Appsody does not appear to support enterprise Windows users

[jgwest]

Windows enterprise users will tend to be using Windows' Azure Active Directory (AAD) enterprise login. For example, this mechanism is utilized by the standard IBM Windows image, used by all IBMers with Thinkpads. (Despite the name, it is not related to MS' Azure cloud infrastructure.)

Unfortunately, Docker for Windows doesn't support bind mounts using Active-Directory-managed accounts (eg sharing local directories into Docker containers with any AAD accounts):

• https://tomssl.com/2018/01/11/sharing-your-c-drive-with-docker-for-windows-when-using-azure-active-directory-azuread-aad/
• Sharing drives does not work for Azure AD user accounts docker/for-win#132
• Volume Mounting - Auth issue with Azure AD logins? docker/for-win#1352
• etc

The workaround, described above, is to create a second Local account on the machine, and to use those credentials when sharing your drive for a Docker bind mount. However, and this is the issue: that second Local account will not have access to the c:\Users\(your AAD account name) directory.

Since Appsody uses c:\Users\(your AAD account name)\.appsody as the settings directory, Windows enterprise users will be DOA with Appsody.

We encountered this same issue on the Eclipse Codewind project, and have instead opted to use a directory outside of c:\Users to store our settings data (in our case, c:\codewind-workspace)

To Reproduce:

1. Find a Windows system with Active Directory-managed accounts (for IBMers, this would be anyone with a Thinkpad)
2. Install Appsody and Docker for Windows
3. Initialize an Appsody project, and then appsody run.
4. The Docker Desktop - Share drive, Docker want to access drive C:\. Do you want to share it? dialog message will appear.
5. Attempt to share the drive using the user's existing login/password, and discover that this don't work. :)
6. Follow the workaround described above (tomssl.com), to create a new user account with a known login/password.
7. Run appsody run again, and this time specify the new user credentials to the Share dialog.

Appsody will now progress further, BUT when attempting to bind mount the .appsody directory, it will fail:

C:\appsody>appsody run
Running development environment...
Running command: docker[pull appsody/java-microprofile:0.2]
Running command: docker[run --rm -p 7777:7777 -p 9080:9080 -p 9443:9443 --name appsody-dev -v C:/appsody/src:/project/user-app/src -v C:/appsody/pom.xml:/project/user-app/pom.xml -v appsody-deps:/mvn/repository -v C:\Users\JONATHANWest\.appsody\appsody-controller:/appsody/appsody-controller -t --entrypoint /appsody/appsody-controller appsody/java-microprofile:0.2 --mode=run]
[Container] docker: Error response from daemon: error while creating mount source path '/host_mnt/c/Users/JONATHANWest/.appsody/appsody-controller': mkdir /host_mnt/c/Users/JONATHANWest/.appsody: permission denied.
[Error] Error waiting in 'appsody run' exit status 126

This error message is correct: The user account that is used to provide file access to Docker does not have access to this directory.

[chilanti]

Couple of questions:

1. We allow forcing the location of the .appsody.yaml file to a directory other than the home directory. This would have to happen at the time you do appsody init <stack>. Example: appsody init nodejs-express --config C:\my-appsody-config-dir. Can you give it a try? We suspect - however - that Appsody may run into other issues down the path if the user creates a project under their home dir, because the stacks will try to mount (and sometimes write to) those project dirs.
2. I assume that changing the permissions of the AzureAD home dir to allow the non-AzureAD user to access is a no starter? For what reason?

[jgwest]

Hi @chilanti,

Re: 1, seems not to make a difference (made a couple assumptions on command format, let me know if I got anything wrong):

C:\delme\aa11>appsody init nodejs-express --config C:\my-appsody-config-dir3\.appsody-config.yaml
Running appsody init...
Downloading nodejs-express template project from https://github.com/appsody/stacks/releases/download/0.2.0/incubator.nodejs-express.templates.simple.tar.gz
Download complete. Extracting files from nodejs-express.tar.gz
Setting up the development environment
Running command: docker[pull appsody/nodejs-express:0.2]
Running command: docker[run --rm --entrypoint /bin/bash appsody/nodejs-express:0.2 -c find /project -type f -name .appsody-init.bat]
Successfully initialized Appsody project

C:\delme\aa11>appsody run --config C:\my-appsody-config-dir3\.appsody-config.yaml
Running development environment...
Running command: docker[pull appsody/nodejs-express:0.2]
Running command: docker[run --rm -p 3000:3000 -p 9229:9229 --name aa11-dev -v C:/delme/aa11/:/project/user-app -v aa11-deps:/project/user-app/node_modules -v C:\Users\JONATHANWest\.appsody\appsody-controller:/appsody/appsody-controller -t --entrypoint /appsody/appsody-controller appsody/nodejs-express:0.2 --mode=run]
[Container] docker: Error response from daemon: error while creating mount source path '/host_mnt/c/Users/JONATHANWest/.appsody/appsody-controller': mkdir /host_mnt/c/Users/JONATHANWest/.appsody: permission denied.
[Error] Error waiting in 'appsody run' exit status 126

# Proof that Docker can at least see the root c:\users dir
C:\delme\aa11>docker run --rm -v c:/users:/data alpine ls /data
All Users
Default
Default User
JONATHANWest
Public
defaultuser0
defaultuser100000
desktop.ini

Re 2: We had considered this, and I believe it would work. But IMHO, asking the user to grant permissions to their home directory to another local user account feels like a big ask... it would be equivalent to (or at least within an order of magnitude of) asking a Linux/Mac user to chmod a+rwx * their home dir, or to chgrp it to a shared group... it is a hurdle that (again IMHO) users will likely balk at. (It doesn't help that the Windows ACL permission system is an overengineered mess 😄 )

[chilanti]

Hi - thanks for trying this out. Let's try another thing if you have time and patience. I see from the logs that appsody now fails to mount "the controller" - and that's because the config file is in a different spot, but the controller has been put under the home directory (or it's still expected to be there). So - to try and circumvent that - please try this:

1. Create a new project
2. Run `appsody init --config C:\my-appsody-config-dir.appsody-config.yaml
3. notepad C:\my-appsody-config-dir\.appsody-config.yaml
4. Change the entry home: to C:\my-appsody-config-dir
5. Try appsody run --config C:\my-appsody-config-dir\.appsody.yaml now
   We get the home from that config file after it has been created. But - again - if your project is under the "real home" - I think we'd have more issues. However, I'd be curious to know what happens if one followed the steps above.
   PS.
   Re: point 2 - understood - I thought that being on a corporate-controlled laptop assigning permissions wildly isn't palatable.

[chilanti]

Notice the updates above - the --config flag has to be repeated on every appsody command.
If this worked, it would be - clearly - a temporary workaround, until we design a more appropriate solution. @jgwest

[jgwest]

No problem, and I can report that those steps do successfully work as a workaround:

C:\delme\test4>appsody init nodejs-express --config C:\my-appsody-config-dir4\appsody-config.yaml
Running appsody init...
Downloading nodejs-express template project from https://github.com/appsody/stacks/releases/download/0.2.0/incubator.nodejs-express.templates.simple.tar.gz
Download complete. Extracting files from nodejs-express.tar.gz
Setting up the development environment
Running command: docker[pull appsody/nodejs-express:0.2]
Running command: docker[run --rm --entrypoint /bin/bash appsody/nodejs-express:0.2 -c find /project -type f -name .appsody-init.bat]
Successfully initialized Appsody project

# Editted appsody-config.yaml, contents below:
C:\delme\test4>type C:\my-appsody-config-dir4\appsody-config.yaml
home: C:\my-appsody-config-dir4
images: index.docker.io
tektonserver: ""

C:\delme\test4>appsody run --config C:\my-appsody-config-dir4\appsody-config.yaml
Running development environment...
Running command: docker[pull appsody/nodejs-express:0.2]
Running command: docker[run --rm -p 3000:3000 -p 9229:9229 --name test4-dev -v C:/delme/test4/:/project/user-app -v test4-deps:/project/user-app/node_modules -v C:\my-appsody-config-dir4\appsody-controller:/appsody/appsody-controller -t --entrypoint /appsody/appsody-controller appsody/nodejs-express:0.2 --mode=run]
[Container] Running Install: npm install --prefix user-app

(... NPM starts and does its thing, and I am able to see 'Hello World' at port 3000 ...)

( @chilanti )

[chilanti]

Thanks - we'll put this issue on the radar screen for future work - and document these steps.

[neeraj-laad]

@chilanti @jgwest Thanks for your patience and for confirming that the workaround works. Let us update the install / Using Appsody sections to cover this for now, and then think of a cleaner way to solve this problem.

[timroster]

Even after applying the workaround from https://appsody.dev/docs/faq there are still problems with the Java/Maven based stacks as these also specify APPSODY_MOUNTS that map to the users home directory e.g. ~/.m2/repository