Setting shared xattr fails on images with named pipes

[m3nu]

Issue Description

This is a bit of an edge case. When extracting an image that has a named pip inside, setting the xattr user.containers.override_stat for force_mask=shared fails. Using setfattr directly also fails.

I'm assuming this is a limitation of extended attributes, but wonder if Podman should ignore such errors instead of failing to pull the image.

Steps to reproduce the issue

Steps to reproduce the issue. (All run as root user)

Pulling the image with podman pull

 # podman --storage-opt=overlay.force_mask=shared pull docker.io/privatebin/fs:1.7.5

Trying to pull docker.io/privatebin/fs:1.7.5...
Getting image source signatures
Copying blob 4f4fb700ef54 skipped: already exists
Copying blob 06ad7d3e6d44 done   |
Copying blob da9db072f522 skipped: already exists
Copying blob a1e61df148cb done   |
Copying blob f6ba44d80dfe done   |
Error: copying system image from manifest list: writing blob: adding layer with blob "sha256:a1e61df148cbf56a174660fbc701191105f58fa4dcd60ca7ba56ce5e42b6e485"/""/"sha256:4bef5d03909cda3717dbf5caa1fc1f64a63b5e3b4072b87cf6c281cb20997f88": unpacking failed (error: exit status 1; output: lsetxattr /etc/s6/services/nginx/supervise/control: operation not permitted)

Using setfattr directly fails on the same file:

# setfattr -n user.myattribute -v "value" .../diff/etc/s6/services/nginx/supervise/control
setfattr: .../diff/etc/s6/services/nginx/supervise/control: Operation not permitted

File seems to be a named pipe:

# ls -lh .../diff/etc/s6/services/nginx/supervise/control
prw-r--r--. 1 165533 100081 0 Nov 16 07:41 .../diff/etc/s6/services/nginx/supervise/control

Describe the results you received

Pulling the image fails with force_mask=shared setting.

Describe the results you expected

Pulling the image should succeed, even if the xattr of this one file isn't set.

podman info output

# podman info
host:
  arch: amd64
  buildahVersion: 1.37.3
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-1.el9.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: 7ba5bd6c81ff2c10e07aee8c4281d12a2878fa12'
  cpuUtilization:
    idlePercent: 67.42
    systemPercent: 8.86
    userPercent: 23.72
  cpus: 6
  databaseBackend: sqlite
  distribution:
    distribution: centos
    version: "9"
  eventLogger: journald
  freeLocks: 2048
  hostname: podhost24.test.pikapods.com
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.14.0-513.el9.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 525811712
  memTotal: 25127485440
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.12.1-1.el9.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.12.1
    package: netavark-1.12.2-1.el9.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.12.2
  ociRuntime:
    name: crun
    package: crun-1.16.1-1.el9.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.16.1
      commit: afa829ca0122bd5e1d67f1f38e6cc348027e3c32
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: /bin/pasta
    package: passt-0^20240806.gee36266-2.el9.x86_64
    version: |
      pasta 0^20240806.gee36266-2.el9.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /bin/slirp4netns
    package: slirp4netns-1.3.1-1.el9.x86_64
    version: |-
      slirp4netns version 1.3.1
      commit: e5e368c4f5db6ae75c2fce786e31eef9da6bf236
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.2
  swapFree: 8008605696
  swapTotal: 17061371904
  uptime: 7h 51m 49.00s (Approximately 0.29 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.14-1.el9.x86_64
      Version: |-
        fusermount3 version: 3.10.2
        fuse-overlayfs: version 1.13-dev
        FUSE library version 3.10.2
        using FUSE kernel interface version 7.31
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 232300244992
  graphRootUsed: 134731993088
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 134
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.2.3
  Built: 1728390864
  BuiltTime: Tue Oct  8 12:34:24 2024
  GitCommit: ""
  GoVersion: go1.22.5 (Red Hat 1.22.5-2.el9)
  Os: linux
  OsArch: linux/amd64
  Version: 5.2.3

Podman in a container

No

Privileged Or Rootless

Privileged

Upstream Latest Release

No

Additional environment details

No response

Additional information

No response

[rhatdan]

I think this probably should be ignored. @giuseppe WDYT?

[m3nu]

Thanks for considering this. Found one more image with a similar error:

Image: lscr.io/linuxserver/bookstack:24.10.2

copying system image from manifest list: writing blob: adding layer with blob "sha256:68c4ea3779b6af5b39b50c9db4969933126112e7a1bddfd7d229687e8e4229fe"/""/"sha256:877036b083444b81229692659857a1c806d1c4bb7bbc505c05ba4276967c9a33":
unpacking failed (error: exit status 1; output: lsetxattr /dev/console: operation not permitted)

Identifies as character device file.

 # ls -l .../diff/dev/console
crwxr-xr-x. 1 root root 5, 1 Sep 28 13:38 .../diff/dev/console

[m3nu]

Third example that fails.

Image: docker.io/danielszabo99/microbin

Error: lsetxattr /dev/ptmx: operation not permitted

[rhatdan]

I know that you are not allowed to set User XATTRS on symbolic links.

[m3nu]

Right. I think setting xattrs should be skipped for those special file types. I think they end up in container images by accident and having their permissions slightly off due to missing override_stat xattr isn't an issue.

[m3nu]

I know that you are not allowed to set User XATTRS on symbolic links.

I didn't see errors from symbolic links. Maybe those files are already skipped by Podman?

[giuseppe]

symlinks are already ignored.

Right. I think setting xattrs should be skipped for those special file types. I think they end up in container images by accident and having their permissions slightly off due to missing override_stat xattr isn't an issue.

I am not sure. Ignoring the issue is easy, but it could cause a different behavior in the container.

It is safer to extend ignore_chown_errors to cover failures from lsetxattr as well

[giuseppe]

opened a PR: #2175