(maint) Use VOLUME in LCOW for Postgres
- Turns out LCOW *can* use Docker VOLUMEs with Postgres! As it turns out, the problem was not one of bind mount vs VOLUME. Each LCOW VM `vmwp.exe` process (which in turn runs a single container) is assigned a randomized Windows user account in an effort to prevent VM breakout vulnerabilities. Unfortunately the volumes that a container owns (created in C:\ProgramData\Docker\volumes) are not granted full access to that user, which is necessary for symlink creation. So it turns out it *is* a permissions issue, but the problem is on the *Windows* side, not the Linux side!
- For now, we can work around this problem by running the following on every LCOW host that we use for testing (will also update the Pupperware docs accordingly):

  > icacls C:\ProgramData\docker\volumes /grant *S-1-5-83-0:"(OI)(CI)F" /T

  All volumes created afterwards will inherit the `F` (FULL) permissions for the NT VIRTUAL MACHINE\Virtual Machines group (S-1-5-83-0).
- This can't be done in each spec suite, as the test runner agent runs a lower-privilege account that can't change the permissions of files / directories within C:\ProgramData.
- The reason this was never observed as a problem with bind mounts was due to ced39d7, which grants the directory created for the bind mount FULL access for all Users. This mitigates this problem (in the original case, auto-generated directories under the user's temp directory don't grant permissions to other users, so this allows the Docker process access to the path).
- An issue has been filed in Moby to have the vmwp.exe process user associated with a given container granted full access to the volume paths it requires: moby/moby#39922
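The `icacls` workaround above grants an inheritable Full Control ACE to the whole NT VIRTUAL MACHINE\Virtual Machines group on the Docker volumes root. The following PowerShell is an added example, not part of the commit or the Pupperware project: a read-only audit that checks whether that ACE is present on the volumes root and on each existing volume directory beneath it, so a host can be verified after the grant (or flagged before a test run) without re-running `icacls`. The function name, the default path and the output shape are assumptions made for this example.

```powershell
# Added example (not from the commit): audit the Docker volumes root and its
# existing volume directories for an inheritable Full Control ACE granted to
# NT VIRTUAL MACHINE\Virtual Machines (well-known SID S-1-5-83-0), which is what
# the icacls workaround in the commit message sets up.
# Function name and default path are assumptions for this example.

function Test-LcowVolumeAcl {
    param(
        [string]$Path = 'C:\ProgramData\docker\volumes',   # assumed Docker volumes root
        [string]$Sid  = 'S-1-5-83-0'                       # NT VIRTUAL MACHINE\Virtual Machines
    )

    $wanted   = New-Object System.Security.Principal.SecurityIdentifier $Sid
    $fullCtrl = [System.Security.AccessControl.FileSystemRights]::FullControl
    $ciFlag   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $oiFlag   = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

    $acl   = Get-Acl -Path $Path
    $found = @()

    foreach ($ace in $acl.Access) {
        # Compare by SID rather than by account name so localisation of the
        # "NT VIRTUAL MACHINE" name does not affect the result.
        try {
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            continue   # unresolvable principal; cannot be the one we are looking for
        }
        if ($aceSid -ne $wanted) { continue }
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }

        # The commit's grant is (OI)(CI)F: Full Control that propagates to both
        # subdirectories (CI) and files (OI). An ACE missing either flag would
        # not reach the files inside a volume's _data directory.
        $isFull     = (($ace.FileSystemRights -band $fullCtrl) -eq $fullCtrl)
        $inheritsCI = (($ace.InheritanceFlags -band $ciFlag) -eq $ciFlag)
        $inheritsOI = (($ace.InheritanceFlags -band $oiFlag) -eq $oiFlag)

        if ($isFull -and $inheritsCI -and $inheritsOI) { $found += $ace }
    }

    [pscustomobject]@{
        Path      = $Path
        Compliant = ($found.Count -gt 0)
        Matching  = $found
    }
}

# Audit the root and every existing volume directory under it. Directories
# created before the grant only carry the ACE because of /T, so a missing
# entry here points at a volume that predates the workaround or was copied in.
$root   = 'C:\ProgramData\docker\volumes'
$report = @(Test-LcowVolumeAcl -Path $root)
$report += Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Test-LcowVolumeAcl -Path $_.FullName }

$report | Select-Object Path, Compliant | Format-Table -AutoSize

$nonCompliant = $report | Where-Object { -not $_.Compliant }
if ($nonCompliant) {
    Write-Warning ("{0} path(s) lack the inheritable Full Control ACE for S-1-5-83-0" -f @($nonCompliant).Count)
}
```

This runs as whatever account invokes it and only reads ACLs, so it works from the lower-privilege test-runner account that the commit notes cannot apply the grant itself; if the check reports non-compliant paths, the `icacls` command from the commit message (run by an administrator) is the remediation.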