Merge pull request #31864 from Microsoft/jjh/failfsopshyperv

Windows: Fail fs ops on running Hyper-V containers gracefully

daemon/archive.go

@@ -34,6 +34,11 @@ func (daemon *Daemon) ContainerCopy(name string, res string) (io.ReadCloser, err
 		res = res[1:]
 	}
 
+	// Make sure an online file-system operation is permitted.
+	if err := daemon.isOnlineFSOperationPermitted(container); err != nil {
+		return nil, err
+	}
+
 	return daemon.containerCopy(container, res)
 }
 
@@ -45,6 +50,11 @@ func (daemon *Daemon) ContainerStatPath(name string, path string) (stat *types.C
 		return nil, err
 	}
 
+	// Make sure an online file-system operation is permitted.
+	if err := daemon.isOnlineFSOperationPermitted(container); err != nil {
+		return nil, err
+	}
+
 	return daemon.containerStatPath(container, path)
 }
 
@@ -57,6 +67,11 @@ func (daemon *Daemon) ContainerArchivePath(name string, path string) (content io
 		return nil, nil, err
 	}
 
+	// Make sure an online file-system operation is permitted.
+	if err := daemon.isOnlineFSOperationPermitted(container); err != nil {
+		return nil, nil, err
+	}
+
 	return daemon.containerArchivePath(container, path)
 }
 
@@ -72,6 +87,11 @@ func (daemon *Daemon) ContainerExtractToDir(name, path string, noOverwriteDirNon
 		return err
 	}
 
+	// Make sure an online file-system operation is permitted.
+	if err := daemon.isOnlineFSOperationPermitted(container); err != nil {
+		return err
+	}
+
 	return daemon.containerExtractToDir(container, path, noOverwriteDirNonDir, content)
 }
 

daemon/archive_unix.go

@@ -56,3 +56,9 @@ func fixPermissions(source, destination string, uid, gid int, destExisted bool)
 		return os.Lchown(fullpath, uid, gid)
 	})
 }
+
+// isOnlineFSOperationPermitted returns an error if an online filesystem operation
+// is not permitted.
+func (daemon *Daemon) isOnlineFSOperationPermitted(container *container.Container) error {
+	return nil
+}

daemon/archive_windows.go

@@ -1,6 +1,11 @@
 package daemon
 
-import "github.com/docker/docker/container"
+import (
+	"errors"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/container"
+)
 
 // checkIfPathIsInAVolume checks if the path is in a volume. If it is, it
 // cannot be in a read-only volume. If it  is not in a volume, the container
@@ -16,3 +21,24 @@ func fixPermissions(source, destination string, uid, gid int, destExisted bool)
 	// chown is not supported on Windows
 	return nil
 }
+
+// isOnlineFSOperationPermitted returns an error if an online filesystem operation
+// is not permitted (such as stat or for copying). Running Hyper-V containers
+// cannot have their file-system interrogated from the host as the filter is
+// loaded inside the utility VM, not the host.
+// IMPORTANT: The container lock must NOT be held when calling this function.
+func (daemon *Daemon) isOnlineFSOperationPermitted(container *container.Container) error {
+	if !container.IsRunning() {
+		return nil
+	}
+
+	// Determine isolation. If not specified in the hostconfig, use daemon default.
+	actualIsolation := container.HostConfig.Isolation
+	if containertypes.Isolation.IsDefault(containertypes.Isolation(actualIsolation)) {
+		actualIsolation = daemon.defaultIsolation
+	}
+	if containertypes.Isolation.IsHyperV(actualIsolation) {
+		return errors.New("filesystem operations against a running Hyper-V container are not supported")
+	}
+	return nil
+}