projectatomic / atomic

Atomic Run Tool for installing/running/managing container images.

"fsetxattr: Operation not supported" when running in a podman container #1247

Closed TomasTomecek closed 5 years ago

TomasTomecek commented 5 years ago

Hi,

I am running the atomic command in a container created via podman (no user namespaces, the container was created as root).

My use case is that I need to download a container image and unpack the container filesystem so that our tooling can analyze it.

It seems that the container process doesn't have permissions to manipulate extended file attributes:

[root@75a3856735b6 tmp]# ATOMIC_OSTREE_REPO=/tmp/asdqwe atomic --debug pull --storage ostree dockertar://var/tmp/rsyslog.tar                                                                                      
Namespace(_class=<class 'Atomic.pull.Pull'>, assumeyes=False, debug=True, func='pull_image', ignore=False, image='dockertar://var/tmp/rsyslog.tar', profile=False, reg_type=None, src_creds=None, storage='ostree')
Getting image source signatures                                                                                                                                                                                   
Copying blob sha256:75391df2c87e076b0c2f72d20c95c57dc8be7ee684cc07273416cce622b43367                 
 200.91 MB / 200.91 MB [====================================================] 3s                                                                                                                                  
Copying blob sha256:7dd303f041039bfe8f0833092673ac35f93137d10e0fbc4302021ea65ad57731                     
 10.00 KB / 10.00 KB [======================================================] 0s                                                                                                                                  
Copying blob sha256:08c433f90884f2084efdde4e657d3c69aeeadc877dc81b280b136f4efd5168a1                     
 19.39 MB / 19.39 MB [======================================================] 0s                                                                                                                                  
Copying config sha256:87f15a4e37c70cad96f6646d2c4b95e08d8a09456daa97117549cc89fb77eb71               
 5.69 KB / 5.69 KB [========================================================] 0s                                                                                                                                  
Writing manifest to image destination
Storing signatures
FATA[0008] Error committing the finished image: /builddir/build/BUILD/skopeo-e3034e1d91056b480b28a5ae7c56526e084588cf/vendor/src/github.com/ostreedev/ostree-go/pkg/otbuiltin/commit.go:407 - Writing content object: fsetxattr: Operation not supported

Traceback (most recent call last):
  File "/usr/bin/atomic", line 185, in <module>
    sys.exit(_func())
  File "/usr/lib/python3.6/site-packages/Atomic/pull.py", line 62, in pull_image
    be.pull_image(self.args.image, remote_image_obj, debug=self.args.debug, assumeyes=self.args.assumeyes, src_creds=src_creds)
  File "/usr/lib/python3.6/site-packages/Atomic/backends/_ostree.py", line 113, in pull_image
    return self.syscontainers.pull_image(image, **kwargs)
  File "/usr/lib/python3.6/site-packages/Atomic/syscontainers.py", line 256, in pull_image
    self._pull_image_to_ostree(self._get_ostree_repo(), image or self.args.image, True, src_creds=src_creds)
  File "/usr/lib/python3.6/site-packages/Atomic/syscontainers.py", line 241, in _pull_image_to_ostree
    image = self._pull_docker_tar(tarpath, os.path.basename(tarpath).replace(".tar", ""))
  File "/usr/lib/python3.6/site-packages/Atomic/syscontainers.py", line 2389, in _pull_docker_tar
    self._skopeo_copy_img_to_ostree(image_name, skopeo_source)
  File "/usr/lib/python3.6/site-packages/Atomic/syscontainers.py", line 2417, in _skopeo_copy_img_to_ostree
    util.skopeo_copy(skopeo_img_source, destination, dest_ostree_tmp_dir=temp_dir, insecure=insecure, src_creds=src_creds)
  File "/usr/lib/python3.6/site-packages/Atomic/util.py", line 454, in skopeo_copy
    return check_call(cmd, env=os.environ)
  File "/usr/lib/python3.6/site-packages/Atomic/util.py", line 214, in check_call
    return subprocess.check_call(cmd, env=env, stdin=stdin, stderr=stderr, stdout=stdout, close_fds=True)
  File "/usr/lib64/python3.6/subprocess.py", line 291, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['/usr/bin/skopeo', 'copy', '--dest-ostree-tmp-dir', '/var/lib/containers/atomic/.w0h7gaes', 'docker-archive:/var/tmp/rsyslog.tar', 'ostree:rsyslog@/tmp/asdqwe']' returned non-zero exit status 1.
atomic-1.22.1-25.gitb507039.fc29

Is there an easy fix/workaround here?

giuseppe commented 5 years ago

I think the reason is that the ostree repository is on tmpfs (ATOMIC_OSTREE_REPO=/tmp/asdqwe), and xattrs are not supported there. I'd suggest not using tmpfs.

Alternatively, but it is a less ideal solution, you could initialize the ostree repository to "bare-user":

ostree init --repo=/tmp/asdqwe --mode=bare-user

cgwalters commented 5 years ago

ostree init --repo=/tmp/asdqwe --mode=bare-user

It's bare-user-only that doesn't use xattrs. But this is a lossy operation then.

TomasTomecek commented 5 years ago

neat, I haven't realized that; I'll go for /var/tmp instead

Thank you very much for helping me out!
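
A preflight check for the diagnosis reached in this thread, as an added example that is not part of the original issue or of the atomic code base: it tries to set an extended attribute on a scratch file in each candidate directory before that directory is used for ATOMIC_OSTREE_REPO. The attribute name `user.xattr_probe` and the function names are constructed for this example, and the check assumes that the `user.` xattr namespace is the one that matters; it says nothing about other namespaces.

```python
import errno
import os
import tempfile

PROBE_ATTR = "user.xattr_probe"  # constructed attribute name, used only for this check


def supports_user_xattrs(directory, setxattr=None):
    """Return (ok, reason) after trying to set a user.* xattr on a scratch file."""
    setxattr = setxattr or os.setxattr  # injectable for tests; Linux-only by default
    fd, path = tempfile.mkstemp(prefix=".xattr-probe-", dir=directory)
    os.close(fd)
    try:
        setxattr(path, PROBE_ATTR, b"1")
        return True, "ok"
    except OSError as exc:
        if exc.errno == errno.ENOTSUP:
            # Same errno as the "Operation not supported" in the skopeo failure.
            return False, "filesystem does not support user xattrs"
        name = errno.errorcode.get(exc.errno, str(exc.errno))
        return False, "setxattr failed with " + name
    finally:
        os.unlink(path)  # never leave the probe file behind


def pick_repo_parent(candidates, setxattr=None):
    """Return the first existing candidate directory that accepts xattrs, else None."""
    for directory in candidates:
        if not os.path.isdir(directory):
            continue
        ok, _reason = supports_user_xattrs(directory, setxattr)
        if ok:
            return directory
    return None


if __name__ == "__main__":
    for d in ("/tmp", "/var/tmp"):  # the two locations discussed in the thread
        if os.path.isdir(d):
            print(d, supports_user_xattrs(d))
    print("usable parent:", pick_repo_parent(["/tmp", "/var/tmp"]))
```

Run it inside the container, since the result depends on how /tmp and /var/tmp are mounted there rather than on the host.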