controller-runtime@v0.14.5/pkg/internal/controller/controller.go:235"}
{"level":"error","ts":"2023-04-19T18:53:46.223Z","msg":"failed to extract layer contents from artifact: tar file entry bin/bzcmp contained unsupported file type Lrwxrwxrwx","controller":"ocirepository","controllerGroup":"source.toolkit.fluxcd.io","controllerKind":"OCIRepository","OCIRepository":{"name":"sck-config-server","namespace":"sck-config-server"},"namespace":"sck-config-server","name":"sck-config-server","reconcileID":"72bbd7aa-d46b-47ec-8b06-3ad679897b56","error":"failed to extract layer contents from artifact: tar file entry bin/bzcmp contained unsupported file type Lrwxrwxrwx","stacktrace":"github.com/fluxcd/source-controller/internal/reconcile/summarize.logError\n\tgithub.com/fluxcd/source-controller/internal/reconcile/summarize/processor.go:99\ngithub.com/fluxcd/source-controller/internal/reconcile/summarize.ErrorActionHandler\n\tgithub.com/fluxcd/source-controller/internal/reconcile/summarize/processor.go:77\ngithub.com/fluxcd/source-controller/internal/reconcile/summarize.(*Helper).SummarizeAndPatch\n\tgithub.com/fluxcd/source-controller/internal/reconcile/summarize/summary.go:193\ngithub.com/fluxcd/source-controller/controllers.(*OCIRepositoryReconciler).Reconcile.func1\n\tgithub.com/fluxcd/source-controller/controllers/ocirepository_controller.go:210\ngithub.com/fluxcd/source-controller/controllers.(*OCIRepositoryReconciler).Reconcile\n\tgithub.com/fluxcd/source-controller/controllers/ocirepository_controller.go:244\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\tsigs.k8s.io/controller-runtime@v0.14.5/pkg/internal/controller/controller.go:122\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tsigs.k8s.io/controller-runtime@v0.14.5/pkg/internal/controller/controller.go:323\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tsigs.k8s.io/controller-runtime@v0.14.5/pkg/internal/controller/controller.go:274\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tsigs.k8s.io/controller-runtime@v0.14.5/pkg/internal/controller/controller.go:235"}
{"level":"debug","ts":"2023-04-19T18:53:46.223Z","logger":"events","msg":"failed to extract layer contents from artifact: tar file entry bin/bzcmp contained unsupported file type Lrwxrwxrwx","type":"Warning","object":{"kind":"OCIRepository","namespace":"sck-config-server","name":"sck-config-server","uid":"64986821-33a6-4f1b-b300-45f1b65bdac0","apiVersion":"source.toolkit.fluxcd.io/v1beta2","resourceVersion":"7228334"},"reason":"OCIArtifactLayerOperationFailed"}
{"level":"error","ts":"2023-04-19T18:53:46.247Z","msg":"Reconciler error","controller":"ocirepository","controllerGroup":"source.toolkit.fluxcd.io","controllerKind":"OCIRepository","OCIRepository":{"name":"sck-config-server","namespace":"sck-config-server"},"namespace":"sck-config-server","name":"sck-config-server","reconcileID":"72bbd7aa-d46b-47ec-8b06-3ad679897b56","error":"failed to extract layer contents from artifact: tar file entry bin/bzcmp contained unsupported file type Lrwxrwxrwx","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tsigs.k8s.io/controller-runtime@v0.14.5/pkg/internal/controller/controller.go:329\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tsigs.k8s.io/controller-runtime@v0.14.5/pkg/internal/controller/controller.go:274\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tsigs.k8s.io/controller-runtime@v0.14.5/pkg/internal/controller/controller.go:235"}

Potential cause

This case statement seems to be the culprit because it does not support FileMode.ModeSymlink. https://github.com/fluxcd/pkg/blob/a39c9610423d1e456f8bb2d4c77f69fbc695a22b/tar/tar.go#L112-L174.

Is this intentional?

Steps to Reproduce:

flux create source oci sck-config-server \
  --namespace sck-config-server \
  --url oci://docker.io/springcloud/spring-cloud-kubernetes-configserver \
  --tag 3.0.3-SNAPSHOT

Versions

flux CLI version

• 0.41.2

Container versions:

• image: docker.io/fluxcd/helm-controller:v0.31.2
• image: docker.io/fluxcd/kustomize-controller:v0.35.1
• image: docker.io/fluxcd/notification-controller:v0.33.0
• image: docker.io/fluxcd/source-controller:v0.36.1

[darkowlzz]

Hi, thanks for reporting the issue. I did some inspection of the artifact you've used above and my conclusion is that it's not the type of OCI artifact that flux expects. The image contains full linux root filesystem of debian buster/sid. Please see https://fluxcd.io/flux/cheatsheets/oci-artifacts/#how-does-flux-oci-work for details about how flux works with OCI.

Regarding handling of symlinks, after digging into the history of the untar package, it looks like it was copied from upstream golang project and that was copied from another internal package which was for their specific use case, which didn't account for symlinks. In case of flux, I don't think there would be common use cases for symlinking manifests or other files in an artifact, but because our OCI support is more like a universal artifact format, I think it'd be good to add symlink handling as well.

[rrileyca]

That's fair, thanks for the response.

Yes it might be a good idea to actually use the upstream Golang library instead of using this copy+paste.

[darkowlzz]

it might be a good idea to actually use the upstream Golang library instead of using this copy+paste.

Sounds like some misunderstanding. The upstream code isn't public, refer https://github.com/fluxcd/pkg/blob/2e870a1a4b5b3a1f4f954e6c2f7801b36013c3fb/tar/tar.go#L6 . And I meant that in the upstream's context, they may not need to care about symlinks but in our context, we may. So, we can diverge from the upstream and add symlink support.

[rashedkvm]

I am seeing the same issue while extracting image layer with symlink

    - lastTransitionTime: "2023-08-11T14:53:44Z"
      message: 'failed to extract layer contents from artifact: tar file entry ./etc/os-release
        contained unsupported file type Lrwxrwxrwx'
      observedGeneration: 1
      reason: OCIArtifactLayerOperationFailed

[djschny]

I'm seeing the same error as well. It appears that even though Docker images are OCI compliant there are problems.

https://www.docker.com/blog/demystifying-open-container-initiative-oci-specifications/

[stefanprodan]

I'm seeing the same error as well. It appears that even though Docker images are OCI compliant there are problems.

We never said we support Docker images, we made a conscious decision to reject OCI artifacts with symbolic links and other non-standard file types.

@djschny I see you work at VMware, so please sync up with your peer @rashedkvm, we've discuss this topic in detail on Flux dev meetings several times.

[rashedkvm]

@djschny as @stefanprodan mentioned we discussed in the last Flux community meeting and decided to reject the sym-link when untaring image layer(s). If you'd like to talk more hit me up on Slack.

[djschny]

It's OK, I can replace flux with a 4 line shell script in CronJob and be way more flexible.