Fixes #1837 : keep file capabilities on archival (#1838)

Signed-off-by: JACQUES Francois <hypnoce@donarproject.org>
François JACQUES 2021-12-23 02:05:39 +01:00 committed by GitHub
parent 17f5e55530
commit 5c81fa5774
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 50 additions and 0 deletions


@ -0,0 +1,6 @@
FROM registry.access.redhat.com/ubi8/ubi:8.2 AS BASE
# Install ping
RUN yum --disableplugin=subscription-manager install -y iputils
FROM BASE
RUN set -e && [ ! -z "$(getcap /bin/ping)" ] || exit 1
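Review bot: The assertion on the last line only checks that getcap prints something for /bin/ping, so a capability that round-trips in a corrupted or different form would still pass, while the point of #1837 is that the specific capability survives re-archival. Match the capability name instead, e.g. `RUN getcap /bin/ping | grep -q cap_net_raw || exit 1`; matching the name rather than the full string keeps the check stable across libcap versions, whose getcap output format differs (`cap_net_raw+ep` vs `cap_net_raw=ep`). `set -e` adds nothing to a single `||` chain and can go. The `ubi:8.2` tag is mutable; pinning the base image by digest would make this regression test reproducible.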


@ -334,6 +334,10 @@ func ExtractFile(dest string, hdr *tar.Header, tr io.Reader) error {
return err return err
} }
if err = writeSecurityXattrToToFile(path, hdr); err != nil {
return err
}
if err = setFileTimes(path, hdr.AccessTime, hdr.ModTime); err != nil { if err = setFileTimes(path, hdr.AccessTime, hdr.ModTime); err != nil {
return err return err
} }
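Review bot: The position of the new writeSecurityXattrToToFile call is load-bearing but undocumented: the kernel clears `security.capability` when a file's contents are written and on chown(), so this call must come after the content copy and the ownership change that presumably precede it earlier in ExtractFile, and a later reordering would silently drop capabilities again. Add `// must run after the content write and chown: the kernel drops security.capability on both` above the call so the constraint is visible. The helper's name has a doubled "To" (`writeSecurityXattrToToFile`) and should be `writeSecurityXattrToFile`. ExtractFile's body starts and ends outside this hunk.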


@ -30,6 +30,7 @@ import (
"github.com/GoogleContainerTools/kaniko/pkg/config" "github.com/GoogleContainerTools/kaniko/pkg/config"
"github.com/docker/docker/pkg/archive" "github.com/docker/docker/pkg/archive"
"github.com/docker/docker/pkg/system"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
) )
@ -76,6 +77,10 @@ func (t *Tar) AddFileToTar(p string) error {
if err != nil { if err != nil {
return err return err
} }
err = readSecurityXattrToTarHeader(p, hdr)
if err != nil {
return err
}
if p == config.RootDir { if p == config.RootDir {
// allow entry for / to preserve permission changes etc. (currently ignored anyway by Docker runtime) // allow entry for / to preserve permission changes etc. (currently ignored anyway by Docker runtime)
@ -116,6 +121,41 @@ func (t *Tar) AddFileToTar(p string) error {
return nil return nil
} }
const (
securityCapabilityXattr = "security.capability"
)
// writeSecurityXattrToTarHeader writes security.capability
// xattrs from a a tar header to filesystem
func writeSecurityXattrToToFile(path string, hdr *tar.Header) error {
if hdr.Xattrs == nil {
return nil
}
if capability, ok := hdr.Xattrs[securityCapabilityXattr]; ok {
err := system.Lsetxattr(path, securityCapabilityXattr, []byte(capability), 0)
if err != nil && !errors.Is(err, syscall.EOPNOTSUPP) && err != system.ErrNotSupportedPlatform {
return errors.Wrapf(err, "failed to write %q attribute to %q", securityCapabilityXattr, path)
}
}
return nil
}
// readSecurityXattrToTarHeader reads security.capability
// xattrs from filesystem to a tar header
func readSecurityXattrToTarHeader(path string, hdr *tar.Header) error {
if hdr.Xattrs == nil {
hdr.Xattrs = make(map[string]string)
}
capability, err := system.Lgetxattr(path, securityCapabilityXattr)
if err != nil && !errors.Is(err, syscall.EOPNOTSUPP) && err != system.ErrNotSupportedPlatform {
return errors.Wrapf(err, "failed to read %q attribute from %q", securityCapabilityXattr, path)
}
if capability != nil {
hdr.Xattrs[securityCapabilityXattr] = string(capability)
}
return nil
}
func (t *Tar) Whiteout(p string) error { func (t *Tar) Whiteout(p string) error {
dir := filepath.Dir(p) dir := filepath.Dir(p)
name := ".wh." + filepath.Base(p) name := ".wh." + filepath.Base(p)
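Review bot: In writeSecurityXattrToToFile an EOPNOTSUPP or ErrNotSupportedPlatform result is swallowed without a trace, so on a filesystem without xattr support the capability is dropped and the image ships a binary that needs it — the failure #1837 describes, now with nothing in the log; warn through the already-imported logrus before returning nil, and compare the platform sentinel with `errors.Is` rather than `!=` so a wrapped error still matches (the same applies to readSecurityXattrToTarHeader). `hdr.Xattrs` has been deprecated since Go 1.10 in favour of `hdr.PAXRecords["SCHILY.xattr."+name]`; archive/tar still converts it, but new code should set the PAX record directly so this does not break when the field is removed. The function name carries a doubled "To" and its comment reads "from a a tar header". Whiteout continues past the end of this hunk.
```go
func writeSecurityXattrToToFile(path string, hdr *tar.Header) error {
	// … unchanged: nil-map guard and xattr lookup …
	err := system.Lsetxattr(path, securityCapabilityXattr, []byte(capability), 0)
	if err != nil {
		if errors.Is(err, syscall.EOPNOTSUPP) || errors.Is(err, system.ErrNotSupportedPlatform) {
			logrus.Warnf("%q not supported on %q; file capabilities will be lost", securityCapabilityXattr, path)
			return nil
		}
		return errors.Wrapf(err, "failed to write %q attribute to %q", securityCapabilityXattr, path)
	}
```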