feat: wcow: add support for bind and cache mounts

Currently, mounts are not supported for WCOW builds,
see #5678. This commit introduces support for
bind and cache mounts. The remaining two require
a little more work and consultation with the platform
teams for enlightment.

WIP Checklist:

- [x] Support for bind mounts
- [x] Support for cache mounts
- [x] add frontend/dockerfile integration tests
- [x] add client integration tests (not all, `llb.AddMount` not
  complete)

Fixes #5603

Signed-off-by: Anthony Nandaa <[email protected]>

Author: profnandaa

cache/contenthash/checksum.go

@@ -862,6 +862,10 @@ func (cc *cacheContext) scanChecksum(ctx context.Context, m *mount, p string, fo
 }
 
 func (cc *cacheContext) checksum(ctx context.Context, root *iradix.Node[*CacheRecord], txn *iradix.Txn[*CacheRecord], m *mount, k []byte, followTrailing bool) (*CacheRecord, bool, error) {
+	// only applies for Windows, it's a no-op on non-Windows.
+	enableProcessPrivileges()
+	defer disableProcessPrivileges()
+
 	origk := k
 	k, cr, err := getFollowLinks(root, k, followTrailing)
 	if err != nil {

cache/contenthash/checksum_unix.go

@@ -7,3 +7,9 @@ import "path/filepath"
 func (cc *cacheContext) walk(scanPath string, walkFunc filepath.WalkFunc) error {
 	return filepath.Walk(scanPath, walkFunc)
 }
+
+// This is a no-op on non-Windows
+func enableProcessPrivileges() {}
+
+// This is a no-op on non-Windows
+func disableProcessPrivileges() {}

cache/contenthash/checksum_windows.go

@@ -6,11 +6,24 @@ import (
 	"github.com/Microsoft/go-winio"
 )
 
+var privileges = []string{winio.SeBackupPrivilege}
+
 func (cc *cacheContext) walk(scanPath string, walkFunc filepath.WalkFunc) error {
 	// elevating the admin privileges to walk special files/directory
 	// like `System Volume Information`, etc. See similar in #4994
-	privileges := []string{winio.SeBackupPrivilege}
 	return winio.RunWithPrivileges(privileges, func() error {
 		return filepath.Walk(scanPath, walkFunc)
 	})
 }
+
+// Adds the SeBackupPrivilege to the process
+// to be able to access some special files and directories.
+func enableProcessPrivileges() {
+	_ = winio.EnableProcessPrivileges(privileges)
+}
+
+// Disables the SeBackupPrivilege on the process
+// once the group of functions that needed it is complete.
+func disableProcessPrivileges() {
+	_ = winio.DisableProcessPrivileges(privileges)
+}

client/client_test.go

@@ -1570,15 +1570,22 @@ func testLocalSymlinkEscape(t *testing.T, sb integration.Sandbox) {
 }
 
 func testRelativeWorkDir(t *testing.T, sb integration.Sandbox) {
-	requiresLinux(t)
 	c, err := New(sb.Context(), sb.Address())
 	require.NoError(t, err)
 	defer c.Close()
 
-	pwd := llb.Image("docker.io/library/busybox:latest").
+	imgName := integration.UnixOrWindows(
+		"docker.io/library/busybox:latest",
+		"mcr.microsoft.com/windows/nanoserver:ltsc2022",
+	)
+	cmdStr := integration.UnixOrWindows(
+		`sh -c "pwd > /out/pwd"`,
+		`cmd /C "cd > /out/pwd"`,
+	)
+	pwd := llb.Image(imgName).
 		Dir("test1").
 		Dir("test2").
-		Run(llb.Shlex(`sh -c "pwd > /out/pwd"`)).
+		Run(llb.Shlex(cmdStr)).
 		AddMount("/out", llb.Scratch())
 
 	def, err := pwd.Marshal(sb.Context())
@@ -1598,22 +1605,32 @@ func testRelativeWorkDir(t *testing.T, sb integration.Sandbox) {
 
 	dt, err := os.ReadFile(filepath.Join(destDir, "pwd"))
 	require.NoError(t, err)
-	require.Equal(t, []byte("/test1/test2\n"), dt)
+	pathStr := integration.UnixOrWindows(
+		"/test1/test2\n",
+		"C:\\test1\\test2\r\n",
+	)
+	require.Equal(t, []byte(pathStr), dt)
 }
 
 // TODO: remove this test once `client.SolveOpt.LocalDirs`, now marked as deprecated, is removed.
 // For more context on this test, please check:
 // https://github.com/moby/buildkit/pull/4583#pullrequestreview-1847043452
 func testSolverOptLocalDirsStillWorks(t *testing.T, sb integration.Sandbox) {
-	integration.SkipOnPlatform(t, "windows")
-
 	c, err := New(sb.Context(), sb.Address())
 	require.NoError(t, err)
 	defer c.Close()
 
-	out := llb.Image("docker.io/library/busybox:latest").
+	imgName := integration.UnixOrWindows(
+		"docker.io/library/busybox:latest",
+		"mcr.microsoft.com/windows/nanoserver:ltsc2022",
+	)
+	cmdStr := integration.UnixOrWindows(
+		`sh -c "/bin/rev < input.txt > /out/output.txt"`,
+		`cmd /C "type input.txt > /out/output.txt"`,
+	)
+	out := llb.Image(imgName).
 		File(llb.Copy(llb.Local("mylocal"), "input.txt", "input.txt")).
-		Run(llb.Shlex(`sh -c "/bin/rev < input.txt > /out/output.txt"`)).
+		Run(llb.Shlex(cmdStr)).
 		AddMount(`/out`, llb.Scratch())
 
 	def, err := out.Marshal(sb.Context())
@@ -1641,7 +1658,12 @@ func testSolverOptLocalDirsStillWorks(t *testing.T, sb integration.Sandbox) {
 
 	dt, err := os.ReadFile(filepath.Join(destDir.Name, "output.txt"))
 	require.NoError(t, err)
-	require.Equal(t, []byte("dlroW olleH"), dt)
+	// not reversed on Windows since there's no handy rev utility
+	revStr := integration.UnixOrWindows(
+		"dlroW olleH",
+		"Hello World",
+	)
+	require.Equal(t, []byte(revStr), dt)
 }
 
 func testFileOpMkdirMkfile(t *testing.T, sb integration.Sandbox) {
@@ -6838,12 +6860,19 @@ func testCacheMountNoCache(t *testing.T, sb integration.Sandbox) {
 }
 
 func testCopyFromEmptyImage(t *testing.T, sb integration.Sandbox) {
-	requiresLinux(t)
 	c, err := New(sb.Context(), sb.Address())
 	require.NoError(t, err)
 	defer c.Close()
 
-	for _, image := range []llb.State{llb.Scratch(), llb.Image("tonistiigi/test:nolayers")} {
+	// On Windows, the error messages are different for the Scratch image
+	// (which is coming from the OS). While the one for the no-layers image
+	// is being returned by Buildkit (in unix style).
+	winErrMsgs := []string{
+		"foo: The system cannot find the file specified", // for llb.Scratch()
+		"/foo: no such file or directory",                // for tonistiigi/test:nolayers
+	}
+
+	for i, image := range []llb.State{llb.Scratch(), llb.Image("tonistiigi/test:nolayers")} {
 		st := llb.Scratch().File(llb.Copy(image, "/", "/"))
 		def, err := st.Marshal(sb.Context())
 		require.NoError(t, err)
@@ -6857,11 +6886,23 @@ func testCopyFromEmptyImage(t *testing.T, sb integration.Sandbox) {
 
 		_, err = c.Solve(sb.Context(), def, SolveOpt{}, nil)
 		require.Error(t, err)
-		require.Contains(t, err.Error(), "/foo: no such file or directory")
+		errMsg := integration.UnixOrWindows(
+			"/foo: no such file or directory",
+			winErrMsgs[i],
+		)
+		require.Contains(t, err.Error(), errMsg)
 
-		busybox := llb.Image("busybox:latest")
+		imgName := integration.UnixOrWindows(
+			"busybox:latest",
+			"mcr.microsoft.com/windows/nanoserver:ltsc2022",
+		)
+		busybox := llb.Image(imgName)
 
-		out := busybox.Run(llb.Shlex(`sh -e -c '[ $(ls /scratch | wc -l) = '0' ]'`))
+		cmdStr := integration.UnixOrWindows(
+			`sh -e -c '[ $(ls /scratch | wc -l) = '0' ]'`,
+			`cmd /C dir \scratch`,
+		)
+		out := busybox.Run(llb.Shlex(cmdStr))
 		out.AddMount("/scratch", image, llb.Readonly)
 
 		def, err = out.Marshal(sb.Context())

executor/oci/spec.go

@@ -20,6 +20,7 @@ import (
 	"github.com/moby/buildkit/solver/llbsolver/cdidevices"
 	"github.com/moby/buildkit/util/network"
 	rootlessmountopts "github.com/moby/buildkit/util/rootless/mountopts"
+	"github.com/moby/buildkit/util/system"
 	traceexec "github.com/moby/buildkit/util/tracing/exec"
 	"github.com/moby/sys/userns"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
@@ -210,8 +211,8 @@ func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mou
 				return nil, nil, err
 			}
 			s.Mounts = append(s.Mounts, specs.Mount{
-				Destination: m.Dest,
-				Type:        mount.Type,
+				Destination: system.GetAbsolutePath(m.Dest),
+				Type:        getMountType(mount.Type),
 				Source:      mount.Source,
 				Options:     mount.Options,
 			})
@@ -251,7 +252,8 @@ type submounts struct {
 }
 
 func (s *submounts) subMount(m mount.Mount, subPath string) (mount.Mount, error) {
-	if path.Join("/", subPath) == "/" {
+	// for Windows, always go through the sub-mounting process
+	if path.Join("/", subPath) == "/" && runtime.GOOS != "windows" {
 		return m, nil
 	}
 	if s.m == nil {

executor/oci/spec_unix.go

@@ -0,0 +1,8 @@
+//go:build !windows
+
+package oci
+
+// no effect for non-Windows
+func getMountType(mType string) string {
+	return mType
+}

executor/oci/spec_windows.go

@@ -119,3 +119,9 @@ func generateCDIOpts(_ *cdidevices.Manager, devices []*pb.CDIDevice) ([]oci.Spec
 	// https://github.com/cncf-tags/container-device-interface/issues/28
 	return nil, errors.New("no support for CDI on Windows")
 }
+
+func getMountType(_ string) string {
+	// HCS shim doesn't expect a named type
+	// for the mount.
+	return ""
+}

frontend/dockerfile/dockerfile2llb/convert_runmount.go

@@ -9,6 +9,7 @@ import (
 	"github.com/moby/buildkit/client/llb"
 	"github.com/moby/buildkit/frontend/dockerfile/instructions"
 	"github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/util/system"
 	"github.com/pkg/errors"
 )
 
@@ -113,12 +114,12 @@ func dispatchRunMounts(d *dispatchState, c *instructions.RunCommand, sources []*
 				sharing = llb.CacheMountLocked
 			}
 			if mount.CacheID == "" {
-				mount.CacheID = path.Clean(mount.Target)
+				mount.CacheID = filepath.Clean(mount.Target)
 			}
 			mountOpts = append(mountOpts, llb.AsPersistentCacheDir(opt.cacheIDNamespace+"/"+mount.CacheID, sharing))
 		}
 		target := mount.Target
-		if !filepath.IsAbs(filepath.Clean(mount.Target)) {
+		if !system.IsAbsolutePath(filepath.Clean(mount.Target)) {
 			dir, err := d.state.GetDir(context.TODO())
 			if err != nil {
 				return nil, err