runc
                        Umask behavior doesn't match spec
In the config section of runtime-spec, it states:
umask: [...] If unspecified, the umask should not be changed from the calling process' umask.
However runc does not seem to follow this:
~/mycontainer $ grep umask config.json
            "umask": 5
~/mycontainer $ sudo runc run test
/ # umask
0005
~/mycontainer $ vim config.json 
~/mycontainer $ grep umask config.json
~/mycontainer $ umask
0002
~/mycontainer $ sudo runc run test
/ # umask
0022
It looks like the issue originates in rootfs_linux.go:179, where the umask is set to 022 despite umask not being set in config.json.
The initial umask support was added in #2527. Before that, the umask was always set to 022.
crun does the same thing (sets the umask to 022 unless explicitly specified).
Adding umask support to runc was originally discussed in #1650.
The PR to runtime-spec that says "no change unless explicitly specified" is https://github.com/opencontainers/runtime-spec/pull/941 and is authored by @cyphar.
Clearly, we have to either change the spec or change runc (and crun). Changing runc might be backward-incompatible, so I am slightly in favor of runtime-spec change.
WDYT @opencontainers/runc-maintainers @opencontainers/runtime-spec-maintainers?
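An added illustration, not runc's or crun's own code, of the two behaviours this thread contrasts: `legacyUmask` reproduces the reported fallback to 022, `specUmask` follows the runtime-spec wording ("not changed from the calling process' umask"), and a nil pointer stands for an unspecified `umask` key so an explicit 0 is not confused with "absent". It assumes Linux for `syscall.Umask`; the two config.json fragments are constructed to mirror the grep output above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"syscall"
)

// Spec holds the one field of the runtime-spec "process" object this issue is about.
// Umask is a pointer so an absent key (nil) is distinguishable from an explicit 0.
type Spec struct {
	Process struct {
		Umask *uint32 `json:"umask,omitempty"`
	} `json:"process"`
}

// parseConfig decodes the relevant part of a config.json document.
func parseConfig(raw []byte) (Spec, error) {
	var s Spec
	err := json.Unmarshal(raw, &s)
	return s, err
}

// legacyUmask reproduces the reported behaviour: an unspecified umask becomes 022.
func legacyUmask(s Spec, _ uint32) uint32 {
	if s.Process.Umask == nil {
		return 0o022
	}
	return *s.Process.Umask
}

// specUmask follows the spec wording: leave the caller's umask alone unless a value is given.
func specUmask(s Spec, inherited uint32) uint32 {
	if s.Process.Umask == nil {
		return inherited
	}
	return *s.Process.Umask
}

// currentUmask reads the process umask; umask(2) has no read-only form, so set and restore.
func currentUmask() uint32 {
	old := syscall.Umask(0)
	syscall.Umask(old)
	return uint32(old)
}

func main() {
	// Constructed inputs mirroring the two config.json states shown in the issue.
	withUmask, _ := parseConfig([]byte(`{"process":{"umask":5}}`))
	without, _ := parseConfig([]byte(`{"process":{}}`))
	inherited := currentUmask()
	fmt.Printf("umask 5 set:  legacy=%04o spec=%04o\n", legacyUmask(withUmask, inherited), specUmask(withUmask, inherited))
	fmt.Printf("umask unset:  legacy=%04o spec=%04o (caller had %04o)\n", legacyUmask(without, inherited), specUmask(without, inherited), inherited)
}
```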
I agree to clarify it in the runtime-specs
In terms of usability, I think it makes more sense for the umask to not be changed from the calling process' umask. I ran into this issue in the first place because I was using an old version of runc and couldn't figure out why the umask from my shell was being ignored. Principle of least surprise and all. It definitely could cause backwards compatibility issues though, so I understand why it might be preferable to change it in the spec.