Closed rafi-gh closed 4 months ago
This issue still persists in case anyone can confirm this bug report.
Yes, currently seeing the same issue (nerdctl 1.7.6, containerd 1.6.31).
I don't know if this is by design, but:
Looks to me that this is where the file is created: https://github.com/yankay/nerdctl/blob/b6436017ed6c318c2b28c24270e6c26479ef41eb/pkg/containerutil/container_network_manager.go#L401
Which would honor umask (because WriteFile does).
I suspect docker is instead using some AtomicFileWriter, which IIRC does not honor umask.
I personally believe this is a bug and not a feature.
The same problem also affects at least /etc/hostname and /etc/hosts (maybe others).
@AkihiroSuda what do you think?
If you agree this is a bug and if you have an opinion on the proper way to change this behavior, I could write a PR for it.
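As an added example, not code from nerdctl, Docker or any commenter, the Go snippet below reproduces the mechanism described in this comment (os.WriteFile hands the mode to open(2), so the host umask strips the world-read bit) and contrasts it with one assumed fix, an explicit chmod plus rename in the spirit of the atomic writer mentioned above; it is not the PR that was eventually written.

```go
package main

import (
	"os"
	"path/filepath"
	"syscall"
)

// writeNaive reproduces the reported behaviour: os.WriteFile hands perm to open(2), so the
// kernel clears the umask bits. Under host umask 0027 a requested 0644 ends up as 0640.
func writeNaive(path string, data []byte, perm os.FileMode) error {
	return os.WriteFile(path, data, perm)
}

// writeWithMode is an assumed fix, not nerdctl's actual patch: write a temp file in the same
// directory, chmod(2) it to the requested mode (chmod ignores umask), then rename it into place.
func writeWithMode(path string, data []byte, perm os.FileMode) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".resolv-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename has succeeded
	if _, err = tmp.Write(data); err == nil {
		err = tmp.Chmod(perm) // explicit mode bits, not subject to the process umask
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

// worldReadable reports whether the "other" read bit is set (what a non-root container user needs).
func worldReadable(m os.FileMode) bool { return m&0o004 != 0 }

// modeUnder runs write with the process umask temporarily set to umask and returns the bits the file got.
func modeUnder(umask int, path string, write func(string, []byte, os.FileMode) error) (os.FileMode, error) {
	defer syscall.Umask(syscall.Umask(umask)) // apply umask now, restore the previous one on return
	data := []byte("nameserver 10.0.2.3\n")    // constructed sample resolv.conf content
	if err := write(path, data, 0o644); err != nil {
		return 0, err
	}
	fi, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}
```

Running both writers under umask 0027 yields 0640 for the naive path and 0644 for the chmod path, which is exactly the difference the reporter saw between non-root DNS failing and working.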
Yes, this is a bug if it behaves differently from Docker.
PR would be much appreciated, thanks
Description
I have been running into an issue running containers when setting umask on the host to something more restrictive than the default of 0022. What I am observing is that the /etc/resolv.conf file in the container conforms to the umask on the host which is not what I would expect. I would like for that file in the container to be world readable but when using a more restrictive umask on the host that file's permissions in the container are also restricted. You can observe this behavior by following the steps below. Note that the container image has a default non-root user of buildozer.
Steps to reproduce the issue
Default Umask
Restrictive Umask
Restrictive Umask as Root
You can observe the file permissions when running umask differently. Note that with 0022 the file is world readable while with 0027 it is not.
Describe the results you received and expected
I observe that the /etc/resolv.conf file in the container is not world readable. I would expect that the umask on the host would not propagate to the container environment in such a way that the /etc/resolv.conf file's permissions become restricted. This restriction causes DNS queries to fail for non-root users. I suspect this is related to some kind of copy operation occurring on the host which applies the umask settings.
What version of nerdctl are you using?
1.7.0
Are you using a variant of nerdctl? (e.g., Rancher Desktop)
None
Host information
No response