fix(WCOW): fix file access failure for multistage builds #5289
And fix the CI build failures.
Can add an explanation in the commit body and PR description that this failure is only observed on the Windows Client SKUs (e.g. Windows 11), but works okay on server, e.g. WS2022. I, however, came across a similar failure in WS2022 too, but in a different scenario; I'll need to check my notes and send it to you.
as per the comments above.
WIP: working on a way to avoid lots of code duplication
I could have been mistaken, not found it. Found this that I had noted as a repro, but ran it on WS2022 and runs ok. Can just count-check on Win11 with your fix:

```dockerfile
FROM mcr.microsoft.com/windows/nanoserver:ltsc2022 as base
USER ContainerAdministrator
RUN echo aa> /foo
WORKDIR /bar
FROM base as base1
COPY hello.txt .
FROM base as base2
COPY --from=base1 /bar/hello.txt .
RUN exit 0
FROM mcr.microsoft.com/windows/nanoserver:ltsc2022
COPY --from=base2 /foo /f
```
Just that minor nitpick, all else LGTM.
Fixes: moby#5193 Signed-off-by: Billy Owire <[email protected]>
// elevating the admin privileges to walk special files/directory | ||
// like `System Volume Information`, etc. See similar in #4994 | ||
privileges := []string{winio.SeBackupPrivilege} | ||
return winio.RunWithPrivileges(privileges, func() error { |
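Review bot: The comment above `privileges := []string{winio.SeBackupPrivilege}` says "elevating the admin privileges" but never names the privilege being enabled or states that it stays in effect for everything inside the closure passed to `winio.RunWithPrivileges`. SeBackupPrivilege lets reads bypass file ACLs, so suggest naming it in the comment, keeping only the walk itself inside the `func() error` body, and noting which entries (the comment mentions `System Volume Information`) are expected to need it, so a later change does not widen what runs with the privilege enabled.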
I believe there was a list of paths which should be excluded if I remember correctly. A number of metadata files, some of which (if not all) are listed here:
I opened an issue for that some time back, #5011. I noticed that that list keeps growing, and maintaining a whitelist is going to be a chase game. However, we can rethink it.
@gabriel-samfira Can we proceed with this as is and handle the whitelisting part in the other open issue? This is currently blocking some integration tests for WCOW.
Apologies for the delay. I completely missed your replies.
@profnandaa The best source of truth for that list of files is probably the server team at MSFT (you should be able to ping them). We need to mirror what they say we should exclude. But we do need to exclude those files. In some cases we can't walk them (and we shouldn't) even with elevated privileges.
Well noted, will follow up. Thanks!
fix (WCOW) file access failure for multistage builds
Fixes: #5193
The failure occurs on Windows Client SKUs (e.g., Windows 11) but generally works on server SKUs like WS2022, although similar failures can also occur on WS2022 in some cases.