LCOW: Add SIDs to layer.vhd at creation
Signed-off-by: John Howard <jhoward@microsoft.com>
Some permissions corrections here. Also needs re-vendor of go-winio.
- Create the layer folder directory as standard, not with SDDL. It will inherit permissions from the data-root correctly.
- Apply the VM Group SID access to layer.vhd
Permissions after this changes
Data root:
```
PS C:\> icacls test
test BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
```
lcow subdirectory under dataroot
```
PS C:\> icacls test\lcow
test\lcow BUILTIN\Administrators:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
```
layer.vhd in a layer folder for LCOW
```
.\test\lcow\c33923d21c9621fea2f990a8778f469ecdbdc57fd9ca682565d1fa86fadd5d95\layer.vhd NT VIRTUAL MACHINE\Virtual Machines:(R)
BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
```
And showing working
```
PS C:\> docker-ci-zap -folder=c:\test
INFO: Zapped successfully
PS C:\> docker run --rm alpine echo hello
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
8e402f1a9c57: Pull complete
Digest: sha256:644fcb1a676b5165371437feaa922943aaf7afcfa8bfee4472f6860aad1ef2a0
Status: Downloaded newer image for alpine:latest
hello
```
This commit is contained in:
John Howard
parent
36d8e29140
commit
b4db78be5a
2 changed files with 22 additions and 7 deletions
|
|
@ -58,6 +58,7 @@ import (
|
|||
"syscall"
|
||||
"time"
|
||||
|
||||
"github.com/Microsoft/go-winio/pkg/security"
|
||||
"github.com/Microsoft/hcsshim"
|
||||
"github.com/Microsoft/hcsshim/ext4/tar2ext4"
|
||||
"github.com/Microsoft/opengcs/client"
|
||||
|
|
@ -67,7 +68,6 @@ import (
|
|||
"github.com/docker/docker/pkg/idtools"
|
||||
"github.com/docker/docker/pkg/ioutils"
|
||||
"github.com/docker/docker/pkg/reexec"
|
||||
"github.com/docker/docker/pkg/system"
|
||||
"github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
|
|
@ -608,10 +608,11 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error {
|
|||
}
|
||||
layerChain = append(layerChain, parentChain...)
|
||||
|
||||
// Make sure layers are created with the correct ACL so that VMs can access them.
|
||||
layerPath := d.dir(id)
|
||||
logrus.Debugf("lcowdriver: create: id %s: creating %s", id, layerPath)
|
||||
if err := system.MkdirAllWithACL(layerPath, 755, system.SddlNtvmAdministratorsLocalSystem); err != nil {
|
||||
// Standard mkdir here, not with SDDL as the dataroot was created with
|
||||
// inheritance to just local system and administrators.
|
||||
if err := os.MkdirAll(layerPath, 0700); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
|
|
@ -868,14 +869,30 @@ func (d *Driver) ApplyDiff(id, parent string, diff io.Reader) (int64, error) {
|
|||
logrus.Warnf("lcowdriver: applydiff: id %s failed %s", id, err)
|
||||
return 0, fmt.Errorf("re-exec error: %v: stderr: %s", err, stderr)
|
||||
}
|
||||
return strconv.ParseInt(stdout.String(), 10, 64)
|
||||
|
||||
size, err := strconv.ParseInt(stdout.String(), 10, 64)
|
||||
if err != nil {
|
||||
logrus.Warnf("lcowdriver: applydiff: id %s failed to parse output %s", id, err)
|
||||
return 0, fmt.Errorf("re-exec error: %v: stdout: %s", err, stdout)
|
||||
}
|
||||
return applySID(id, size, dest)
|
||||
|
||||
}
|
||||
// The inline case
|
||||
size, err := tar2ext4Actual(dest, diff)
|
||||
if err != nil {
|
||||
logrus.Warnf("lcowdriver: applydiff: id %s failed %s", id, err)
|
||||
}
|
||||
return size, err
|
||||
return applySID(id, size, dest)
|
||||
}
|
||||
|
||||
// applySID adds the VM Group SID read-only access.
|
||||
func applySID(id string, size int64, dest string) (int64, error) {
|
||||
if err := security.GrantVmGroupAccess(dest); err != nil {
|
||||
logrus.Warnf("lcowdriver: applySIDs: id %s failed %s", id, err)
|
||||
return 0, err
|
||||
}
|
||||
return size, nil
|
||||
}
|
||||
|
||||
// tar2ext4Reexec is the re-exec entry point for writing a layer from a tar file
|
||||
|
|
|
|||
|
|
@ -18,8 +18,6 @@ import (
|
|||
const (
|
||||
// SddlAdministratorsLocalSystem is local administrators plus NT AUTHORITY\System
|
||||
SddlAdministratorsLocalSystem = "D:P(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)"
|
||||
// SddlNtvmAdministratorsLocalSystem is NT VIRTUAL MACHINE\Virtual Machines plus local administrators plus NT AUTHORITY\System
|
||||
SddlNtvmAdministratorsLocalSystem = "D:P(A;OICI;GA;;;S-1-5-83-0)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)"
|
||||
)
|
||||
|
||||
// MkdirAllWithACL is a wrapper for MkdirAll that creates a directory
|
||||
|
|
|
|||
Loading…
Reference in a new issue