mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

Add security privilege needed to write layers when windows VHDX used as docker data root

Signed-off-by: Adam Williams <awilliams@mirantis.com>
Adam Williams 2021-04-29 10:41:19 -07:00
parent bd61fdc65d
commit 489f57b877


@ -832,13 +832,13 @@ func writeLayerReexec() {
// writeLayer writes a layer from a tar file. // writeLayer writes a layer from a tar file.
func writeLayer(layerData io.Reader, home string, id string, parentLayerPaths ...string) (size int64, retErr error) { func writeLayer(layerData io.Reader, home string, id string, parentLayerPaths ...string) (size int64, retErr error) {
err := winio.EnableProcessPrivileges([]string{winio.SeBackupPrivilege, winio.SeRestorePrivilege}) err := winio.EnableProcessPrivileges([]string{winio.SeSecurityPrivilege, winio.SeBackupPrivilege, winio.SeRestorePrivilege})
if err != nil { if err != nil {
return 0, err return 0, err
} }
if noreexec { if noreexec {
defer func() { defer func() {
if err := winio.DisableProcessPrivileges([]string{winio.SeBackupPrivilege, winio.SeRestorePrivilege}); err != nil { if err := winio.DisableProcessPrivileges([]string{winio.SeSecurityPrivilege, winio.SeBackupPrivilege, winio.SeRestorePrivilege}); err != nil {
// This should never happen, but just in case when in debugging mode. // This should never happen, but just in case when in debugging mode.
// See https://github.com/docker/docker/pull/28002#discussion_r86259241 for rationale. // See https://github.com/docker/docker/pull/28002#discussion_r86259241 for rationale.
panic("Failed to disabled process privileges while in non re-exec mode") panic("Failed to disabled process privileges while in non re-exec mode")