Merge pull request #8254 from gabriel-samfira/fix-access-denied-on-vhdx-mount

Fix access denied on mounted vhdx root
Derek McGowan
2023-05-10 08:39:36 -07:00
committed by GitHub
2 changed files with 17 additions and 2 deletions


@@ -478,7 +478,13 @@ func (s *snapshotter) convertScratchToReadOnlyLayer(ctx context.Context, snapsho
writer.CloseWithError(err)
}()
if _, err := ociwclayer.ImportLayerFromTar(ctx, reader, path, parentLayerPaths); err != nil {
// It seems that in certain situations, like having the containerd root and state on a file system hosted on a
// mounted VHDX, we need SeSecurityPrivilege when opening a file with winio.ACCESS_SYSTEM_SECURITY. This happens
// in the base layer writer in hcsshim when adding a new file.
if err := winio.RunWithPrivileges([]string{winio.SeSecurityPrivilege}, func() error {
_, err := ociwclayer.ImportLayerFromTar(ctx, reader, path, parentLayerPaths)
return err
}); err != nil {
return fmt.Errorf("failed to reimport snapshot: %w", err)
}
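Review bot: The comment above `winio.RunWithPrivileges` describes SeSecurityPrivilege as needed only "in certain situations", but the call enables it for every scratch-to-read-only conversion, so the comment should say so and state the requirement that follows. A line such as `// SeSecurityPrivilege is enabled for every import, not just the mounted-VHDX case; the containerd token must hold it or RunWithPrivileges fails before the import runs.` would make the privilege footprint clear to anyone auditing what this service needs. It is also worth stating that the privilege is held only for the duration of the callback, which is how the call reads here. convertScratchToReadOnlyLayer begins and ends outside the hunk.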