Include CommandLine in CreateProcess errors

[jterry75]

Hey team,

It can be horribly annoying without verbose logs for a user to figure out what exactly was being executed when running a command in a container. How do we feel about including the CommandLine in the main error?

Without:

ctr run --rm mcr.microsoft.com/windows/nanoserver:ltsc2022 test powershell -Command { Write-Host Here }
ctr: hcs::System::CreateProcess test: The system cannot find the file specified.: unknown

With:

ctr run --rm mcr.microsoft.com/windows/nanoserver:ltsc2022 test powershell -Command { Write-Host Here }
ctr: hcs::System::CreateProcess: powershell -Command { Write-Host Here } test: The system cannot find the file specified.: unknown

The second example more clearly illustrates to the caller that "powershell" was the file that was not found.

Signed-off-by: Justin Terry jlterry@amazon.com

[dcantah]

lgtm, you'll need to run go mod vendor in /test

[kevpar]

@helsaawy I think you looked at some cases where confidential info like creds might be included in the container command line by the user. Do you expect that to be a problem here?

[helsaawy]

we decided not to scrub the command line, so even if we dont accept this, they will be leaked by containerd, HCS, and elsewhere in the shim

[jterry75]

I was worried about the same @kevpar. Based on @helsaawy's comment it seems safe to take?

[helsaawy]

I was worried about the same @kevpar. Based on @helsaawy's comment it seems safe to take?

Yup, we log the process parameters here:

hcsshim/internal/vmcompute/vmcompute.go

Lines 397 to 399 in 113a929

	if s, err := log.ScrubProcessParameters(processParameters); err == nil {
	span.AddAttributes(trace.StringAttribute("processParameters", s))
	}

But its just the environment we remove

[jterry75]

Ok sweeeeeeet. I guess there is a go mod issue. I will fix that today.

[ghost]

All CLA requirements met.

[jterry75]

@dcantah - OH. The in /test part matters a lot to the context :)