docker instruction RUN requires double quotes to be escaped when shell=powershell

[x] I have tried with the latest version of Docker Desktop
[x] I have tried disabling enabled experimental features
[x] I have uploaded Diagnostics
Diagnostics ID: BA40D1ED-7C70-4762-99A6-12AB3F8468D0/20230308224739

Actual behavior and reproduction

In my Dockerfile, I have:

# escape=`
FROM mcr.microsoft.com/dotnet/framework/sdk:4.8-windowsservercore-ltsc2019
SHELL ["powershell", "-Command"]
ENV PY2=C:\Python27;C:\Python27\Scripts
RUN setx /m PATH "$Env:PY2;$Env:PATH"
ENTRYPOINT [ "powershell.exe", "-NoLogo", "-ExecutionPolicy", "Bypass" ]

I run docker build -t foo ., where the working directory is obviously my docker project. This builds successfully.

I run docker run --rm -it foo:latest, and that results in

docker: Error response from daemon: container 6ab2261218dcf60e17250f9fdb3a777944a763eecce9d813a63f6e0166b461af encountered an error during hcsshim::System::CreateProcess: failure in a Windows system call: The system cannot find the file specified. (0x2)
[Event Detail:  Provider: 00000000-0000-0000-0000-000000000000]
[Event Detail:  Provider: 00000000-0000-0000-0000-000000000000]
[Event Detail: onecore\vm\compute\management\orchestration\vmhostedcontainer\processmanagement.cpp(173)\vmcomputeagent.exe!00007FF7CEF59FAB: (caller: 00007FF7CEF0E19A) Exception(2) tid(394) 80070002 The system cannot find the file specified.
    CallContext:[\Bridge_ProcessMessage\VmHostedContainer_ExecuteProcess]
 Provider: 00000000-0000-0000-0000-000000000000].

At this point, I'm suspecting that powershell cannot be found in PATH for some reason. Looking back at the docker-build output, I notice this:

Step 4/5 : RUN setx /m PATH "$Env:PY2;$Env:PATH"
 ---> Running in d62ca49826da

SUCCESS: Specified value was saved.
C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\dotnet\;C:\Users\ContainerAdministrator\AppData\Local\Microsoft\WindowsApps;C:\Users\ContainerAdministrator\.dotnet\tools;C:\Program Files\NuGet;C:\Program Files (x86)\Microsoft Visual Studio\2022\TestAgent\Common7\IDE\CommonExtensions\Microsoft\TestWindow;C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\MSBuild\Current\Bin\amd64;C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools;C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool;
Removing intermediate container d62ca49826da
 ---> ab90421da899

which, I think, is essentially executing two powershell statements: setx /m PATH $Env:PY2 and $Env:PATH. In other words, the double quotes have been omitted from execution and docker-build is executing setx /m PATH $Env:PY2;$Env:PATH instead of setx /m PATH "$Env:PY2;$Env:Path".

Expected behavior

The expected behavior is to have something like this in the docker build -t foo . output:

...
Step 4/5 : RUN setx /m PATH "$Env:PY2;$Env:PATH"
 ---> Running in 9b530eaa9808

SUCCESS: Specified value was saved.
Removing intermediate container 9b530eaa9808
 ---> 679764c33fcc

and executing docker run --rm -it foo:latest should open up an interactive powershell instance from within my container, prompting me with PS C:\>.

The expected behavior can mostly be achieved by escaping the quotes in the dockerfile at the RUN setx ... instruction:

...
RUN setx /m PATH \"$Env:PY2;$Env:PATH\"
...

This seems non-intuitive b.c. there are no surrounding double quotes to begin with.

Furthermore, I could not find any official documentation that explains the need to escape the double quotes.

Information

This problem is unlikely to be new. Here are related resources that seem to have existed since 2017/2018:

https://stackoverflow.com/q/42092932/2630028

https://github.com/StefanScherer/dockerfiles-windows/tree/789fa0b54c0d0263fa9464025cfe12ec2fe0cd6c/quotes

Windows Version:
- OS Name: Microsoft Windows 10 Pro
- OS Version: 10.0.18362 N/A Build 18362
Docker Desktop Version: Docker Desktop 4.17.0 (99724)
WSL2 or Hyper-V backend? Hyper-V
Are you running inside a virtualized Windows e.g. on a cloud server or a VM: No

docker info:


PS C:\> docker info                  
Client:
Context:    default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc., v0.10.3)
compose: Docker Compose (Docker Inc., v2.15.1)
dev: Docker Dev Environments (Docker Inc., v0.1.0)
extension: Manages Docker extensions (Docker Inc., v0.2.18)
sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc., 0.6.0)
scan: Docker Scan (Docker Inc., v0.25.0)
scout: Command line tool for Docker Scout (Docker Inc., v0.6.0)

Server: Containers: 0 Running: 0 Paused: 0 Stopped: 0 Images: 11 Server Version: 20.10.23 Storage Driver: windowsfilter Windows: Logging Driver: json-file Plugins: Volume: local Network: ics internal l2bridge l2tunnel nat null overlay private transparent Log: awslogs etwlogs fluentd gcplogs gelf json-file local logentries splunk syslog Swarm: inactive Default Isolation: hyperv Kernel Version: 10.0 18362 (18362.1.amd64fre.19h1_release.190318-1202) Operating System: Windows 10 Pro Version 1903 (OS Build 18362.1256) OSType: windows Architecture: x86_64 CPUs: 8 Total Memory: 15.86GiB Name: NSC-KNAVERO ID: UDSU:HFTF:BBTJ:LDGU:VT2J:SGT4:GMCY:6UCY:SVGR:J7NS:URVG:SU6Q Docker Root Dir: C:\ProgramData\Docker Debug Mode: false Registry: https://index.docker.io/v1/ Labels: Experimental: false Insecure Registries: 127.0.0.0/8 Live Restore Enabled: false Product License: Community Engine


### Output of `& "C:\Program Files\Docker\Docker\resources\com.docker.diagnose.exe" check`

[2023-03-07T19:42:57.137716900Z][com.docker.diagnose.exe][W] Windows version might not be up-to-date: The system cannot find the file specified. [2023-03-07T19:42:57.158206700Z][com.docker.diagnose.exe][I] set path configuration to OnHost Starting diagnostics

[PASS] DD0027: is there available disk space on the host? [PASS] DD0028: is there available VM disk space? [PASS] DD0002: does the bootloader have virtualization enabled? [SKIP] DD0018: does the host support virtualization? [PASS] DD0001: is the application running? [PASS] DD0017: can a VM be started? [PASS] DD0016: is the LinuxKit VM running? [PASS] DD0011: are the LinuxKit services running? [PASS] DD0023: is the Containers Windows Feature enabled? [PASS] DD0004: is the Docker engine running? [PASS] DD0015: are the binary symlinks installed? [PASS] DD0031: does the Docker API work? [PASS] DD0013: is the $PATH ok? [PASS] DD0003: is the Docker CLI working? [PASS] DD0005: is the user in the docker-users group? [PASS] DD0038: is the connection to Docker working? [PASS] DD0014: are the backend processes running? [PASS] DD0007: is the backend responding? [PASS] DD0008: is the native API responding? [PASS] DD0009: is the vpnkit API responding? [PASS] DD0010: is the Docker API proxy responding? [PASS] DD0006: is the Docker Desktop Service responding? [SKIP] DD0030: is the image access management authorized? [PASS] DD0033: does the host have Internet access? [PASS] DD0002: does the bootloader have virtualization enabled? [PASS] DD0018: does the host support virtualization? [PASS] DD0001: is the application running? [PASS] DD0017: can a VM be started? [PASS] DD0016: is the LinuxKit VM running? [PASS] DD0011: are the LinuxKit services running? [PASS] DD0023: is the Containers Windows Feature enabled? [PASS] DD0004: is the Docker engine running? [PASS] DD0015: are the binary symlinks installed? [PASS] DD0031: does the Docker API work? [WARN] DD0032: do Docker networks overlap with host IPs? network bridge has subnet 172.17.0.0/16 which overlaps with host IP 172.17.26.33

Please note the following 1 warning:

1 : The check: do Docker networks overlap with host IPs? Produced the following warning: network bridge has subnet 172.17.0.0/16 which overlaps with host IP 172.17.26.33

If the subnet used by a Docker network overlaps with an IP used by the host, then containers won't be able to contact the overlapping IP addresses.

Try configuring the IP address range used by networks: in your docker-compose.yml. See https://docs.docker.com/compose/compose-file/compose-file-v2/#ipv4_address-ipv6_address

No fatal errors detected.

docker / for-win