Description
When creating a container with a non-empty volume, files that get copied over to the host-mounted volume lose ownership information and ACLs. This means that regardless of whether or not the USER stanza was set to a user other than ContainerAdministrator, any files created will only be writable by the privileged user.
Describe the results you received and expected
- An image was created with the following (truncated) contents:

```dockerfile
USER ContainerUser
RUN /bin/sh.exe -c "echo test_content > /test_dir/test_file"
VOLUME "C:/test_dir"
```
- A container was created using this image.
- The expectation was that once the container was created, the owner of the file was ContainerUser (SID: S-1-5-93-2-2).
- The result was that the file was owned by the user under which containerd.exe was running.
What version of containerd are you using?
containerd github.com/containerd/containerd v1.6.0-beta.1-59-g8a85f3afa 8a85f3a
Any other relevant information
This seems to stem from the fact that the copyFileInfo function (https://github.com/containerd/continuity/blob/main/fs/copy_windows.go#L31) does not copy over Windows security info.
This is addressed by the following PRs:
containerd/continuity#188
#6274
With the above change, if the container image is created on Windows, the security information of the file is preserved when a container is created.
Note: Images generated on Linux using buildx will not have the proper security info set if a Windows image builder helper (https://github.com/kubernetes/kubernetes/blob/master/test/images/windows/README.md) is not used.
Show configuration if it is related to CRI plugin.
No response
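As an added example, not part of this issue and not code from containerd or containerd/continuity, the following PowerShell gives a host-side check for the symptom described above (who actually owns the file that landed on the host side of the volume, and which SIDs are allowed to write to it) together with a sketch of what a security-preserving copy has to carry over, namely the owner and the explicit DACL entries, which is the information the copyFileInfo path was not copying. The host path under `-Path`, the function names, and the use of ContainerUser's SID as the expected owner are assumptions for illustration; the SID itself is the one quoted in the report.

```powershell
# Added example, not part of the containerd issue or of containerd/continuity.
# Assumptions: run on the Windows host after the container has been created;
# -Path points at the host directory backing VOLUME "C:/test_dir" (placeholder
# path below); the expected owner is the ContainerUser SID from the report.
$ErrorActionPreference = 'Stop'

function Get-FileSecuritySummary {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for raw SIDs rather than translated account names: container SIDs
    # (S-1-5-93-*) have no name on the host, and translation would throw.
    $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    $aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        ForEach-Object {
            [pscustomobject]@{
                Sid       = $_.IdentityReference.Value
                Rights    = $_.FileSystemRights
                Type      = $_.AccessControlType
                Inherited = $_.IsInherited
            }
        }
    [pscustomobject]@{ Path = $Path; OwnerSid = $ownerSid; Aces = @($aces) }
}

function Test-VolumeFileOwner {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedOwnerSid = 'S-1-5-93-2-2'   # ContainerUser, per the report
    )
    $summary = Get-FileSecuritySummary -Path $Path
    $writable = $summary.Aces | Where-Object {
        $_.Type -eq 'Allow' -and
        (($_.Rights -band [System.Security.AccessControl.FileSystemRights]::WriteData) -ne 0)
    }
    [pscustomobject]@{
        Path            = $Path
        OwnerSid        = $summary.OwnerSid
        OwnerAsExpected = ($summary.OwnerSid -eq $ExpectedOwnerSid)
        # If this list holds only the containerd service account / Administrators,
        # a non-admin USER inside the container cannot write to its own volume.
        WriteAllowedTo  = @($writable | ForEach-Object { $_.Sid })
    }
}

function Copy-FileSecurityInfo {
    # What a security-preserving file copy must carry besides the bytes:
    # the owner SID and the explicit (non-inherited) DACL entries.
    # Caveat: assigning an arbitrary owner needs SeRestorePrivilege, so this
    # must run elevated; the same constraint applies to any runtime doing it.
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    $src = Get-Acl -LiteralPath $Source
    $dst = Get-Acl -LiteralPath $Destination
    $dst.SetOwner($src.GetOwner([System.Security.Principal.SecurityIdentifier]))
    # Mirror the source's inheritance-protection flag, drop the destination's
    # own explicit ACEs, then add the source's explicit ACEs. Inherited ACEs
    # come from the destination's parent and are deliberately not copied.
    $dst.SetAccessRuleProtection($src.AreAccessRulesProtected, $false)
    foreach ($rule in $dst.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        [void]$dst.RemoveAccessRule($rule)
    }
    foreach ($rule in $src.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        $dst.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Destination -AclObject $dst
    Get-FileSecuritySummary -Path $Destination
}

# Usage (placeholder host path backing the volume):
# Test-VolumeFileOwner -Path 'C:\path\to\host\test_dir\test_file' | Format-List
# Copy-FileSecurityInfo -Source 'C:\image\layer\test_dir\test_file' -Destination 'C:\path\to\host\test_dir\test_file'
```

On an affected runtime, Test-VolumeFileOwner reports OwnerAsExpected as False with the owner being the account containerd.exe runs as, and WriteAllowedTo without the container user's SID; after the fix referenced above, with a Windows-built image, the owner should come back as S-1-5-93-2-2. The translated-name trap is worth keeping in mind when checking by hand too: Get-Acl's default Owner string will fail or show a bare SID for container accounts, so always compare SIDs.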