I want some directory in my docker to have a specific umask value, say 000. I tried to set that in my Dockerfile and in the ENTRYPOINT shell script, but they both failed to work:

...
RUN umask 000 /var/www/html/storage/logs //the directory
ENTRYPOINT  ["/etc/start.sh"]

#in the /etc/start.sh
#!/bin/sh
umask 000 /var/www/html/storage/logs
...

When I log into the docker container and check the /var/www/html/storage/logs umask, it is still the default 0022:

/var/www/html # cd storage/logs/
/var/www/html/storage/logs # umask
0022

Why is that? How do I make it work? Thanks!

Qiulang
  • `umask` sets the umask value for the current process and has effect on all files created after the umask command. The filename you specify after the command doesn't do anything. Once the current process exits, the umask value is lost. – Hans Kilian Sep 18 '21 at 10:43
  • But I did set it in ENTRYPOINT and it did not work either. – Qiulang Sep 18 '21 at 12:07

1 Answer

The umask is a property of a process, not a directory. Like other process-related characteristics, it will get reset at the end of each RUN command.

If you're trying to make a directory writeable by a non-root user, the best option is to chown it to that user. (How to set umask for a specific folder on Ask Ubuntu has some further alternatives.) None of this will matter if the directory is eventually a bind mount or volume mount point; all of the characteristics of the mounted directory will replace anything that happens in the Dockerfile.

If you did need to change the umask, the only place you can really do it is in an entrypoint wrapper script. The main container process can also set it itself.

#!/bin/sh
# entrypoint.sh
umask 000
# ... other first-time setup ...
exec "$@"
David Maze
  • I did set it in the ENTRYPOINT shell script. But after reading your answer, now I realize that because I run docker exec -it sh in another process to log into the container, I see the directory's umask change to 022, right? – Qiulang Sep 18 '21 at 12:12
  • `docker exec` debugging shells aren't children of the main container process, and they won't see setup you do in an entrypoint script. But if you `docker run --rm -it your-image sh`, that new container will have an interactive shell that is launched via the entrypoint sequence. – David Maze Sep 18 '21 at 12:17
  • I just found I asked a silly question the other day :$. Thanks for answering my question. – Qiulang Sep 22 '21 at 03:56
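
The behaviour described in the answer and comments above, reproduced without Docker as an added example (not part of the original posts): `sh -c` processes stand in for a `RUN` step, the entrypoint wrapper, and a `docker exec` shell, and it shows the file modes each umask produces. The function names are illustrative, and the script assumes a POSIX `sh` with `mktemp -d` available.

```shell
#!/bin/sh
# Added example: umask is per-process state. It is inherited by child
# processes and is never attached to a directory.

umask 022   # start from the usual default so the results are predictable

# A process that is NOT a descendant of the one that changed the mask.
# This is the position of the next RUN step after `RUN umask 000`, and of a
# `docker exec` shell relative to the entrypoint script.
mask_in_unrelated_shell() {
    sh -c 'umask 000'   # sets the mask, then exits: the change dies with it
    sh -c 'umask'       # fresh process: reports the mask it inherited
}

# The entrypoint wrapper pattern: set the mask, then exec the main process.
# exec keeps the same process, so the main command runs with the new mask.
mask_in_main_process() {
    sh -c 'umask 000; exec sh -c umask'
}

# Permission string of a file created by a process running under mask $1.
# The shell creates files with mode 0666 and the mask removes bits from that.
mode_of_new_file() {
    dir=$(mktemp -d) || return 1
    ( umask "$1"; : > "$dir/app.log" )
    ls -ld "$dir/app.log" | cut -c1-10
    rm -rf "$dir"
}

echo "shell outside the entrypoint's process tree: $(mask_in_unrelated_shell)"
echo "main process started via the entrypoint:     $(mask_in_main_process)"
# Under umask 000 new log files are writable by every user in the container.
echo "file created under umask 000: $(mode_of_new_file 000)"
echo "file created under umask 022: $(mode_of_new_file 022)"
```

To check the mask of an already running main container process rather than of a debugging shell, the `Umask:` line in `/proc/1/status` shows it on reasonably recent Linux kernels.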