-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Wrong directory permissions with btrfs or devicemapper storage drivers #44106
Comments
Thanks for reporting! Thinking out loud; the difference here could be that both /cc @cpuguy83 any thoughts? |
Yeah, that might be... but I now see that in the description I've specified wrong |
I am not very familiar with the sources yet, but after a quick look, the Lines 75 to 89 in 7860686
Though, no idea why the result varies depending on the storage driver. |
Thanks! I'll need to do further digging (or asking around); from the looks of it, and the comment, that code-path is meant to not be hit for the "root" path, but admittedly, I'd have to look at the full code to see if that means "root" of the container's rootfs path, or "root" of the host's drive. Just to get a bit of context, I did do a quick search in history for that line;
|
Yeah, I am also not sure what |
Workaround for moby/moby#44106 Need to create the directory upfront, otherwise it gets assigned wrong permissions when unpacked. Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
I think I have some more findings after having a closer look at the code in Neither Now if we look at the implementation of the Lines 1049 to 1062 in 924edb9
I've checked out the sources to the version I am not sure why there are actually two similar implementations for unpacking tar files. But anyway, I wonder: would it be okay to just change UPD:
Here |
This problem seems to be relevant for the master branch as well. Did some builds and testing. Created a tentative PR: #44140 |
Workaround for moby/moby#44106 Need to create the directory upfront, otherwise it gets assigned wrong permissions when unpacked. Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
We've had a fair amount of discussion around what the correct (or less surprising) behavior is here, among many of the maintainers/regular contributors. In short, we've concluded that the OCI spec does not define any default permissions for 'implied' directories of an image. An implied directory is a directory which must for the file layout of a tar file to make sense, but it does not have an entry in the tar file, and thus the permissions are unknown. During a regular untar, mkdir(2) is called with However, as has been discovered here, those permissions are inconsistent by graph driver/extraction code path. While this is surprising, this is not necessarily a bug -- as this behavior is not defined by any spec or convention among container runtimes, the daemon may be surprising and inconsistent -- but not incorrect. As a near term fix for surprising behavior, we should unify both code paths to use the same permissions. Given In the medium term, if directory permissions matter (and they usually do), they should be captured in the layer for portability. Since the OCI image spec currently does not define this behavior, any image that wants to be portable really should control this explicitly rather than relying on implementation-specific behavior. I understand that the reproducer image in question comes from a Bazel-based build process. While I am not familiar with the specifics of Bazel-based OCI image builds, I suspect that one would have to start there to make sure that the metadata is fully captured in the image. In the longer term, it would make sense to try and standardize this across the whole ecosystem to increase the portability of images, reduce the ambiguity of the spec, and make it clear what image builders can expect when they strip directory metadata (rather than the current situation of "who knows?") -- a PR/improvement to the OCI spec (which, as I understand it, the Docker Image spec implicitly extends) would be the best way to start that discussion and process. |
Workaround for moby/moby#44106 Need to create the directory upfront, otherwise it gets assigned wrong permissions when unpacked. Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
Thanks to everyone for fixing that! |
The image specification currently does not describe how conformant implementations should handle the case of a layer that contains "implied directories" -- entries that imply parent directories exist through their path, without those parent directories having their own entires in the archive. As such, this behavior is currently implementation-defined and may not be consistent, even in the same implementation (e.g. moby/moby#44106). To resolve this, we explicitly define what behavior is expected in this situation, selecting 'neutral' attributes (e.g. using the container `USER`'s UID/GID, and using `0755` for mode, as derived from the default `umask(2)` of 0022). Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
The image specification currently does not describe how conformant implementations should handle the case of a layer that contains "implied directories" -- entries that imply parent directories exist through their path, without those parent directories having their own entires in the archive. As such, this behavior is currently implementation-defined and may not be consistent, even in the same implementation (e.g. moby/moby#44106). To resolve this, we explicitly define what behavior is expected in this situation, selecting 'neutral' attributes (e.g. using the container `USER`'s UID/GID, and using `0755` for mode, as derived from the default `umask(2)` of 0022). Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
Description
Hello. We currently see an issue with one of our images. When we run a container, some directories end up to have
0600
permissions. This happens only when docker is configured with eitherbtrfs
ordevicemapper
storage drivers. Whenoverlay2
is used, the directories are created with0755
as expected.The image itself does not define explicitly the permissions for the affected directories. But I guess when unpacking the files, they should be created with defaults
0755
(or at least be consistent no matter what storage driver is in use). Might it be some bug in the unpack code?Reproduce
Run the commands below using docker configured with either
btrfs
ordevicemapper
storage drivers, and observe that/usr/lib64/qemu-kvm/
has0600
permissions:Expected behavior
/usr/lib64/qemu-kvm/
should have0755
permissions like when docker is configured to useoverlay2
storage:docker version
docker info
Additional Info
This was discovered while debugging kubevirt/kubevirt#8195
The text was updated successfully, but these errors were encountered: