From 0b7885b90a959f0552a481bcf7b27aa58d753d53 Mon Sep 17 00:00:00 2001
From: Matthew Heon <matthew.heon@pm.me>
Date: Fri, 26 Jun 2020 10:07:20 -0400
Subject: [PATCH] Ensure umask is set appropriately for 'system service'

We need a umask of 0022 to ensure containers are created
correctly, but we set a different one prior to starting the
server (to ensure the unix socket has the right permissions).
Thus, we need to set the umask after the socket has been bound,
but before the server begins accepting requests.

Fixes #6787

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
---
 pkg/api/server/server.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pkg/api/server/server.go b/pkg/api/server/server.go
index d68f6893a9..8af6d31862 100644
--- a/pkg/api/server/server.go
+++ b/pkg/api/server/server.go
@@ -173,6 +173,10 @@ func (s *APIServer) Serve() error {
 		}()
 	}
 
+	// Before we start serving, ensure umask is properly set for container
+	// creation.
+	_ = syscall.Umask(0022)
+
 	go func() {
 		err := s.Server.Serve(s.Listener)
 		if err != nil && err != http.ErrServerClosed {