Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WCOW: Handling of ACL / file ownership, compatibility issues between WS2019, WS2022 and Windows 11 #4731

Open
profnandaa opened this issue Mar 4, 2024 · 2 comments
Open

WCOW: Handling of ACL / file ownership, compatibility issues between WS2019, WS2022 and Windows 11 #4731

profnandaa opened this issue Mar 4, 2024 · 2 comments
Assignees
@profnandaa
Labels
area/windows area/windows-wcow status/needs-investigation

Comments

@profnandaa
Copy link
Collaborator

profnandaa commented Mar 4, 2024
edited
Loading

First, this is not strictly a buildkit regression but something that I suspect is a coming from the platform side, it's by design.

When you follow the guide at b7d04a docs/windows.md, you get "access denied" error on only WS2022 but the build is successful both on Windows 11 and WS2019. It's the same case too with the classic docker build.

Current work-around, add USER ContainerAdministrator to the dockerfile (since the default user on nanoserver image is a low-priv ContainerUser); just to meet the purpose of the guide:

Set-Content Dockerfile @"
FROM mcr.microsoft.com/windows/nanoserver:ltsc2022
USER ContainerAdministrator
COPY hello.txt C:/
RUN echo "Goodbye!" >> hello.txt
CMD ["cmd", "/C", "type C:\\hello.txt"]
"@

This thankfully has unearthed something that we need to address.
@profnandaa profnandaa self-assigned this Mar 4, 2024
profnandaa added a commit to profnandaa/buildkit that referenced this issue Mar 4, 2024
@profnandaa
fix: windows getting started guide for uniformity
2aa80d7 
This adds `ContainerAdministrator` as the default user to
guarantee a uniform experience on all the platforms.
The previous guide would fail on WS2022 but work
on WS2019 and Windows 11. The issue is being
investigated here moby#4731 

Signed-off-by: Anthony Nandaa <profnandaa@gmail.com>
@profnandaa profnandaa mentioned this issue Mar 4, 2024
Merged
@profnandaa
Copy link
Collaborator Author

Also see discussion here - #4729

tonistiigi pushed a commit that referenced this issue Mar 4, 2024
@profnandaa @tonistiigi
fix: windows getting started guide for uniformity
b9e1581 
This adds `ContainerAdministrator` as the default user to
guarantee a uniform experience on all the platforms.
The previous guide would fail on WS2022 but work
on WS2019 and Windows 11. The issue is being
investigated here #4731

Signed-off-by: Anthony Nandaa <profnandaa@gmail.com>
(cherry picked from commit 2aa80d7)
@TBBle
Copy link
Collaborator

TBBle commented Mar 6, 2024

How does FROM mcr.microsoft.com/windows/nanoserver:ltsc2022 build successfully on Windows Server 2019? That shouldn't work with either process isolation or HyperV isolation, AFAIK.

The fact that the USER line fixes it suggests that the default user has somehow changed in the platform code, which would be annoying and probably break existing images that assume you're ContainerAdministrator at runtime.

daghack pushed a commit to daghack/buildkit that referenced this issue Mar 8, 2024
@profnandaa @daghack
fix: windows getting started guide for uniformity
b7ef43f 
This adds `ContainerAdministrator` as the default user to
guarantee a uniform experience on all the platforms.
The previous guide would fail on WS2022 but work
on WS2019 and Windows 11. The issue is being
investigated here moby#4731 

Signed-off-by: Anthony Nandaa <profnandaa@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@profnandaa profnandaa

Labels
area/windows area/windows-wcow status/needs-investigation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@TBBle @profnandaa