Problematic use of EvalSymlinks on Windows
#2648
Assignees
Comments
ericwj
added a commit
to ericwj/cli
that referenced
this issue
Jul 23, 2020
ericwj
added a commit
to ericwj/cli
that referenced
this issue
Jul 23, 2020
Signed-off-by: Eric Jonker <ericnl@live.com>
Open
ericwj
added a commit
to ericwj/cli
that referenced
this issue
Jul 23, 2020
Signed-off-by: Eric <ericwj@users.noreply.github.com>
Open
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Docker is using go's
path/filepath.EvalSymlinksby default and remembers resolved symlink paths instead of the original path provided through the CLI by the user.On Windows, this is a severe problem which can lead to data loss, bypassing security and simply fails on current versions of go in all but the most trivial system configurations. See /golang/go/issues/40180 and the list of errors created by testing this API.
The most important use of
EvalSymlinksis through the use of the API's listed below - I have only searched through /docker/cli, there may be other uses of eitherEvalSymlinksdirectory or indirectly in this repo or others:The comment in
ResolveAndValidateContextPathreads:There is not one good reason for this on Windows. The whole code section can simply be deleted and nothing will start failing - on the contrary, a long list of issues and potential issues will be fixed.
The more difficult issue to fix is that, also on Linux, the configured path is replaced by the path returned by
EvalSymlinks, which is a bad practice. Docker should not preempt operational administrative actions from having effects by remembering only the resolved path, forgetting where it was configured to run from, or by caching the result ofEvalSymlinksfor any length of time.For Users: How to use
Dockertoday, avoiding problems withEvalSymlinksThe very best thing to do is to give Docker only paths on volumes that are rooted at a drive letter, such as
C:\orQ:\. Obviously this severely drastically limits where Docker can run and gives no options to (re)configure the storage system if the need arises.isUNCis linked above, not quite for being correct at all, but it checks that paths do not start with\\- wrongfully conluding it must be a UNC path of the form\\server\share.But any (absolute) path on Windows can be written to start with
\\, hence it is possible to at least have Docker avoid the use ofEvalSymlinksby changing the path given to the docker cli to include\\:\\?\C:\ContextDir\\?\Volume{00000000-0000-0000-0000-000000000000}\ContextDir\\?\UNC\server\share\ContextDirNote that this might or might not introduce other issues with go's very poorly ported
path/filepathon Windows which is full of problems very much like the ones hinted at byisUnc.Also, this does not fix issues with Docker when Docker is invoked by other tools such as Visual Studio that aren't so easy to configure to use any
\\prefix consistently - and shouldn't have to be.For more information see File path formats on Windows systems | Microsoft Docs, amongst others. The prefix
\\.\is also described. More technical information will also reveal\??\is sometimes valid.Issues with Docker on Windows suspected to be caused by this issue
These are some of the existing issues with the use of this API - some are at least suspected to be caused by the use of
EvalSymlinksin Docker:There are no issues that indicate any of the additional problems with the use of
EvalSymlinkson Windows. Docker simply does not work unless the path it is given is to a volume that is mounted with a drive letter, unless the path starts with\\:C:\FileServer\Share\BigFolders\Dockerin addition to\\?\Volume{00000000-0000-0000-0000-000000000000}\\\?\UNC\....\\?\UNC\...These situations may be desired by administrators using Docker on storage spaces
VirtualDiskor Hyper-VVHDvirtual disks as well as on systems with more than one physical partition if they use GPT partitioning such as all 64-bit Windows editions.The text was updated successfully, but these errors were encountered: