-
Notifications
You must be signed in to change notification settings - Fork 64
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ProjFS API does not work in Windows container #268
Comments
This also doesn't work with |
I've updated the source code repository for the console application using ProjFS so that Microsoft folks can try to reproduce this. If you clone the repository and then in the root of the repository run:
It will build the app and the container image and then try to run it. The source code is currently targeting |
Just out of curiosity, have you tried the Server image? https://mcr.microsoft.com/en-us/product/windows/server/about |
I have tried the server image (see above re: ltsc2022). It gives the same error. Unfortunately I'm on Windows 11 build 22000, so I don't believe there's any process isolation compatible images (at the very least the Windows 20H2 image doesn't work that way). Here's a Dr. Memory trace of all the syscalls: drmemorytrace.txt. I couldn't really parse out which syscall in particular is causing the failure, but maybe it will be more useful to Microsoft folks who can view the implementation of the ProjectedFSLib DLL. |
Alright, sorry I missed the note on the server image. I saw that and my mind read servercore. |
Same issue with process isolation on 2022 image:
|
I also get the 0x80070002 HRESULT (file not found) when testing the ProjFS example project that Microsoft provides: https://github.com/Microsoft/Windows-classic-samples/tree/main/Samples/ProjectedFileSystem. That is when built in Release mode inside Again, works totally fine on the host. |
Here's the syscall trace for drmemorytrace 2022 hyperv.txt |
I suspect this syscall is the one that's failing. Inside the container, trying to create Container:
Host:
This is also the last syscall the process makes in the container before the syscalls start to substantially diverge. I couldn't find much information on |
Of note, NTSTATUS 0xc0000034 is I've tried mapping it with |
This is likely the cause, though I haven't figured out how to get the driver to load yet:
|
Hmm, what's weird is that
|
Some further testing with trying to manually load If you try to manually create the service inside the container and start it, you get error
If you try to create the service in the Dockerfile:
and then check it's status after the container starts, you get error
It's just super weird that the original |
So this applies for process-isolation containers, but after further experimentation with implementing a Docker volume plugin (i.e. running ProjFS on the host, with the intention that the host runs ProjFS and then the container sees the mounted volume), I've discovered that containers seem to bypass the ProjFS layer on the host and they only see the hydrated state. They don't trigger the callbacks in ProjFS. This means that if you use ProjFS and map it to a Docker container, you can't see any subdirectories or read any files. But if you open the mapped folder on the host in e.g. explorer.exe or open the files inside the projected area in something like Notepad, then the container will be able to see the files as it will see them in their hydrated state. This is likely to be a bug in either the Windows Kernel, the filesystem filter drivers, ProjFS or all of the above. This means that we can't even bind mount directories from the host to workaround ProjFS not being available in the container. @vrapolinario ProjFS is critical to our workloads for performance reasons. Unreal Engine consists of over 250,000 individual small files, which neither NTFS nor the Docker image commit and extraction processes handle well. It can take hours to create a container image and then extract it on other machines. By using ProjFS we could significantly reduce the time expended on this, since any given container will only need to access a small subset of the 250,000 files. |
Thanks for all the details. I'll have to hand it over to someone else. @fady-azmy-msft can you please check on this? |
This issue has been open for 30 days with no updates. |
1 similar comment
This issue has been open for 30 days with no updates. |
Apologies for the late reply, I overlooked this issue. I've reached out to an internal team to look at this and created an internal ticket (#41474371) to track this. |
Hey @hach-que , I heard back from the team. ProjFS currently isn't supported in Windows containers, but this is something we'll consider for the future. |
@fady-azmy-msft Can this please be re-opened? I've been trying to use WinFsp as an alternative, but as this uses minifilters it runs into the same problem. I believe it is because the HCS CreateComputeSystem is trying to incorrectly apply a minifilter to a volume that isn't actually a block storage device. Without this being fixed, it's impossible to attach any volume in Windows that is not just backed by a block storage device (i.e. presumably VHD and cloud block storage work because they attach as disk controllers). This bug prevents a whole class of Kubernetes/CSI volume drivers that are useful for applications running in Windows containers. |
Actually, I just realised that this issue and my current issue are slightly different (I'm not trying to mount the filesystem from within the container; it is a volume on the host that CreateComputeSystem refuses to work with), so I will open a new issue. |
I'm trying to run a console application that uses the Win32 ProjFS API to project into the filesystem. However, the application is getting a 0x80070002 HRESULT (File Not Found) from the
PrjStartVirtualizing
function, which isn't a documented return code. The same console app works on the host.The Dockerfile for my container does install the required optional component with:
and it reports it as "no restart required". But nevertheless the API fails which makes me suspect something is missing in the Docker images. I've confirmed this is an issue with the following images, even though they should definitely support this API (it's been supported since 1809).
mcr.microsoft.com/windows:20H2-KB5014699-amd64
mcr.microsoft.com/windows:20H2
This is when running in Hyper-V isolation mode (which should mean the containers have their own kernel). Any ideas?
The text was updated successfully, but these errors were encountered: