config: add "umask" field to POSIX "user" section#941
config: add "umask" field to POSIX "user" section#941vbatts merged 1 commit intoopencontainers:masterfrom
Conversation
Users may want to specify the umask(2) of the init process in a container. This value is identical in semantics to POSIX. This is in order to allow usage of an OCI container for a service which normally only inherits the umask given to it. Signed-off-by: Aleksa Sarai <asarai@suse.de>
cyphar
force-pushed
the
config-umask-option
branch
from
34da7a6 to
6b04c63
Compare
|
When do you plan to set this during init? Right before exec or when the rootfs is being setup like the existing umask settings? |
|
|
||
| * **`uid`** (int, REQUIRED) specifies the user ID in the [container namespace](glossary.md#container-namespace). | ||
| * **`gid`** (int, REQUIRED) specifies the group ID in the [container namespace](glossary.md#container-namespace). | ||
| * **`umask`** (int, OPTIONAL) specifies the [umask][umask_2] of the user. If unspecified, the umask should not be changed from the calling process' umask. |
There was a problem hiding this comment.
nit: the possessive of “process” is “process's”, see us here and the Linux man pages here.
nit: the “If unspecified…” sentence should go on its own line.
| "GID": { | ||
| "$ref": "#/definitions/uint32" | ||
| }, | ||
| "Umask": { |
There was a problem hiding this comment.
The indent here is a bit strange. You can automatically format these files by running make fmt in the schema directory.
The way the spec reads now (#700), runtimes will be able to chose either of those as they see fit. |
| [selinux]:http://selinuxproject.org/page/Main_Page | ||
| [no-new-privs]: https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt | ||
| [proc_2]: https://www.kernel.org/doc/Documentation/filesystems/proc.txt | ||
| [umask.2]: http://pubs.opengroup.org/onlinepubs/009695399/functions/umask.html |
There was a problem hiding this comment.
nit: POSIX functions should go be in section 3 (or 3p), so umask.2 should be umask.3. umask.2 would be the Linux kernel docs for umask.
nit: you're linking to the 2004 edition of POSIX. I'd rather stay consistent with our other links and use the 2016 edition (#858).
| // GID is the group id. | ||
| GID uint32 `json:"gid" platform:"linux,solaris"` | ||
| // Umask is the umask for the init process. | ||
| Umask uint32 `json:"umask,omitempty" platform:"linux,solaris"` |
There was a problem hiding this comment.
Zero is a valid umask (it means “leave the permissions entirely up to the process itself”), so I think we need a pointer here.
|
@crosbymichael In |
|
@cyphar @crosbymichael I interpret this as being set right before exec. Perhaps that could be clearer. |
|
On Wed, Apr 04, 2018 at 03:08:23PM -0700, Vincent Batts wrote:
@cyphar @crosbymichael I interpret this as being set right before
exec. Perhaps that could be clearer.
If you want that interpretation to be portable across compliant
runtimes, I think you'd want to land wording to that effect around
[1], with something like:
Runtimes MUST NOT apply process.user.umask as part of creation; that
property is only applied during [start](#start).
[1]: https://github.com/opencontainers/runtime-spec/blame/v1.0.1/runtime.md#L103
|
|
As this is still pending approval since April - what needs to be done to progress this PR? |
|
Anything we can do here? |
| "user": { | ||
| "uid": 1, | ||
| "gid": 1, | ||
| "umask": 63, |
There was a problem hiding this comment.
i get that they're just ints, but i wish octals were a viewable in json, and 077 wouldn't be 77
I would see this as right before exec. What would you're hopes be? |
|
I think right before exec would be most reasonable, since it's a setting about the container and not about configuring devices and others such things. Generally most |
|
This has come up again in a request for Podman. Is there anything we could do to move this forward? |
doing it just before exec seems like the correct thing to me. Currently runc does it in |
|
LGTM |
|
RFC @opencontainers/runtime-spec-maintainers |
|
I think @wking's comments look to be relevant and should be addressed (especially the inconsistent formatting). It also seems like a good idea IMO to clarify when this is expected to be applied, per @crosbymichael's comments. |
|
LGTM |
|
Why |
opencontainers/runtime-spec#941 added umask field and released with v1.0.2. This commit add the missing helper function for this field. Signed-off-by: Youfu Zhang <zhangyoufu@gmail.com>
opencontainers/runtime-spec#941 added umask field and released with v1.0.2. This commit add the missing helper function for this field. Signed-off-by: Youfu Zhang <zhangyoufu@gmail.com>
opencontainers/runtime-spec#941 added umask field and released with v1.0.2. This commit add the missing helper function for this field. Signed-off-by: Youfu Zhang <zhangyoufu@gmail.com>
opencontainers/runtime-spec#941 added umask field and released with v1.0.2. This commit add the missing helper function for this field. Signed-off-by: Youfu Zhang <zhangyoufu@gmail.com>
11 participants
Users may want to specify the umask(2) of the init process in a
container. This value is identical in semantics to POSIX. This is in
order to allow usage of an OCI container for a service which normally
only inherits the umask given to it.
See-also: opencontainers/runc#1650
Requested-by: @leberknecht
Signed-off-by: Aleksa Sarai asarai@suse.de