This repository has been archived by the owner on Sep 26, 2021. It is now read-only.

can't create machine as a user that has "Hyper-V Administration" rights #2989

Open
jtnord opened this issue Feb 4, 2016 · 5 comments

@jtnord
Contributor

jtnord commented Feb 4, 2016

Using docker-machine create --driver hyperv should not require administrator rights.

Users who are members of the "Hyper-V Administrators" group can create/destroy virtual machines.

C:\Users\luser>docker-machine create --driver hyperv --hyperv-virtual-switch "vEthernet (NAT)" boot2docker
Running pre-create checks...
Error creating machine: Error with pre-create check: Hyper-v commands have to be run as an Administrator

This is the offending code - the check should check the user is an administrator or a member of "Hyper-V Administrators".

See this article for the old gory details for old OSes that are no longer needed with Windows 8+ / Server 2012 R2+...

@peschkaj
Contributor

I've managed to get this working locally (see peschkaj@3480af2) but VM creation fails after the security checks pass:

λ .\docker-machine-Windows-x86_64.exe create -d hyperv test
Running pre-create checks...
Creating machine...
(test) Copying G:\docker\cache\boot2docker.iso to G:\docker\machines\test\boot2docker.iso...
(test) Creating SSH key...
(test) Creating VM...
(test) Using switch "docker"
(test) Creating VHD
Error creating machine: Error in driver during machine creation: exit status 1

Base VHDs are successfully created, but it looks like the VM isn't correctly being registered with Hyper-V. I can't see it using Get-VM or the Hyper-V Manager.

@peschkaj
Contributor

Spoke too soon - after some good old fashioned print debugging, Resize-VHD is failing due to a permissions issue. The error appears to be The system failed to resize 'g:\docker\machines\mytest\fixed.vhd': General access denied error (0x80070005).

@jtnord
Contributor Author

jtnord commented Mar 2, 2016

Possibly due to the permissions on the folder where you are creating your VMs?

@peschkaj
Contributor

peschkaj commented Mar 2, 2016

I added myself to the Hyper-V Administrators local group, which should be enough permissions, and that didn't work. I then gave Hyper-V Administrators full control of the base folder (G:\docker) and gave it cascading permissions. That also didn't work.

The appropriate directories and files are being created when run as my user, but only the Resize-VHD fails.

I recreated the docker folder as E:\docker and gave Hyper-V Administrators full control:

λ Get-Acl E:\docker\ | Format-List


Path   : Microsoft.PowerShell.Core\FileSystem::E:\docker\
Owner  : REASONABLE-EXCU\jeremiah
Group  : REASONABLE-EXCU\jeremiah
Access : BUILTIN\Hyper-V Administrators Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         BUILTIN\Administrators Allow  268435456
         NT AUTHORITY\SYSTEM Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  268435456
         NT AUTHORITY\Authenticated Users Allow  Modify, Synchronize
         NT AUTHORITY\Authenticated Users Allow  -536805376
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
         BUILTIN\Users Allow  -1610612736
Audit  :
Sddl   : O:S-1-5-21-3365028734-4169288795-2473562284-1001G:S-1-5-21-3365028734-4169288795-2473562284-1001D:AI(
         A;OICI;FA;;;HA)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;ID;0x1301bf;;;A
         U)(A;OICIIOID;SDGXGWGR;;;AU)(A;ID;0x1200a9;;;BU)(A;OICIIOID;GXGR;;;BU)

Even after doing this, the Resize-VHD fails. Running Get-Acl against the VHD returns:

λ Get-Acl E:\docker\machines\dockervm\disk.vhd | Format-List


Path   : Microsoft.PowerShell.Core\FileSystem::E:\docker\machines\dockervm\disk.vhd
Owner  : REASONABLE-EXCU\jeremiah
Group  : REASONABLE-EXCU\jeremiah
Access : BUILTIN\Hyper-V Administrators Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         NT AUTHORITY\Authenticated Users Allow  Modify, Synchronize
         BUILTIN\Users Allow  ReadAndExecute, Synchronize
Audit  :
Sddl   : O:S-1-5-21-3365028734-4169288795-2473562284-1001G:S-1-5-21-3365028734-4169288795-2473562284-1001D:AI(
         A;ID;FA;;;HA)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1301bf;;;AU)(A;ID;0x1200a9;;;BU)

On a lark, I gave my user account full control and that also failed. I ran the PowerShell command that docker-machine --debug showed as the failing command and looked up the error number. There's an MSDN KB 2249906 - Hyper-V virtual machine may not start, and you receive a “‘General access denied error’ (0x80070005)” error message that indicates the VM itself needs to be given permission to the parent folder of the VM (in my case the VM would need access to E:\docker\machines\dockervm).

@jtnord
Contributor Author

jtnord commented Mar 9, 2016

Using @peschkaj's change as a base, I was able to get this working.

It is only the resize-vhd that requires admin privileges (for some reason).
The workaround I had was to create the fixed size disk to the target size and then perform just the convert option. This has the drawback that it takes a fair while longer to create the machine - but a created machine is better than nothing, and a quicker path could be performed if the user has "Administrator" privileges.

olivbour added a commit to olivbour/machine that referenced this issue Nov 19, 2019
For using an SID as parameter - which is better because of potential i18n issue with role name - "isInRole()" expects a "System.Security.Principal.SecurityIdentifier" object instead of a "String".

It is because of this error that isHypervAdministrator() always returns false and consequently the "Administrator" role is requested.

Signed-off-by: Olivier Bourgeat <olivier.bourgeat@laposte.net>
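
The role check discussed in this thread, as an added PowerShell example (not code from the docker-machine repository or from the referenced commit). The function name Test-HypervAccess and the property names are hypothetical; S-1-5-32-578 is the well-known SID of BUILTIN\Hyper-V Administrators, the group the SDDL output above abbreviates as HA.

```powershell
# Added example; Test-HypervAccess is a hypothetical name, not part of docker-machine.
function Test-HypervAccess {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # Well-known SID of BUILTIN\Hyper-V Administrators. Checking by SID avoids
    # depending on the localized group name.
    $hvSidText = 'S-1-5-32-578'
    $hvSid     = New-Object System.Security.Principal.SecurityIdentifier($hvSidText)

    # Before: a String argument binds to IsInRole(String), which interprets the
    # value as a role (group) name rather than as a SID. This is the call shape
    # the commit message above describes as the error.
    $byString = $principal.IsInRole($hvSidText)

    # After: a SecurityIdentifier argument binds to IsInRole(SecurityIdentifier),
    # which tests the token's group SIDs directly.
    $bySid = $principal.IsInRole($hvSid)

    # The original pre-create check: membership in BUILTIN\Administrators.
    $isAdmin = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User                  = $identity.Name
        StringOverload        = $byString
        IsHypervAdministrator = $bySid
        IsAdministrator       = $isAdmin
        # The condition requested in this issue: either role is sufficient.
        PreCreateCheckPasses  = ($isAdmin -or $bySid)
    }
}

Test-HypervAccess | Format-List
```

Group membership is read from the current logon token, so a user newly added to Hyper-V Administrators has to sign out and back in before IsHypervAdministrator reports True.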