
Windows: Containers cannot read mounted volumes #6183

@claudiubelu

Description

If the ContainerUser user is used for a Windows container, then it might not be able to read its mounted volumes. This can also happen if the image has image-defined volumes, in which case containerd creates those volumes and mounts them inside the container (they are chmod-ed, but that operation is not Windows-friendly). If ContainerAdministrator is used instead, this issue doesn't occur.

This issue can also occur when running the TestVolumeCopyUp on Windows (#6182), and it is also proven here: #6169

Sample:

PS C:\Users\azureuser\containerd> echo "hello!" > 'C:\Program Files\Git\var\lib\containerd-test\io.containerd.grpc.v1.cri\containers\1234567890\sample_file.txt'
PS C:\Users\azureuser\containerd> ctr.exe --address //./pipe//run/containerd-test/containerd --namespace k8s.io run --mount "src=C:\Program Files\Git\var\lib\containerd-test\io.containerd.grpc.v1.cri\containers\1234567890\sample_file.txt,dst=C:\sample_file.txt" mcr.microsoft.com/windows/nanoserver:1809 test-mount5 cmd /S /C "type C:\\sample_file.txt"
Access is denied.
PS C:\Users\azureuser\containerd> get-acl 'C:\Program Files\Git\var\lib\containerd-test\io.containerd.grpc.v1.cri\containers\1234567890\sample_file.txt' | fl *


PSPath                  : Microsoft.PowerShell.Core\FileSystem::C:\Program Files\Git\var\lib\containerd-test\io.containerd.grpc.v1.cri\containers\1234567890\sample_file.txt
PSParentPath            : Microsoft.PowerShell.Core\FileSystem::C:\Program Files\Git\var\lib\containerd-test\io.containerd.grpc.v1.cri\containers\1234567890
PSChildName             : sample_file.txt
PSDrive                 : C
PSProvider              : Microsoft.PowerShell.Core\FileSystem
CentralAccessPolicyId   :
CentralAccessPolicyName :
Path                    : Microsoft.PowerShell.Core\FileSystem::C:\Program Files\Git\var\lib\containerd-test\io.containerd.grpc.v1.cri\containers\1234567890\sample_file.txt
Owner                   : BUILTIN\Administrators
Group                   : 8916k8s001\None
Access                  : {System.Security.AccessControl.FileSystemAccessRule, System.Security.AccessControl.FileSystemAccessRule}
Sddl                    : O:BAG:S-1-5-21-3319544443-1324418091-1543668095-513D:(A;ID;FA;;;BA)(A;ID;FA;;;SY)
AccessToString          : BUILTIN\Administrators Allow  FullControl
                          NT AUTHORITY\SYSTEM Allow  FullControl
AuditToString           :
AccessRightType         : System.Security.AccessControl.FileSystemRights
AccessRuleType          : System.Security.AccessControl.FileSystemAccessRule
AuditRuleType           : System.Security.AccessControl.FileSystemAuditRule
AreAccessRulesProtected : False
AreAuditRulesProtected  : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical  : True

Steps to reproduce the issue

  1. Run a container with the ContainerUser user and with a mount. The command should try to type out a file from the said mount.
  2. Notice the "Access is denied." error.

An example has been included above.

Describe the results you received and expected

The volumes mounted in the container should be readable by ContainerUser.
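To verify a mount source before handing it to a container, here is an added PowerShell example (not code from the issue or from containerd): it reports whether a given principal holds an Allow ACE with read rights on the path, and adds a read-only ACE if not. It assumes Authenticated Users (S-1-5-11) as the stand-in principal, since the issue does not state which host identity ContainerUser maps to.

```powershell
# Added example (not from the containerd issue or project): check whether a
# host path used as a mount source is readable by a non-administrative
# principal, and grant read access if it is not.
# Assumption: the well-known Authenticated Users group (S-1-5-11) stands in
# for the container's non-admin user; the issue does not say which host
# principal ContainerUser maps to, so pass the SID that fits your setup.

function Test-MountSourceReadable {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $PrincipalSid = 'S-1-5-11'
    )
    $acl  = Get-Acl -LiteralPath $Path
    $read = [System.Security.AccessControl.FileSystemRights]::ReadData
    $allow = $false; $deny = $false
    foreach ($ace in $acl.Access) {
        # Compare by SID so localized or renamed account names do not matter.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid.Value -ne $PrincipalSid) { continue }
        # Generic rights (e.g. inherited GENERIC_ALL) do not -band to ReadData and count as no read here.
        if (($ace.FileSystemRights -band $read) -ne $read) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allow = $true } else { $deny = $true }
    }
    [pscustomobject]@{
        Path     = $Path
        Owner    = $acl.Owner
        Sddl     = $acl.Sddl
        Readable = ($allow -and -not $deny)   # a Deny ACE wins over Allow
    }
}

function Grant-MountSourceRead {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $PrincipalSid = 'S-1-5-11'
    )
    $acl = Get-Acl -LiteralPath $Path
    $who = [System.Security.Principal.SecurityIdentifier] $PrincipalSid
    # Directories propagate the ACE to their children; files take no inheritance flags.
    $inherit = if ((Get-Item -LiteralPath $Path).PSIsContainer) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($who, 'ReadAndExecute', $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# The sample file from the issue: its SDDL holds ACEs only for BUILTIN\Administrators and SYSTEM.
$src = 'C:\Program Files\Git\var\lib\containerd-test\io.containerd.grpc.v1.cri\containers\1234567890\sample_file.txt'
Test-MountSourceReadable -Path $src
Grant-MountSourceRead -Path $src
Test-MountSourceReadable -Path $src
```

Run it from an elevated PowerShell on the host, since changing the ACL of a file owned by BUILTIN\Administrators requires that privilege.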

What version of containerd are you using?

containerd github.com/containerd/containerd v1.6.0-beta.1-21-ga9e5941ac a9e5941

Any other relevant information

No response

Show configuration if it is related to CRI plugin.

No response
