containerd trips over Dockerfile instruction VOLUME for Windows container image

[mloskot]

Description

This bug report is an extract with my findings during the discussion with @TBBle in #6589 (comment) which I'm copying/describing below:

I build a Windows container image based on mcr.microsoft.com/windows/servercore:ltsc2022 using Dockerfile which contains the following directive:

# Document volume mount points typically mounted from Azure file shares.
VOLUME ["D:", "Z:"]

which causes trouble to containerd failing it with error like this:

Error: failed to create containerd container: rootpath on
  mountPath C:\Windows\TEMP\ctd-volume3950197485\377,
  volume Z:: CreateFile C:\Windows\TEMP\ctd-volume3950197485\377\Z::
The filename, directory name, or volume label syntax is incorrect.

As far as I am (and @TBBle too) reading the docs correctly, my usage there looks valid. It also does not cause any trouble to Docker Desktop.

Steps to reproduce the issue

1. Create Dockerfile for a custom image based on mcr.microsoft.com/windows/servercore:ltsc2022

2. To Dockerfile add VOLUME ["D:", "Z:"] or perhaps even VOLUME ["D:"] is enough, I haven't tested that one.

3. Build the image e.g. myimage and push to remote registry

4. Deploy pod based on myimage to Azure Kubernetes Service (AKS) with. For example:

   ---
   apiVersion: apps/v1
   kind: Deployment
   metadata:
     labels:
       app: test-bug6589-pv-on-d
     name: test-bug6589-pv-on-d
   spec:
     replicas: 1
     selector:
       matchLabels:
         app: test-bug6589-pv-on-d
     template:
       metadata:
         labels:
           app: test-bug6589-pv-on-d
         name: test-bug6589-pv-on-d
       spec:
         nodeSelector:
           kubernetes.io/os: windows
         containers:
           - name: ctr-bug6589-pv-on-d
             image: mycr.azurecr.io/myimage:latest
             command:
             - "powershell.exe"
             - "-Command"
             - "while (1) { Write-Host $(Get-Date -Format u); Add-Content -Encoding Ascii D:\\data.txt $(Get-Date -Format u); sleep 5 }"
             volumeMounts:
               - name: pv-on-d
                 mountPath: "D:"
         volumes:
           - name: pv-on-d
             persistentVolumeClaim:
               claimName: test-bug6589-pv-on-d-pvc
   ---
   kind: PersistentVolumeClaim
   apiVersion: v1
   metadata:
     name: test-bug6589-pv-on-d-pvc
   spec:
     accessModes:
       - ReadWriteMany
     resources:
       requests:
         storage: 2Gi
     storageClassName: azurefile-csi

Describe the results you received and expected

The results I received were errors in the detailed AKS events for (failed) deployment of my pod:

Error: failed to create containerd container: rootpath on mountPath C:\Windows\TEMP\ctd-volume3950197485\377, volume Z:: CreateFile C:\Windows\TEMP\ctd-volume3950197485\377\Z:: The filename, directory name, or volume label syntax is incorrect.
Error: failed to create containerd container: rootpath on mountPath C:\Windows\TEMP\ctd-volume427796215\376, volume D:: CreateFile C:\Windows\TEMP\ctd-volume427796215\376\D:: The filename, directory name, or volume label syntax is incorrect.
Error: failed to create containerd container: rootpath on mountPath C:\Windows\TEMP\ctd-volume2161075262\375, volume Z:: CreateFile C:\Windows\TEMP\ctd-volume2161075262\375\Z:: The filename, directory name, or volume label syntax is incorrect.
Error: failed to create containerd container: rootpath on mountPath C:\Windows\TEMP\ctd-volume554088254\374, volume Z:: CreateFile C:\Windows\TEMP\ctd-volume554088254\374\Z:: The filename, directory name, or volume label syntax is incorrect.

The expected result was to get the pod up and running.

For example, if I replace my custom image with vanilla like below, then my pod is deployed and volume successfully mounted as D: drive:

---
# File pod-mount-pv-on-d.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: test-bug6589-pv-on-d
  name: test-bug6589-pv-on-d
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-bug6589-pv-on-d
  template:
    metadata:
      labels:
        app: test-bug6589-pv-on-d
      name: test-bug6589-pv-on-d
    spec:
      nodeSelector:
        kubernetes.io/os: windows
      containers:
        - name: ctr-bug6589-pv-on-d
          image: mcr.microsoft.com/windows/servercore:ltsc2022
          command:
          - "powershell.exe"
          - "-Command"
          - "while (1) { Write-Host $(Get-Date -Format u); Add-Content -Encoding Ascii D:\\data.txt $(Get-Date -Format u); sleep 5 }"
          volumeMounts:
            - name: pv-on-d
              mountPath: "D:"
      volumes:
        - name: pv-on-d
          persistentVolumeClaim:
            claimName: test-bug6589-pv-on-d-pvc
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: test-bug6589-pv-on-d-pvc
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 2Gi
  storageClassName: azurefile-csi

What version of containerd are you using?

1.6.14

Any other relevant information

AKS with Kubernetes 1.25.5 with containerd and Windows Server 2022 node

There is very relevant comment posted by @TBBle here #6589 (comment) as follow-up to mine linked earlier.

Show configuration if it is related to CRI plugin.

No response

[dcantah]

Yea somethings screwy here.. I can take a look unless someone gets to it sooner. cc @kevpar

[TBBle]

Copying over my comment from #6589:

---

Interesting. That might be a separate containerd bug to file then, as by my reading of the docs your usage there looks valid.

Tracking down the error message, rootpath on mountPath C:\Windows\TEMP\ctd-volume3950197485\377, volume Z: is coming from thie code block, and I'm pretty sure that the bug lives here. fs.rootPath is going to try to return C:\Windows\TEMP\ctd-volume3950197485\377 + \ + Z:, but that's not a valid path on Windows. The error we're seeing is part of fs.rootPath's symlink-protection checks trying to open that file, but otherwise it would have failed with stat volume in rootfs when that code block tried to check if the target existed in order to copy stuff from the relevant path in the rootfs into the new volume mount, in case no mount request for this path was provided in the container-launch data.

I suspect this code block should simply skip drive-letter volumes other than C:, since I don't believe (but could be wrong) that you can store non-C: volumes in a WCOW container image; the image filesystem (rootfs here) is assumed to be mounted at C:, other drive letters are runtime-only. (I also suspect that VOLUME ["D:", "Z:"] also won't guarantee those drive letters exist, as they would for non-drive-letter paths, but I haven't checked that, don't know if Docker does the same thing, and that would be a different bug (or feature request...) either way. #5671 went more into this area.)

I suspect the repro commands from #5671 or similar, but with a trivial Dockerfile with a VOLUME ["D:", "Z:"] line (which doesn't apply to Linux) would reproduce this issue with only containerd and crictl, if it helps, since that avoids the need for k8s in the repro.

To be clear, that was mostly guess-work based on looking at just this block of code, and it's possible I'm misreading it. We'll see what happens in the relevant bug-report discussion.

[TBBle]

Thinking about that block of code, it occurs to me that it's probably sub-optimal to be doing the "copy from an image" work if something is going to be mounted over the top anyway. However, I don't think at this point in the code we can know whether or not that's going to happen. Late Edit: On looking higher, the list passed in has already had CRI-mounts used to filter it, so it's only called for VOLUME-named points that aren't being mounted to. (End edit)

I also just realised my suggested "simply skip" fix is possibly wrong, in that I now read the expectation of VOLUME ["D:"] as that it ensures D: exists, and it is a host-mounted volume, if nothing is mounted to that mount-point, e.g., it's read-write scratch space even if the rootfs is mounted read-only. See also #5671 (comment). So merely skipping the drive letter volumes would be a silent issue for users using it that way (until they try to store something there), where right now they get a noisy failure during container startup. Late Edit: Again, looking higher, this code is not responsible for creating the host-side mount backing directory, just for populating it. Which of course we can't do for D:..Z:.

So I think we should still create an appropriate directory (which means fixing the generated path to include the drive letter in some form) and just skip the copyExistingContents call for non-C: volumes. Late Edit: The above points were wrong, so this conclusion is wrong too.

[TBBle]

I just realised #8043 touches the exact block of code relevant to this issue. It won't materially affect the problem (it's removing a no-longer-needed Windows code-path as the Windows snapshotter becomes compatible with mount.All) but just in case someone does decide to poke at this before that lands, consider waiting for that to land to avoid a conflict.

[gabriel-samfira]

Having a stab at this. Hopefully I understood the issue correctly 😄.

There are two things to discuss here:

• How Dockerfile defined VOLUME is treated
• How to accomplish what you need

The VOLUME stanza

To my knowledge, volumes outside of C:\ are not supported on Windows. Docker even has a function which checks if the drive letter is anything other than C:\, erring out if not.

On Windows, when creating a container from an image with the VOLUME stanza, the spec gets inspected and a new volume is created. The new volume is actually a path on the host to a folder. The contents of the folder inside the image which is declared as a VOLUME (if it exists) is copied over to the newly created volume. That volume then gets mounted inside the running container.

When creating containers from such images via the CRI API (which is what k8s does), the root for the created volumes is typically in: C:\ProgramData\containerd\root\io.containerd.grpc.v1.cri\containers\CONTAINER_ID\volumes\VOLUME_ID\_data. When creating containers via nerdctl, the volumes get created in C:\ProgramData\nerdctl\052055e3\volumes\default\VOLUME_ID\_data.

The error you're seeing is due to the fact that containerd doesn't expect a volume outside of C:\, and doesn't think that it contains a drive letter. The check is too simplistic and will have to be fixed.

Making arbitrary paths available in containers

What you're probably trying to do is to make those drive letters available in the running container. In containerd terms, that is normally done using a mount.

You will most likely need to mount a folder from those drive letters, not the drive letter itself. The destination in the container will have to be a folder under C:\. Something like mounting D:\ on C:\drives\d.

To achieve what you need, you can probably use hostPath in your yaml. Something like:

apiVersion: v1
kind: Pod
metadata:
  name: hostpath-volume-pod
spec:
  containers:
  - name: my-hostpath-volume-pod
    image: mycr.azurecr.io/myimage:latest
    volumeMounts:
    - name: foo
      mountPath: "C:\\drives\\D"
  nodeSelector:
    kubernetes.io/os: windows
  volumes:
  - name: foo
    hostPath:
     path: "D:\\myFolder"

Which should mount D:\myFolder from the host on C:\drives\D in the containers. I haven't tested this, but in theory, it should work.

[TBBle]

I think you've got an underlying mistake here. Volumes other than C: are supported in Windows containers as volume mount-points (and hence the VOLUME statement), there's just no (current) way to have any contents for them in an image, so they're only ever volume mount points. (I'm also not sure which code in Docker you're referring to, I guess it's code related to image extraction or creation, not runtime volume mounts)

So VOLUME ["D:"] is valid, and should have all the effects of VOLUME ["C:\somemount"] or VOLUME ["/some/mount"] on Linux (per the docs and skimming relevant moby and containerd-cri code... I didn't check ctr though):

• Creates a mount-point (a directory) at that path at execution time.
  • The docs don't specific execution time for this Implementations seem to be that way though, and neither BuildKit nor legacy Dockerfile builder do anything with VOLUME except update image metadata.
  • In practical terms, neither implementation I looked at does this on Windows or Linux, because it's implicitly done by mounting something there in the next effect.
• At execution time, if nothing is mounted there:
  • Create a temporary volume
  • Prepopulate the volume with what was in the image at that path, if anything.
  • Mount the temporary volume at the named mount-point (in read-write mode).

Because the image cannot container anything outside C:, that last point can never happen with VOLUME ["D:"].

Also, Docker's implementation skips this step for all Windows volume mounts due to what I assume is a HCS v1 limitation, since containerd-cri does implement this on Windows, so the container image described in that last link would probably execute differently in Docker and containerd-cri: Both will create the temporary volume and mount it there, but on Docker it'll be empty.

Okay, I looked, and ctr doesn't appear to handle VOLUME at all, i.e. there's no equivalent I can immediately see for the containerd-cri implementation, so it won't even create the temporary volumes on Windows or Linux.

[gabriel-samfira]

There is confusion in regards to what the VOLUME stanza in a Dockerfile is supposed to do and what a volume means for containerd/Docker.

The VOLUME stanza is a way of saying: "I want this folder(s) inside the container to be a folder/volume from the host, mounted at this location(s)". So when we say:

VOLUME ["C:/test", "C:/test2"]

We are actually saying: "please mount a volume at these locations in the container". That stanza does not say "make C:/test from the host, available inside the container". This bit of docs: https://docs.docker.com/engine/reference/commandline/run/#volume is what the hostPath example I gave is supposed to do. It says: "please mount this path from the host, to this destination in the container". It basically creates a mount.Mount{} object with source and destination. The VOLUME stanza does this too, but after it creates a volume in the form of a folder in C:\ProgramData\containerd\root\io.containerd.grpc.v1.cri\containers\CONTAINER_ID\volumes\VOLUME_ID\_data. It then mounts that in C:/test (or whatever is defined in the VOLUME stanza).

I'm also not sure which code in Docker you're referring to, I guess it's code related to image extraction or creation, not runtime volume mounts

The code in moby I'm referring to is this: https://github.com/moby/moby/blob/master/pkg/archive/path_windows.go#L11.

Here is the relevant test for containerd that ensures the contents of a VOLUME is made available in the newly created volume after a container is created: https://github.com/containerd/containerd/blob/main/integration/volume_copy_up_test.go#L39. It uses ghcr.io/containerd/volume-copy-up:2.1 which is defined here: https://github.com/containerd/containerd/blob/main/integration/images/volume-copy-up/Dockerfile_windows#L37.

The VOLUME stanza will never make a D:\ available inside a container. At least not that I am aware of. HCS would need to know how to map a folder from the host, inside a potential D: dos drive inside the container, something I am not sure is possible,

You can mount D:\ from the host inside a container, but not via the VOLUME stanza in a Dockerfile. You can do this via the command line or API by crafting a mount.Mount{}.

[TBBle]

The VOLUME stanza will never make a D:\ available inside a container. At least not that I am aware of. HCS would need to know how to map a folder from the host, inside a potential D: dos drive inside the container, something I am not sure is possible,

This is your underlying oversight. HCS does support this and always has. Your docs-link has an example of it:

Also note that in this bug, the repro case works if you remove the VOLUME command from the Dockerfile, with D: appearing as expected in the container mounted from the requested PVC.

Edit: I just realised, that VOLUME ["D:"] would probably work in this repro-case, because the code that calls this has already had any VOLUME-declared mount-points filtered out if they have a mount requested by CRI.

So the repro case requires that VOLUME refer to a drive-letter that does not have a volume mounted there in the CRI request. So the repro is actually VOLUME ["Z:"] here. ^_^

---

The moby code you linked is used in the archiver, for creating and extracting container images, not at runtime. That's related to what I was saying about it not being possible to populate D: in the image, but you can definitely VOLUME ["D:"] to tell the runtime to populate it (with an empty volume) even if you don't mount a volume there.

(It's very possible that the genesis of VOLUME was that they intended to only allow mounting things at declared mount-points, but I've never seen a claim to that effect, nor any environment that would have made that necessary)

[gabriel-samfira]

This is your underlying oversight. HCS does support this and always has. Your docs-link has an example of it:

My brain is fried. I saw this bit:

Document volume mount points typically mounted from Azure file shares.

VOLUME ["D:", "Z:"]

And (wrongfully) thought that the goal was to mount D: from the host inside containers. Hence the suggestion about the hostPath. My apologies for the noise.

This is indeed a bug in containerd when attempting to populate the volume.

Edit: Ohh my. Quoting code blocks with comments in github is interesting 😄

[gabriel-samfira]

I think this could be fixed without impacting #8043. The code you linked to here: https://github.com/containerd/containerd/blob/main/pkg/cri/opts/container.go#L120-L135 is where populating the volume happens. We need to check for drive letters and strip them. If we're left with nothing afterwords, we just skip trying to populate. It should be a relatively simple fix in this case. At least to address this specific error. Not sure if there are any other issues after that. Lemme give it a shot and see what happens.