docker/for-win

Can't share drive if Windows account doesn't have password

kripergvg opened this issue · 47 comments

Expected behavior

If a local windows account does not have password then a password should not be required

Actual behavior

The password textbox is required regardless of Windows account settings

Information

Steps to reproduce the behavior

  1. Create the local admin account without password
  2. Try to share drives

This is a wont-fix since allowing drive-sharing on accounts with no windows password would not be safe.

@friism How it is more secure to give docker the password to my account, than to not have a password in the first place?

Docker requires you to give it your password. Meaning that the password itself doesn't actually matter; it's all about the access. It doesn't matter if the password is 100 characters, or 0, so long as Docker can access the files.

It's my choice if I want a password or not. You shouldn't be trying to force security policies on me that I don't want.

So now, when using docker I have two choices:

  • Add a password to my account (thus forcing a security policy that I don't agree with nor want on my personal computer)
  • Create a new local user account (thus littering my personal computer with files for a user account that I don't want, along with requiring me to either give the account a very easy password which makes it very insecure anyway, OR give it a complex password, that - based on the some of the issues I've seen - I'll be required to re-enter for docker anyway on a regular basis).

I don't want to do either of these things. I know the risks of not having a password on my account - it's why I don't have one and still sleep at night.

But because I have to have one for docker, I'll be actively looking to stay as far away from docker as possible, until such time that they stop attempting to force security policies that don't affect them. (Sadly my work is looking to use them, meaning I'll likely be spending my time using the vagrant version).

I'm happy if you force me to watch a 15-minute video on password security, and click through 50 popups that chastise me for not having a password every time I run a docker command, if it means I can use docker without having a password on my account.

@G-Rath the way that Docker for Windows volume mounting works is that your entire c-drive is exposed as a network share. The Linux VM that runs Linux containers as part of Docker for Windows then mounts (using Samba) your whole c-drive inside the Linux VM so that linux containers running there can access your c-drive.

As part of the setup, Docker for Windows will create the network share for the drive (if it's not already there). It would be incredibly unsafe and irresponsible for Docker for Windows to do that if your local user has no password, since Docker for Windows creating that share would make your drives mountable (with no password required) by anyone on your local network.
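A way to check a machine for the exposure described in the comment above, as an added example that is not part of the original thread and is not Docker's code: it lists SMB shares that publish a drive root, the accounts allowed on them, enabled local accounts that are permitted an empty password, and the Windows policy that governs blank-password network logons. It uses only built-in Windows cmdlets and assumes an elevated PowerShell session.

```powershell
# Added example (not Docker's code). Run in an elevated PowerShell session.

function Get-DriveRootShare {
    # SMB shares whose path is the root of a drive (e.g. C:\), with their
    # share-level access entries. Built-in admin shares have Special = $true.
    Get-SmbShare | Where-Object { $_.Path -match '^[A-Za-z]:\\$' } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | ForEach-Object {
            [pscustomobject]@{
                Share   = $share.Name
                Path    = $share.Path
                Special = $share.Special
                Account = $_.AccountName
                Type    = $_.AccessControlType
                Right   = $_.AccessRight
            }
        }
    }
}

function Get-BlankPasswordCapableUser {
    # PasswordRequired = $false means the account is permitted to have an
    # empty password; it does not prove the password is actually empty.
    Get-LocalUser |
        Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
        Select-Object Name, PasswordRequired, PasswordLastSet
}

function Get-BlankPasswordNetworkPolicy {
    # Policy "Accounts: Limit local account use of blank passwords to console
    # logon only". 1 = blank-password accounts cannot log on over the network.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).LimitBlankPasswordUse
    if ($null -eq $val) { 'Not set in registry' }
    elseif ($val -eq 1) { 'Enabled: blank passwords limited to console logon' }
    else                { 'Disabled: blank passwords accepted for network logon' }
}

$shares = @(Get-DriveRootShare)
$users  = @(Get-BlankPasswordCapableUser)
$policy = Get-BlankPasswordNetworkPolicy

$shares | Format-Table -AutoSize
$users  | Format-Table -AutoSize
"Blank-password network policy: $policy"

# Flag the combination the comment warns about: a non-administrative share of
# a whole drive, a local account that may have no password, and no policy
# restricting blank-password logons to the console.
$userShares = @($shares | Where-Object { -not $_.Special -and $_.Type -eq 'Allow' })
if ($userShares.Count -and $users.Count -and $policy -notlike 'Enabled*') {
    Write-Warning 'A whole-drive share and a possibly passwordless account coexist; review share access.'
}
```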

@friism That still doesn't change the fact that it's my choice. We're not babies - Inform us of the risk (which you should do anyway, password or no), and let us make the choice.

If you're worried about inexperienced developers, then make us jump through several checkboxes and/or display warnings at every possible chance (like what pretty much every other developer cli, package manager, and application does).

Three more points:

  • As strong as a password is, on Windows it can be easily brute forced (I tried at least 20 passwords the first time, with no rejection by Windows) - it's by far one of the more insecure methods of security.
  • You don't know if my c-drive isn't already exposed as a network share.
  • Why do I have to share my entire c-drive? Docker doesn't let me select a section of my c-drive, instead opting to require I share the whole thing.

At the end of the day, it should come down to that if that's what I want to do, I should be able to do it, given what I'm asking is for you to just accept a blank input field.

@friism Why is it not possible for Docker to use a private local network, solely between the physical computer and Linux VM? (Correct me if I'm wrong, but I thought that VirtualBox does this, or something similar).

Secondly, since it's apparently because of requiring Linux to use containers, would Windows containers in any way provide a possible solution to this problem?

If you just want to run Docker Windows containers, you can run the Docker engine directly on Windows 10: https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon#manual-installation

@friism I'm wanting to use docker for development, as that's what my workplace are switching to, and quite rightly - it's a very cool and powerful bit of tech.

Currently I seem to have three options for running docker:

  1. Run it using a Vagrant passthrough

    • Pros: I don't have to create a new user account, or add a password to my existing account
    • Cons: Has some performance issues, since it's not running 'natively'.
  2. Use Docker for Windows

    • Pros: Nice performance, since it's running 'natively' (or more so than 1.).
    • Cons: I have to create a new user account, or add a password to my existing account
  3. Use Windows Containers

    • Pros: Nice performance (like with 2.), without having to create a new user account or add a password to my existing account
    • Cons: None!

From what I'm gathering, it seems that 3. will give me the best of both worlds?
Forgive me if I'm asking a naive question, but could you confirm for me if the part in italics for the pros of 3. is correct?

I'm reluctant to jump down what seems like it could be a very painful and annoying rabbit hole, only to encounter the whole issue all over again where I'm required to provide a password or create a new user account.

Note that with just raw Docker Windows containers, you cannot (yet) run Linux containers (although that's being worked on).

You can also use Toolbox: https://docs.docker.com/toolbox/toolbox_install_windows/

This is similar to your option 1, but Toolbox automates setup and upgrade of the VirtualBox VM

This is completely ignorant of the current security landscape. Two factor and/or Authentication agent methods of administrative authentication for windows are now the norm.

Most admin accounts these days don't have passwords, not because it's less secure, but because they're using some sort of Authentication provider that requires credential entry for any privileged access. (Smart Card or 2FA token).

This makes it literally impossible for the docker daemon to start.

Please re-open.

It's impossible for me to use docker for windows because smartcard is not supported as an authentication method when trying to share a volume between host and container. We don't have a password. Please fix this.

dtvn commented

@G-Rath the way that Docker for Windows volume mounting works is that your entire c-drive is exposed as a network share. The Linux VM that runs Linux containers as part of Docker for Windows then mounts (using Samba) your whole c-drive inside the Linux VM so that linux containers running there can access your c-drive.

As part of the setup, Docker for Windows will create the network share for the drive (if it's not already there). It would be incredibly unsafe and irresponsible for Docker for Windows to do that if your local user has no password, since Docker for Windows creating that share would make your drives mountable (with no password required) by anyone on your local network.

@friism If you have this much time, why don't you stick this problem to your roadmap. Seriously, admit it, you're lazy that you don't wanna fix it, don't you?

(This is what users got for using some popular thing.)

Please let me expose my entire C, D, F, or even E drive if I want. I won't take legal actions against the Docker team if I mess something up. Trust me.

I appreciate your concern about my C drive, but really, just let me expose it.

I also use a smartcard for authentication and have to get special permission to have a password on this account (which I likely won't be granted). Please add additional authentication types or allow this to be circumvented if running the program as admin. Many of us simply cannot use docker because of this issue.

Any news on this? My company laptop does not use a password, but PIN codes/face recognition/fingerprint. I could go ask the admin to get me a password, but that would take too long and be very inefficient if every single developer using docker must have one...

Please Docker guys, you just have to "disable deactivation" on this button.

+1 for smart card problem here in a corporate environment. Having to build a separate machine in order to get this working.

My team's efforts for our enterprise-level product have been completely stalled because of the inability to enable Shared Drives unless the user has a password. We use smartcards. Closing this as won't fix is a mistake. Please re-open.

And yes, another +1 here for smartcard... My admin account doesn't have a password, nor will I be able to get one from IT administrators. I must use 2FA with my smart card and PIN whenever I do anything needing admin privileges! If we manually share the network drive, does Docker recognize that it's already shared, and skip this username/password prompting?

@mikeparker

We are in a govt environment and have to use CAC cards (smart cards) to log in to windows computers. I am hoping someone is listening as this issue is making docker pretty much useless to us in a development environment since we can't mount any volumes.

What password is expected here?! There's no password, only a pin that is associated with the CAC card. Also yes, I am an admin on the machine.

Reopen Please!

I'm using some other authentication method with a pin. This issue is making docker useless for me at all.

I am a bit baffled about this issue. Docker is a tool made for, you know, developers. People who should be responsible for their system security, on certain points. If their users are to be policed like little kids, we should drop support for Windows altogether, and make it available only to OpenBSD and such.

It's a bit of a slippery slope. This is a small thing, but can reflect on many more decisions that point out that we do not trust our users with their own security, on their own environment.

This needs action, in a number of ways. As it is, this problem renders docker unusable for generating linux containers from windows (i.e., visual studio). Here are the issues:

  1. Many people (myself included) don't use passwords, we use 2FA/Smart Card/PIV/CAC authentication, making it impossible to share the C drive with the existing mechanism.
  2. We don't run as admin, in general. Lots of people develop software on systems where they don't have admin rights (think "least privilege").
  3. It's extremely poor security hygiene to simply grant docker admin access to the whole C drive in the first place (again, "least privilege"). At a minimum, docker should tell us what it needs to access. As a side note, what does it want with the C drive anyway? I thought I was developing linux containers that could exist independently of my C drive.
  4. The docker service runs as local system (for crying out loud) so presumably it could do anything it needs to anyway, hopefully after letting us know what it's doing.
  5. It's a poor assumption that the C drive is useful for anything anyway. In our environment (Citrix), the C drive is immutable. Certain parts of it (e.g., %APPDATA%) are overlaid with persistent storage. We do our persistent work on another drive altogether.

This needs a re-think, by someone who knows more about how software is developed on Windows.

I'm fairly certain at this point that they're not taking action because the next iteration of docker for windows is going to run on WSL2, and won't need a samba share to connect to folders, and will eliminate the password problem altogether. If that is the case, it would at least be nice to have that confirmed by a team member.

This is actually an issue for a person much like myself.
I am working from home and on my pc I want to have no password. It's the one and ONLY computer using my network and I know the wrath that I am about to feel for not having a password, yet, I think it's up to me to decide.

+1 for the CAC card obstacle.

I work in the federal government which has just switched over to Windows 10 after years of debate. In my opinion as a developer, Docker is the tool with the most potential for use that this upgrade gives us access to. Unfortunately, every user account in the government is accessed via CAC card, which means no password. There is a PIN, but no OS password.

There are multiple applications which we use that are able to interface with the CAC client and use it to authenticate system requests. Is it possible for Docker to do the same?

+1 this is an issue

We're working on this.

FYI, if you have an insiders build of windows, you can now use WSL docker to share your C drive without having to deal with passwords.

I wrote up a doc LongLiveCHIEF/wsl2-docker-for-win on how this works, and should suffice until the docker-for-windows WSL tech preview is accessible via the experimental flag. As a bonus, this also works on Windows 10 Home!

+1
I will have to install VM..

FYI, if you have an insiders build of windows, you can now use WSL docker to share your C drive without having to deal with passwords.

I wrote up a doc LongLiveCHIEF/wsl2-docker-for-win on how this works, and should suffice until the docker-for-windows WSL tech preview is accessible via the experimental flag. As a bonus, this also works on Windows 10 Home!

I did try using it but W10 Insiders is so unstable I had a 'green screen' every ~40 minutes. It's not an issue solver, of any kind. It's a risky workaround.
Nonetheless, thank you.

The current solution is to create an account, call it e.g. DockerHost, give it a password of your own choice, and make sure to add it to the group docker-users only. This way, the account won't show up on your login screen and you can keep automatically logging in as your default passwordless user.

Add the user manually by running netplwiz from the Run... command window.

It's important to know that albeit it seems like you're sharing a whole drive with Docker this way, in practice you're not. Any container that requests to mount a volume on a specific directory will require that the DockerHost user have permissions to that directory.

This has to be done manually for each folder by opening the Properties dialog, going to the Security tab, clicking Advanced... and then adding the user from there. Don't forget to give Full Control permissions. It's important to also add the group docker-users with Full Control on that folder as well or the mounting will fail.
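The workaround in the comment above, scripted as an added example that is not part of the original post: it creates the account, puts it in docker-users only, and grants the folder permissions the comment describes. `DockerHost` and `docker-users` are the names from the comment; `$ProjectDir` is a hypothetical folder, and the script assumes an elevated PowerShell session on a machine where local accounts are allowed.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# 'DockerHost' and 'docker-users' come from the comment above;
# $ProjectDir is a hypothetical folder you intend to mount into containers.
param(
    [string]$UserName   = 'DockerHost',
    [string]$ProjectDir = 'C:\src\myproject'
)
$ErrorActionPreference = 'Stop'
$group = 'docker-users'

# 1. Create the dedicated local account with a password of your choosing.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString -Prompt "Password for $UserName"
    New-LocalUser -Name $UserName -Password $password `
        -Description 'Credentials for Docker drive sharing' | Out-Null
}

# 2. Add it to docker-users only. New-LocalUser does not place the account
#    in any group, so this becomes its sole membership.
if (-not (Get-LocalGroupMember -Group $group -Member $UserName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $group -Member $UserName
}

# Confirm "docker-users only" by listing every local group holding the account.
$memberOf = Get-LocalGroup | Where-Object {
    Get-LocalGroupMember -Group $_.Name -Member $UserName -ErrorAction SilentlyContinue
}
"Groups containing ${UserName}: $($memberOf.Name -join ', ')"

# 3. Grant the account and the group Full Control (F) on the folder to be
#    mounted, inherited by files (OI) and subfolders (CI), as the comment says.
icacls $ProjectDir /grant "${UserName}:(OI)(CI)F" "${group}:(OI)(CI)F"
if ($LASTEXITCODE -ne 0) { throw "icacls failed for $ProjectDir" }

# 4. Show the resulting access entries for review.
$pattern = "\\($([regex]::Escape($UserName))|$([regex]::Escape($group)))$"
(Get-Acl -Path $ProjectDir).Access |
    Where-Object { $_.IdentityReference -match $pattern } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```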

While the above workaround may work for some
#616 (comment)

and @LongLiveCHIEF 's suggestion to run Docker for Ubuntu in WSL might be another alternative: https://github.com/LongLiveCHIEF/wsl2-docker-for-win , @Lukortech 's point is well taken that it's a bit risky.

In at least our enterprise(government) environment, creating a local account is not allowed. So this is a non-starter. Happy to hear @mikeparker say that the Docker team is working on this.

@silkfire you save my life, thanks!

Plus 1 - this is an issue, we use a passphrase and this is stopping me in my tracks.
Also it's causing me stress. This is ridiculous.

+1. Still requires a password

Thanks everyone for your patience on this.

We have released a new drive sharing mechanism on the latest Edge release, using GRPC FUSE instead of Samba. This allows you to mount drives without passwords.

If you are switching directly from Stable to Edge channels you'll need to ensure 'Experimental features' are enabled in the settings to get this feature. Alternatively uninstall Stable and install directly from the link -> https://download.docker.com/win/edge/40920/Docker%20Desktop%20Installer.exe

This should fix all issues in this thread, please let us know.

djs55 commented

To add to what Mike said above, if it doesn't seem to be working properly on the new edge release, first check to see whether the new drive sharing mechanism has activated:

  1. open a powershell window and type

         docker run -it -v C:\:/c --privileged --pid=host justincormack/nsenter1 /usr/bin/ctr -n services.linuxkit t exec -exec-id foo -t docker /bin/sh -c 'mount | grep host_mnt'

  2. if prompted, confirm that you would like to share the drive
  3. observe the filesystem type grpcfuse mentioned in the command output, for example

         grpcfuse on /host_mnt/c type fuse.grpcfuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other,max_read=1048576)

(If it hasn't switched mode, the output will mention "cifs")

Assuming the new drive sharing has activated, if there are still problems then let us know (and please upload diagnostics and describe reproduction steps if possible!)

Pomax commented

Still can't save for a regular Windows user (without admin rights but full rights to their own Documents folder) that does not have a password set on 2.1.6.1(edge).

Resetting share credentials, selecting the relevant drives, and hitting apply pops up the user/pass dialog, saving with an empty password just starts an infinite user/pass dialog loop rather than going "k, the account name you gave me has no password; if I get 'access denied' errors, you'll know why"

I can't comment on the usage with a regular user, but I can say that it works flawlessly with my admin user with the Edge version + experimental features enabled. Good work!

Pomax commented

Right, but the issue is for a windows user without a password, which--barring setups that aren't connected to the internet, or the OS that docker is installed on is itself a meaningless VM--are definitely not password-less full-admin accounts.

djs55 commented

The latest edge release has just been published with various fixes to the new filesharing. If you'd like to try it the direct download link is here: https://download.docker.com/win/edge/41561/Docker%20Desktop%20Installer.exe .

If you get a chance to try it and have problems with the filesharing, could you upload diagnostics and share some reproduction steps? Thanks!

Pomax commented

awesome - does it cleanly update, or would it be better to uninstall 2.1.6.1 and then install the new one?

Pomax commented

I'm happy to report that 2.1.7.0 works perfectly on a standard windows account without a password. Push this out as soon as possible, this is a game changer =)

You should be able to update using the built-in upgrade popup.

This is fixed with the new filesharing implementation in 2.2.0.3, so closing this ticket.
