Allow non admin containers to write to mounted volumes on Windows containers
Overview
When I have the following config.toml, that mounts a new volume under c:\\test
config.toml
[[runners]]
  name = "windows-docker"
  url = "http://192.168.190.160:3000"
  token = "LnGUusC8WHWzsxdchh_J"
  executor = "docker-windows"
  [runners.docker]
    tls_verify = false
    privileged = false
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["c:\\cache", "c:\\test"]
    pull_policy = "if-not-present"
    shm_size = 0
    helper_image = "gitlab/gitlab-runner-helper:x86_64-4c96e5ad-servercore1809"
I try to list the directory of the mounted volume, for example c:\\test, when using an image that is not running as admin:
.gitlab-ci.yml
job:
  image: steveazz/nonadmin-win
  script:
    - dir C:\\test
  after_script:
    - echo "test"
I get permission denied:
job trace
Running with gitlab-runner 12.9.0 (4c96e5ad)
on windows-docker LnGUusC8
Preparing the "docker-windows" executor
Using Docker executor with image steveazz/nonadmin-win ...
Authenticating with credentials from C:\Users\Administrator/.docker/config.json
Using locally found image version due to if-not-present pull policy
Using docker image sha256:bdc4ebbad3c1c642bdeaaa516c4e0d9690df6494f71ee61951e2546fc7f313a6 for gitlab/gitlab-runner-helper:x86_64-4c96e5ad-servercore1809 ...
Authenticating with credentials from C:\Users\Administrator/.docker/config.json
Authenticating with credentials from C:\Users\Administrator/.docker/config.json
Using locally found image version due to if-not-present pull policy
Using docker image sha256:52925dc1b265efac26bf6788d50d6369f8cfc4441737458c874ee027226592dd for steveazz/nonadmin-win ...
Preparing environment
Authenticating with credentials from C:\Users\Administrator/.docker/config.json
Authenticating with credentials from C:\Users\Administrator/.docker/config.json
Running on RUNNER-LNGUUSC8 via vagrant-2019...
Getting source from Git repository
Authenticating with credentials from C:\Users\Administrator/.docker/config.json
Authenticating with credentials from C:\Users\Administrator/.docker/config.json
Fetching changes with git depth set to 50...
Reinitialized existing Git repository in c:/builds/root/playground/.git/
From http://192.168.190.160:3000/root/playground
* [new ref] refs/pipelines/420 -> refs/pipelines/420
a985f5d..3b4fb64 nonroot-windows -> origin/nonroot-windows
Checking out 3b4fb646 as nonroot-windows...
git-lfs/2.7.1 (GitHub; windows amd64; go 1.11.5; git 6b7fb6e3)
Skipping Git submodules setup
Restoring cache
Authenticating with credentials from C:\Users\Administrator/.docker/config.json
Authenticating with credentials from C:\Users\Administrator/.docker/config.json
Downloading artifacts
Authenticating with credentials from C:\Users\Administrator/.docker/config.json
Authenticating with credentials from C:\Users\Administrator/.docker/config.json
Running before_script and script
Authenticating with credentials from C:\Users\Administrator/.docker/config.json
$ dir C:\\test
dir : Access to the path 'C:\test' is denied.
At line:1 char:1
+ dir C:\\test
+ ~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\test:String) [Get-ChildIte
m], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.
Commands.GetChildItemCommand
Running after_script
Running after script...
$ echo "test"
test
Uploading artifacts for failed job
Authenticating with credentials from C:\Users\Administrator/.docker/config.json
Authenticating with credentials from C:\Users\Administrator/.docker/config.json
ERROR: Job failed: exit code 1
Edited by Darren Eastman
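A diagnostic script for the failure shown in the job trace above, added here as an example; it is not part of the original issue or of GitLab Runner. It reports which account the job runs as and whether that account can read the ACL of, list, and write to the mounted path. The function name Test-MountAccess and the probe file name are hypothetical; C:\test is the volume from the config.toml above.

```powershell
# Added diagnostic example; Test-MountAccess is a hypothetical helper name.
function Test-MountAccess {
    param([Parameter(Mandatory)][string]$Path)

    # Identify the account the job script runs as inside the container.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    $result = [ordered]@{
        User       = $identity.Name
        IsAdmin    = $principal.IsInRole($adminRole)
        Path       = $Path
        CanReadAcl = $false
        CanList    = $false
        CanWrite   = $false
        Acl        = @()
    }

    # Reading the ACL can itself be denied, so treat it as a separate check.
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
        $result.CanReadAcl = $true
        $result.Acl = @($acl.Access | ForEach-Object {
            '{0}: {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
        })
    } catch { }

    # Same operation as the failing `dir` in the job script.
    try {
        Get-ChildItem -LiteralPath $Path -ErrorAction Stop | Out-Null
        $result.CanList = $true
    } catch { }

    # Write check: create and remove a uniquely named probe file.
    $probe = Join-Path $Path ('.mount-probe-{0}.tmp' -f [guid]::NewGuid().ToString('N'))
    try {
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
        $result.CanWrite = $true
        Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
    } catch { }

    [pscustomobject]$result
}

$report = Test-MountAccess -Path 'C:\test'
$report | Format-List
if (-not ($report.CanList -and $report.CanWrite)) { exit 1 }
```

Running the same script in an image that runs as an administrator gives a baseline to compare the non-admin report against.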