From 9ba51753d74c235f2a520d6a2e839518b79207ea Mon Sep 17 00:00:00 2001 From: Andrey Koltsov Date: Tue, 16 Jul 2024 11:00:18 +0200 Subject: [PATCH] [TW] Adjust Windows 2019 Dockerfiles to infrastructure changes (#165) * * Add permissions adjustment for Windows 2019 server Dockerfile. & Add permissions adjustment for Windows 2019 minimal agent Dockerfile. * Re-generate Dockerfiles. * Re-generate the rest of the files. --- .../nanoserver/NanoServer1809.Dockerfile | 16 ++++++++++++++++ .../Server/nanoserver/NanoServer1809.Dockerfile | 16 ++++++++++++++-- .../MinimalAgent/nanoserver/1809/Dockerfile | 16 ++++++++++++++++ .../MinimalAgent/nanoserver/1909/Dockerfile | 16 ++++++++++++++++ .../windows/Server/nanoserver/1809/Dockerfile | 14 +++++++++++++- .../windows/Server/nanoserver/1903/Dockerfile | 14 +++++++++++++- .../windows/Server/nanoserver/1909/Dockerfile | 14 +++++++++++++- 7 files changed, 101 insertions(+), 5 deletions(-) diff --git a/configs/windows/MinimalAgent/nanoserver/NanoServer1809.Dockerfile b/configs/windows/MinimalAgent/nanoserver/NanoServer1809.Dockerfile index ee02cedad..4aa90757c 100644 --- a/configs/windows/MinimalAgent/nanoserver/NanoServer1809.Dockerfile +++ b/configs/windows/MinimalAgent/nanoserver/NanoServer1809.Dockerfile @@ -21,11 +21,17 @@ # Based on ${powershellImage} 3 FROM ${powershellImage} AS base +# On some agents, Windows 2019 requires administrator permissions to modify "C:/" folder within ... +# ... PowerShell container. +USER ContainerAdministrator + COPY scripts/*.cs /scripts/ SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] # Prepare build agent distribution +RUN mkdir C:\\BuildAgent COPY TeamCity/buildAgent C:/BuildAgent + COPY run-agent.ps1 /BuildAgent/run-agent.ps1 # JDK 
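Review bot: The `base` stage in this hunk switches to `USER ContainerAdministrator` and does not switch back within the visible lines, whereas the Server template in the same commit adds `USER ContainerUser` after its last COPY in that stage. Because `base` is only consumed through `COPY --from=base`, the final image is probably unaffected, but keeping the two templates symmetric makes it harder for a later edit to leave a stage running as administrator. The new `RUN mkdir C:\\BuildAgent` also has no comment explaining why the directory must exist before the COPY. Something like `# Pre-create the target as administrator; COPY alone fails on some Windows 2019 builders` would record it, if that is indeed the reason. The stage continues past the end of the hunk.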
@@ -80,6 +86,16 @@ ENV JAVA_HOME="C:\Program Files\Java\OpenJDK" \ COPY --chown=ContainerUser --from=base /BuildAgent /BuildAgent +# Use ContainerAdministrator to update permissions +USER ContainerAdministrator +# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ... +# ... F - full control, D - delete, /T - apply to subfolders & files +RUN cmd /c icacls.exe C:\\BuildAgent /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T +RUN cmd /c icacls.exe C:\\BuildAgent /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T +# Applied permission check for logging purposes +RUN cmd /c icacls.exe C:\\BuildAgent\\* +USER ContainerUser + VOLUME C:/BuildAgent/conf VOLUME C:/BuildAgent/work VOLUME C:/BuildAgent/temp diff --git a/configs/windows/Server/nanoserver/NanoServer1809.Dockerfile b/configs/windows/Server/nanoserver/NanoServer1809.Dockerfile index 8e894acbf..f85c7ce18 100644 --- a/configs/windows/Server/nanoserver/NanoServer1809.Dockerfile +++ b/configs/windows/Server/nanoserver/NanoServer1809.Dockerfile @@ -26,6 +26,10 @@ # PowerShell FROM ${powershellImage} AS base +# On some agents, Windows 2019 requires administrator permissions to modify "C:/" folder within ... +# ... PowerShell container. +USER ContainerAdministrator + COPY scripts/*.cs /scripts/ SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] @@ -58,6 +62,8 @@ COPY TeamCity /TeamCity RUN New-Item C:/TeamCity/webapps/ROOT/WEB-INF/DistributionType.txt -type file -force -value "docker-windows-$Env:windowsBuild" | Out-Null COPY run-server.ps1 /TeamCity/run-server.ps1 +USER ContainerUser + # Workaround for https://github.com/PowerShell/PowerShell-Docker/issues/164 ARG nanoserverImage 
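Review bot: In the `@@ -80,6 +86,16 @@` hunk of the MinimalAgent template, each icacls line passes two `/grant:r` options for the same account, and `:r` replaces that account's earlier explicit grant, so the trailing `(OI)(CI)D` may overwrite the `(OI)(CI)F` before it rather than add to it. F already includes delete, so the second grant can be dropped: `RUN cmd /c icacls.exe C:\\BuildAgent /grant:r DefaultAccount:(OI)(CI)F /T`. The second line gives the built-in `Users` group full control over the whole agent tree, which is wider than the `ContainerUser` ownership the preceding `COPY --chown` already sets; if the builder problem only concerns ContainerUser, consider `M` (modify) or limiting the grant to the directories the agent writes. The listing step prints only on an uncached build, so its output should be checked once to confirm which rights were applied. The same pattern is repeated for `C:\\TeamCity` in the Server template's `@@ -108,7 +114,13 @@` hunk and in the generated Dockerfiles.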
@@ -108,7 +114,13 @@ VOLUME $TEAMCITY_DATA_PATH \ CMD ["pwsh", "C:/TeamCity/run-server.ps1"] -# In order to set system PATH, ContainerAdministrator must be used +# Use ContainerAdministrator to update permissions and PATH USER ContainerAdministrator RUN setx /M PATH "%PATH%;%JAVA_HOME%\bin;C:\Program Files\Git\cmd" -USER ContainerUser \ No newline at end of file +# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ... +# ... F - full control, D - delete, /T - apply to subfolders & files +RUN cmd /c icacls.exe C:\\TeamCity /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T +RUN cmd /c icacls.exe C:\\TeamCity /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T +# Applied permission check for logging purposes +RUN cmd /c icacls.exe C:\\TeamCity\\* +USER ContainerUser diff --git a/context/generated/windows/MinimalAgent/nanoserver/1809/Dockerfile b/context/generated/windows/MinimalAgent/nanoserver/1809/Dockerfile index 00d8f5caf..cfa0a4a0d 100644 --- a/context/generated/windows/MinimalAgent/nanoserver/1809/Dockerfile +++ b/context/generated/windows/MinimalAgent/nanoserver/1809/Dockerfile @@ -15,11 +15,17 @@ ARG powershellImage='mcr.microsoft.com/powershell:nanoserver-1809' FROM ${powershellImage} AS base +# On some agents, Windows 2019 requires administrator permissions to modify "C:/" folder within ... +# ... PowerShell container. +USER ContainerAdministrator + COPY scripts/*.cs /scripts/ SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] # Prepare build agent distribution +RUN mkdir C:\\BuildAgent COPY TeamCity/buildAgent C:/BuildAgent + COPY run-agent.ps1 /BuildAgent/run-agent.ps1 # JDK 
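Review bot: In the Server template's `@@ -108,7 +114,13 @@` hunk, the icacls grants on `C:\\TeamCity` run after the `VOLUME $TEAMCITY_DATA_PATH \ …` instruction visible in the hunk header, and the classic builder discards build-step changes to a path once it has been declared a volume. The rest of the VOLUME list is outside the hunk; if any of those paths sit under `C:\TeamCity`, the ACL change may not reach them, and volumes mounted at run time bring their own ACLs in any case. Moving the `USER ContainerAdministrator` … `USER ContainerUser` block above the VOLUME instruction, as the MinimalAgent template does, would avoid the question. A comment such as `# ACLs below do not apply to paths declared in VOLUME above` would help if the order has to stay.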
@@ -73,6 +79,16 @@ ENV JAVA_HOME="C:\Program Files\Java\OpenJDK" \ COPY --chown=ContainerUser --from=base /BuildAgent /BuildAgent +# Use ContainerAdministrator to update permissions +USER ContainerAdministrator +# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ... +# ... F - full control, D - delete, /T - apply to subfolders & files +RUN cmd /c icacls.exe C:\\BuildAgent /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T +RUN cmd /c icacls.exe C:\\BuildAgent /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T +# Applied permission check for logging purposes +RUN cmd /c icacls.exe C:\\BuildAgent\\* +USER ContainerUser + VOLUME C:/BuildAgent/conf VOLUME C:/BuildAgent/work VOLUME C:/BuildAgent/temp diff --git a/context/generated/windows/MinimalAgent/nanoserver/1909/Dockerfile b/context/generated/windows/MinimalAgent/nanoserver/1909/Dockerfile index ac3caa45e..1726cba82 100644 --- a/context/generated/windows/MinimalAgent/nanoserver/1909/Dockerfile +++ b/context/generated/windows/MinimalAgent/nanoserver/1909/Dockerfile @@ -15,11 +15,17 @@ ARG powershellImage='mcr.microsoft.com/powershell:nanoserver-1909' FROM ${powershellImage} AS base +# On some agents, Windows 2019 requires administrator permissions to modify "C:/" folder within ... +# ... PowerShell container. +USER ContainerAdministrator + COPY scripts/*.cs /scripts/ SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] # Prepare build agent distribution +RUN mkdir C:\\BuildAgent COPY TeamCity/buildAgent C:/BuildAgent + COPY run-agent.ps1 /BuildAgent/run-agent.ps1 # JDK 
@@ -73,6 +79,16 @@ ENV JAVA_HOME="C:\Program Files\Java\OpenJDK" \ COPY --chown=ContainerUser --from=base /BuildAgent /BuildAgent +# Use ContainerAdministrator to update permissions +USER ContainerAdministrator +# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ... +# ... F - full control, D - delete, /T - apply to subfolders & files +RUN cmd /c icacls.exe C:\\BuildAgent /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T +RUN cmd /c icacls.exe C:\\BuildAgent /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T +# Applied permission check for logging purposes +RUN cmd /c icacls.exe C:\\BuildAgent\\* +USER ContainerUser + VOLUME C:/BuildAgent/conf VOLUME C:/BuildAgent/work VOLUME C:/BuildAgent/temp diff --git a/context/generated/windows/Server/nanoserver/1809/Dockerfile b/context/generated/windows/Server/nanoserver/1809/Dockerfile index 61673ba16..d7228d6c5 100644 --- a/context/generated/windows/Server/nanoserver/1809/Dockerfile +++ b/context/generated/windows/Server/nanoserver/1809/Dockerfile @@ -22,6 +22,10 @@ ARG windowsBuild='1809' # PowerShell FROM ${powershellImage} AS base +# On some agents, Windows 2019 requires administrator permissions to modify "C:/" folder within ... +# ... PowerShell container. +USER ContainerAdministrator + COPY scripts/*.cs /scripts/ SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] @@ -54,6 +58,8 @@ COPY TeamCity /TeamCity RUN New-Item C:/TeamCity/webapps/ROOT/WEB-INF/DistributionType.txt -type file -force -value "docker-windows-$Env:windowsBuild" | Out-Null COPY run-server.ps1 /TeamCity/run-server.ps1 +USER ContainerUser + # Workaround for https://github.com/PowerShell/PowerShell-Docker/issues/164 ARG nanoserverImage 
@@ -104,7 +110,13 @@ VOLUME $TEAMCITY_DATA_PATH \ CMD ["pwsh", "C:/TeamCity/run-server.ps1"] -# In order to set system PATH, ContainerAdministrator must be used +# Use ContainerAdministrator to update permissions and PATH USER ContainerAdministrator RUN setx /M PATH "%PATH%;%JAVA_HOME%\bin;C:\Program Files\Git\cmd" +# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ... +# ... F - full control, D - delete, /T - apply to subfolders & files +RUN cmd /c icacls.exe C:\\TeamCity /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T +RUN cmd /c icacls.exe C:\\TeamCity /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T +# Applied permission check for logging purposes +RUN cmd /c icacls.exe C:\\TeamCity\\* USER ContainerUser diff --git a/context/generated/windows/Server/nanoserver/1903/Dockerfile b/context/generated/windows/Server/nanoserver/1903/Dockerfile index 3faa4ea42..5c21d99fa 100644 --- a/context/generated/windows/Server/nanoserver/1903/Dockerfile +++ b/context/generated/windows/Server/nanoserver/1903/Dockerfile @@ -22,6 +22,10 @@ ARG windowsBuild='1903' # PowerShell FROM ${powershellImage} AS base +# On some agents, Windows 2019 requires administrator permissions to modify "C:/" folder within ... +# ... PowerShell container. +USER ContainerAdministrator + COPY scripts/*.cs /scripts/ SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] @@ -54,6 +58,8 @@ COPY TeamCity /TeamCity RUN New-Item C:/TeamCity/webapps/ROOT/WEB-INF/DistributionType.txt -type file -force -value "docker-windows-$Env:windowsBuild" | Out-Null COPY run-server.ps1 /TeamCity/run-server.ps1 +USER ContainerUser + # Workaround for https://github.com/PowerShell/PowerShell-Docker/issues/164 ARG nanoserverImage 
@@ -104,7 +110,13 @@ VOLUME $TEAMCITY_DATA_PATH \ CMD ["pwsh", "C:/TeamCity/run-server.ps1"] -# In order to set system PATH, ContainerAdministrator must be used +# Use ContainerAdministrator to update permissions and PATH USER ContainerAdministrator RUN setx /M PATH "%PATH%;%JAVA_HOME%\bin;C:\Program Files\Git\cmd" +# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ... +# ... F - full control, D - delete, /T - apply to subfolders & files +RUN cmd /c icacls.exe C:\\TeamCity /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T +RUN cmd /c icacls.exe C:\\TeamCity /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T +# Applied permission check for logging purposes +RUN cmd /c icacls.exe C:\\TeamCity\\* USER ContainerUser diff --git a/context/generated/windows/Server/nanoserver/1909/Dockerfile b/context/generated/windows/Server/nanoserver/1909/Dockerfile index 55c18cc97..ec54c435e 100644 --- a/context/generated/windows/Server/nanoserver/1909/Dockerfile +++ b/context/generated/windows/Server/nanoserver/1909/Dockerfile @@ -22,6 +22,10 @@ ARG windowsBuild='1909' # PowerShell FROM ${powershellImage} AS base +# On some agents, Windows 2019 requires administrator permissions to modify "C:/" folder within ... +# ... PowerShell container. +USER ContainerAdministrator + COPY scripts/*.cs /scripts/ SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] @@ -54,6 +58,8 @@ COPY TeamCity /TeamCity RUN New-Item C:/TeamCity/webapps/ROOT/WEB-INF/DistributionType.txt -type file -force -value "docker-windows-$Env:windowsBuild" | Out-Null COPY run-server.ps1 /TeamCity/run-server.ps1 +USER ContainerUser + # Workaround for https://github.com/PowerShell/PowerShell-Docker/issues/164 ARG nanoserverImage 
@@ -104,7 +110,13 @@ VOLUME $TEAMCITY_DATA_PATH \ CMD ["pwsh", "C:/TeamCity/run-server.ps1"] -# In order to set system PATH, ContainerAdministrator must be used +# Use ContainerAdministrator to update permissions and PATH USER ContainerAdministrator RUN setx /M PATH "%PATH%;%JAVA_HOME%\bin;C:\Program Files\Git\cmd" +# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ... +# ... F - full control, D - delete, /T - apply to subfolders & files +RUN cmd /c icacls.exe C:\\TeamCity /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T +RUN cmd /c icacls.exe C:\\TeamCity /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T +# Applied permission check for logging purposes +RUN cmd /c icacls.exe C:\\TeamCity\\* USER ContainerUser