-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Permissions issue when querying builder on Windows #4864
Comments
cc @profnandaa |
@colinhemmings was the Windows Engine in your case installed through Docker Desktop? Afaik, the default permissions for the Docker Engine's named pipe are (by design) restricted to admin users, as the Engine runs as a privileged service, so being able to access the API (similar to on Linux) means any user that can access the API is able to escalate to a privileged user. On Docker Desktop (again, if memory serves me well), the named pipe also gets a |
Yes, it's installed as part of DD. Yes, I see the docker-users group. I assumed the config was part of the setting up the npipe. Perhaps this is just an update to the docs then to add the group to the buildkit pipe. |
Looking at that code for the Engine, it would appear it does add the groups to the pipe based on what is passed in. We will need to add the same functionality to Buildkit to support controlling access to the pipe. |
Since currently we are yet to have a low-priv ("rootless") access to buildkitd, being able to do some things from low-priv (like querying) and then some of them only on admin will be a confusing experience for users. Though again, I don't see any harm on allowing read-like operations from a low privileged client. Can point me to the code on Docker engine that does this, would like to compare. |
Oh! Maybe I misremembered, and it's adding the group to the pipe (and Docker Desktop handled creating the group - that may be the part I remembered |
Hmm.. trying to find where a group is set though; I see that (unlike the Unix counterpart), there's no default group set on Windows; https://github.com/moby/moby/blob/faf84d7f0a1f2e6badff6f720a3e1e559c356fff/cmd/dockerd/config_windows.go#L18 Unix/Linux code has a default ( But depending on how the daemon is run may also set this through systemd; https://github.com/moby/moby/blob/faf84d7f0a1f2e6badff6f720a3e1e559c356fff/contrib/init/systemd/docker.socket#L4-L10 And I don't see a default being set here for Windows; https://github.com/moby/moby/blob/faf84d7f0a1f2e6badff6f720a3e1e559c356fff/daemon/listeners/listeners_windows.go#L25-L47 I'm not on Windows myself though, so not sure if there's possibly something else setting it. |
I have the engine running on Windows (via Docker Desktop), and the permissions on the pipe are set correctly; my user and group are added with RW access. My assumption was that these groups were passed to Moby by Docker Desktop. @profnandaa I think it already had Read access by default, but RW is needed. I'm not saying that we want to allow RW by default, but supporting it via config. |
Tentatively adding to v0.13.2 milestone, but we would need a patch for tomorrow for it to make it. |
If the solution is that user needs to pass group on starting buildkitd, then adding new option like |
Ok, let me give it a shot tomorrow. |
Happy to give it a test when it's ready! |
There was already code that was creating the npipe with the right descriptors, as it has been for other like docker[1]. This fix uses the main.getLocalListener instead of the generic one from `containerd/sys`. fixes moby#4864 Signed-off-by: Anthony Nandaa <profnandaa@gmail.com>
@colinhemmings @tonistiigi -- turns out that this path wasn't being called when creating the npipe https://github.com/moby/buildkit/blob/master/cmd/buildkitd/main_windows.go#L23-L29, see fix at #4872 |
Looks like we already have |
There was already code that was creating the npipe with the right descriptors, as it has been for other like docker[1]. This fix uses the main.getLocalListener instead of the generic one from `containerd/sys`. fixes moby#4864 Signed-off-by: Anthony Nandaa <profnandaa@gmail.com> (cherry picked from commit 08a0f01)
fixed by #4875 |
When I set up Buildkit on Windows using the approach in the docs, I was unable to query the builder in Buildx.
Steps:
docker buildx du
and the builder is classed as inactive.This worked is using an admin shell, however I believe this is based on how the npipe is configured. As I can query the engine with in the non-admin shell. When I inspect the permissions for the engine vs the buildkit pipe, they differ:
The text was updated successfully, but these errors were encountered: