On Wed, Jun 16, 2021 at 08:40:39AM -0400, Daniel Walsh wrote:
> The mode is based on the underlying storage merge directory. Which I believe is based on the image's top level directory.
The permissions for a container's rootfs are inherited from the image
that was used to create it, and in that image's layers, we've defaulted
each one to inheriting the permissions of its parent layer.
For images like ubi8, which include the root directory itself, this
means we preserve what it intended. For images like fedora, which
don't, they get the default.
At least, that's how it's worked with overlay since storage v1.24.
Before that, I think that every layer started with a root directory with
0755 permissions, and if a layer was populated with a root directory
with some other permissions, layers based on that layer did not inherit
those permissions.
This applied to the read-write layers of containers as well, so you'd
see 0755 even if, like in the ubi8 image, you were supposed to get 0555.
Depending on which software was used to pull the image, you might
still see the effects of the old behavior.
HTH,
Nalin
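To make the two behaviours above concrete, here is an added example (not code from the thread or from containers/storage) that inspects layer tarballs for a root-directory entry and computes the resulting rootfs mode under both the old "every layer starts at 0755" rule and the v1.24+ "inherit from the parent layer" rule. The sample layers are constructed in memory; the 0755 default and the assumption that a layer expresses its root directory as a "./" entry are mine.

```python
import io
import tarfile

# Assumed default mode for a layer's root directory when nothing sets it.
DEFAULT_ROOT_MODE = 0o755


def layer_root_mode(layer_tar: bytes):
    """Return the mode of the root-directory entry ("./" or ".") in a
    layer tarball, or None if the layer does not ship its root directory
    (like the fedora case in the thread)."""
    with tarfile.open(fileobj=io.BytesIO(layer_tar), mode="r:*") as tar:
        for member in tar:
            if member.isdir() and member.name.rstrip("/") in ("", "."):
                return member.mode & 0o7777
    return None


def effective_root_mode(layers, inherit_from_parent=True):
    """Walk layers bottom-up. With inheritance (overlay since storage
    v1.24, as described) a layer without its own root entry keeps the
    parent's mode; without it, every such layer falls back to the default."""
    mode = DEFAULT_ROOT_MODE
    for layer in layers:
        own = layer_root_mode(layer)
        if own is not None:
            mode = own
        elif not inherit_from_parent:
            mode = DEFAULT_ROOT_MODE
    return mode


def make_layer(root_mode=None, files=()):
    """Constructed sample layer: optional "./" root entry with the given
    mode, plus a few regular files so the tarball is non-empty."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        if root_mode is not None:
            root = tarfile.TarInfo("./")
            root.type = tarfile.DIRTYPE
            root.mode = root_mode
            tar.addfile(root)
        for name in files:
            info = tarfile.TarInfo(name)
            data = b"x"
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Point `layer_root_mode` at a real, uncompressed or compressed layer blob to see whether an image ships its root directory at all, which is the first thing to check when a container's `/` shows an unexpected mode.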