|
@@ -30,7 +30,6 @@ import (
|
|
|
"github.com/docker/docker/pkg/ioutils"
|
|
"github.com/docker/docker/pkg/ioutils"
|
|
|
"github.com/docker/docker/pkg/longpath"
|
|
"github.com/docker/docker/pkg/longpath"
|
|
|
"github.com/docker/docker/pkg/reexec"
|
|
"github.com/docker/docker/pkg/reexec"
|
|
|
- "github.com/docker/docker/pkg/system"
|
|
|
|
|
"github.com/docker/go-units"
|
|
"github.com/docker/go-units"
|
|
|
"github.com/vbatts/tar-split/tar/storage"
|
|
"github.com/vbatts/tar-split/tar/storage"
|
|
|
)
|
|
)
|
|
@@ -68,10 +67,6 @@ type Driver struct {
|
|
|
cache map[string]string
|
|
cache map[string]string
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
-func isTP5OrOlder() bool {
|
|
|
|
|
- return system.GetOSVersion().Build <= 14300
|
|
|
|
|
-}
|
|
|
|
|
-
|
|
|
|
|
// InitFilter returns a new Windows storage filter driver.
|
|
// InitFilter returns a new Windows storage filter driver.
|
|
|
func InitFilter(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (graphdriver.Driver, error) {
|
|
func InitFilter(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (graphdriver.Driver, error) {
|
|
|
logrus.Debugf("WindowsGraphDriver InitFilter at %s", home)
|
|
logrus.Debugf("WindowsGraphDriver InitFilter at %s", home)
|
|
@@ -200,29 +195,6 @@ func (d *Driver) create(id, parent, mountLabel string, readOnly bool, storageOpt
|
|
|
parentPath = layerChain[0]
|
|
parentPath = layerChain[0]
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- if isTP5OrOlder() {
|
|
|
|
|
- // Pre-create the layer directory, providing an ACL to give the Hyper-V Virtual Machines
|
|
|
|
|
- // group access. This is necessary to ensure that Hyper-V containers can access the
|
|
|
|
|
- // virtual machine data. This is not necessary post-TP5.
|
|
|
|
|
- path, err := syscall.UTF16FromString(filepath.Join(d.info.HomeDir, id))
|
|
|
|
|
- if err != nil {
|
|
|
|
|
- return err
|
|
|
|
|
- }
|
|
|
|
|
- // Give system and administrators full control, and VMs read, write, and execute.
|
|
|
|
|
- // Mark these ACEs as inherited.
|
|
|
|
|
- sd, err := winio.SddlToSecurityDescriptor("D:(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;FRFWFX;;;S-1-5-83-0)")
|
|
|
|
|
- if err != nil {
|
|
|
|
|
- return err
|
|
|
|
|
- }
|
|
|
|
|
- err = syscall.CreateDirectory(&path[0], &syscall.SecurityAttributes{
|
|
|
|
|
- Length: uint32(unsafe.Sizeof(syscall.SecurityAttributes{})),
|
|
|
|
|
- SecurityDescriptor: uintptr(unsafe.Pointer(&sd[0])),
|
|
|
|
|
- })
|
|
|
|
|
- if err != nil {
|
|
|
|
|
- return err
|
|
|
|
|
- }
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
if err := hcsshim.CreateSandboxLayer(d.info, id, parentPath, layerChain); err != nil {
|
|
if err := hcsshim.CreateSandboxLayer(d.info, id, parentPath, layerChain); err != nil {
|
|
|
return err
|
|
return err
|
|
|
}
|
|
}
|
|
@@ -596,23 +568,6 @@ func writeLayerFromTar(r archive.Reader, w hcsshim.LayerWriter) (int64, error) {
|
|
|
}
|
|
}
|
|
|
buf.Reset(w)
|
|
buf.Reset(w)
|
|
|
|
|
|
|
|
- // Add the Hyper-V Virtual Machine group ACE to the security descriptor
|
|
|
|
|
- // for TP5 so that Xenons can access all files. This is not necessary
|
|
|
|
|
- // for post-TP5 builds.
|
|
|
|
|
- if isTP5OrOlder() {
|
|
|
|
|
- if sddl, ok := hdr.Winheaders["sd"]; ok {
|
|
|
|
|
- var ace string
|
|
|
|
|
- if hdr.Typeflag == tar.TypeDir {
|
|
|
|
|
- ace = "(A;OICI;0x1200a9;;;S-1-5-83-0)"
|
|
|
|
|
- } else {
|
|
|
|
|
- ace = "(A;;0x1200a9;;;S-1-5-83-0)"
|
|
|
|
|
- }
|
|
|
|
|
- if hdr.Winheaders["sd"], ok = addAceToSddlDacl(sddl, ace); !ok {
|
|
|
|
|
- logrus.Debugf("failed to add VM ACE to %s", sddl)
|
|
|
|
|
- }
|
|
|
|
|
- }
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
hdr, err = backuptar.WriteBackupStreamFromTarFile(buf, t, hdr)
|
|
hdr, err = backuptar.WriteBackupStreamFromTarFile(buf, t, hdr)
|
|
|
ferr := buf.Flush()
|
|
ferr := buf.Flush()
|
|
|
if ferr != nil {
|
|
if ferr != nil {
|
Alexander Morozov