Docker named pipe socket mount does not work (Docker Wormhole) on Windows runners #6688

Closed
4 of 11 tasks
HofmeisterAn opened this issue Dec 5, 2022 · 3 comments
Labels
Area: Containers bug report investigate Collect additional information, like space on disk, other tool incompatibilities etc. OS: Windows

@HofmeisterAn
Contributor

Description

The Windows Docker daemon.json configuration does not support Docker Wormhole. The container that mounts the named pipe socket cannot access it; it receives an "Access is denied" error. Please note "Set Docker security group":

By default, only members of the Administrators group can access the Docker Engine through the named pipe.

If we add the Users group to the Docker daemon configuration, the Docker Wormhole runs fine:

$daemonSettings = New-Object PSObject
$daemonSettings | Add-Member NoteProperty hosts @("npipe://")
$daemonSettings | Add-Member NoteProperty group "Users"
$daemonSettings | ConvertTo-Json | Out-File -FilePath "$($env:ProgramData)\docker\config\daemon.json" -Encoding ASCII
Get-Service -Name *docker* | Restart-Service

I noticed the daemon.json is configured by install-docker-ce.ps1 (L:608):

$instScriptUrl = "https://raw.githubusercontent.com/microsoft/Windows-Containers/Main/helpful_tools/Install-DockerCE/install-docker-ce.ps1"

It does not set the group property, just host to npipe://.

Platforms affected

  • Azure DevOps
  • GitHub Actions - Standard Runners
  • GitHub Actions - Larger Runners

Runner images affected

  • Ubuntu 18.04
  • Ubuntu 20.04
  • Ubuntu 22.04
  • macOS 10.15
  • macOS 11
  • macOS 12
  • Windows Server 2019
  • Windows Server 2022

Image version and build link

Is it regression?

No

Expected behavior

Windows runner supports Docker Wormhole. The container starts successfully:

2022/12/05 13:08:45 Pinging Docker...
2022/12/05 13:08:45 Docker daemon is available!
2022/12/05 13:08:45 Starting on port 8080...
2022/12/05 13:08:45 Started!

Actual behavior

Container start fails with the following error:

This error may indicate that the docker daemon is not running.: Get "http:////./pipe/docker_engine/_ping": open //./pipe/docker_engine: Access is denied.

Repro steps

Run the following commands on a Windows runner:

  1. docker pull mdelapenya/ryuk:temp3
  2. docker run -v //./pipe/docker_engine://./pipe/docker_engine mdelapenya/ryuk:temp3
@Alexey-Ayupov Alexey-Ayupov added investigate Collect additional information, like space on disk, other tool incompatibilities etc. OS: Windows and removed needs triage labels Dec 5, 2022
@Alexey-Ayupov
Collaborator

Hello, indeed we can reproduce the issue. We will look into it.

@Alexey-Ayupov
Collaborator

We would like to inform you that the issue you faced is not a common case. We cannot predict the behavior of the "docker" service regarding other users' tasks after adding the "group" parameter to the configuration. Please use the workaround by manually adding the "group" parameter for the "docker" service in your workflow. Feel free to reach us again if you have any concerns.
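
The workaround recommended in the comment above, written as a workflow step. This is an added example, not part of the original thread or of the runner image scripts: it sets only the "group" key and keeps whatever else daemon.json already contains, instead of overwriting the file. The backup file name and the final `docker version` check are assumptions of this example; the path, the "Users" value and the service restart are taken from the issue.

```powershell
# Added example (not from the issue thread): set the Docker "group" property
# while keeping every other key already present in daemon.json.
$ErrorActionPreference = 'Stop'

$configPath = Join-Path $env:ProgramData 'docker\config\daemon.json'
# Value used in the issue. By default only Administrators can open the pipe;
# this setting extends that access to every member of the named group.
$group = 'Users'

# Load the existing configuration, or start from an empty object.
$config = [pscustomobject]@{}
if (Test-Path -LiteralPath $configPath) {
    $raw = Get-Content -LiteralPath $configPath -Raw
    if (-not [string]::IsNullOrWhiteSpace($raw)) {
        $config = $raw | ConvertFrom-Json
    }
    # Keep a copy so the change can be reverted (file name is an assumption).
    Copy-Item -LiteralPath $configPath -Destination "$configPath.bak" -Force
} else {
    New-Item -ItemType Directory -Path (Split-Path $configPath) -Force | Out-Null
}

# Add or overwrite only the "group" key; "hosts" and other keys stay as they were.
$config | Add-Member -NotePropertyName 'group' -NotePropertyValue $group -Force

# Same encoding as the snippet in the issue.
$config | ConvertTo-Json -Depth 10 |
    Out-File -FilePath $configPath -Encoding ASCII

Get-Service -Name *docker* | Restart-Service

# Confirm the daemon came back up and answers on the named pipe.
docker version --format '{{.Server.Version}}'
if ($LASTEXITCODE -ne 0) {
    throw "Docker daemon did not respond after restart; restore $configPath.bak"
}
```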

@HofmeisterAn
Contributor Author

@Alexey-Ayupov I understand the concerns — not easy to predict, but Docker Wormhole is not uncommon in Docker environments (at least not in Linux containers). moby-ryuk e.g. runs on thousands of devices and CI environments every day. The upcoming Windows container support will not work for Azure DevOps and GitHub runners / agents 😢.
