CreateComputeSystem fails with "Do not attach the filter to the volume at this time." when a WinFsp volume is used as the host path for a mount

[hach-que]

Bug Report

I'm not actually sure if this is actionable on the WinFsp side of things, but since bugs in Windows Containers probably don't have a quick turnaround, I'm hoping there's something that can be done in WinFsp to make this work.

Basically, when you use WinFsp and make a normal mount on the host (just with ntptfs or w/e) with something like this:

ntptfs-x64 -p C:\SomePathOnTheHost -m \\.\C:\SomeTargetPathOnTheHost

And then you try to use C:\SomeTargetPathOnTheHost as the host path for a mount in a container, CreateComputeSystem then fails with "Do not attach the filter to the volume at this time.". I'm pretty sure this is because HCS internally is trying to attach a minifilter or something to the volume, but because it's not a normal block device backed by a VHD/WinSpd/disk controller, it doesn't actually work.

(For context, using a non mount manager mount also fails, but because containerd fails to resolve the junction to a volume name)

How to Reproduce

The steps to reproduce this are unfortunately not trivial, only because you need a way of creating Windows Containers.

First up, get ntptfs running with a simple mapping as shown above.

If you're running Kubernetes on the Windows node, you could create a host mapping like so:

apiVersion: v1
kind: Pod
metadata:
  name: uefs-test-attach
  namespace: default
spec:
  nodeSelector:
    kubernetes.io/hostname: computer-name
  containers:
    - name: uefs-test-attach
      image: mcr.microsoft.com/powershell:lts-7.2-nanoserver-ltsc2022
      stdin: true
      tty: true
      resources: {}
      volumeMounts:
      - name: pkg-vol
        mountPath: "C:\\DoesNotMatter"
  terminationGracePeriodSeconds: 0
  volumes:
    - name: pkg-vol
      hostPath:
        path: "C:\\SomeTargetPathOnTheHost"

An example of the spec sent to CreateComputeSystem is shown in the issue I filed in the Windows Containers repo, in case you want to create the container manually: microsoft/Windows-Containers#335

Behaviors

The container should be created successfully, and ideally HCS's CreateComputeSystem wouldn't try to apply a filter on top of a WinFsp volume. I'm hoping there's some kernel magic WinFsp can do to recognise the attempt at attaching a filter onto a volume it controls, and either pretend like the attachment was successful, or use the attempted attachment to make the volume visible to silos on the system, just so the container can be created.

Environment

• OS version and build: 10.0.22000
• WinFsp version and build: 2023 RC1

[hach-que]

Oh and if it helps, here's all the info from fltmc:

>fltmc

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 4       409800         0
FsDepends                              14       407000         0
WdFilter                               14       328010         0
storqosflt                              0       244000         0
wcifs                                  10       189900         0
CldFlt                                  0       180451         0
FileCrypt                               0       141100         0
luafv                                   1       135000         0
npsvctrig                               4        46000         0
Wof                                    10        40700         0
FileInfo                               14        40500         0

>fltmc instances
Filter                Volume Name                              Altitude        Instance Name       Frame   SprtFtrs  VlStatus
--------------------  -------------------------------------  ------------  ----------------------  -----   --------  --------
FileInfo                                                         40500     FileInfo                  0     0000000f
FileInfo              C:                                         40500     FileInfo                  0     0000000f
FileInfo                                                         40500     FileInfo                  0     0000000f
FileInfo              \Device\Mup                                40500     FileInfo                  0     0000000f
FileInfo              C:\C\30fd2decb8894f802e001a265f799a0a64acbd49b3dbdf487590256f224d13c2      40500     FileInfo                  0     0000000f
FileInfo                                                         40500     FileInfo                  0     0000000f
FileInfo              C:\C\9f7b3c83c750d8c5d833895c5dc1a4de524a896537c8bdbd8d94778403f3c52a      40500     FileInfo                  0     0000000f
FileInfo                                                         40500     FileInfo                  0     0000000f
FileInfo              C:\C\6a22815ddf3482536029b90639caadcc0b7640f113a8609f6f41061a5569f0f8      40500     FileInfo                  0     0000000f
FileInfo                                                         40500     FileInfo                  0     0000000f
FileInfo              C:\C\736119e9a405072af41c8acdad493b0576d1eeee2dab127cc0b98f300a8d3ccb      40500     FileInfo                  0     0000000f
FileInfo              C:\C\27a0a73646ae731c727f83b885786c69df7a18628e7a85fa0e0783f09de60516      40500     FileInfo                  0     0000000f
FileInfo                                                         40500     FileInfo                  0     0000000f
FileInfo                                                         40500     FileInfo                  0     0000000f
FsDepends                                                       407000     FsDepends                 0     0000000f
FsDepends             C:                                        407000     FsDepends                 0     0000000f
FsDepends                                                       407000     FsDepends                 0     0000000f
FsDepends             \Device\Mup                               407000     FsDepends                 0     0000000f
FsDepends             C:\C\30fd2decb8894f802e001a265f799a0a64acbd49b3dbdf487590256f224d13c2     407000     FsDepends                 0     0000000f
FsDepends                                                       407000     FsDepends                 0     0000000f
FsDepends             C:\C\9f7b3c83c750d8c5d833895c5dc1a4de524a896537c8bdbd8d94778403f3c52a     407000     FsDepends                 0     0000000f
FsDepends                                                       407000     FsDepends                 0     0000000f
FsDepends             C:\C\6a22815ddf3482536029b90639caadcc0b7640f113a8609f6f41061a5569f0f8     407000     FsDepends                 0     0000000f
FsDepends                                                       407000     FsDepends                 0     0000000f
FsDepends             C:\C\736119e9a405072af41c8acdad493b0576d1eeee2dab127cc0b98f300a8d3ccb     407000     FsDepends                 0     0000000f
FsDepends             C:\C\27a0a73646ae731c727f83b885786c69df7a18628e7a85fa0e0783f09de60516     407000     FsDepends                 0     0000000f
FsDepends                                                       407000     FsDepends                 0     0000000f
FsDepends                                                       407000     FsDepends                 0     0000000f
WdFilter                                                        328010     WdFilter Instance         0     0000000f
WdFilter              C:                                        328010     WdFilter Instance         0     0000000f
WdFilter                                                        328010     WdFilter Instance         0     0000000f
WdFilter              \Device\Mup                               328010     WdFilter Instance         0     0000000f
WdFilter              C:\C\30fd2decb8894f802e001a265f799a0a64acbd49b3dbdf487590256f224d13c2     328010     WdFilter Instance         0     0000000f
WdFilter                                                        328010     WdFilter Instance         0     0000000f
WdFilter              C:\C\9f7b3c83c750d8c5d833895c5dc1a4de524a896537c8bdbd8d94778403f3c52a     328010     WdFilter Instance         0     0000000f
WdFilter                                                        328010     WdFilter Instance         0     0000000f
WdFilter              C:\C\6a22815ddf3482536029b90639caadcc0b7640f113a8609f6f41061a5569f0f8     328010     WdFilter Instance         0     0000000f
WdFilter                                                        328010     WdFilter Instance         0     0000000f
WdFilter              C:\C\736119e9a405072af41c8acdad493b0576d1eeee2dab127cc0b98f300a8d3ccb     328010     WdFilter Instance         0     0000000f
WdFilter              C:\C\27a0a73646ae731c727f83b885786c69df7a18628e7a85fa0e0783f09de60516     328010     WdFilter Instance         0     0000000f
WdFilter                                                        328010     WdFilter Instance         0     0000000f
WdFilter                                                        328010     WdFilter Instance         0     0000000f
Wof                   C:                                         40700     Wof Instance              0     0000000f
Wof                                                              40700     Wof Instance              0     0000000f
Wof                   C:\C\30fd2decb8894f802e001a265f799a0a64acbd49b3dbdf487590256f224d13c2      40700     Wof Instance              0     0000000f
Wof                                                              40700     Wof Instance              0     0000000f
Wof                   C:\C\9f7b3c83c750d8c5d833895c5dc1a4de524a896537c8bdbd8d94778403f3c52a      40700     Wof Instance              0     0000000f
Wof                                                              40700     Wof Instance              0     0000000f
Wof                   C:\C\6a22815ddf3482536029b90639caadcc0b7640f113a8609f6f41061a5569f0f8      40700     Wof Instance              0     0000000f
Wof                                                              40700     Wof Instance              0     0000000f
Wof                   C:\C\736119e9a405072af41c8acdad493b0576d1eeee2dab127cc0b98f300a8d3ccb      40700     Wof Instance              0     0000000f
Wof                   C:\C\27a0a73646ae731c727f83b885786c69df7a18628e7a85fa0e0783f09de60516      40700     Wof Instance              0     0000000f
bindflt               C:                                        409800     bindflt Instance          0     0000000f
bindflt                                                         409800     bindflt Instance          0     0000000f
bindflt                                                         409800     bindflt Instance          0     0000000f
bindflt                                                         409800     bindflt Instance          0     0000000f
luafv                 C:                                        135000     luafv                     0     0000000f
npsvctrig             \Device\NamedPipe                          46000     npsvctrig                 0     00000008
npsvctrig             \Device\NamedPipe                          46000     npsvctrig                 0     00000008
npsvctrig             \Device\NamedPipe                          46000     npsvctrig                 0     00000008
npsvctrig             \Device\NamedPipe                          46000     npsvctrig                 0     00000008
wcifs                 C:                                        189900     wcifs Instance            0     0000000f
wcifs                 C:                                        189899     wcifs Outer Instance      0     0000000f
wcifs                 C:\C\30fd2decb8894f802e001a265f799a0a64acbd49b3dbdf487590256f224d13c2     189900     wcifs Instance            0     0000000f
wcifs                                                           189900     wcifs Instance            0     0000000f
wcifs                 C:\C\9f7b3c83c750d8c5d833895c5dc1a4de524a896537c8bdbd8d94778403f3c52a     189900     wcifs Instance            0     0000000f
wcifs                                                           189900     wcifs Instance            0     0000000f
wcifs                 C:\C\6a22815ddf3482536029b90639caadcc0b7640f113a8609f6f41061a5569f0f8     189900     wcifs Instance            0     0000000f
wcifs                                                           189900     wcifs Instance            0     0000000f
wcifs                 C:\C\736119e9a405072af41c8acdad493b0576d1eeee2dab127cc0b98f300a8d3ccb     189900     wcifs Instance            0     0000000f
wcifs                 C:\C\27a0a73646ae731c727f83b885786c69df7a18628e7a85fa0e0783f09de60516     189900     wcifs Instance            0     0000000f

>fltmc volumes
Dos Name                        Volume Name                              FileSystem   Status
------------------------------  ---------------------------------------  ----------  --------
                                \Device\Mup                              Remote
C:                              \Device\HarddiskVolume3                  NTFS
                                \Device\NamedPipe                        NamedPipe
                                \Device\Mailslot                         Mailslot
                                \Device\HarddiskVolume1                  FAT
                                \Device\HarddiskVolume4                  NTFS
C:\C\30fd2decb8894f802e001a265f799a0a64acbd49b3dbdf487590256f224d13c2  \Device\VhdHardDisk{00b16ab9-201f-4df9-a39c-d4128e3b4c86}  NTFS
C:\C\6a22815ddf3482536029b90639caadcc0b7640f113a8609f6f41061a5569f0f8  \Device\VhdHardDisk{71a525cb-2492-431a-97af-b2a9af134ef1}  NTFS
C:\C\9f7b3c83c750d8c5d833895c5dc1a4de524a896537c8bdbd8d94778403f3c52a  \Device\VhdHardDisk{34aff154-70e7-42de-8b19-a3949098d91e}  NTFS
C:\C\27a0a73646ae731c727f83b885786c69df7a18628e7a85fa0e0783f09de60516  \Device\VhdHardDisk{ba2fa6bb-d678-4e9c-a026-848ddb4974bf}  NTFS
C:\C\736119e9a405072af41c8acdad493b0576d1eeee2dab127cc0b98f300a8d3ccb  \Device\VhdHardDisk{8fd4f577-d6d5-44c6-bac4-b014613aa1f6}  NTFS
                                \Device\Volume{0939ccca-c421-11ed-95fe-bdbd612441df}  <Unknown>
                                \Device\VhdHardDisk{2cf06716-5f05-49e4-9ab4-e82f88b3f7e6}  NTFS
                                \Device\NamedPipe                        NamedPipe
                                \Device\Mailslot                         Mailslot
                                \Device\VhdHardDisk{70f509d0-ab1e-4a79-9710-8cc7a820c08c}  NTFS
                                \Device\NamedPipe                        NamedPipe
                                \Device\Mailslot                         Mailslot
                                \Device\VhdHardDisk{76a53f7d-b3d1-4660-834b-17cd2277f59a}  NTFS
                                \Device\NamedPipe                        NamedPipe
                                \Device\Mailslot                         Mailslot
                                \Device\Volume{0939ce37-c421-11ed-95fe-e94a44135ca8}  <Unknown>

The NTPTFS mount is definitely that last entry there, with a status of <Unknown>:

>dir C:\Users\Build\Documents\ntptfs
 Volume in drive C has no label.
 Volume Serial Number is E46A-415F

 Directory of C:\Users\Build\Documents\ntptfs

16/03/2023  12:05 PM    <DIR>          .
16/03/2023  11:52 AM    <DIR>          ..
16/03/2023  12:05 PM    <JUNCTION>     mount [\Device\Volume{0939ce37-c421-11ed-95fe-e94a44135ca8}\]
16/03/2023  11:54 AM           716,800 ntptfs-x64.exe
16/03/2023  11:54 AM         7,491,584 ntptfs-x64.pdb
16/03/2023  11:52 AM    <DIR>          test
               2 File(s)      8,208,384 bytes
               4 Dir(s)  1,527,413,960,704 bytes free

[hach-que]

Interestingly enough, using a UNC path kind of works more in the sense that the container can be created, but accessing the mounted path fails with Access Denied:

.\ntptfs-x64.exe -u \foo\bar -p C:\Users\Build\Documents\ntptfs\test -m Y:

apiVersion: v1
kind: Pod
metadata:
  name: uefs-test-attach
  namespace: default
spec:
  nodeSelector:
    kubernetes.io/hostname: computer-name
  containers:
    - name: uefs-test-attach
      image: mcr.microsoft.com/powershell:lts-7.2-nanoserver-ltsc2022
      stdin: true
      tty: true
      resources: {}
      volumeMounts:
      - name: pkg-vol
        mountPath: "C:\\DoesNotMatter"
  terminationGracePeriodSeconds: 0
  volumes:
    - name: pkg-vol
      hostPath:
        path: "\\\\foo\\bar"

PS C:\> dir C:\DoesNotMatter
Get-ChildItem: Access to the path 'C:\DoesNotMatter' is denied.

UNC paths are also less than ideal due to the requirement that they be associated with a drive letter (and we might want more than 24-ish mounts if there's a non-trivial number of containers running on the host).

[hach-que]

Thinking about this more, I think a viable solution might look something like this:

• WinFsp DLL provides a function to get the current silo ID for the current process. Internally it would probably call PeGetCurrentSilo and return ContainerId from _EJOB. A process running inside the container could call this function to get the current container ID and then e.g. send it over a named pipe to a program running on the host.
• The program running on the host could then provide this ContainerId to the mount operation, and this would have the effect of mounting into a container from the host. It looks like what would need to change is FspSiloGetGlobals so that if such a container ID is passed to FspVolumeCreate it gets the globals based on the container ID instead of the current silo.

While this wouldn't directly fix the issue of not being able to mount at container creation time, it would provide a viable pathway to using WinFsp inside containers where the filesystem needs to be served from a process on the host (without incurring the performance penalty of sending all file I/O operations over loopback or a named pipe).

[hach-que]

Oh hmm, perhaps there's a better way of getting the behaviour closer to what is expected of the volume mounting API:

• The WinFSP DLL provides some sort of "delay mount" flag. Kubernetes or w/e volume provider is in play will be sending a request to the daemon like "please mount at path X".
• Instead of doing a normal mount of the WinFsp filesystem into the path X on the host, the daemon does the mount with the delay mount flag and some extra info which tells WinFsp that it should expect a silo to be created with a bind mount mapping of X -> Y.
• When WinFsp sees the silo created, it then creates the mount targeting the silo (replacing or hiding the empty bind mount that was necessary due to HCS semantics), and applications inside the container can use the mount as expected.

[billziss-gh]

Apologies, but I have not had time to look into this as I am very busy with my new hypervisor project VirtualMetal. I am now coming close to an initial release on that other project, and I will be able to catch up here soon.

[hach-que]

@billziss-gh Just wanted to check in and see how far off your VirtualMetal work is to being finished so this can be looked at, since that will guide me on whether or not it's worth attempting to implement a patch for this myself.

[billziss-gh]

@hach-que I am not sure. The VirtualMetal hypervisor is now able to boot and debug minimal Linux+Busybox, which is probably good enough for an initial release. However this is just a small part of the capabilities I want it to have so I keep hacking at it.

I have not even had the time to understand the problem you are having. Have you found a sensible patch or work around?

[hach-que]

I haven't even started looking at what a patch would look like other than the general design I came up with in #498 (comment). I'd have to learn how all the WinFsp kernel bits fit together and get a debugging VM set up.

I figured if this was something you were going to get a chance to look at within a few weeks you'd probably be able to solve it much much faster than I could learn the kernel code and write a patch, but if the ETA is still unknown it's probably worth it for me to start figure out what a patch would look like.