Vasiliy Ulyanov

The failure does not seem related to the change in this PR: ``` === CONT TestClientGatewayIntegration/TestClientGatewayContainerSecurityMode/worker=dockerd/secmode=insecure build_test.go:1653: dockerd worker can not currently run this test due to missing features ()...

> but we should consider formalising the behaviour (and permissions) in the OCI specification And meanwhile, what about this fix? Does it make sense to make the permissions consistent across...

Yeah, that might be... but I now see that in the description I've specified wrong `0700` perms. It's in fact `0600` (this can be seen in the commands output). And...

I am not very familiar with the sources yet, but after a quick look, the `UnpackLayer` function looks suspicious (it sets `0600` for the created dir): https://github.com/moby/moby/blob/7860686a8df15eea9def9e6189c6f9eca031bb6f/pkg/archive/diff.go#L75-L89 Though, no idea...

Yeah, I am also not sure what `root` refers to in this context. But this code seems to be run for every unpacked file which does not have a trailing...

I think I have some more findings after having a closer look at the code in `daemon/graphdriver`. Neither `btrfs` nor `devicemapper` implement the `DiffDriver` interface (the one that manages image...

This problem seems to be relevant for the master branch as well. Did some builds and testing. Created a tentative PR: https://github.com/moby/moby/pull/44140

Thanks to everyone for fixing that!

/cc @aburdenthehand, @alicefr, @rmohr, @xpivarc

Took a bit of time to come back to that PR. But now should be ready for review.