Configuring Container umask Values in Docker

Context

The umask configured for a container directly determines the permissions of the files and directories it creates, and so affects the container's security posture.

Symptom

Standard openEuler containers initialize with a default umask of 0027. With this setting, the others group has no access permissions on files and directories newly created inside the container.

Possible Causes

The default umask was deliberately set to 0027 in the runc implementation to harden containers and mitigate potential attacks. This change intentionally denies the others group access to newly created resources.

Solution

Option 1:

Modify the Docker service configuration file /etc/sysconfig/docker: add the --exec-opt native.umask=normal parameter to the OPTIONS line, then restart dockerd:

```bash
systemctl restart docker
```

Option 2:

Pass the --annotation native.umask=normal parameter when executing docker run or docker exec:

```bash
docker run --annotation native.umask=normal XXX
docker exec --annotation native.umask=normal XXX
```
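The following shell script is an added example, not part of the openEuler documentation or of the Docker/runc projects. It makes the symptom concrete by computing the mode a new file (requested mode 666) or directory (requested mode 777) ends up with under a given umask, so you can see which digit the others group loses, and it automates the Option 1 edit by appending the --exec-opt parameter to the OPTIONS line idempotently. The page does not state the numeric value behind native.umask=normal; the script assumes the conventional 0022. The /etc/sysconfig/docker contents in the demo are constructed, and the demo edits a temporary copy rather than the real file.

```bash
#!/bin/sh
# Added example (not openEuler or Docker project code).

# mode_for_umask BASE UMASK
# Prints the octal mode a new object receives: BASE is the mode the process
# requests (666 for files, 777 for directories); the umask bits are cleared.
mode_for_umask() {
  base=$(( 0$1 ))   # leading 0 forces octal interpretation
  mask=$(( 0$2 ))
  printf '%03o\n' $(( base & ~mask ))
}

# others_have_access MODE -> exit 0 if the "others" digit of MODE is non-zero.
others_have_access() {
  [ "${1#"${1%?}"}" != "0" ]
}

# enable_normal_umask FILE
# Appends "--exec-opt native.umask=normal" inside the quotes of the OPTIONS=
# line of a sysconfig-style file (Option 1 above). Safe to run repeatedly.
enable_normal_umask() {
  f=$1
  grep -qF -- 'native.umask=normal' "$f" && return 0
  tmp="$f.tmp"
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      OPTIONS=*)
        value=${line#OPTIONS=}
        quote=
        # Strip one pair of surrounding quotes, if present, and re-add it later.
        case $value in
          \'*\') quote=\'; value=${value#\'}; value=${value%\'} ;;
          \"*\") quote=\"; value=${value#\"}; value=${value%\"} ;;
        esac
        [ -n "$value" ] && value="$value "
        printf 'OPTIONS=%s%s--exec-opt native.umask=normal%s\n' \
          "$quote" "$value" "$quote"
        ;;
      *) printf '%s\n' "$line" ;;
    esac
  done < "$f" > "$tmp"
  mv "$tmp" "$f"
}

# options_line FILE -> prints the OPTIONS= line so the result can be checked.
options_line() {
  grep '^OPTIONS=' "$1"
}

# Demo: what the two umask values (0027 = openEuler default, 0022 = assumed
# value of "normal") do to new files and directories.
for um in 0027 0022; do
  printf 'umask %s: file %s, dir %s\n' "$um" \
    "$(mode_for_umask 666 $um)" "$(mode_for_umask 777 $um)"
done

# Demo: apply the Option 1 edit to a constructed copy of /etc/sysconfig/docker.
demo=$(mktemp)
printf "OPTIONS='--selinux-enabled --log-driver=journald'\n" > "$demo"
enable_normal_umask "$demo"
options_line "$demo"
rm -f "$demo"
```

Running the script prints `umask 0027: file 640, dir 750` and `umask 0022: file 644, dir 755`, which is exactly the difference described under Symptom: the trailing 0 means the others group can neither read nor traverse what the container creates. After editing the real file, remember the restart from Option 1; dockerd reads OPTIONS only at startup.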