Don't call umask in subscriptions #1421
|
This is some ancient code that came from early days of Docker. Are you 100% sure this will not break some user of Podman or Buildah? Rootful or rootless? Also what about using in podman-remote, where the service umask gets involved? |
|
@giuseppe @mtrmac @nalind @vrothberg WDYT? |
I can't be sure that it won't break anything, but manually checking the code paths actually involved creating files/dirs with the correct mode. For what would we need the umask then? I vendored the change into CRI-O to see if it fixes the umask issue: cri-o/cri-o#6785 |
|
As I read the code the goal is to keep the same permission as they are on the host. So if your umask is |
|
Yes, AFAICS this must use an explicit And if it is confusing or risky, it should ideally have unit tests that verify the expected behavior, before&after the refactoring. (It would, also, uh, be useful for the subpackage to document what it does, and to have some discussion for why a single piece of code deals with RHEL subscription and with FIPS state.) |
|
Hm, we need a somewhat urgent workaround for CRI-O, so I’ll see if I can restore the umask after the parallel calls to this method. Let’s leave this PR open to aim for a cleaner mid-term solution which probably does also not require a backport. |
|
A fix adding the I worry that adding more |
It depends, I’ll have to double check when I’m back from KubeCon how many backports we need for CRI-O. |
|
Yes, |
|
Gave it a push from the airport, will come up with testing at some later point in time. |
|
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: giuseppe, saschagrunert |
|
LGTM |
|
LGTM, but it would be nice to have a test before merge |
ed02a6d to a5b8b7f
|
Updated the code as well as added tests. |
mtrmac left a comment
The …IgnoreUmask functions are a nice idea.
d9effc7 to 0fc225e
|
I moved the functions to the |
This call will be done in parallel which messes up the umask on CRI-O on container creation. We now call `chmod` after directory and file creation to enforce the right permissions. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
mtrmac left a comment
We can re-use them in podman later on to fix …
Good thinking.
LGTM. Thanks!
|
/lgtm Really like the new umask package, that will definitely be useful. |
This fixes the umask `0` bug because it contains: containers/common#1421 Signed-off-by: Sascha Grunert <sgrunert@redhat.com>