Add Hyper-V access check on data directory

Chris Roberts 2018-06-18 15:33:25 -07:00
parent d12c280005
commit 101fc447ec
6 changed files with 84 additions and 3 deletions


@ -158,6 +158,7 @@ module VagrantPlugins
def self.action_up def self.action_up
Vagrant::Action::Builder.new.tap do |b| Vagrant::Action::Builder.new.tap do |b|
b.use CheckEnabled b.use CheckEnabled
b.use CheckAccess
b.use HandleBox b.use HandleBox
b.use ConfigValidate b.use ConfigValidate
b.use Call, IsState, :not_created do |env1, b1| b.use Call, IsState, :not_created do |env1, b1|
@ -290,6 +291,7 @@ module VagrantPlugins
autoload :Export, action_root.join("export") autoload :Export, action_root.join("export")
autoload :CheckEnabled, action_root.join("check_enabled") autoload :CheckEnabled, action_root.join("check_enabled")
autoload :CheckAccess, action_root.join("check_access")
autoload :Configure, action_root.join("configure") autoload :Configure, action_root.join("configure")
autoload :DeleteVM, action_root.join("delete_vm") autoload :DeleteVM, action_root.join("delete_vm")
autoload :Import, action_root.join("import") autoload :Import, action_root.join("import")


@ -0,0 +1,24 @@
module VagrantPlugins
module HyperV
module Action
class CheckAccess
def initialize(app, env)
@app = app
end
def call(env)
env[:ui].output("Verifying Hyper-V is accessible...")
result = env[:machine].provider.driver.execute(:check_hyperv_access,
"Path" => Vagrant::Util::Platform.wsl_to_windows_path(env[:machine].data_dir).gsub("/", "\\")
)
if !result["result"]
raise Errors::SystemAccessRequired,
root_dir: result["root_dir"]
end
@app.call(env)
end
end
end
end
end
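Review bot: In `call`, `result["result"]` and `result["root_dir"]` are read without checking that the driver returned a hash. If `execute` returns nil when the script prints no parseable output (its implementation is not visible here), this ends in a NoMethodError rather than the intended `SystemAccessRequired`. A guard such as `result ||= {}` before the `if` keeps the failure on the documented error path. The status line "Verifying Hyper-V is accessible..." is a hard-coded string while the error text goes through the locale file; moving it to a locale key would keep the two consistent. The class would also benefit from a short comment stating that it verifies the SYSTEM account's access to the machine data directory before import.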


@ -37,6 +37,10 @@ module VagrantPlugins
class WindowsRequired < HyperVError class WindowsRequired < HyperVError
error_key(:windows_required) error_key(:windows_required)
end end
class SystemAccessRequired < HyperVError
error_key(:system_access_required)
end
end end
end end
end end


@ -0,0 +1,14 @@
#Requires -Modules VagrantMessages, VagrantVM
param(
[parameter (Mandatory=$true)]
[string] $Path
)
$check = Check-VagrantHyperVAccess -Path $Path
$result = @{
root_dir = ($Path -split '\\')[0,2] -join '\';
result = $check
}
Write-OutputMessage $(ConvertTo-Json $result)
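Review bot: `root_dir` is built with `($Path -split '\\')[0,2]`, which selects elements 0 and 2 of the split path rather than a range, so the second component is skipped. For a constructed path such as `D:\work\proj\.vagrant` this gives `D:\proj`, which need not exist. The value is interpolated into the `icacls.exe %{root_dir} /T /Q /grant ...` hint in the locale file, so the user would be told to change ACLs recursively on the wrong location. If the drive plus first directory is intended, `[0,1]` expresses that; a path with fewer components than the index leaves an empty element in the join and should be handled as well.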


@ -90,7 +90,7 @@ function New-VagrantVMVMCX {
# If the config is empty it means the import failed. Attempt to provide # If the config is empty it means the import failed. Attempt to provide
# context for failure # context for failure
if($VMConfig -eq $null) { if($VMConfig -eq $null) {
Error-VagrantVMImport -VMConfigFile $VMConfigFile Report-ErrorVagrantVMImport -VMConfigFile $VMConfigFile
} }
$VM = $VMConfig.VM $VM = $VMConfig.VM
@ -125,7 +125,7 @@ function New-VagrantVMVMCX {
if([System.IO.Path]::GetFileName($Drive.Path) -eq [System.IO.Path]::GetFileName($SourcePath)) { if([System.IO.Path]::GetFileName($Drive.Path) -eq [System.IO.Path]::GetFileName($SourcePath)) {
$Path = $Drive.Path $Path = $Drive.Path
Hyper-V\Remove-VMHardDiskDrive $Drive Hyper-V\Remove-VMHardDiskDrive $Drive
Hyper-V\New-VHD -Path $DestinationPath -ParentPath $SourcePath Hyper-V\New-VHD -Path $DestinationPath -ParentPath $SourcePath -Differencing
Hyper-V\Add-VMHardDiskDrive -VM $VM -Path $DestinationPath Hyper-V\Add-VMHardDiskDrive -VM $VM -Path $DestinationPath
break break
} }
@ -348,7 +348,7 @@ VirtualMachine. The cloned Hyper-V VM.
#> #>
} }
function Error-VagrantVMImport { function Report-ErrorVagrantVMImport {
param ( param (
[parameter(Mandatory=$true)] [parameter(Mandatory=$true)]
[string] $VMConfigFile [string] $VMConfigFile
@ -702,3 +702,33 @@ Name of the VMSwitch.
VirtualMachine. VirtualMachine.
#> #>
} }
function Check-VagrantHyperVAccess {
param (
[parameter (Mandatory=$true)]
[string] $Path
)
$acl = Get-ACL -Path $Path
$systemACL = $acl.Access | where {$_.IdentityReference -eq "NT AUTHORITY\System" -and $_.FileSystemRights -eq "FullControl" -and $_.AccessControlType -eq "Allow" -and $_.IsInherited -eq $true}
if($systemACL) {
return $true
}
return $false
<#
.SYNOPSIS
Check Hyper-V access at given path.
.DESCRIPTION
Checks that the given path has the correct access rules for Hyper-V
.PARAMETER PATH
Path to check
.OUTPUT
Boolean
#>
}
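Review bot: The ACE filter in Check-VagrantHyperVAccess compares `IdentityReference` with the literal `"NT AUTHORITY\System"`, and that account name is localized on non-English Windows, so the check can fail on a correctly configured directory. Matching the well-known SID is locale-independent: `$_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-5-18"`. The filter also requires `IsInherited -eq $true` and an exact `FullControl` value, so an explicit grant placed on the directory itself is rejected, and Deny entries are never examined; if that is deliberate, a comment explaining why would help. `Get-ACL` is called without error handling, so a missing path surfaces as a raw PowerShell error rather than a `$false` result. The help block uses `.OUTPUT`, where the comment-based help keyword is `.OUTPUTS`.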


@ -99,3 +99,10 @@ en:
windows_required: |- windows_required: |-
The Hyper-V provider only works on Windows. Please try to The Hyper-V provider only works on Windows. Please try to
use another provider. use another provider.
system_access_required: |-
Hyper-V access check has failed for the configured destination. This
is usually caused by running on a non-system drive which is missing
required permissions. Running the following command may resolve the
problem:
icacls.exe %{root_dir} /T /Q /grant "NT AUTHORITY\SYSTEM:(IO)(CI)(F)"