Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The /etc/resolv.conf file in the container is not world readable because the umask on the host machine is applied on launch #2684

Closed
rafi-gh opened this issue Dec 5, 2023 · 4 comments · Fixed by #2984
Closed

The /etc/resolv.conf file in the container is not world readable because the umask on the host machine is applied on launch #2684

rafi-gh opened this issue Dec 5, 2023 · 4 comments · Fixed by #2984
Labels
bug Something isn't working

Comments

@rafi-gh
Copy link

rafi-gh commented Dec 5, 2023

Description

I have been running into an issue running containers when setting umask on the host to something more restrictive than the default of 0022. What I am observing is that the /etc/resolv.conf file in the container conforms to the umask on the host which is not what I would expect. I would like for that file in the container to be world readable but when using a more restrictive umask on the host that file's permissions in the container are also restricted. You can observe this behavior by following the steps below. Note that the container image has a default non-root user of buildozer.

Steps to reproduce the issue

Default Umask

$ umask 0022; nerdctl run --rm -it alpinelinux/build-base:latest nslookup www.wikipedia.org

--- WORKS ---

Restrictive Umask

$ umask 0027; nerdctl run --rm -it alpinelinux/build-base:latest nslookup www.wikipedia.org

--- DOES NOT WORK ---

Restrictive Umask as Root

$ umask 0027; nerdctl run --rm -it -u root alpinelinux/build-base:latest nslookup www.wikipedia.org

--- WORKS ---

You can observe the file permissions when running umask differently.

$ umask 0022; nerdctl run --rm -it -u root alpinelinux/build-base:latest ls -l /etc/resolv.conf
$ umask 0027; nerdctl run --rm -it -u root alpinelinux/build-base:latest ls -l /etc/resolv.conf

Note that with 0022 the file is world readable while with 0027 it is not.

Describe the results you received and expected

I observe that the /etc/resolv.conf file in the container is not world readable. I would expect that the umask on the host would not propagate to the container environment in such a way that the /etc/resolv.conf file's permissions becomes restricted. This restrictions causes DNS queries to fail for non-root users. I suspect this is related to some kind of copy operation occurring on the host which applies the umask settings.

What version of nerdctl are you using?

1.7.0

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

None

Host information

No response
@rafi-gh rafi-gh added the kind/unconfirmed-bug-claim Unconfirmed bug claim label Dec 5, 2023
@rafi-gh rafi-gh changed the title The /etc/resolv.conf file in the container is not world readable because the umask on the host machine is applied on launch The /etc/resolv.conf file in the container is not world readable because the umask on the host machine is applied on launch Jan 15, 2024
@rafi-gh
Copy link
Author

rafi-gh commented Feb 19, 2024

This issue still persists in case anyone can confirm this bug report.

@apostasie
Copy link
Contributor

apostasie commented May 10, 2024
edited

Yes, currently seeing the same issue (nerdctl 1.7.6, containerd 1.6.31).

I don't know if this is by design, but:

  • it does diverge from docker behavior (which is working properly)
  • it does break any container that uses a non-root user inside

Looks to me that this is where the file is created:
https://github.com/yankay/nerdctl/blob/b6436017ed6c318c2b28c24270e6c26479ef41eb/pkg/containerutil/container_network_manager.go#L401

Which would honor umask (because WriteFile does).

I suspect docker is instead using some AtomicFileWriter, which IIRC does not honor umask.

I personally believe this is a bug and not a feature.

The same problem also affects at least /etc/hostname and /etc/hosts (maybe others).

@apostasie
Copy link
Contributor

@AkihiroSuda what do you think?

If you agree this is a bug and if you have an opinion on the proper way to change this behavior, I could write a PR for it.

@AkihiroSuda AkihiroSuda added bug Something isn't working and removed kind/unconfirmed-bug-claim Unconfirmed bug claim labels May 10, 2024
@AkihiroSuda
Copy link
Member

Yes, this is a bug if it behaves differently from Docker.

PR would be much appreciated, thanks

apostasie added a commit to apostasie/nerdctl that referenced this issue May 10, 2024
@apostasie
Fix containerd#2684
b081bc3
@apostasie apostasie mentioned this issue May 10, 2024
Merged
apostasie added a commit to apostasie/nerdctl that referenced this issue May 10, 2024
@apostasie
Fix containerd#2684
34242b1 
Signed-off-by: apostasie <spam_blackhole@farcloser.world>
apostasie added a commit to apostasie/nerdctl that referenced this issue May 11, 2024
@apostasie
Fix some /etc/ file permissions (see containerd#2684)
762fe91 
Signed-off-by: apostasie <spam_blackhole@farcloser.world>
AkihiroSuda added a commit that referenced this issue May 11, 2024
@AkihiroSuda
Merge pull request #2984 from apostasie/main
ec9d9ca 
Fix some /etc/ file permissions (see #2684)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix some /etc/ file permissions (see containerd#2684) apostasie/nerdctl
3 participants
@AkihiroSuda @apostasie @rafi-gh