docker build does not preserve xattrs in the generated image

[mterron]

Description
Docker containers do not preserve extended attributes

Steps to reproduce the issue:

1. In the build phase, set an extended attribute on a file
2. Run the container and check for the existence of said attribute

I pushed a minimal image to the Docker Hub: mterron/xattrs
The Dockerfile for it is inside the image at /Dockerfile so you can build it yourself and reproduce.

Describe the results you received:
Build phase:

# attr -l /path/to/file
Attribute "pax.flags" has a 2 byte value for /path/to/file

Run phase

# attr -l /path/to/file
[empty response]

Describe the results you expected:
When running an image I expect the xattrs to be the same as the ones set during build.

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client:
 Version:      17.10.0-ce
 API version:  1.33
 Go version:   go1.9.2
 Git commit:   ba9946cf23
 Built:        Tue Nov 21 12:38:19 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.10.0-ce
 API version:  1.33 (minimum version 1.12)
 Go version:   go1.9.2
 Git commit:   v17.10.0-ce
 Built:        Tue Nov 21 12:37:42 2017
 OS/Arch:      linux/amd64
 Experimental: false

Output of docker info:

Containers: 4
 Running: 3
 Paused: 0
 Stopped: 1
Images: 47
Server Version: 17.10.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 06b9cb35161009dcb7123345749fef02f7cea8e0
runc version: 0351df1c5a66838d0c392b4ac4cf9450de844e2d
init version: 949e6facb77383876aeff8a6944dde66b3089574
Kernel Version: 4.9.65-1-hardened
Operating System: Alpine Linux v3.7
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.732GiB
Name: nano
ID: 
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Username: 
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: true

WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.):
Physical environment

[thaJeztah]

Dockerfile from the image;

FROM alpine:latest

COPY Dockerfile /Dockerfile

WORKDIR /

RUN echo 'Demo for Docker issue #35699 - docker build does not preserve xattrs in the generated image #35699' &&\
	echo 'Dockerfile is:' &&\
	cat /Dockerfile &&\
	apk -q --no-cache add nodejs attr &&\
	echo '/usr/bin/node extended attributes: # attr -l /usr/bin/node' &&\
	attr -l /usr/bin/node

CMD attr -l /usr/bin/node

/cc @tonistiigi @kolyshkin

[mterron]

Build output:

Sending build context to Docker daemon  2.048kB
Step 1/5 : FROM alpine:latest
 ---> e21c333399e0
Step 2/5 : COPY Dockerfile /Dockerfile
 ---> b85479e6b72a
Step 3/5 : WORKDIR /
 ---> 7f41038e1fe6
Step 4/5 : RUN echo 'Demo for Docker issue #35699 - docker build does not preserve xattrs in the generated iattr && echo '/usr/bin/node extended attributes: # attr -l /usr/bin/node' &&    attr -l /usr/bin/node
 ---> Running in 470988f652be
Demo for Docker issue #35699 - docker build does not preserve xattrs in the generated image #35699
Dockerfile is:
FROM alpine:latest

COPY Dockerfile /Dockerfile

WORKDIR /

RUN echo 'Demo for Docker issue #35699 - docker build does not preserve xattrs in the generated image #35699
        echo 'Dockerfile is:' &&\
        cat /Dockerfile &&\
        apk -q --no-cache add nodejs attr &&\
        echo '/usr/bin/node extended attributes: # attr -l /usr/bin/node' &&\
        attr -l /usr/bin/node

CMD attr -l /usr/bin/node
/usr/bin/node extended attributes: # attr -l /usr/bin/node
Attribute "pax.flags" has a 2 byte value for /usr/bin/node
 ---> b40ec30b13f8
Step 5/5 : CMD attr -l /usr/bin/node
 ---> Running in 665e759e71fe
 ---> 539f0f20ada4
Removing intermediate container d50c024f14ba
Removing intermediate container 470988f652be
Removing intermediate container 665e759e71fe
Successfully built 539f0f20ada4
Successfully tagged mterron/xattrs:latest

[thaJeztah]

Digging a bit into history, because I recalled there were some discussions around this; the only extended attributes that are handles were added in #3845

I think the reason behind not keeping other attributes is related to portability; see #1070 (comment)

ping @unclejack @vbatts perhaps you can add some more information?

[mterron]

I read the comments on portability and I'm even more confused by the rationale. So since a container that has xattrs will not work on some systems (a host system that does not support xattrs), we just break it everywhere instead? If my host system does support xattrs, the current image doesn't work either because the xattrs that I set on build are silently discarded.

If I set an xattr on a file it is because that is required, so the build should either fail with a clear message like: "Docker does not support xattrs" or persist them and if the host system where the image run does not support them, fail on run, again with a clear message.

Sounds like the current rationale is make sure it's consistently broken vs inconsistently working.

[thaJeztah]

@mterron I only digged for history on this topic; the discussion I linked to is over 4 years old; many things changed since, and most storage drivers (including recent aufs versions) now support extended attributes.

There may be more background, for which I reached out to two people that may have more information.

If there is no specific reason for not supporting, then it may just be something that was never implemented and can possibly be added.

[thaJeztah]

I had a quick chat with @justincormack as well, and he had some more in-depth information regarding what groups of xattrs should be / could be included, and which not. I asked him to reply here as well but he's currently at KubeCon, so there may be some delay 😅

[vbatts]

Historically, xattrs have been much desired but tap-danced around due to inconsistent support. We Red Hat even got support added to golang for this, but the filesystem support like aufs mentioned were troubling. Maybe this is different now. Xattrs ought to be on all Linux runtimes

…

On Tue, Dec 5, 2017, 11:56 Sebastiaan van Stijn ***@***.***> wrote: I had a quick chat with @justincormack <https://github.com/justincormack> as well, and he had some more in-depth information regarding what groups of xattrs should be / could be included, and which not. I asked him to reply here as well but he's currently at KubeCon, so there may be some delay 😅 — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#35699 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAEF6Y4QZq1AWWNFKwMtB84bUjx-zpSuks5s9YPHgaJpZM4Q1lWe> .

[mterron]

If there's an arbitrary whitelist of supported xattrs, it should be prominently displayed in the build documentation and a warning raised (on build) when extended attributes are dropped.
It's unreasonable to expect a user to dig into the code to see if a specific extended attribute is supported or not and by silently dropping them you introduce hard to debug failures into your users' environments.

This is the only mention of extended attributes I could find in the Docker site (searching for "extended attribute" in docs.docker.com):
For example, file capabilities are stored within a file's extended attributes, and extended attributes are stripped out when Docker images are built.
from:
https://github.com/docker/labs/blob/master/security/capabilities/README.md

EDIT: Add reference.

[justincormack]

I think we could support the whole of the security namespace, not just security.capabilities, and possible the trusted, security and system namespaces. user is the complicated one to support, as this is optional at file mount time, but the system special namespaces are always supported. It might make sense to do this in containerd now rather than here (or both; looks like much of the code is similar).

The pax namespace is a system namespace but not upstream in Linux, so it is a bit weird but I guess we could add it too.

[mterron]

That'd be great @justincormack! I think it's still a good idea to emit a warning (not a fatal error) on the build process to inform the builder that some attributes didn't make it into the final image.