Description
Hello. We currently see an issue with one of our images. When we run a container, some directories end up with 0600 permissions. This happens only when docker is configured with either the btrfs or devicemapper storage driver. When overlay2 is used, the directories are created with 0755 as expected.
The image itself does not explicitly define the permissions for the affected directories. But I guess that when unpacking the files, they should be created with the default 0755 (or at least be consistent no matter which storage driver is in use). Might it be some bug in the unpack code?
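Added example, not from the issue or from Docker's own code: a small Python check for the claim above that the image does not declare the affected directories. It parses a layer tar (for a real image, a layer tar taken from `docker save` output) and lists every directory the layer needs, marking the ones that have no entry of their own, since those receive whatever mode the unpacker defaults to, which is where a storage-driver-dependent difference would show up. It also walks an unpacked tree and reports directories whose mode is not 0755, the check to run inside the container to confirm the symptom. The layer and the tree are constructed samples; the path names mirror the ones in this report.

```python
import io
import os
import posixpath
import stat
import tarfile
import tempfile


def build_sample_layer() -> bytes:
    """Constructed layer tar (not the real virt-launcher layer): one directory
    declared explicitly, and one file whose parent directories have no entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        d = tarfile.TarInfo("etc")
        d.type = tarfile.DIRTYPE
        d.mode = 0o755
        tar.addfile(d)

        motd = tarfile.TarInfo("etc/motd")
        motd.mode = 0o644
        data = b"hello\n"
        motd.size = len(data)
        tar.addfile(motd, io.BytesIO(data))

        # File under usr/lib64/qemu-kvm with no directory entries at all, so the
        # unpacker has to create usr, usr/lib64 and usr/lib64/qemu-kvm itself.
        so = tarfile.TarInfo("usr/lib64/qemu-kvm/hw-usb-host.so")
        so.mode = 0o755
        data = b"\x7fELF"
        so.size = len(data)
        tar.addfile(so, io.BytesIO(data))
    return buf.getvalue()


def implicit_dirs(layer: bytes) -> dict:
    """Map every directory the layer needs to its declared mode, or None when
    the tar carries no entry for it (the unpacker then picks the mode)."""
    declared = {}
    needed = set()
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r") as tar:
        for m in tar.getmembers():
            name = m.name.rstrip("/")
            if m.isdir():
                declared[name] = m.mode & 0o7777
            parent = posixpath.dirname(name)
            while parent and parent != ".":
                needed.add(parent)
                parent = posixpath.dirname(parent)
    return {d: declared.get(d) for d in sorted(needed | set(declared))}


def audit_rootfs(root: str, expected: int = 0o755) -> list:
    """Walk an unpacked tree and return (relative path, mode) for every
    directory whose permission bits differ from the expected default."""
    bad = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            p = os.path.join(dirpath, d)
            mode = stat.S_IMODE(os.lstat(p).st_mode)
            if mode != expected:
                bad.append((os.path.relpath(p, root), mode))
    return sorted(bad)


def demo_rootfs_audit() -> list:
    """Constructed tree reproducing the symptom: qemu-kvm left at 0600."""
    with tempfile.TemporaryDirectory() as root:
        kvm = os.path.join(root, "usr", "lib64", "qemu-kvm")
        os.makedirs(kvm)
        # Pin the parents to 0755 so the result does not depend on the umask.
        os.chmod(os.path.join(root, "usr"), 0o755)
        os.chmod(os.path.join(root, "usr", "lib64"), 0o755)
        open(os.path.join(kvm, "hw-usb-host.so"), "wb").close()
        os.chmod(kvm, 0o600)
        result = audit_rootfs(root)
        os.chmod(kvm, 0o755)  # restore so cleanup can remove the tree
        return result


if __name__ == "__main__":
    for path, mode in implicit_dirs(build_sample_layer()).items():
        print(path, "declared %o" % mode if mode is not None else "implicit (unpacker default)")
    for path, mode in demo_rootfs_audit():
        print("unexpected mode %o on %s" % (mode, path))
```

For a real image, `docker save image | tar -x` yields one tar per layer; running `implicit_dirs` over each of them tells you whether `usr/lib64/qemu-kvm` is ever declared, and `audit_rootfs` run on `/` inside the container (under each storage driver) shows which directories came out with a non-default mode.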
Reproduce
Run the commands below using docker configured with either btrfs or devicemapper storage drivers, and observe that /usr/lib64/qemu-kvm/ has 0600 permissions:
docker run --rm -ti --entrypoint /bin/bash quay.io/kubevirt/virt-launcher:v0.55.0
bash-4.4# ls -la /usr/lib64/qemu-kvm/
total 272
drw------- 1 root root 466 Sep 5 06:12 .
dr-xr-xr-x 1 root root 14218 Jan 1 1970 ..
-rwxr-xr-x 1 root root 11792 Jan 1 1970 accel-qtest-x86_64.so
-rwxr-xr-x 1 root root 24832 Jan 1 1970 accel-tcg-x86_64.so
-rwxr-xr-x 1 root root 7568 Jan 1 1970 hw-display-virtio-gpu-gl.so
-rwxr-xr-x 1 root root 7576 Jan 1 1970 hw-display-virtio-gpu-pci-gl.so
-rwxr-xr-x 1 root root 12688 Jan 1 1970 hw-display-virtio-gpu-pci.so
-rwxr-xr-x 1 root root 53792 Jan 1 1970 hw-display-virtio-gpu.so
-rwxr-xr-x 1 root root 7568 Jan 1 1970 hw-display-virtio-vga-gl.so
-rwxr-xr-x 1 root root 17368 Jan 1 1970 hw-display-virtio-vga.so
-rwxr-xr-x 1 root root 47688 Jan 1 1970 hw-usb-host.so
-rwxr-xr-x 1 root root 67584 Jan 1 1970 hw-usb-redirect.so
Expected behavior
/usr/lib64/qemu-kvm/ should have 0755 permissions like when docker is configured to use overlay2 storage:
docker run --rm -ti --entrypoint /bin/bash quay.io/kubevirt/virt-launcher:v0.55.0
bash-4.4# ls -la /usr/lib64/qemu-kvm/
total 300
drwxr-xr-x 2 root root 4096 Sep 5 06:12 .
dr-xr-xr-x 29 root root 20480 Jan 1 1970 ..
-rwxr-xr-x 1 root root 11792 Jan 1 1970 accel-qtest-x86_64.so
-rwxr-xr-x 1 root root 24832 Jan 1 1970 accel-tcg-x86_64.so
-rwxr-xr-x 1 root root 7568 Jan 1 1970 hw-display-virtio-gpu-gl.so
-rwxr-xr-x 1 root root 7576 Jan 1 1970 hw-display-virtio-gpu-pci-gl.so
-rwxr-xr-x 1 root root 12688 Jan 1 1970 hw-display-virtio-gpu-pci.so
-rwxr-xr-x 1 root root 53792 Jan 1 1970 hw-display-virtio-gpu.so
-rwxr-xr-x 1 root root 7568 Jan 1 1970 hw-display-virtio-vga-gl.so
-rwxr-xr-x 1 root root 17368 Jan 1 1970 hw-display-virtio-vga.so
-rwxr-xr-x 1 root root 47688 Jan 1 1970 hw-usb-host.so
-rwxr-xr-x 1 root root 67584 Jan 1 1970 hw-usb-redirect.so
docker version
Client:
Version: 20.10.17-ce
API version: 1.41
Go version: go1.17.11
Git commit: a89b84221c85
Built: Wed Jun 29 00:00:00 2022
OS/Arch: linux/amd64
Context: default
Experimental: true
Server:
Engine:
Version: 20.10.17-ce
API version: 1.41 (minimum version 1.12)
Go version: go1.17.11
Git commit: a89b84221c85
Built: Wed Jun 29 00:00:00 2022
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v1.6.6
GitCommit: 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
runc:
Version: 1.1.3
GitCommit: v1.1.3-0-ga916309fff0f
docker-init:
Version: 0.1.7_catatonit
GitCommit:
docker info
Client:
Context: default
Debug Mode: false
Server:
Containers: 4
Running: 3
Paused: 0
Stopped: 1
Images: 38
Server Version: 20.10.17-ce
Storage Driver: btrfs
Build Version: Btrfs v5.18.1
Library Version: 102
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux oci runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
runc version: v1.1.3-0-ga916309fff0f
init version:
Security Options:
apparmor
seccomp
Profile: default
cgroupns
Kernel Version: 5.19.2-1-default
Operating System: openSUSE Tumbleweed
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 13.53GiB
Name: <...>
ID: <...>
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
192.168.122.1:5000
127.0.0.0/8
Live Restore Enabled: false
Additional Info
This was discovered while debugging kubevirt/kubevirt#8195