I'm working with the following:
Docker for Windows v20.10.11
Docker running in Windows container mode
mcr.microsoft.com/windows:1903 base image
Proprietary application installed on top of this base image
Each year we create a Docker image with the latest version of our company's software. However this year's version behaves differently. Host machine installation runs fine. Containerized installation fails to run in certain situations. I can start the application as a simple EXE, for example using the Docker run command. The app will start and show up in "tasklist". However I can't start the app via the COM API, which is a critical requirement. The problem appears to be COM related. Normally we can create COM objects for our software just like for any other application. For example, IE returns a COM object just fine:
Creating these objects for our application works outside containers. However inside the container, our latest installation gives this error:
Access permissions appear to be ok. I tried a couple tests to prove this. First I can install other software like MS Word into a container and create COM objects for that:
Second I tried retrieving + modifying the application's DACL in PowerShell.
Changing access masks or trustees can cause an Access Denied error:
This also appears to confirm the access permissions were Ok by default.
Next I made sure COM is aware of the application. This appears to be fine. I get the same result on host machine and container when running this PS script:
gci HKLM:\Software\Classes -ea 0| ? {$.PSChildName -match '^\w+.\w+$' -and
(gp "$($.PSPath)\CLSID" -ea 0)} | ft PSChildName
The application shows up just like any other. The details show up fine when querying by AppID. LocalServer32 points to the correct EXE:
Some other things I tried:
Querying registry keys. There are 7 keys created when installing our software. These appear identical on host machine install and container install.
Even though permissions appear fine, I still tried logging into the container as alternate users. For example "nt authority\system" is another virtual admin user. I also changed the password of the "builtin\administrator" user to enable logging in with that one. Lastly tried creating new users entirely and adding them to the Administrators user group. All these attempts had the same errors as "builtin\containeradministrator" (default user).
A minor check was ensuring CMD.exe / Powershell is running as x64:
Re-registering the DLLs associated with the installation using regsvr32.
Starting from different base images. https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/container-base-images. The full Win Server base image behaves exactly the same way regarding errors. The smaller Win Server Core base image is even more problematic, as I can't even start the app's EXE manually using that base. Lastly I tried other tags of the full Windows base image such as 20H2 and 2004. Same result from those. Multiarch or x64 makes no difference.
Included the "Ogawa hack" which was historically needed to make MS Office apps function correctly with COM: https://stackoverflow.com/a/1680214/7991646. It could be necessary for other COM apps too, but didn't help with my specific installation.
Is there anything else I can do to diagnose or solve this COM issue?
There are several things to consider:
The Considerations for server-side Automation of Office article states the following:
Microsoft does not currently recommend, and does not support, Automation of Microsoft Office applications from any unattended, non-interactive client application or component (including ASP, ASP.NET, DCOM, and NT Services), because Office may exhibit unstable behavior and/or deadlock when Office is run in this environment.
If you are building a solution that runs in a server-side context, you should try to use components that have been made safe for unattended execution. Or, you should try to find alternatives that allow at least part of the code to run client-side. If you use an Office application from a server-side solution, the application will lack many of the necessary capabilities to run successfully. Additionally, you will be taking risks with the stability of your overall solution.
The When CoCreateInstance returns 0x80080005 (CO_E_SERVER_EXEC_FAILURE) page describes possible reasons.
If many COM+ applications run under different user accounts that are specified in the This User property, the computer cannot allocate memory to create a new desktop heap for the new user. Therefore, the process cannot start. See Error when you start many COM+ applications: Error code 80080005 -- server execution failed for more information.
Finally, you may find a similar thread here helpful, see Server execution failed (Exception from HRESULT: 0x80080005 (CO_E_SERVER_EXEC_FAILURE)).
Related
I have an image with a GUI application, with base image of microsoft/windowsservercore. Application is installed correctly in the image, however I'm unable to display it on host machine. Have read several articles on this on Google and they suggest to install XServer for Windows and then we can display the application on host machine. I have been trying to run following command (as suggested in most of the articles), however it does nothing and I don't get the display. Please assist.
docker run --rm -it -e DISPLAY=127.0.0.1:0.0 eft
The DISPLAY would be useful for Linux container.
As mentioned here:
WindwosServerCore image does not come with binaries for UI applications so I doubt this will ever work in servercore image but Microsoft insiders can use new bigger WindwosServer image which I beleive have those libraries intact.
This thread adds:
I understand that you can run GUI apps but the rendered elements are not shown on any desktop. Lars Iwer [MSFT] writes in the discussion below the article:
In the container image as it is right now, GUI elements will be rendered in session 0. UI automation should work with that (e.g. programmatically searching for a window etc.).
Session 0 is the session in which all system services are run and is by definition non-interactive. Sessions, Stations and Desktops are means of isolation in Windows (NT) and whether an application can show a UI and receive user interaction depends on whether it has an access to a Station with a Desktop.
Processes in Session 0 do not have that by default.
However it used to be possible to “Allow services to interact with Desktop” and it is also possible to run interactive services in other sessions than Session 0 (pay attention to “as it is right now”). Therefore, it would be interesting to hear some expert insights from Microsoft/Docker team on that…
I have an "Advanced Installer" project that I am trying to use to install my "TopShelf" windows service that I have built.
I found the spot in Advanced Installer to grant permissions to the installation folder, but I don't see a way to grant permissions to the "Local System" account.
Manually, this is done by going to the security option in the properties of the folder and adding a user with the same name as the computer name but ending with a $. For Example MyNiceComputer$. (Oh, and you have to select the "Computers" option in the types area.)
But there is no way to do all this in Advanced Installer. If I do make one like MyNiceComputer$, it just makes an empty entry in the security tab. (No Permissions on it, even though I setup for full control.)
Has anyone ever needed to do this with Advanced Installer?
Additional Details:
I am installing an app that runs as a windows service. (It is a console app built with TopShelf).
Our company policy is to install all our applications into a folder that looks like this:
C:\OurCompanyApps\MyApp
When I create the installer, it runs fine, but then I when I start up the Windows Service, I get the following error:
Windows could not start the MyApp service on Local Computer
Error 5: Access is denied.
But when I grant access to Local System (by giving Full Control rights to myNiceComputer$ on the MyApp folder), then this error goes away and the app runs fine. From what I read, this is because the application is running as Local System.
It seems odd that it needs full control but it does not work without it. (But as far as I can see, the contents of the folder are un-altered).
#Bogdan Mitrache seems to indicate that granting permissions to Local System is not possible via Advanced Installer. This is good to know (so I don't waste more time looking). I will probably ask my System Admins for a dedicated system account to run my service as. Not ideal, but it will serve as a work around.
So, in one of my "less finer" moments of debugging, I mixed up two different things.
There was also a file missing, (my config file). I restored that and changed the permissions at the same time. But then I forgot to go back and verify which one was the actual fix. (I know, not good debugging.)
So, the Access is denied error was due to a missing file.
Anybody having problems with IBM Containers on US South in Bluemix?
Containers report Data currently available on the dashboard and if I try to list or start a container I get this error:
Catalog Error
×
BXNUI0513E: The attempt to retrieve containers failed because a problem occurred
contacting IBM Containers. Try again later. If the problem continues, go to
Support. For other help options, see the Bluemix Docs.
If I switch to the UK site, I can create and use containers.
I've just recently tried out a Docker container with a sshd and it was running fine for 5-6 hours. However, then it seemed like part of the Container service in Bluemix broke and I've not been able to access it for the past 24 hours.
Regards.
Mikael
For trial accounts you can create containers only in one space and this error sometimes occurs when the user tries to create a container in another region. Unfortunately since you're using 'pay as you go' in this in case you have to open a support request using one of the following methods in order to engage IBM Containers team to investigate your issue:
Use the Support Widget. It is available from the user avatar in the
upper right corner of the main Bluemix UI. After opening the support
widget panel, select Get Help > Get In Touch , select the type of
assistance you need, and then fill out the support form.
Use the Support Site 'Get Help' form. This form is available on a separate site that is made available for ticket submission when you cannot log into Bluemix and access the Support Widget. Go to http://ibm.biz/bluemixsupport and fill in the support request form.
EDIT: I saw that you opened a Support ticket and the issue was fixed. It was an issue related to your specific organization.
Just a small note. Hopefully Containers in Dallas are now working well again. In addition, I wanted to note that we strongly discourage the use of sshd in containers for security reasons. The good news is shell access is at your fingertips via the cf ic exec <contianer id> /bin/bash command. (your container may need just bash or /bin/sh YMMV)
I am building a Windows service app using Delphi , RAD Studio 10
Upon my investigation I came across with a Eset Windows service which wonderfully was protecting itself from being Stopped or terminated.
On stopping the service using (windows service manager) or (end process button)
or (end task button) following error messages occurs :
The operation couldn't be completed.
access denied.
same thing is true with its registry keys . The error message is :
Can not delete info: Error while deleting key
I tested Administrator access and system access. in both cases i was not successful.
I want to build such self-defense mechanism for my own application protecting my service and registry key.
Any idea would be helpful.
Thank you for your time.
update :
I want to know how i can do it in Delphi ... that's why it is tagged Delphi
and If someone wants to stop the service or uninstall it ....
he or she can just use my own applications UI to do it.
edit 2 :
As Remko mentioned I thnk DACL and ACL is better way to handle it , I couldn't find any good reference for it. Is there any good reference for Delphi language?
Protecting from SCM stop is very easy. Assuming you are using TService, you can handle the TService.OnStop event and set its Stopped parameter to False. And assign an error code to the TService.ErrCode or TService.Win32ErrCode property.
Unless you are writing security software, you really should not protect from TaskManager termination. Admins should be allowed to kill misbehaving processes. That being said, you can use SetSecurityInfo() to assign a DACL to your service process that grants/denies access to particular users and/or groups as needed.
You can also use ChangeServiceConfig2() to configure your service's "failure actions" to restart the service if it terminates unexpectedly.
To protect your Registry key, you can use the lpSecurityAttributes parameter of RegCreateKeyEx(), or use the RegSetKeySecurity() function, to assign a SECURITY_DESCRIPTOR to your key that contains a DACL that grants/denies access to particular users and/or groups as needed.
The situation: I have a mvc.net web page which, when called, runs a batch file on my server using System.Diagnostics.Process.Start and cmd.exe. The batch file contains a line that runs "svn.exe update myfilepath" and should therefore update the files on the server.
What's happening?
- the batch file is running, but the call to svn.exe does nothing, nor produces any error messages.
- if I run the batch file by double clicking, the svn command DOES run successfully.
I guess this is a security issue, but I'm no expert on this and I cannot make any headway.
The site is hosted on Windows Server 2008 R2 and the app pool is using the ApplicationPoolIdentity system. I have tried running the app pool as Network Service and also adding Network Service as a user that can Read/Execute to svn.exe.
Please help!
This could be proxy related. It's possible that you access the Internet via a proxy, but that the user profile for the app pool identity isn't configured like this. You may need to use a domain account that you can log on as in order to create a suitable user profile. You will also need to make sure IIS is loading the profile by ticking the appropriate option.
(Another possibility is that the working directory for the process you are starting is not set correctly to the root of your Subversion working copy. We've established this wasn't the problem in your case.)