Copy of buildkit-qemu-emulator should ignore xattr failures #5544

Open
rgov opened this issue Nov 22, 2024 · 0 comments
rgov commented Nov 22, 2024

There are a number of bug reports in various places that look like the following.

```text
executor failed running [/dev/.buildkit_qemu_emulator xyz]:
failed to copy xattrs: failed to set xattr "security.selinux" on
/tmp/buildkit-qemu-emulator538849571/dev/.buildkit_qemu_emulator:
operation not supported
```

The issue applies to systems with SELinux enabled; SELinux prevents the modification of an ACL attached to a file as an xattr.

The error arises when copying the emulator binary into a temporary location:

```go
// Fragment from BuildKit: m.path, tmpdir, qemuMountName, uid and gid come from the
// surrounding code. Note that no XAttrErrorHandler is set on the CopyInfo.
if err := copy.Copy(context.TODO(), filepath.Dir(m.path), filepath.Base(m.path), tmpdir, qemuMountName, func(ci *copy.CopyInfo) {
	m := 0555 // read-only, executable copy of the emulator binary
	ci.Mode = &m
}, copy.WithChown(uid, gid)); err != nil {
	return nil, nil, err
}
```

The implementation of copy.Copy() is from tonistiigi/fsutil. The error string "failed to copy xattrs" originates here:

https://github.com/tonistiigi/fsutil/blob/0789dc562bd7099bec7be479164e261ac5334f5f/copy/copy.go#L425-L427

Several years ago the PR containerd/continuity#138 added an option to ignore xattr errors specifically due to this security.selinux issue. The tonistiigi/fsutil implementation mirrors this option, but it is unused in the BuildKit code.

I believe in the BuildKit code ci.XAttrErrorHandler should be set to a function that ignores ENOTSUP, as in this PR.

cc @tonistiigi.
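The handler the issue proposes, as an added example that is neither BuildKit's nor fsutil's code: IgnoreENOTSUP drops only ENOTSUP so that other xattr failures still surface, and a constructed fake of the xattr syscalls shows the copy failing without it and completing with it. The handler signature and the copy loop are assumptions modelled on the fsutil copy package; in BuildKit the handler would be installed through ci.XAttrErrorHandler.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// XAttrErrorHandler: the callback shape tonistiigi/fsutil's copy package takes
// (assumption); returning nil tells the copier to skip that xattr and go on.
type XAttrErrorHandler func(dst, src, xattrKey string, err error) error

// IgnoreENOTSUP skips only "operation not supported", which SELinux hosts return
// for security.selinux; EPERM, ENOSPC and the rest still abort the copy.
func IgnoreENOTSUP(dst, src, xattrKey string, err error) error {
	if errors.Is(err, syscall.ENOTSUP) { // also matches an Errno inside *os.PathError
		return nil
	}
	return err
}

// fakeFS is a constructed stand-in for the xattr syscalls: src holds the source
// xattrs, written records what reached dst, security.selinux fails with ENOTSUP.
type fakeFS struct{ src, written map[string]string }

func (f *fakeFS) lsetxattr(path, key, val string) error {
	if key == "security.selinux" {
		return &os.PathError{Op: "lsetxattr", Path: path, Err: syscall.ENOTSUP}
	}
	f.written[key] = val
	return nil
}

// copyXAttrs mirrors the fsutil loop and reproduces the report's error wording.
func copyXAttrs(fs *fakeFS, dst, src string, xeh XAttrErrorHandler) error {
	for key, val := range fs.src {
		err := fs.lsetxattr(dst, key, val)
		if err != nil && xeh != nil {
			err = xeh(dst, src, key, err) // nil from the handler means "skip"
		}
		if err != nil {
			return fmt.Errorf("failed to copy xattrs: failed to set xattr %q on %s: %w", key, dst, err)
		}
	}
	return nil
}

func newSELinuxFS() *fakeFS { // constructed source: one SELinux label, one user xattr
	return &fakeFS{written: map[string]string{}, src: map[string]string{"security.selinux": "system_u:object_r:bin_t:s0", "user.note": "constructed"}}
}
```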
