Access denied when creating symlinks in docker-windows container

I am running into access denied problems when creating symbolic links with windows-docker runners. The problem seems to happen only when creating symlinks inside the build directory, perhaps related to the way GitLab CI mounts the project directory?

I tried several Windows image versions and tried running the job as the system user and as administrator. Nothing seems to change the outcome.

I am using a self-managed GitLab.

  • GitLab Runner version 13.8.0, also tested with 13.3.1
  • Docker Desktop version 3.1.0
  • GitLab CE 13.4.3

Error from build:

Fetching changes with git depth set to 1...
Initialized empty Git repository in C:/builds/testproject/.git/
Created fresh repository.
Checking out .....
git-lfs/2.11.0 (GitHub; windows amd64; go 1.14.2; git 48b28d97)
Skipping Git submodules setup
Executing "step_script" stage of the job script
00:42
$ echo $env:username
ContainerAdministrator
$ Get-ExecutionPolicy
Bypass
$ Get-Localuser | Select *
AccountExpires         : 
Description            : Built-in account for administering the computer/domain
Enabled                : False
FullName               : 
PasswordChangeableDate : 2/11/2021 1:46:25 AM
PasswordExpires        : 3/25/2021 1:46:25 AM
UserMayChangePassword  : True
PasswordRequired       : True
PasswordLastSet        : 2/11/2021 1:46:25 AM
LastLogon              : 2/11/2021 1:46:33 AM
Name                   : Administrator
SID                    : S-1-5-21-3347400284-3605491952-254122131-500
PrincipalSource        : Local
ObjectClass            : User
AccountExpires         : 
Description            : A user account managed by the system.
Enabled                : False
FullName               : 
PasswordChangeableDate : 
PasswordExpires        : 
UserMayChangePassword  : True
PasswordRequired       : False
PasswordLastSet        : 
LastLogon              : 
Name                   : DefaultAccount
SID                    : S-1-5-21-3347400284-3605491952-254122131-503
PrincipalSource        : Local
ObjectClass            : User
AccountExpires         : 
Description            : Built-in account for guest access to the 
                         computer/domain
Enabled                : False
FullName               : 
PasswordChangeableDate : 
PasswordExpires        : 
UserMayChangePassword  : False
PasswordRequired       : False
PasswordLastSet        : 
LastLogon              : 
Name                   : Guest
SID                    : S-1-5-21-3347400284-3605491952-254122131-501
PrincipalSource        : Local
ObjectClass            : User
AccountExpires         : 
Description            : A user account managed and used by the system for 
                         Windows Defender Application Guard scenarios.
Enabled                : False
FullName               : 
PasswordChangeableDate : 
PasswordExpires        : 
UserMayChangePassword  : True
PasswordRequired       : True
PasswordLastSet        : 
LastLogon              : 
Name                   : WDAGUtilityAccount
SID                    : S-1-5-21-3347400284-3605491952-254122131-504
PrincipalSource        : Local
ObjectClass            : User
$ New-Item -ItemType SymbolicLink -Path "c:\Windows-symlink" -Target "c:\Windows"
    Directory: C:\
Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
d----l        2/22/2021   3:39 PM                Windows-symlink               
$ pwd
Path                           
----                           
C:\builds\testproject
$ New-Item -ItemType SymbolicLink -Path "ci_scripts_link"  -Target "ci_scripts"
New-Item : Access is denied
At line:1 char:1
+ New-Item -ItemType SymbolicLink -Path "ci_scripts_link"  -Target "ci_ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-Item], Win32Exception
    + FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.P 
   owerShell.Commands.NewItemCommand
 
Cleaning up file based variables
00:35
ERROR: Job failed: exit code 1

What could I do to make symlinks work in Windows containers? Symlinks are necessary for the build process, and this is stopping our progress in moving to a common Docker-based build environment.

Dockerfile

# escape=`

FROM mcr.microsoft.com/windows/servercore:1909-amd64
SHELL ["powershell", "-command"]

# Setting Execution Policy for PS scripts
RUN Set-ExecutionPolicy Bypass

# Enabling Developer Mode
RUN reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock" /t REG_DWORD /f /v "AllowDevelopmentWithoutDevLicense" /d "1"

# Disable UAC
RUN reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f

ENTRYPOINT ["powershell.exe", "-NoLogo", "-ExecutionPolicy", "Bypass"]

gitlab-ci.yml

stages:
  - test

windows_build_template:
    stage: test
    tags:
        - ci-testing
        - windows-docker
    script:
        # Print user env info
        - echo $env:username
        - Get-ExecutionPolicy
        - Get-Localuser | Select *
        # Test creating symlink
        - New-Item -ItemType SymbolicLink -Path "c:\Windows-symlink" -Target "c:\Windows"
        - pwd
        - New-Item -ItemType SymbolicLink -Path "ci_scripts_link"  -Target "ci_scripts"
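
A diagnostic that separates the two variables in the job log above, the token's symlink privilege and the directory the link is created in. It is an added example, not part of the original post. The function names and probe file names are hypothetical, and the directories are the ones shown in the log (C:\ and C:\builds) plus the temp and current directories.

```powershell
# Added diagnostic sketch (not from the original post). Run it as a job script step.
function Get-SymlinkPrivilege {
    # whoami /priv lists the privileges in the current token and their state.
    $line = whoami /priv | Select-String 'SeCreateSymbolicLinkPrivilege'
    if (-not $line) { return 'NotPresent' }
    if ($line.Line -match 'Enabled\s*$') { 'Enabled' } else { 'Disabled' }
}

function Test-SymlinkCreation {
    param([Parameter(Mandatory)][string[]]$Directory)
    foreach ($dir in $Directory) {
        $item   = Get-Item -LiteralPath $dir -Force
        # Probe names are constructed for this test and removed afterwards.
        $target = Join-Path $dir 'symlink_probe_target'
        $link   = Join-Path $dir ('symlink_probe_' + [guid]::NewGuid().ToString('N'))
        $result = [ordered]@{
            Directory      = $item.FullName
            # A directory that is itself a reparse point is a link or mount point.
            IsReparsePoint = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
            LinkType       = $item.LinkType
            Created        = $false
            Win32Error     = $null
            Message        = $null
        }
        try {
            New-Item -ItemType Directory -Path $target -Force -ErrorAction Stop | Out-Null
            New-Item -ItemType SymbolicLink -Path $link -Target $target -ErrorAction Stop | Out-Null
            $result.Created = $true
        } catch {
            $ex = $_.Exception
            # New-Item surfaces the OS failure as Win32Exception (see the log above);
            # NativeErrorCode 5 is ERROR_ACCESS_DENIED.
            if ($ex -is [System.ComponentModel.Win32Exception]) { $result.Win32Error = $ex.NativeErrorCode }
            $result.Message = $ex.Message
        } finally {
            # Delete the link itself (non-recursive), then the probe target.
            if (Test-Path -LiteralPath $link) { (Get-Item -LiteralPath $link -Force).Delete() }
            Remove-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
        }
        [pscustomobject]$result
    }
}

"SeCreateSymbolicLinkPrivilege: $(Get-SymlinkPrivilege)"
Test-SymlinkCreation -Directory 'C:\', $env:TEMP, 'C:\builds', (Get-Location).Path |
    Format-Table -AutoSize
```

If the privilege is reported as enabled and only the rows under C:\builds fail, the failure follows the directory rather than the account, which is the distinction the job log cannot show on its own.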