Filesystem driver does not honor umask #1295

Closed
mkanderson opened this issue Dec 22, 2015 · 2 comments

@mkanderson

I would like to have the registry data be group-writable in order to allow automation of periodic cleanup tasks by a non-root user.
I'm using this wrapper as the entrypoint in my Dockerfile to set the umask to 002:

#!/bin/bash  
umask 002

# Test umask
touch /UMASK_FILE
mkdir /UMASK_DIR

exec registry "$@"

/UMASK_FILE and /UMASK_DIR are created with the correct permissions (664/775), and I've verified that the registry process is running with the correct umask by attaching a debugger to the running process:

(gdb) call umask(0)
$1 = 2 

However, after pushing an image to the registry, the files and directories under /var/lib/registry/ have permissions 644 and 755 respectively:

root@74d3bca0018e:/go/src/github.com/docker/distribution# find /var/lib/registry/ | xargs stat --format %a - | sort | uniq   
644
755

Here's the setup:

mand@docker1:~$ docker --version
Docker version 1.8.3, build f4bf5c7
mand@docker1:~$ docker info
Containers: 8
Images: 298
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 314
 Dirperm1 Supported: true
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 3.16.0-4-amd64
Operating System: Debian GNU/Linux 8 (jessie)
CPUs: 2
Total Memory: 3.873 GiB
Name: docker1
ID: HPR4:7SK5:RDZJ:JHGU:ZKOM:PYJO:TBQF:7QCW:32IO:HEHM:BSJF:IZA4
WARNING: No memory limit support
WARNING: No swap limit support
mand@docker1:~$ docker exec regtest registry --version
registry github.com/docker/distribution v2.1.1-279-g55ca526

@aaronlehmann
Contributor

Looks like this is because the filesystem driver explicitly specifies 0644 permissions:

https://github.com/docker/distribution/blob/master/registry/storage/driver/filesystem/driver.go#L142

It's probably more correct to use 0666 here, and 0777 for the MkdirAll call above, and let umask do its work.
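
An added illustration, not part of the thread or the project's code, of the behaviour described in the comment above: the kernel applies `requested &^ umask`, so an explicit 0644/0755 can never come out group-writable, while 0666/0777 leaves the decision to the umask. The helper name `createdModes` and the temp-dir layout are assumptions made for this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// createdModes sets the process umask, creates a directory tree and a file
// with the requested modes (stand-ins for the driver's MkdirAll and file
// creation calls), and returns the permission bits that actually resulted.
func createdModes(mask int, dirMode, fileMode os.FileMode) (os.FileMode, os.FileMode, error) {
	old := syscall.Umask(mask) // umask is process-wide; restore it on return
	defer syscall.Umask(old)

	root, err := os.MkdirTemp("", "umask-demo-") // constructed scratch location
	if err != nil {
		return 0, 0, err
	}
	defer os.RemoveAll(root)

	dirPath := filepath.Join(root, "blobs", "data-dir")
	if err = os.MkdirAll(dirPath, dirMode); err != nil {
		return 0, 0, err
	}
	filePath := filepath.Join(dirPath, "data")
	if err = os.WriteFile(filePath, []byte("x"), fileMode); err != nil {
		return 0, 0, err
	}
	di, err := os.Stat(dirPath)
	if err != nil {
		return 0, 0, err
	}
	fi, err := os.Stat(filePath)
	if err != nil {
		return 0, 0, err
	}
	return di.Mode().Perm(), fi.Mode().Perm(), nil
}

func main() {
	for _, mask := range []int{0022, 0002, 0000} {
		for _, req := range [][2]os.FileMode{{0755, 0644}, {0777, 0666}} {
			d, f, err := createdModes(mask, req[0], req[1])
			fmt.Printf("umask %04o requested %o/%o -> dir %o file %o err=%v\n", mask, req[0], req[1], d, f, err)
		}
	}
}
```

The umask 0000 rows show the other side of the change: once the code requests 0666/0777, the umask of the registry process is the only thing keeping stored data from being world-writable, so it is worth setting explicitly in the entrypoint.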

@stevvooe
Collaborator

Closed by #1304.

stefannica added a commit to stefannica/distribution that referenced this issue Jul 16, 2020
There was a previous PR relaxing the filesystem driver permissions
for files and folders to 0666 and 0777 respectively [1][2], but it was
incomplete. This is required to get the registry to honor the umask
value.

[1] distribution#1304
[2] distribution#1295

Signed-off-by: Stefan Nica <snica@suse.com>

dylanrhysscott pushed a commit to digitalocean/docker-distribution that referenced this issue Jan 5, 2023
There was a previous PR relaxing the filesystem driver permissions
for files and folders to 0666 and 0777 respectively [1][2], but it was
incomplete. This is required to get the registry to honor the umask
value.

[1] distribution#1304
[2] distribution#1295

Signed-off-by: Stefan Nica <snica@suse.com>