Windows: named pipe mounts

[jstarks]

Current insider builds of Windows have support for mounting individual
named pipe servers from the host to the guest. This allows, for example,
exposing the docker engine's named pipe to a container.

This change allows the user to request such a mount via the normal bind
mount syntax in the CLI:

docker run -v \\.\pipe\docker_engine:\\.\pipe\docker_engine <args>

[jstarks]

@jhowardmsft PTAL. One thing I didn't add was a version check; if you do this on an older Windows version it will silently ignore the pipe list. If you can suggest a proper version check, I can add one.

[lowenna]

Constant?

[lowenna]

Could add a continue after this line, then can remove the else below and out-dent it.

[jstarks]

Is that good go style? I thought since this was an either-or and not a special case + skip situation, the indentation was better.

[lowenna]

That's fair

[lowenna]

For a version check, you could use system.GetOSVersion() and fail the attempt if build < ~16230. Here might be a good spot and check mps.Length > 0

[jstarks]

I picked an older build number since the platform support has been available in insider builds for a little while.

[lowenna]

@johnstep FYI

[lowenna]

LGTM

[lowenna]

If you mark this 'TODO @jhowardmsft:...', I'll have a better chance of remembering 😊

[jstarks]

I think at RTM we just need to search the code base for GetOSVersion and reevaluate all the checks, like we did at Server 2016 release.

[AkihiroSuda]

if mnt.ReadOnly { errExtraField("ReadOnly") }?

[AkihiroSuda]

• Please add integration test? (But probably Skip() on current windows CI?)
• No support for swarm-mode? (can be another PR?)

[AkihiroSuda]

ping @jstarks

[johnstep]

LGTM

[johnstep]

@jstarks, it looks good but will you address the feedback from @AkihiroSuda when you have a chance?

[jstarks]

I've pushed a new change that adds an integration test (only runs against RS3) and adds the read-only check, as requested by @AkihiroSuda. Thanks for the suggestions!

Swarm will have to be a separate PR.

[AkihiroSuda]

Is -> GreaterThan?

[jstarks]

How about AtLeast?

[AkihiroSuda]

IIUC, this requires newer CLI binary? (new test should be an API test)

[jstarks]

I don't think this requires a CLI binary change since the bind mount parsing happens on the server side. When I ran this test locally I used an existing CLI.

Regardless, I didn't realize that new tests were at the API level, but I can change+move this if necessary.

[AkihiroSuda]

Yes, please convert the test to API test?
https://forums.mobyproject.org/t/evolution-of-testing-moby/38

[jstarks]

I don't see any existing API tests that launch a container using the API. They all use the CLI... E.g. TestGetContainersAttachWebsocket. Are there any samples I'm missing?

[AkihiroSuda]

TestContainersAPICreateMountsTmpfs is one of API tests that is similar to your workload

moby/integration-cli/docker_api_containers_test.go

Line 1895 in 9d87e6e

func (s *DockerSuite) TestContainersAPICreateMountsTmpfs(c *check.C) {

[jstarks]

Ah, thanks! Updated. By going through the API directly I was able to find a bug, which is now fixed. I also added some unit tests in volume.

[simonferquel]

Hmm, should'nt we honor the skipAbsolutePathCheck option ?

[jstarks]

This option is obsolete. I removed it.

[simonferquel]

I think we should do a 2 pass regex parsing because if source is a pipe, dest should be a pipe as well
Is this case tested somewhere btw ? (making sure c:\windows:\.\pipe\docker_engine and \.\pipe\docker_engine:c:\data are invalid)

[simonferquel]

Also with LCOW, how would we do named pipe bindings ? would it be mounted as a domain socket ? (would be awesome to be able to do \.pipe\docker_engine:/var/run/docker.sock mapping)

[jstarks]

Named pipe semantics aren't quite the same as Unix socket semantics, unfortunately (e.g. for Docker's named pipe transport we simulate shutdown() by sending a zero-byte write). Given that, we're not going to support this kind of mapping at the platform level. However, we could add a relay mechanism to Docker to support this specific case with the semantics Docker expects.

I'm also thinking about whether we can add AF_UNIX support to Windows directly... then we could change Docker to bind to a Unix socket in Windows by default (as well as the named pipe, for compatibility reasons), and bind mounting this would be more natural and perhaps supportable in the platform. But that wouldn't be for LCOW v1.

[jstarks]

Regarding two-pass regex, the second pass validation I've just now added to validateMountConfig so that it occurs even if you pass pre-parsed mounts via the API instead of via the raw (-v) field.

[simonferquel]

Agreed, the validateMountConfig is a better place to validate that.

@dhiltgen looks like the named pipe / unix socket mapping we were counting on to make linux flavored ucp controller run on windows won't be so easy then... We'll still have to rely on tcp/tls to connect to the daemon

[friism]

@simonferquel well right now the UCP agent is a windows container, and that can have the daemon pipe mounted in as a pipe.

[simonferquel]

add failing cases for \.\pipe\foo:c:\data and c:\windows:\.\pipe\foo

[jstarks]

Good idea. Done.

[lowenna]

Just realized, HCSShim should probably be v0.5.28 rather than .26 (latest pre-Sirupsen), or v0.6.1 if #34272 gets merged first (which is imminent).

[lowenna]

34272 is merged and HCSShim v0.6.1 is currently in moby/moby master. You can just drop that commit now, and all should be good.

[simonferquel]

LGTM

[jstarks]

Fixed gofmt issue that was blocking janky.

[jstarks]

Re-pushed to resolve merge conflicts

[lowenna]

Moving to merge when green CI

[yongtang]

All Jenkins tests passed. Merging.