Set default Umask for `podman kube play`

Fixes a bug where `podman kube play` fails to set a container's Umask to the default 0022, and sets it to 0000 instead. Signed-off-by: Jake Correnti <jakecorrenti+github@proton.me>
2023-08-14 14:50:13 -04:00 · 2023-08-14 14:50:13 -04:00 · 5eee8825e8
parent 53b2b0222d
commit 5eee8825e8
3 changed files with 61 additions and 0 deletions
--- a/pkg/specgen/generate/kube/kube.go
+++ b/pkg/specgen/generate/kube/kube.go
@ -178,6 +178,10 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
 		return nil, err
 	}

+	if s.Umask == "" {
+		s.Umask = rtc.Umask()
+	}
+
 	if s.CgroupsMode == "" {
 		s.CgroupsMode = rtc.Cgroups()
 	}
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@ -5850,4 +5850,33 @@ EXPOSE 2004-2005/tcp`, ALPINE)
 		Expect(session).Should(Exit(0))
 		Expect(session.OutputToString()).To(Equal("true"))
 	})
+
+	It("podman kube play test with valid Umask value", func() {
+		defaultUmask := "0022"
+		ctrName := "ctr"
+		ctrNameInPod := "ctr-pod-ctr"
+		outputFile := filepath.Join(podmanTest.TempDir, "pod.yaml")
+
+		create := podmanTest.Podman([]string{"create", "-t", "--restart", "never", "--name", ctrName, ALPINE})
+		create.WaitWithDefaultTimeout()
+		Expect(create).Should(Exit(0))
+
+		generate := podmanTest.Podman([]string{"kube", "generate", "-f", outputFile, ctrName})
+		generate.WaitWithDefaultTimeout()
+		Expect(generate).Should(Exit(0))
+
+		play := podmanTest.Podman([]string{"kube", "play", outputFile})
+		play.WaitWithDefaultTimeout()
+		Expect(play).Should(Exit(0))
+
+		exec := podmanTest.Podman([]string{"exec", ctrNameInPod, "/bin/sh", "-c", "umask"})
+		exec.WaitWithDefaultTimeout()
+		Expect(exec).Should(Exit(0))
+		Expect(exec.OutputToString()).To(Equal(defaultUmask))
+
+		inspect := podmanTest.Podman([]string{"inspect", ctrNameInPod, "-f", "{{ .Config.Umask }}"})
+		inspect.WaitWithDefaultTimeout()
+		Expect(inspect).Should(Exit(0))
+		Expect(inspect.OutputToString()).To(Equal(defaultUmask))
+	})
 })
--- a/test/system/700-play.bats
+++ b/test/system/700-play.bats
@ -733,3 +733,31 @@ spec:
    run_podman 125 kube play --authfile=$bogus - < $PODMAN_TMPDIR/test.yaml
    is "$output" "Error: checking authfile: stat $bogus: no such file or directory" "$command should fail with not such file"
 }
+
+@test "podman kube play with umask from containers.conf" {
+    skip_if_remote "remote does not support CONTAINERS_CONF*"
+    YAML=$PODMAN_TMPDIR/test.yaml
+
+    containersConf=$PODMAN_TMPDIR/containers.conf
+    touch $containersConf
+    cat >$containersConf <<EOF
+[containers]
+umask = "0472"
+EOF
+
+    ctr="ctr"
+    ctrInPod="ctr-pod-ctr"
+
+    run_podman create --restart never --name $ctr $IMAGE sh -c "touch /umask-test;stat -c '%a' /umask-test"
+    run_podman kube generate -f $YAML $ctr
+    CONTAINERS_CONF_OVERRIDE="$containersConf" run_podman kube play $YAML
+    run_podman container inspect --format '{{ .Config.Umask }}' $ctrInPod
+    is "${output}" "0472"
+    # Confirm that umask actually takes effect
+    run_podman logs $ctrInPod
+    is "$output" "204" "stat() on created file"
+
+    run_podman kube down $YAML
+    run_podman pod rm -a
+    run_podman rm -a
+}