adding Umask key to Quadlet.

Committer: Gerben Damave <gerben@hephaestus.s8n.nl> Signed-off-by: Gerben Damave <gerben@hephaestus.s8n.nl>
containers · Feb 19, 2025 · 4e32355 · 4e32355
1 parent 080a239
commit 4e32355
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 0 deletions.
diff --git a/docs/source/markdown/podman-systemd.unit.5.md b/docs/source/markdown/podman-systemd.unit.5.md
@@ -352,6 +352,7 @@ Valid options for `[Container]` are listed below:
 | Tmpfs=/work                          | --tmpfs /work                                        |
 | UIDMap=0:10000:10                    | --uidmap=0:10000:10                                  |
 | Ulimit=nofile=1000:10000             | --ulimit nofile=1000:10000                           |
+| Umask=0002                           | --umask=0002                                         |
 | Unmask=ALL                           | --security-opt unmask=ALL                            |
 | User=bin                             | --user bin                                           |
 | UserNS=keep-id:uid=200,gid=210       | --userns keep-id:uid=200,gid=210                     |
@@ -899,6 +900,15 @@ Ulimit options. Sets the ulimits values inside of the container.
 
 This key can be listed multiple times.
 
+### `Umask=`
+
+Set the umask of the process. This is equivalent to the Podman `--umask`.
+
+Example:
+```
+Umask=0002
+```
+
 ### `Unmask=`
 
 Specify the paths to unmask separated by a colon. unmask=ALL or /path/1:/path/2, or shell expanded paths (/proc/*):

diff --git a/pkg/systemd/quadlet/quadlet.go b/pkg/systemd/quadlet/quadlet.go
@@ -169,6 +169,7 @@ const (
 	KeyType                  = "Type"
 	KeyUIDMap                = "UIDMap"
 	KeyUlimit                = "Ulimit"
+	KeyUmask                 = "Umask"
 	KeyUnmask                = "Unmask"
 	KeyUser                  = "User"
 	KeyUserNS                = "UserNS"
@@ -279,6 +280,7 @@ var (
 		KeyTmpfs:                 true,
 		KeyUIDMap:                true,
 		KeyUlimit:                true,
+		KeyUmask:                 true,
 		KeyUnmask:                true,
 		KeyUser:                  true,
 		KeyUserNS:                true,
@@ -638,6 +640,7 @@ func ConvertContainer(container *parser.UnitFile, isUser bool, unitsInfoMap map[
 		KeyStopTimeout: "--stop-timeout",
 		KeyPull:        "--pull",
 		KeyMemory:      "--memory",
+		KeyUmask:       "--umask",
 	}
 	lookupAndAddString(container, ContainerGroup, stringKeys, podman)
 

diff --git a/test/e2e/quadlet/umask.container b/test/e2e/quadlet/umask.container
@@ -0,0 +1,5 @@
+## assert-podman-args "--umask" "0002"
+
+[Container]
+Image=localhost/imagename
+Umask=0002
diff --git a/test/e2e/quadlet_test.go b/test/e2e/quadlet_test.go
@@ -911,6 +911,7 @@ BOGUS=foo
 		Entry("sysctl.container", "sysctl.container"),
 		Entry("timezone.container", "timezone.container"),
 		Entry("ulimit.container", "ulimit.container"),
+		Entry("umask.container", "umask.container"),
 		Entry("unmask.container", "unmask.container"),
 		Entry("user.container", "user.container"),
 		Entry("userns.container", "userns.container"),