0

I have set up containerd on my Windows 11 (Pro, if that matters) machine, and I am attempting to run some Windows formatted containers without administrator privileges. However, I am encountering the following error when trying to load (from a tarball) or run images with nerdctl:

time="2022-09-08T10:29:57-05:00" level=info msg="apply failure, attempting cleanup" error="failed to extract layer sha256:ec3e6a046fddc46b8fd9c814b01539e6798caec7d33f3c43c2eedd476af287e1: Could not enable privileges \"Back up files and directories\", \"Restore files and directories\": unknown" key="extract-27958500-ByGC sha256:ec3e6a046fddc46b8fd9c814b01539e6798caec7d33f3c43c2eedd476af287e1"
time="2022-09-08T10:29:57-05:00" level=fatal msg="failed to extract layer sha256:ec3e6a046fddc46b8fd9c814b01539e6798caec7d33f3c43c2eedd476af287e1: Could not enable privileges \"Back up files and directories\", \"Restore files and directories\": unknown"

I have found that when running containerd with elevated privileges, the image loads and runs perfectly fine. However, running containerd as administrator is not suitable for my purposes.

I have ensured that containerd is running with a root and state that are available to the user (tried on another disk, in a folder on the root of the C: drive, and inside of the user's folder). As previously mentioned, I have also verified that the image does work as expected when containerd is run as administrator, and works in Docker Desktop (where it was built) in Windows Containers mode.

I did notice that the state and root folders created by containerd were marked as read-only, and that the user did not have access to the state folder (which I was alerted to by a warning in the containerd console). However, while the warning from containerd was resolved after fixing the permissions of the root folder and setting both folders to read-write, the issue with loading and running images still persisted.

I am running Windows 11 version 21H2 (build 22000.856), containerd version v1.6.8 (9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6), and nerdctl 0.22.2.

Has anyone encountered this issue? Any pointers would be very much appreciated. Thanks!

2 Answers

0

When applying root filesystem images from a tarball, containerd needs to be able to set file access and ownership correctly – which requires higher-than-normal privileges on both Windows and Linux (where only root can chown something).

Specifically, "Restore files and directories" (SeRestorePrivilege) is the rough Windows equivalent to CAP_CHOWN plus CAP_DAC_OVERRIDE capabilities on Linux – it allows the process to set arbitrary file owners, as well as define ACL entries referencing nonexistent SIDs. The same SeRestorePrivilege also allows the process to create/write/delete files disregarding access rights.

Although technically this doesn't require you to be an administrator exactly (the aforementioned privileges can be granted to any user individually via secpol.msc), having them inherently makes the account almost as privileged as an administrator would be – a user with SeBackupPrivilege can read literally any file on the system regardless of file permissions (in order to make backups, of course), and a user with SeRestorePrivilege can modify any file. (And probably any registry key or other securable object.)

There does not seem to be any option in containerd to disable this.
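To see which accounts on a machine already hold the two rights described in this answer, the following added example (not part of the answer and not containerd code) parses the [Privilege Rights] section of a secedit export and reports grantees other than the default Administrators and Backup Operators groups. The INF text is a constructed sample and the account name ctrsvc is hypothetical.

```powershell
# Real input: secedit /export /cfg rights.inf /areas USER_RIGHTS (elevated prompt).
# The text below is a constructed sample in that format; 'ctrsvc' is hypothetical.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,ctrsvc
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
'@

# Expected holders on a workstation, keyed by well-known SID.
$expected = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-551' = 'BUILTIN\Backup Operators'
}

function Get-UnexpectedGrantee {
    param(
        [string]$InfText,
        [string[]]$Privilege = @('SeBackupPrivilege', 'SeRestorePrivilege'),
        [hashtable]$Expected = @{}
    )
    $inSection = $false
    foreach ($raw in $InfText -split '\r?\n') {
        $line = $raw.Trim()
        # Track which INF section we are in; only [Privilege Rights] matters.
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^(\w+)\s*=\s*(.*)$' -and $Privilege -contains $Matches[1]) {
            $name = $Matches[1]
            # Grantees are comma-separated; SIDs carry a leading '*', names do not.
            foreach ($entry in $Matches[2] -split ',') {
                $id = $entry.Trim().TrimStart('*')
                if ($id -and -not $Expected.ContainsKey($id)) {
                    [pscustomobject]@{ Privilege = $name; Grantee = $id }
                }
            }
        }
    }
}

Get-UnexpectedGrantee -InfText $sampleInf -Expected $expected
```

Any row it returns is an account that can read or overwrite files regardless of their ACLs, so it should be reviewed like an administrator account. Running whoami /priv shows whether the current process token carries the two privileges.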

0

Docker provides standalone Windows binaries for the Docker Daemon and the Docker CLI.

You can just download them, put them in your PATH, register the Docker Daemon as a service, start it and run the Windows containers normally.

Use the following PowerShell commands when running as Administrator:

# Optionally enable required Windows features if needed
Enable-WindowsOptionalFeature -Online -FeatureName containers -All
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All

curl.exe -o docker.zip -LO https://download.docker.com/win/static/stable/x86_64/docker-20.10.13.zip
Expand-Archive docker.zip -DestinationPath C:\
[Environment]::SetEnvironmentVariable("Path", "$($env:path);C:\docker", [System.EnvironmentVariableTarget]::Machine)
$env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine")
dockerd --register-service
Start-Service docker
docker run hello-world

Docker answers with "Hello from Docker!".

I found this method in the article Running Windows and Linux containers without Docker Desktop, but the article doesn't mention whether with this type of installation Administrator permission is needed to run containers.

1
  • @ExplodingKittens: Any comment?
    – harrymc
    Commented Sep 18, 2022 at 18:21
