Windows: create daemon root with ACL#28274
Conversation
|
SGTM |
cmd/dockerd/daemon.go
Outdated
There was a problem hiding this comment.
This code does not run on Windows, due to the early exit above. Therefore, I think this can be changed back to MkdirAll, and maybe MkdirAllWithACL can be Windows only.
There was a problem hiding this comment.
Fair. Updated in next push (imminent)
pkg/system/filesys_windows.go
Outdated
There was a problem hiding this comment.
Update the comment to reflect that it grants full access to administrators and system.
There was a problem hiding this comment.
Updated in next push (imminent)
Signed-off-by: John Howard <[email protected]>
|
@johnstep Comments addressed. Rebased following minor merge conflict after the merge of the 'plug-ins coming out of experimental' PR just now. |
| opts.common.TrustKey = filepath.Join( | ||
| getDaemonConfDir(), | ||
| cliflags.DefaultTrustKeyFile) | ||
| } |
There was a problem hiding this comment.
It's to ensure the root is created first, before anything else. The current ordering creates other files prior to the daemon root, indirectly creating the root in the process.
There was a problem hiding this comment.
I understand that. Can you point me where in configuration loading we create it so the order of initializing trust key path becomes significant.
There was a problem hiding this comment.
I'd have to debug it again, can't immediately see it. But I know it was the case when creating the commit back at the weekend.
| if err := daemon.CreateDaemonRoot(cli.Config); err != nil { | ||
| return err | ||
| } | ||
|
|
There was a problem hiding this comment.
Same question: can we keep this inside NewDaemon. From go api standpoint it doesn't make sense that this preparation is needed before calling NewDaemon.
There was a problem hiding this comment.
Is it possible to move pidfile/migrateKey instead?
There was a problem hiding this comment.
Actually, not in the current code flow. The startup path for the daemon is kind of strange and all over the place. I have to guarantee that the very first thing done is to create the root before any other file is created.
There was a problem hiding this comment.
I think we can do better but let's leave that to some other PR.
There was a problem hiding this comment.
Yes, agreed. I wanted to be as minimally invasive as possible and just fix the immediate issue.
|
@crosbymichael @tiborvass @cpuguy83 In the hope that this might get in ahead of the code freeze cutoff. Appreciate you're all busy though. Or asleep ;) |
|
LGTM |
|
ping @riyazdf PTAL |
riyazdf
left a comment
riyazdf
left a comment
There was a problem hiding this comment.
code LGTM with nits.
However, I think we should add windows-specific tests around these permissions tests to ensure there are correct and there are no future regressions. This can happen in a follow-up PR.
| } | ||
|
|
||
| // FIXME: why is this down here instead of with the other TrustKey logic above? | ||
| cli.TrustKeyPath = opts.common.TrustKey |
There was a problem hiding this comment.
leaving a breadcrumb since we touched relevant code to this FIXME: especially from the changes in this PR it seems that we can move this to the TrustKey logic above. We can do this in a followup PR.
| func getDaemonConfDir() string { | ||
| return os.Getenv("PROGRAMDATA") + `\docker\config` | ||
| func getDaemonConfDir(root string) string { | ||
| return filepath.Join(root, `\config`) |
There was a problem hiding this comment.
nit: the \ might be redundant for filepath.Join in windows
| config.Root = rootDir | ||
| // Create the root directory if it doesn't exists | ||
| if err := system.MkdirAll(config.Root, 0700); err != nil && !os.IsExist(err) { | ||
| if err := system.MkdirAllWithACL(config.Root, 0); err != nil && !os.IsExist(err) { |
There was a problem hiding this comment.
nit: it might be worth leaving a comment about why 0 is acceptable for Windows since that argument isn't used as permissions
| // and Local System. | ||
| func mkdirWithACL(name string) error { | ||
| sa := syscall.SecurityAttributes{Length: 0} | ||
| sddl := "D:P(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)" |
There was a problem hiding this comment.
nit: might be worth leaving a comment explaining what this expression semantically means
|
@jhowardmsft can you do a follow up to address those nits? I'll move this to "merge" |
|
Yes. |
9 participants
Signed-off-by: John Howard [email protected]
This PR ensures the Windows daemon creates the root with an ACL for Local System and Built-In Administrators. @NathanMcCauley @thaJeztah