Description
On FreeBSD, pulling Linux container images that contain files with xattr attributes in their layers fails during the unpacking of tar archives.
Background
FreeBSD lacks native support for xattr – instead, it provides the extattr feature. While both systems are comparable, xattr offers four namespaces (user, system, trusted, and security), while FreeBSD's extattr only supports two (user and system).
FreeBSD includes a Linux compatibility layer known as linuxulator. Inspecting its implementation (source), it partially handles the conversion of xattr to extattr. However, it only supports user and system namespaces, while trusted and security remain unsupported.
Proposed Solution
We can handle xattr by using FreeBSD's extattr system calls to mimic the way FreeBSD's Linux compatibility layer handles it. For unsupported xattr namespaces, we can display a warning to the user and proceed.
Platform
FreeBSD
Log
The example pulls apache/tika:latest-full (apache/tika:3.0.0.0-full) on FreeBSD.
% sudo skopeo --debug copy --override-os=linux docker://docker.io/apache/tika:latest-full containers-storage:tika:latest-full
DEBU[0000] [graphdriver] trying provided driver "vfs"
DEBU[0000] parsed reference into "[vfs@/var/db/containers/storage+/var/run/containers/storage]docker.io/library/tika:latest-full"
DEBU[0000] Using registries.d directory /usr/local/etc/containers/registries.d
DEBU[0000] Loading registries configuration "/usr/local/etc/containers/registries.conf"
DEBU[0000] Trying to access "docker.io/apache/tika:latest-full"
DEBU[0000] No credentials matching docker.io/apache/tika found in /root/.config/containers/auth.json
DEBU[0000] No credentials matching docker.io/apache/tika found in /root/.config/containers/auth.json
DEBU[0000] No credentials matching docker.io/apache/tika found in /root/.docker/config.json
DEBU[0000] No credentials matching docker.io/apache/tika found in /root/.dockercfg
DEBU[0000] No credentials for docker.io/apache/tika found
DEBU[0000] No signature storage configuration found for docker.io/apache/tika:latest-full, using built-in default file:///var/lib/containers/sigstore
DEBU[0000] Looking for TLS certificates and private keys in /usr/local/etc/docker/certs.d/docker.io
DEBU[0000] GET https://registry-1.docker.io/v2/
DEBU[0000] Ping https://registry-1.docker.io/v2/ status 401
DEBU[0000] GET https://auth.docker.io/token?scope=repository%3Aapache%2Ftika%3Apull&service=registry.docker.io
DEBU[0001] GET https://registry-1.docker.io/v2/apache/tika/manifests/latest-full
DEBU[0002] Content-Type from manifest GET is "application/vnd.oci.image.index.v1+json"
DEBU[0002] Using SQLite blob info cache at /var/lib/containers/cache/blob-info-cache-v1.sqlite
DEBU[0002] Source is a manifest list; copying (only) instance sha256:6824d920f0547ac952f8119a39293919e9dc1b068d2ffb8a6f46bd376d98bc3c for current system
DEBU[0002] GET https://registry-1.docker.io/v2/apache/tika/manifests/sha256:6824d920f0547ac952f8119a39293919e9dc1b068d2ffb8a6f46bd376d98bc3c
DEBU[0003] Content-Type from manifest GET is "application/vnd.oci.image.manifest.v1+json"
DEBU[0003] IsRunningImageAllowed for image docker:docker.io/apache/tika:latest-full
DEBU[0003] Using default policy section
DEBU[0003] Requirement 0: allowed
DEBU[0003] Overall: allowed
DEBU[0003] Downloading /v2/apache/tika/blobs/sha256:6c5f30726faaa0744b6fa65707a70209aea70ae3a868f3d550498f9ac6eb24ae
DEBU[0003] GET https://registry-1.docker.io/v2/apache/tika/blobs/sha256:6c5f30726faaa0744b6fa65707a70209aea70ae3a868f3d550498f9ac6eb24ae
Getting image source signatures
DEBU[0003] Reading /var/lib/containers/sigstore/apache/tika@sha256=6824d920f0547ac952f8119a39293919e9dc1b068d2ffb8a6f46bd376d98bc3c/signature-1
DEBU[0003] Not looking for sigstore attachments: disabled by configuration
DEBU[0003] Manifest has MIME type application/vnd.oci.image.manifest.v1+json, ordered candidate list [application/vnd.oci.image.manifest.v1+json, application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.v1+prettyjws, application/vnd.docker.distribution.manifest.v1+json]
DEBU[0003] ... will first try using the original manifest unmodified
DEBU[0003] Checking if we can reuse blob sha256:7db88cabce9299a37c309e1f1ee68642c245bd65cfa3d32b266a8a6d7bee3d1b: general substitution = true, compression for MIME type "application/vnd.oci.image.layer.v1.tar+gzip" = true
DEBU[0003] Checking if we can reuse blob sha256:f46a6e5575ed5ef79db13bd64210caf1e69f0444bfa1b4daae09fa49d62d9ddd: general substitution = true, compression for MIME type "application/vnd.oci.image.layer.v1.tar+gzip" = true
DEBU[0003] Checking if we can reuse blob sha256:ff65ddf9395be21bfe1f320b7705e539ee44c1053034f801b1a3cbbf2d0f4056: general substitution = true, compression for MIME type "application/vnd.oci.image.layer.v1.tar+gzip" = true
DEBU[0003] Failed to retrieve partial blob: format not supported on this system
DEBU[0003] Downloading /v2/apache/tika/blobs/sha256:7db88cabce9299a37c309e1f1ee68642c245bd65cfa3d32b266a8a6d7bee3d1b
DEBU[0003] GET https://registry-1.docker.io/v2/apache/tika/blobs/sha256:7db88cabce9299a37c309e1f1ee68642c245bd65cfa3d32b266a8a6d7bee3d1b
DEBU[0003] Skipping blob sha256:ff65ddf9395be21bfe1f320b7705e539ee44c1053034f801b1a3cbbf2d0f4056 (already present):
DEBU[0003] Failed to retrieve partial blob: format not supported on this system
DEBU[0003] Downloading /v2/apache/tika/blobs/sha256:f46a6e5575ed5ef79db13bd64210caf1e69f0444bfa1b4daae09fa49d62d9ddd
DEBU[0003] GET https://registry-1.docker.io/v2/apache/tika/blobs/sha256:f46a6e5575ed5ef79db13bd64210caf1e69f0444bfa1b4daae09fa49d62d9ddd
Copying blob 7db88cabce92 [--------------------------------------] 0.0b / 55.6MiB (skipped: 0.0b = 0.00%)
Copying blob 7db88cabce92 [--------------------------------------] 0.0b / 55.6MiB | 0.0 b/s
Copying blob 7db88cabce92 [==>-----------------------------------] 4.0MiB / 55.6MiB | 22.8 MiB/s
Copying blob ff65ddf9395b skipped: already exists
Copying blob 7db88cabce92 done |
Copying blob ff65ddf9395b skipped: already exists
Copying blob f46a6e5575ed done |
DEBU[0025] Creating dest directory: /var/db/containers/storage/vfs/dir/44a4aea81ed2c8ad278c452b4e475cd733c948df767e12392e8266945f87264d
DEBU[0025] Calling TarUntar(/var/db/containers/storage/vfs/dir/a46a5fb872b554648d9d0262f302b2c1ded46eeb1ef4dc727ecc5274605937af, /var/db/containers/storage/vfs/dir/44a4aea81ed2c8ad278c452b4e475cd733c
Copying blob 7db88cabce92 done |
Copying blob 7db88cabce92 done |
Copying blob 7db88cabce92 done |
Copying blob ff65ddf9395b skipped: already exists
Copying blob f46a6e5575ed done |
FATA[0027] copying system image from manifest list: writing blob: adding layer with blob "sha256:f46a6e5575ed5ef79db13bd64210caf1e69f0444bfa1b4daae09fa49d62d9ddd": ApplyLayer stdout: stderr: platform and architecture is not supported exit status 1
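
A sketch of the namespace mapping proposed above, as an added example that is not part of the original issue or the project's code. The names `mapXattr`, `planXattrs`, `extAttr` and `sampleHeader` are hypothetical and the tar header is constructed. It makes no extattr system calls, so it runs on any OS, and the namespace IDs are copied from FreeBSD's `<sys/extattr.h>`.

```go
package main

import (
	"archive/tar"
	"fmt"
	"sort"
	"strings"
)

// FreeBSD extattr namespace IDs, mirrored from <sys/extattr.h> so this runs on any OS.
var extattrNamespace = map[string]int{"user": 1, "system": 2}

const paxXattrPrefix = "SCHILY.xattr." // PAX record prefix archive/tar uses for xattrs

// extAttr (hypothetical type) is one attribute ready for an extattr set call.
type extAttr struct {
	Namespace   int
	Name, Value string
}

// mapXattr maps names like "user.origin"; ok is false for trusted.*, security.* and malformed names.
func mapXattr(name string) (int, string, bool) {
	prefix, attr, found := strings.Cut(name, ".")
	ns, ok := extattrNamespace[prefix]
	return ns, attr, ok && found && attr != ""
}

// planXattrs splits a tar entry's xattrs into those to apply and warnings for the rest.
func planXattrs(hdr *tar.Header) (apply []extAttr, warnings []string) {
	for k, v := range hdr.PAXRecords {
		if !strings.HasPrefix(k, paxXattrPrefix) {
			continue // ordinary PAX record such as mtime
		}
		name := strings.TrimPrefix(k, paxXattrPrefix)
		if ns, attr, ok := mapXattr(name); ok {
			apply = append(apply, extAttr{ns, attr, v})
		} else {
			warnings = append(warnings, fmt.Sprintf("%s: skipping unsupported xattr %q", hdr.Name, name))
		}
	}
	sort.Slice(apply, func(i, j int) bool { return apply[i].Name < apply[j].Name })
	sort.Strings(warnings) // map iteration order is random; keep output stable
	return apply, warnings
}

// sampleHeader is a constructed tar entry, not taken from any real image.
func sampleHeader() *tar.Header {
	return &tar.Header{Name: "usr/bin/tool", PAXRecords: map[string]string{"mtime": "1700000000",
		"SCHILY.xattr.user.origin": "constructed", "SCHILY.xattr.security.capability": "\x01\x00"}}
}
func main() { fmt.Println(planXattrs(sampleHeader())) }
```

A skipped `security.capability` entry means the unpacked file loses its Linux file capabilities, so the warning should name both the path and the attribute.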