Windows: Cannot run container with a mount containing a symlinked path

[claudiubelu]

Description

If a containerd container has been created on Windows with a mount that contains a symlink in its path, then that container cannot start due to an error:

ctr run --rm --mount src=C:\Users\azureuser\temp\projected\somefile,dst=C:\test-volume docker.io/claudiubelu/agnhost:2.21 test-symlink2 cat C:\test-volume
ctr: hcsshim::CreateComputeSystem test-symlink2: The filename, directory name, or volume label syntax is incorrect.

(extra info: {"Owner":"containerd-shim-runhcs-v1.exe","SchemaVersion":{"Major":2,"Minor":1},"Container":{"Storage":{"Layers":[{"Id":"64d88e05-ebd7-517d-a3b9-07d517e1db15","Path":"C:\\ProgramData\\containerd\\root\\io.containerd.snapshotter.v1.windows\\snapshots\\345"},{"Id":"6f93fac9-570a-5d39-8308-12b83dcf3b3c","Path":"C:\\ProgramData\\containerd\\root\\io.containerd.snapshotter.v1.windows\\snapshots\\344"},{"Id":"7ee21948-dee6-5f55-b257-e8c706fc7ab7","Path":"C:\\ProgramData\\containerd\\root\\io.containerd.snapshotter.v1.windows\\snapshots\\343"},{"Id":"54b69d32-ad13-538d-b7a8-8a757011249a","Path":"C:\\ProgramData\\containerd\\root\\io.containerd.snapshotter.v1.windows\\snapshots\\342"},{"Id":"0d547392-ef7c-5dab-a837-7949ac84eb7e","Path":"C:\\ProgramData\\containerd\\root\\io.containerd.snapshotter.v1.windows\\snapshots\\341"},{"Id":"d7a18638-5069-59d7-ba9b-95c5844fe8ab","Path":"C:\\ProgramData\\containerd\\root\\io.containerd.snapshotter.v1.windows\\snapshots\\340"},{"Id":"c56b3727-eba9-5622-8d91-9d3f8dfa753a","Path":"C:\\ProgramData\\containerd\\root\\io.containerd.snapshotter.v1.windows\\snapshots\\339"},{"Id":"3a70916c-53f4-5a28-a9db-1d38c70a18bb","Path":"C:\\ProgramData\\containerd\\root\\io.containerd.snapshotter.v1.windows\\snapshots\\338"},{"Id":"a22b4e49-4d52-54a9-841a-4d907d4ac082","Path":"C:\\ProgramData\\containerd\\root\\io.containerd.snapshotter.v1.windows\\snapshots\\337"},{"Id":"eea565d2-9dcc-5b11-8d6d-9be7556eec55","Path":"C:\\ProgramData\\containerd\\root\\io.containerd.snapshotter.v1.windows\\snapshots\\336"},{"Id":"8249eb58-a9b6-518c-a753-86b65e2f07f8","Path":"C:\\ProgramData\\containerd\\root\\io.containerd.snapshotter.v1.windows\\snapshots\\335"},{"Id":"ef78bbd9-5162-5a36-a6d8-30c0e4ad853a","Path":"C:\\ProgramData\\containerd\\root\\io.containerd.snapshotter.v1.windows\\snapshots\\334"},{"Id":"60412b1e-691a-57b5-ae5d-fccdb4066e46","Path":"C:\\ProgramData\\containerd\\root\\io.containerd.snapshotter.v1.windows\\snapshots\\332"},{"Id":"c85f9586-77e5-597a-bb56-e3547c9e5ef3","Path":"C:\\ProgramData\\containerd\\root\\io.containerd.snapshotter.v1.windows\\snapshots\\331"},{"Id":"2b0ba5d7-f026-54a9-9793-2a794c27884c","Path":"C:\\ProgramData\\containerd\\root\\io.containerd.snapshotter.v1.windows\\snapshots\\330"},{"Id":"9e735baf-d4cd-5ff8-a841-f33f43ba07e3","Path":"C:\\ProgramData\\containerd\\root\\io.containerd.snapshotter.v1.windows\\snapshots\\329"},{"Id":"5d6bdce7-50ac-5154-8191-2ecaa0640e2b","Path":"C:\\ProgramData\\containerd\\root\\io.containerd.snapshotter.v1.windows\\snapshots\\328"},{"Id":"e6093524-0bc3-5022-80c9-a55cfbbbad2a","Path":"C:\\ProgramData\\containerd\\root\\io.containerd.snapshotter.v1.windows\\snapshots\\327"},{"Id":"83f93597-89de-522f-843b-05fc7c8f115e","Path":"C:\\ProgramData\\containerd\\root\\io.containerd.snapshotter.v1.windows\\snapshots\\326"}],"Path":"\\\\?\\Volume{6cf8bbf1-b806-4b11-84fa-deece42c8a1f}\\"},"MappedDirectories":[{"HostPath":"C:\\Users\\azureuser\\temp\\projected\\somefile","ContainerPath":"C:\\test-volume"}],"Networking":{"AllowUnqualifiedDnsQuery":true,"Namespace":"FDCB259D-37F8-4324-A5E4-9DE4F0A16DD3"}},"ShouldTerminateOnLastHandleClosed":true}): unknown

This is a common usecase for Kubernetes for projected volumes, where it will create symlinks for files that are to be mounted into the containers.

Steps to reproduce the issue:

The issue can be replicated with the following script. Note that if the symlinked path is at the end, it works, but it does not if it's before:

mkdir C:/tmp
cd C:/tmp

# replicate a Kubernetes projected volume.
mkdir ..2021
mkdir ..2021\projected
echo "something" > ..2021\projected\somefile

mklink /D ..data ..2021
mklink /D projected ..data\projected

# works.
ctr run --rm --mount src=C:\tmp\projected,dst=C:\test-volume docker.io/claudiubelu/agnhost:2.21 test-symlink1 cat C:\test-volume\somefile

# doesn't work.
ctr run --rm --mount src=C:\tmp\projected\somefile,dst=C:\test-volume docker.io/claudiubelu/agnhost:2.21 test-symlink2 cat C:\test-volume

Describe the results you received:

The error:

ctr: hcsshim::CreateComputeSystem test-symlink2: The filename, directory name, or volume label syntax is incorrect.

The complete error can be seen above.

Describe the results you expected:

The container should have started and printed something, which was contained in the file.

Output of containerd --version:

containerd -v
containerd github.com/containerd/containerd v1.4.3 269548fa27e0089a8b8278fc4fc781d7f65a939b

Any other relevant information:

[kevpar]

I spent some time last night looking into this. There is an issue with how HCS is resolving the path that causes this to break when mapping a file that has a symlink in the path. We should be able to fix this by resolving the path before we pass it to HCS.

[kevpar]

Didn't mean for this to close. It is fixed in the shim now, but containerd needs to update vendoring.