Update Windows lcow differ to set NT VIRTUAL MACHINE\Virtual Machines SID

jterry75 · jterry75 · commit 7361b198751c · 2019-03-21T14:53:43.000-07:00
For LCOW using the Virtual Machines SID for the shared read-only layers
improves overall performance avoiding the need to set per VM access at runtime.

Signed-off-by: Justin Terry (VM) &lt;juterry@microsoft.com&gt;
diff --git a/diff/lcow/lcow.go b/diff/lcow/lcow.go
@@ -25,6 +25,7 @@ import (
 	"path"
 	"time"
 
+	"github.com/Microsoft/go-winio/pkg/security"
 	"github.com/Microsoft/hcsshim/ext4/tar2ext4"
 	"github.com/containerd/containerd/archive/compression"
 	"github.com/containerd/containerd/content"
@@ -142,7 +143,6 @@ func (s windowsLcowDiff) Apply(ctx context.Context, desc ocispec.Descriptor, mou
 	if err != nil {
 		return emptyDesc, err
 	}
-	defer outFile.Close()
 	defer func() {
 		if err != nil {
 			outFile.Close()
@@ -154,6 +154,12 @@ func (s windowsLcowDiff) Apply(ctx context.Context, desc ocispec.Descriptor, mou
 	if err != nil {
 		return emptyDesc, errors.Wrapf(err, "failed to convert tar to ext4 vhd")
 	}
+	outFile.Close()
+
+	err = security.GrantVmGroupAccess(layerPath)
+	if err != nil {
+		return emptyDesc, errors.Wrapf(err, "failed GrantVmGroupAccess on layer vhd: %v", layerPath)
+	}
 
 	return ocispec.Descriptor{
 		MediaType: ocispec.MediaTypeImageLayer,
