
Draft: Ensure that build directories on Windows are created with 'full control'

Arran Walker requested to merge ajwalker/fix-windows-nanoserver-build into main

What does this MR do?

On Windows and with the powershell shell, attempts to grant "full control" to the build directories created for the current user.

This should fail gracefully if it cannot be achieved.

Why was this MR needed?

Where it runs successfully, it should prevent permission errors, like those seen with the Docker executor when using nanoserver build images.

Because the nanoserver image uses ContainerUser, rather than ContainerAdministrator, certain permissions need to be granted to use some functions.

For example, in such an image:

echo "hello" > C:/builds/test # works successfully

[System.IO.File]::WriteAllText("C:/builds/test", "hello") # doesn't work, unless you run icacls C:\builds /grant "$($env:USERNAME):F" first to provide full control

Why? 🤷

What's the best way to test this MR?

Create a Windows Docker executor with the following config:

  executor = "docker"
  shell = "pwsh"
  [runners.docker]
    image = "mcr.microsoft.com/powershell:lts-nanoserver-ltsc2022"

Running with this change will work, instead of being greeted with this error:

ParentContainsErrorRecordException: Exception calling "WriteAllText" with "2" argument(s): "Access to the path 'c:\builds\<something>\projects\<something>.tmp\CI_SERVER_TLS_CA_FILE' is denied."

What are the relevant issue numbers?

Edited by Arran Walker
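The grant-and-degrade behaviour described above, as an added sketch that is not the MR's own code: it grants full control to the current user only, never fails the caller, and checks the result with the same .NET call that raised the error. The function name `Grant-BuildDirFullControl`, the probe file name, the example path and the use of the `(OI)(CI)` inheritance flags are assumptions.

```powershell
# Added example, not code from the merge request.
# Grant-BuildDirFullControl is a hypothetical helper name.
function Grant-BuildDirFullControl {
    param([Parameter(Mandatory)] [string] $Path)

    try {
        # Create the directory if it is missing; -Force makes this idempotent.
        New-Item -ItemType Directory -Path $Path -Force -ErrorAction Stop | Out-Null

        # Scope the grant to the current user, not a broad group such as Everyone.
        $user = $env:USERNAME
        if (-not $user) {
            Write-Warning "USERNAME is not set; skipping ACL change on $Path"
            return $false
        }

        # (OI)(CI) lets files and subdirectories created later inherit the grant
        # (assumption: the page's own command uses a plain ":F").
        # /Q suppresses success messages; output is kept for the warning below.
        $output = & icacls.exe $Path /grant "${user}:(OI)(CI)F" /Q 2>&1
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "icacls failed on $Path (exit $LASTEXITCODE): $output"
            return $false
        }

        # Verify with the .NET API that failed in the description above.
        $probe = Join-Path $Path ".acl-probe-$PID.tmp"
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        # Missing icacls.exe, denied ACL change or failed probe: report, do not throw.
        Write-Warning "Could not grant full control on ${Path}: $($_.Exception.Message)"
        return $false
    }
}

# Constructed usage: the job continues whether or not the grant succeeded.
if (-not (Grant-BuildDirFullControl -Path 'C:\builds\example')) {
    Write-Warning 'Continuing without full control; .NET file APIs may fail.'
}
```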
