extended attributes in a container

[bpopovich44]

My dev team is launching containers that need to use xattr with cp. The command specifically is cp -afl --preserve=xattr. The host system is a XFS file system and the cp command works fine there. Inside a container, the cp command works but only for files. I get 'Operation not supported when the command is used against directories within the container. I've been searching for days and cannot find a solution. Why is this working on files but not directories.
Any help is appreciated. Thank you

[brandond]

Do you see the same issue when using ext4 as the underlying filesystem? XFS has some weird edge cases when used with overlayfs, especially on older kernels.

[bpopovich44]

I apologize for the late reply.
I ran some more tests. I rebuilt the rocky8 file system to ext4 and still get the same issue. Oddly, I tested in a container on Ubuntu which is also ext4 and it works there. So they are the same filesystems but doesn't work on rocky8 with ext4 but does on Ubuntu with ext4. Unfortunately, we cant switch to Ubuntu. On both, the command works on the host, just not in the container on rocky8 with ext4

[Martin-Weiss]

@bpopovich44 - do they run the command really against files in the container / in the image and not against a volume (persistent volume / emptyDir…) - it should be container best practice not to write into the containers filesystem and use persistent volumes for that.
In case they write to a persistent volume - what type of storage class do they use?

[bpopovich44]

I apologize for the late reply here too.
This is the command they are running for buildah and cp command is inside the build file. The cp command isnt really against /, I was just using that for testing.
buildah bud --storage-driver=vfs --isolation=chroot --format=docker --build-arg machine=ls2000ardb --build-arg target=xxxx-image-base-dev --build-arg arch=aarch64 -t repo.xxxx.com:8501/xxxx/example/sdk:ls2088ardb-coverity-dev --platform linux/amd64 -f Dockerfile-sdk --build-arg=base_image=repo.xxxx.com:8500/xxxx/ci-platform/coverity:0.4.0 docker

[bpopovich44]

I wanted to post my findings here for anyone else with this issue. xattr wouldn't work because, even though selinux was in permissive on the worker nodes, inside the container, if you run the ls -Z command you can see selinux context labels are still applied to the files. These context labels wont let you use extended attributes on container folders. If you set selinux to disabled in the selinux config on the worker nodes,then these context labels dont persist into the containers and extended attributes works. You can leave selinux enabled on the master nodes.