New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docker load
fails with lsetxattr com.apple.provenance /manifest.json: operation not supported on Ventura & later
#47517
Comments
Similar issue w latest Docker desktop on OSX M3. /bin/bash -c '/Users/xxx/tmp/bazel/base/execroot/main/bazel-out/darwin_arm64-fastbuild/bin/test/integration/intenv/intenv_/intenv /Users/xxx/tmp/bazel/base/execroot/main/bazel-out/darwin_arm64-fastbuild-ST-4a519fd6d3e4/bin/cdr/cdr-events-in/container_image.executable ' To fix the issue, rolling back to
And it works again. |
Thanks for reporting. I think this is related to a bug-fix where previously failures on applying extended-attributes were silently ignored, which in some cases could result to an image that was silently broken (due to those attributes getting lost in the process). The expectation for There's also a difference between Linux and macOS (bsd) tar in handling extended attributes. On Linux, creating a tar by default omits all extended attributes, whereas on macOS the reverse is true, and extended-attributes are included by default. If the files you're adding to the tar are not expected to have extended attributes set that must be preserved (i.e., if they only contain extended attributes added by macOS), then I would recommend using the Looking at your report though, it looks like the failure is happening on the |
In contrast to #47483, which had to do with authoring of images where the source inputs were tarballs containing xattrs; this issue has to do with the importing of already-authored images. Images are an interchange format authored by specialized tooling so it would not necessarily be unreasonable for My read on this issue is that it mostly only impacts direct users of rules_oci -- image authors, by definition. End-users pulling images from registries will not be affected due to how image manifest lists are returned directly in HTTP responses when pulling images rather than being packed into tarballs. Given the users impacted are limited to direct users of the image authoring tooling and the fact that the root cause is being addressed in the authoring tooling, I am inclined to consider this a bug in rules_oci which Moby should not work around. |
Workaround for sourcegraph/devx-support#622. This is portable between both bsdtar and gnutar. On gnutar, this is the default, so this changes nothing for CI builds. This only changes behaviour in macOS with bsdtar. It is unclear to me where a final solution will exist: - An issue was opened upstream in docker/moby, but the latest opinion is that this is an issue with rules_oci _technically_ emitting docker-compatible formats that are incompatible with docker (Im not 100% sure yet that docker itself cant create a tarball that would fail to `docker load`, but I dont want to subject Christoph to more experiments lol) moby/moby#47517 - A PR exists in rules_oci to use a hermetic BSD tar instead of system tar (doesnt work on nixos though coz dynamic libraries :sadge:). It uses `mtree` format to add files, I don't know yet if that works around xattr issue without also passing `--no-xattr` (my current belief is that it does not) bazel-contrib/rules_oci#385 ## Test plan Had Christoph run `bazel run //cmd/batcheshelper:image_tarball`, which succeeded with this patch
We have Also, this behavior is strictly implementation-specific due to how It wouldn't happen with the containerd image store backend enabled, because it reads the |
Description
Starting with macOS Ventura 13, macOS adds additional xattr metadata to downloaded files. The following article explains this in more detail: https://eclecticlight.co/2023/05/10/how-macos-now-tracks-the-provenance-of-apps/
We've observed on some systems, when building OCI images (via Bazel), we would get the error in the title when attempting to
docker load --input <file>
the tarball. To workaround this issue, the affected users have had to untar the image, and retar usingtar --no-xattr
.Reproduce
If your system doesn't set these attributes already, you can recreate it with any existing image tarball:
Link to an affected image tarball for convenience (GH won't allow me to attach a tar file): https://cdn.discordapp.com/attachments/312648998328729603/1214914140821258320/tarball.tar. Built from
bazel build //cmd/batcheshelper:image_tarball
in https://github.com/sourcegraph/sourcegraphExpected behavior
docker load
ignores unsupported xattrs, similarly to #47483docker version
Client: Cloud integration: v1.0.35+desktop.10 Version: 25.0.3 API version: 1.44 Go version: go1.21.6 Git commit: 4debf41 Built: Tue Feb 6 21:13:26 2024 OS/Arch: darwin/arm64 Context: desktop-linux Server: Docker Desktop 4.27.2 (137060) Engine: Version: 25.0.3 API version: 1.44 (minimum version 1.24) Go version: go1.21.6 Git commit: f417435 Built: Tue Feb 6 21:14:22 2024 OS/Arch: linux/arm64 Experimental: false containerd: Version: 1.6.28 GitCommit: ae07eda36dd25f8a1b98dfbf587313b99c0190bb runc: Version: 1.1.12 GitCommit: v1.1.12-0-g51d5e94 docker-init: Version: 0.19.0 GitCommit: de40ad0
docker info
Additional Info
No response
The text was updated successfully, but these errors were encountered: