docker build fails when dockerd data-root is on NVMe Direct Disk #609
Description
Describe the bug
On Windows Server Kubernetes nodes:
- When Docker’s
data-rootis on SSD (ATA bus) →docker buildworks correctly. - When Docker’s
data-rootis on NVMe Direct Disk →docker buildconsistently fails with:
hcsshim::System::Start: failure in a Windows system call:
The process cannot access the file because it is being used by another process.
At the same time, Kubernetes workloads using containerd run fine with NVMe storage (pods pull images and start normally).
The issue is isolated to the dockerd HostProcess build workflow (image builds).
To Reproduce
Steps to reproduce the behavior:
- Configure Docker HostProcess
daemon.json:{ "data-root": "G:\\docker", "exec-opts": ["isolation=process"], "debug": true } - Restart
vmcompute,hns, anddockerservices. - Run:
docker build -t test . - Observed result:
hcsshim::System::Start: failure in a Windows system call: The process cannot access the file because it is being used by another process. - Reconfigure Docker with
data-rooton SSD (C:\docker-data). - Restart services.
- Re-run build.
- Expected result: build succeeds.
Expected behavior
docker build should succeed with data-root on NVMe Direct Disks, just as it does on SSD.
Configuration:
- Edition: Windows Server 2022 Datacenter Core (Azure AKS Windows nodepool)
- Base Image:
mcr.microsoft.com/windows/servercore:ltsc2022 - Container engine: Docker (
dockerdHostProcess), containerd (for Kubernetes runtime) - Container engine version: Docker 20.10.x / 24.x (reproducible across versions)
Disk info (NVMe drive G:):
File System : NTFS
Bytes Per Cluster : 4096
Compression/Dedup/Encryption : disabled
HealthStatus : Healthy
OperationalStatus : OK
Additional context
- Kubernetes pods (containerd) run fine with NVMe Direct Disk storage.
- dockerd HostProcess fails only during builds when
data-rootis on NVMe. - Issue occurs at the moment dockerd/HCS tries to create or mount
scratch.vhdxinwindowsfilter.
Tests attempted (all failed on NVMe data-root):
- Disabled Windows Defender completely (Tamper Protection off, GPO/registry, exclusions applied)
- Disabled Windows Search/Indexing
- Full node reboots after each change
- Fresh empty
G:\\dockerdirectory (renamed previous one to.bak) - BuildKit disabled (
features.buildkit=false) DOCKER_TMPDIRset to SSD and NVMe (both worked fine → NVMe usable outside windowsfilter)- Checked open handles with Sysinternals
handle.exe→ only dockerd DB files, no external locks - Checked
Containers-WcifsandBindFltlogs → no SHARING VIOLATION entries - Verified NTFS 4K cluster size (
Bytes Per Cluster = 4096)
Workarounds:
- Place
data-rooton SSD → builds succeed. - Use NVMe only for:
DOCKER_TMPDIR(build temporary files)- Bind mounts / cache directories
- Optionally:
mklink /J G:\\docker C:\\docker-data
⚠️ Offloading builds to Linux BuildKit does not work for Windows-native images (e.g.,servercore,nanoserver).
Impact:
- Blocks Windows container builds on nodes with NVMe-only storage.
- CI/CD pipelines cannot run
docker buildlocally with dockerd HostProcess ifdata-rootis NVMe. - Forces SSD allocation for data-root, which reduces performance and complicates infrastructure design.