-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rootless docker cannot pull images with user xattrs on directories - lsetxattr operation not supported #47962
Comments
It looks like there may been a buildah PR that removes the setting of extra attributes - containers/storage#1847 But those attributes are still present in any images built by the standard podman installs on Debian, Ubuntu, and other distributions. And even when the fix does eventually roll down, those attributes will still be present in any existing images. |
No. That way lies madness, and subtly-broken containers. There is no way for dockerd to know whether or not any particular extended file attribute is critical for the proper functioning of a container. That is especially true for user xattrs, since the user namespace is reserved for userspace processes. Only the image author knows for sure whether an extended attribute is necessary for the proper functioning of a container. They can express that the image does not require a particular extended attribute by excluding it from the image. (Hence why we are more permissive about applying extended attributes when building images compared to extracting them.) User extended attributes are allowed to be set by unprivileged users (subject to permissions checks) so rootless dockerd should have been able to successfully set the The presence of a
The
The existence of such an xattr in a container image therefore makes the image inherently non-portable. While the overlay filesystem's index feature is forcefully disabled as of #37993, that is subject to change: |
@corhere - Thanks for the detailed explanation, especially as to the origin of where Had this incompatibility been known at the time the "stop silently ignoring xattr errors" PR was made, would the change still have been introduced to v25? Perhaps the intersection of "built with Podman/Buildah/Overlay2" and "run with rootless Docker" is small, but the potential scope of images that suddenly went from working to broken seems large.
I agree that the old behavior of silently ignoring extended attribute errors can lead to confusing breakages of images, but I don't think issuing a warning that directly names the failure along with one or more specific extended attributes is subtle. While I understand the distinction between the building images vs pulling/consuming them, it seems like it is not enough to warrant an inconsistent handling of extended attribute application failures.
I don't believe that is the case, as I was able to successfully |
Was it on the same filesystem, though? Rootful Docker defaults to |
Yes. This was tested on a bare bones Debian install with only a single partition/file system. |
I can reproduce the issue in a There is nothing terribly unusual about the image. The topmost layer is fairly straightforward. The only thing of note is the
I have no trouble setting user extended attributes using the |
Description
Error: failed to register layer: lsetxattr user.overlay.origin /etc: operation not supported
Starting with v25, docker will no longer silently remove extended attributes when unpacking layers, and will instead fail (see v25.0 release notes and PR #45464 - Fail unpacking images with xattrs to filesystems without xattr support)
Images built with podman and overlayfs set the
user.overlay.origin
extended attribute on (some? all?) layers.Rootless docker cannot run
lsetxattr
even if the underlying filesystem supports the operation.As a result,
docker pull
of podman built images will produce a failed to register layer: lsetxattr user.overlay.origin /etc: operation not supported error.Images built with Podman + VFS do not set extended attributes and can be pulled with rootless docker.
Images pulled with rootful docker can run
lsetxattr
and pull successfullyImages pulled with rootless docker + fuse_overlayfs can set extended attributes and pull successfully, but running fuse_overlayfs on newer kernels is no longer recommended or even mentioned in the rootless docker instructions.
Some related issues (and fixes)
ADDing
tar archives with xattrsdocker load
fails with lsetxattr com.apple.provenance /manifest.json: operation not supported on Ventura & later #47517 - Open issue withdocker load
of downloaded archives that contain extra attributesquay.io/bioconda/base-glibc-debian-bash:3.0
) for container builds yields docker images unusable on some systems bioconda/bioconda-utils#958 - A single project discussing attempts to locate where podman/buildah are setting the extended attributeTagging @thaJeztah since it looks like you have been involved in the extended attribute discussions and fixes. Can rootless docker fall back to the v25 behavior of ignoring (but maybe warning) failures to set extended attributes?
Reproduce
docker pull bhpiq/podman-docker-issue-test:latest
failed to register layer: lsetxattr user.overlay.origin /etc: operation not supported
Expected behavior
docker pull
should still proceed with unpacking and registering the layer, even if it cannot set extended attributesdocker version
docker info
Additional Info
Podman System Info from the build environment
MVP configuration for building the test image
Debian 12 base install (cloud image)
Install Podman
Confirm Podman is using the native, non-fuser overlay storage driver
Create a minimal Dockerfile
Build and push
The text was updated successfully, but these errors were encountered: