[TW] Adjust Windows 2019 Dockerfiles to infrastructure changes (#165)

* * Add permissions adjustment for Windows 2019 server Dockerfile. & Add permissions adjustment for Windows 2019 minimal agent Dockerfile. * Re-generate Dockerfiles. * Re-generate the rest of the files.
JetBrains · Jul 16, 2024 · 9ba5175 · 9ba5175
1 parent 3f12cfc
commit 9ba5175
Show file tree

Hide file tree

Showing 7 changed files with 101 additions and 5 deletions.
diff --git a/configs/windows/MinimalAgent/nanoserver/NanoServer1809.Dockerfile b/configs/windows/MinimalAgent/nanoserver/NanoServer1809.Dockerfile
@@ -21,11 +21,17 @@
 # Based on ${powershellImage} 3
 FROM ${powershellImage} AS base
 
+# On some agents, Windows 2019 requires administrator permissions to modify "C:/" folder within ...
+# ... PowerShell container.
+USER ContainerAdministrator
+
 COPY scripts/*.cs /scripts/
 SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
 
 # Prepare build agent distribution
+RUN mkdir C:\\BuildAgent
 COPY TeamCity/buildAgent C:/BuildAgent
+
 COPY run-agent.ps1 /BuildAgent/run-agent.ps1
 
 # JDK
@@ -80,6 +86,16 @@ ENV JAVA_HOME="C:\Program Files\Java\OpenJDK" \
 
 COPY --chown=ContainerUser --from=base /BuildAgent /BuildAgent
 
+# Use ContainerAdministrator to update permissions
+USER ContainerAdministrator
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ...
+# ... F - full control, D - delete, /T - apply to subfolders & files
+RUN cmd /c icacls.exe C:\\BuildAgent /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T
+RUN cmd /c icacls.exe C:\\BuildAgent /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T
+# Applied permission check for logging purposes
+RUN cmd /c icacls.exe C:\\BuildAgent\\*
+USER ContainerUser
+
 VOLUME C:/BuildAgent/conf
 VOLUME C:/BuildAgent/work
 VOLUME C:/BuildAgent/temp

diff --git a/configs/windows/Server/nanoserver/NanoServer1809.Dockerfile b/configs/windows/Server/nanoserver/NanoServer1809.Dockerfile
@@ -26,6 +26,10 @@
 # PowerShell
 FROM ${powershellImage} AS base
 
+# On some agents, Windows 2019 requires administrator permissions to modify "C:/" folder within ...
+# ... PowerShell container.
+USER ContainerAdministrator
+
 COPY scripts/*.cs /scripts/
 SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
 
@@ -58,6 +62,8 @@ COPY TeamCity /TeamCity
 RUN New-Item C:/TeamCity/webapps/ROOT/WEB-INF/DistributionType.txt -type file -force -value "docker-windows-$Env:windowsBuild" | Out-Null
 COPY run-server.ps1 /TeamCity/run-server.ps1
 
+USER ContainerUser
+
 # Workaround for https://github.com/PowerShell/PowerShell-Docker/issues/164
 ARG nanoserverImage
 
@@ -108,7 +114,13 @@ VOLUME $TEAMCITY_DATA_PATH \
 
 CMD ["pwsh", "C:/TeamCity/run-server.ps1"]
 
-# In order to set system PATH, ContainerAdministrator must be used
+# Use ContainerAdministrator to update permissions and PATH
 USER ContainerAdministrator
 RUN setx /M PATH "%PATH%;%JAVA_HOME%\bin;C:\Program Files\Git\cmd"
-USER ContainerUser
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ...
+# ... F - full control, D - delete, /T - apply to subfolders & files
+RUN cmd /c icacls.exe C:\\TeamCity /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T
+RUN cmd /c icacls.exe C:\\TeamCity /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T
+# Applied permission check for logging purposes
+RUN cmd /c icacls.exe C:\\TeamCity\\*
+USER ContainerUser
diff --git a/context/generated/windows/MinimalAgent/nanoserver/1809/Dockerfile b/context/generated/windows/MinimalAgent/nanoserver/1809/Dockerfile
@@ -15,11 +15,17 @@ ARG powershellImage='mcr.microsoft.com/powershell:nanoserver-1809'
 
 FROM ${powershellImage} AS base
 
+# On some agents, Windows 2019 requires administrator permissions to modify "C:/" folder within ...
+# ... PowerShell container.
+USER ContainerAdministrator
+
 COPY scripts/*.cs /scripts/
 SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
 
 # Prepare build agent distribution
+RUN mkdir C:\\BuildAgent
 COPY TeamCity/buildAgent C:/BuildAgent
+
 COPY run-agent.ps1 /BuildAgent/run-agent.ps1
 
 # JDK
@@ -73,6 +79,16 @@ ENV JAVA_HOME="C:\Program Files\Java\OpenJDK" \
 
 COPY --chown=ContainerUser --from=base /BuildAgent /BuildAgent
 
+# Use ContainerAdministrator to update permissions
+USER ContainerAdministrator
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ...
+# ... F - full control, D - delete, /T - apply to subfolders & files
+RUN cmd /c icacls.exe C:\\BuildAgent /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T
+RUN cmd /c icacls.exe C:\\BuildAgent /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T
+# Applied permission check for logging purposes
+RUN cmd /c icacls.exe C:\\BuildAgent\\*
+USER ContainerUser
+
 VOLUME C:/BuildAgent/conf
 VOLUME C:/BuildAgent/work
 VOLUME C:/BuildAgent/temp

diff --git a/context/generated/windows/MinimalAgent/nanoserver/1909/Dockerfile b/context/generated/windows/MinimalAgent/nanoserver/1909/Dockerfile
@@ -15,11 +15,17 @@ ARG powershellImage='mcr.microsoft.com/powershell:nanoserver-1909'
 
 FROM ${powershellImage} AS base
 
+# On some agents, Windows 2019 requires administrator permissions to modify "C:/" folder within ...
+# ... PowerShell container.
+USER ContainerAdministrator
+
 COPY scripts/*.cs /scripts/
 SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
 
 # Prepare build agent distribution
+RUN mkdir C:\\BuildAgent
 COPY TeamCity/buildAgent C:/BuildAgent
+
 COPY run-agent.ps1 /BuildAgent/run-agent.ps1
 
 # JDK
@@ -73,6 +79,16 @@ ENV JAVA_HOME="C:\Program Files\Java\OpenJDK" \
 
 COPY --chown=ContainerUser --from=base /BuildAgent /BuildAgent
 
+# Use ContainerAdministrator to update permissions
+USER ContainerAdministrator
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ...
+# ... F - full control, D - delete, /T - apply to subfolders & files
+RUN cmd /c icacls.exe C:\\BuildAgent /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T
+RUN cmd /c icacls.exe C:\\BuildAgent /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T
+# Applied permission check for logging purposes
+RUN cmd /c icacls.exe C:\\BuildAgent\\*
+USER ContainerUser
+
 VOLUME C:/BuildAgent/conf
 VOLUME C:/BuildAgent/work
 VOLUME C:/BuildAgent/temp

diff --git a/context/generated/windows/Server/nanoserver/1809/Dockerfile b/context/generated/windows/Server/nanoserver/1809/Dockerfile
@@ -22,6 +22,10 @@ ARG windowsBuild='1809'
 # PowerShell
 FROM ${powershellImage} AS base
 
+# On some agents, Windows 2019 requires administrator permissions to modify "C:/" folder within ...
+# ... PowerShell container.
+USER ContainerAdministrator
+
 COPY scripts/*.cs /scripts/
 SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
 
@@ -54,6 +58,8 @@ COPY TeamCity /TeamCity
 RUN New-Item C:/TeamCity/webapps/ROOT/WEB-INF/DistributionType.txt -type file -force -value "docker-windows-$Env:windowsBuild" | Out-Null
 COPY run-server.ps1 /TeamCity/run-server.ps1
 
+USER ContainerUser
+
 # Workaround for https://github.com/PowerShell/PowerShell-Docker/issues/164
 ARG nanoserverImage
 
@@ -104,7 +110,13 @@ VOLUME $TEAMCITY_DATA_PATH \
 
 CMD ["pwsh", "C:/TeamCity/run-server.ps1"]
 
-# In order to set system PATH, ContainerAdministrator must be used
+# Use ContainerAdministrator to update permissions and PATH
 USER ContainerAdministrator
 RUN setx /M PATH "%PATH%;%JAVA_HOME%\bin;C:\Program Files\Git\cmd"
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ...
+# ... F - full control, D - delete, /T - apply to subfolders & files
+RUN cmd /c icacls.exe C:\\TeamCity /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T
+RUN cmd /c icacls.exe C:\\TeamCity /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T
+# Applied permission check for logging purposes
+RUN cmd /c icacls.exe C:\\TeamCity\\*
 USER ContainerUser
diff --git a/context/generated/windows/Server/nanoserver/1903/Dockerfile b/context/generated/windows/Server/nanoserver/1903/Dockerfile
@@ -22,6 +22,10 @@ ARG windowsBuild='1903'
 # PowerShell
 FROM ${powershellImage} AS base
 
+# On some agents, Windows 2019 requires administrator permissions to modify "C:/" folder within ...
+# ... PowerShell container.
+USER ContainerAdministrator
+
 COPY scripts/*.cs /scripts/
 SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
 
@@ -54,6 +58,8 @@ COPY TeamCity /TeamCity
 RUN New-Item C:/TeamCity/webapps/ROOT/WEB-INF/DistributionType.txt -type file -force -value "docker-windows-$Env:windowsBuild" | Out-Null
 COPY run-server.ps1 /TeamCity/run-server.ps1
 
+USER ContainerUser
+
 # Workaround for https://github.com/PowerShell/PowerShell-Docker/issues/164
 ARG nanoserverImage
 
@@ -104,7 +110,13 @@ VOLUME $TEAMCITY_DATA_PATH \
 
 CMD ["pwsh", "C:/TeamCity/run-server.ps1"]
 
-# In order to set system PATH, ContainerAdministrator must be used
+# Use ContainerAdministrator to update permissions and PATH
 USER ContainerAdministrator
 RUN setx /M PATH "%PATH%;%JAVA_HOME%\bin;C:\Program Files\Git\cmd"
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ...
+# ... F - full control, D - delete, /T - apply to subfolders & files
+RUN cmd /c icacls.exe C:\\TeamCity /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T
+RUN cmd /c icacls.exe C:\\TeamCity /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T
+# Applied permission check for logging purposes
+RUN cmd /c icacls.exe C:\\TeamCity\\*
 USER ContainerUser
diff --git a/context/generated/windows/Server/nanoserver/1909/Dockerfile b/context/generated/windows/Server/nanoserver/1909/Dockerfile
@@ -22,6 +22,10 @@ ARG windowsBuild='1909'
 # PowerShell
 FROM ${powershellImage} AS base
 
+# On some agents, Windows 2019 requires administrator permissions to modify "C:/" folder within ...
+# ... PowerShell container.
+USER ContainerAdministrator
+
 COPY scripts/*.cs /scripts/
 SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
 
@@ -54,6 +58,8 @@ COPY TeamCity /TeamCity
 RUN New-Item C:/TeamCity/webapps/ROOT/WEB-INF/DistributionType.txt -type file -force -value "docker-windows-$Env:windowsBuild" | Out-Null
 COPY run-server.ps1 /TeamCity/run-server.ps1
 
+USER ContainerUser
+
 # Workaround for https://github.com/PowerShell/PowerShell-Docker/issues/164
 ARG nanoserverImage
 
@@ -104,7 +110,13 @@ VOLUME $TEAMCITY_DATA_PATH \
 
 CMD ["pwsh", "C:/TeamCity/run-server.ps1"]
 
-# In order to set system PATH, ContainerAdministrator must be used
+# Use ContainerAdministrator to update permissions and PATH
 USER ContainerAdministrator
 RUN setx /M PATH "%PATH%;%JAVA_HOME%\bin;C:\Program Files\Git\cmd"
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ...
+# ... F - full control, D - delete, /T - apply to subfolders & files
+RUN cmd /c icacls.exe C:\\TeamCity /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T
+RUN cmd /c icacls.exe C:\\TeamCity /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T
+# Applied permission check for logging purposes
+RUN cmd /c icacls.exe C:\\TeamCity\\*
 USER ContainerUser