Add --umask flag for create, run

[ashley-cui]

--umask sets the umask inside the container
Defaults to 0022

Replaces #6946

Co-authored-by: Daniel J Walsh [email protected]
Signed-off-by: Ashley Cui [email protected]

[TomSweeneyRedHat]

You're testing both create and confirming with inspect in here which is good. It might make sense to also add a part of this to the inspect test too, even though it would be redundant. I'll let @mheon make the call there.

[TomSweeneyRedHat]

All kinds of test unhappiness @ashley-cui

[rhatdan]

The random tests are blowing up with
time="2020-07-17T16:18:53-04:00" level=error msg="error starting some container dependencies"
time="2020-07-17T16:18:53-04:00" level=error msg=""Invalid Umask Value: strconv.ParseUint: parsing \"\": invalid syntax""

[rhatdan]

This looks like there is something wrong with the runtime-tools vendor, that is causing this issue.

# ./bin/podman pod create -p 8080:80 --name test1
d164202b886bb247f5b32b36ba0d6aa92aa14ab050a09eadc2fde0875cf1d13d
# ./bin/podman run --pod test1 fedora echo top
Error: open `/proc/1513113/ns/net`: No such file or directory: OCI runtime command not found error

@giuseppe @mheon PTAL

[rhatdan]

@ashley-cui I think you might want

diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 53b7f31c4..ed0a0f2da 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -341,12 +341,13 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
                g.SetProcessGID(uint32(execUser.Gid))
        }
 
-       decVal, err := strconv.ParseUint(c.config.Umask, 8, 32)
-       if err != nil {
-               return nil, errors.Wrapf(err, "Invalid Umask Value")
+       if c.config.Umask != "" {
+               decVal, err := strconv.ParseUint(c.config.Umask, 8, 32)
+               if err != nil {
+                       return nil, errors.Wrapf(err, "Invalid Umask Value: %q", c.config.Umask)
+               }
+               g.SetProcessUmask(uint32(decVal))
        }
-       g.SetProcessUmask(uint32(decVal))
-
        // Add addition groups if c.config.GroupAdd is not empty
        if len(c.config.Groups) > 0 {
                gids, err := lookup.GetContainerGroups(c.config.Groups, c.state.Mountpoint, overrides)

[ashley-cui]

@rhatdan already updated :) the runtime-tools i vendored in myself, so it might be a vendoring error caused by me..

[mheon]

Why are we storing this as a string? We should use whatever type the OCI spec uses - probably an int? Parsing should be done when we set the umask.

[rhatdan]

The value is actually an octal. Storing it as an int, may make it hard to convert and hard to view in inspect.

[ashley-cui]

yep, it's a octal representing a bitmap. setting umask to 0022 would actually show up as 18 if stored as an int. i got stuck on this for a good hour or two when implementing LOL

[rhatdan]

Coud you add a test for

podman run --umask 0077 fedora umask
And make sure it outputs 0077

[ashley-cui]

I'm unable to reproduce locally the system tests that are failing but I confirmed that umask doesn't work on ubuntu at all. Any pointers on how to proceed? @rhatdan

[edsantiago]

The system-test failures look suspiciously like something I may have introduced in #6958 - probably a bad interaction with a missing-cleanup bug in one of the integration tests. PR in progress.

The umask-on-ubuntu issue looks real though. FW(little)IW my guess is it's runc vs crun.

[ashley-cui]

@edsantiago thanks! any idea who i should talk to about the ubuntu stuff?

[edsantiago]

#7026 should fix the system-test flake. I'm sorry, I have no experience with Ubuntu and no idea how to investigate there. If you want to look into crun vs runc, you can reboot a Fedora system into cgroups v1 mode by booting with systemd.unified_cgroup_hierarchy=0

[edsantiago]

Ed's standard rant: it's important to check error messages, not just error codes:

    Expect(session.ErrorToString()).To(ContainSubstring("Invalid umask"))

Without that, the test could be failing for infinite unrelated reasons: too often a misspelled option or command name yields the expected nonzero exit status, but the test isn't actually testing anything.

Aside from that, lgtm. Nice set of tests.

[ashley-cui]

Sounds good, will keep in mind for future tests too :)

[giuseppe]

LGTM

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ashley-cui, giuseppe

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [giuseppe]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rhatdan]

/lgtm