Issue getting credential spec (gMSA) working in docker-compose - docker

I have a gMSA credential spec working with docker run but not with docker-compose. Details for the compose file and the docker run command are below. I'm completely lost as to what I'm missing. I did a lot of googling and I'm not sure what's going on. My primary thought is that something with the docker-compose file is off, but I'm not sure.
Docker-compose
version: '3.3'
services:
  basic:
    image: mcr.microsoft.com/windows/servercore:ltsc2019
    entrypoint: ping -t localhost
    hostname: server01
    security_opt:
      - credentialspec=file://server01.json
    dns:
      - "192.168.43.2"
    user: "NT AUTHORITY\\NETWORK SERVICE"
networks:
  default:
    external:
      name: "Net"
After running docker-compose up
C:\Users\administrator> docker exec -it b9e2a783ab09 powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\> ipconfig
Windows IP Configuration
Ethernet adapter vEthernet (Ethernet) 10:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4416:3381:8d1a:122a%43
Autoconfiguration IPv4 Address. . : 169.254.18.42
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
PS C:\> ipconfig /renew
Windows IP Configuration
Ethernet adapter vEthernet (Ethernet) 10:
Connection-specific DNS Suffix . : localdomain
Link-local IPv6 Address . . . . . : fe80::4416:3381:8d1a:122a%43
IPv4 Address. . . . . . . . . . . : 192.168.43.198
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
PS C:\> nslookup testdomain.local
Server: UnKnown
Address: 192.168.43.2
Name: testdomain.local
Addresses: 192.168.43.2
192.168.52.133
PS C:\> nltest /sc_verify:testdomain.local
I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED
docker run
docker run -it --security-opt "credentialspec=file://server01.json" --user="nt authority\system" --hostname="server01" --network="Net" --dns="192.168.43.2" mcr.microsoft.com/windows/servercore:ltsc2019 powershell
PS C:\> nslookup testdomain.local
Server: UnKnown
Address: 192.168.43.2
Name: testdomain.local
Addresses: 192.168.43.2
192.168.52.133
PS C:\> nltest /sc_verify:testdomain.local
Flags: b0 HAS_IP HAS_TIMESERV
Trusted DC Name \\dc01.testdomain.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully
PS C:\>

Hey so I'm leaving this up as a mark of shame.
Notice that I used different users? Turns out I needed to use system and not the network service account. That fixed it.

Use double quotes:
security_opt:
  - "credentialspec=file://server01.json"

Related

docker network access fixed IP address

I need to access a physical device from a container on a Windows host (running Docker Desktop). The device has a fixed IP address in a separate subnet (192.168.0.5/24). How do I properly set up the network for the container (via docker run or docker-compose)?
I first thought of just opening the relevant port, but for one, it is chosen at random (e.g. 52714, 63575), and second, even if the port is open, I cannot reach the device.
So I tried to set up an ipvlan, but with this configuration I am not reaching the container at all.
version: "3.8"
services:
  python-fastapi:
    container_name: fast_api
    build:
      context: Python
      dockerfile: Vision_fastAPI.Dockerfile
    ports:
      - "5001:5000"
    networks:
      - myVLan
networks:
  myVLan:
    driver: ipvlan
    driver_opts:
      parent: host
      ipvlan_mode: l2
    ipam:
      config:
        - subnet: 192.168.0.0/24
Actually, I was trying to reproduce a tutorial (from an Ubuntu host):
docker network create -d ipvlan --subnet=192.168.0.0/24 --ip-range=192.168.0.0/24 -o ipvlan_mode=l2 -o parent=enp11s0f1 myVLan
Obviously, I struggle with the parent option. I thought it would be the physical Ethernet adapter, but I have no idea of the naming in Windows (docker-compose doesn't accept names like "Ethernet 8", so I guess I am getting something wrong here). It works with a docker network ("default"), but only in the sense that it doesn't produce an error.
The configuration of the Ethernet adapter is the following:
Ethernet adapter Ethernet 8:
Connection-specific DNS Suffix:
Description . . . . . . . . . . . : Lenovo USB Ethernet #4
Physical Address . . . . . . . . : 3C-18-A0-52-43-C1
DHCP Enabled . . . . . . . . . . : no
Autoconfiguration Enabled . . . . : Yes
IPv4 Address . . . . . . . . . . : 192.168.0.210(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip . . . . . . . : Enabled
Do absolutely nothing. Delete all of the networks: blocks in the Compose file. Connect to the external IP address as normal; Docker provides a network address translation (NAT) mechanism that will let you connect to the off-box service.
If you set up a Domain Name Service (DNS) server for your environment (highly recommended), make sure to use a fully-qualified domain name (FQDN) when you connect to the service, other-host.example.com. If you use a short name other-host then Docker will try to interpret that as a container name.

Unable to resolve docker.host.internal with docker-compose on windows server 2019

I need to connect to the docker host from a Linux container on my Windows Server machine. But docker DNS is not able to resolve docker.host.internal.
I have tried to add host.docker.internal in the docker compose extra_hosts tag and have also tried to map my machine IP with this. But none of this is working.
extra_hosts:
  - "host.docker.internal:host-gateway"
extra_hosts:
  - "host.docker.internal:my_ip"
I have also tried to check the /etc/hosts file in my container and it is not there. Since the hosts file is not there, docker DNS cannot resolve host.docker.internal.
docker exec my_container_id cat /etc/hosts
/etc/hosts: No such file or directory
My Environment:
Host Machine: Windows Server 2019
docker version: 20.10.10
lcow version: v4.14.35-v0.3.9
docker-compose version: v2.9.0
I have also tried to update my docker version to 20.10.11, which is working fine on my Windows 10 machine.
PS C:\Windows\system32> docker version
Client:
Version: 20.10.11
API version: 1.41
Go version: go1.16.10
Git commit: dea9396
Built: Thu Nov 18 00:42:51 2021
OS/Arch: windows/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.11
API version: 1.41 (minimum version 1.24)
Go version: go1.16.9
Git commit: 847da18
Built: Thu Nov 18 00:38:11 2021
OS/Arch: windows/amd64
Experimental: true
I am unable to understand why docker is unable to create the /etc/hosts file.
I have made this work by adding a manual entry in the /etc/hosts file. Since I was not using Docker Desktop, the docker daemon was not able to create the /etc/hosts file inside my container. And due to this missing file my container was not able to connect to host.docker.internal. I made sure of a few things before doing this.
I checked that the bridge network was created (from my host machine):
PS C:\Windows\system32> docker network ls
NETWORK ID NAME DRIVER SCOPE
9f3ee06eaa1f nat nat local
1b17a917b877 none null local
56f23d8f2228 talflow_code-default nat local
Then I inspected the nat network, which is the default bridge network created by the docker daemon:
PS C:\Windows\system32> docker network inspect nat
[
{
"Name": "nat",
"Id": "9f3ee06eaa1f3ec923e734b18228d08b2cda9242293a2b71fd82c7a413109609",
"Created": "2022-08-11T12:18:01.4356971-07:00",
"Scope": "local",
"Driver": "nat",
"EnableIPv6": false,
"IPAM": {
"Driver": "windows",
"Options": null,
"Config": [
{
"Subnet": "172.31.80.0/20",
"Gateway": "172.31.80.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {
"com.docker.network.windowsshim.hnsid": "9C6F07F8-D106-4CD4-B3B7-C303886D4815",
"com.docker.network.windowsshim.networkname": "nat"
},
"Labels": {}
}
]
Here the bridge IP is 172.31.80.1.
Next I verified that this IP is accessible inside my container. Note that I had to use an Ubuntu container to verify this. Since containers only have basic commands, I pulled the latest ubuntu image from Docker Hub and installed the ping, ip and route commands on it to verify the connectivity of the container with the host.
Inside my Ubuntu container I typed the route command to check the IP table:
root@8a7d33102d90:/# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 172.31.80.1 0.0.0.0 UG 1 0 0 eth0
172.31.80.0 * 255.255.0.0 U 0 0 0 eth0
In the IP route table I can see the bridge IP as the default route. This entry verifies that my container can communicate with the docker bridge network. I can use either this IP or my host machine IP to access any service on my host machine (I used the host machine IP as it was static; in case of a dynamic IP, prefer the bridge network IP or DNS).
Now inside my Ubuntu container I can ping both the bridge IP and my host machine IP:
root@8a7d33102d90:/# ping 172.31.80.1
PING 172.31.80.1 (172.31.80.1) 56(84) bytes of data.
64 bytes from 172.31.80.1: icmp_seq=1 ttl=64 time=0.070 ms
64 bytes from 172.31.80.1: icmp_seq=2 ttl=64 time=0.201 ms
64 bytes from 172.31.80.1: icmp_seq=3 ttl=64 time=0.116 ms
root@8a7d33102d90:/# ping 10.25.241.37
PING 10.25.241.37 (10.25.241.37) 56(84) bytes of data.
64 bytes from 10.25.241.37: icmp_seq=1 ttl=64 time=0.070 ms
64 bytes from 10.25.241.37: icmp_seq=2 ttl=64 time=0.201 ms
64 bytes from 10.25.241.37: icmp_seq=3 ttl=64 time=0.116 ms
Note that 10.25.241.37 is the IPv4 address of my Ethernet0 adapter; you can check this by typing the ipconfig command in PowerShell:
PS C:\Windows\system32> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.25.241.37
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 10.25.241.33
Ethernet adapter vEthernet (nat):
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::81af:fd91:a6cf:6158%15
IPv4 Address. . . . . . . . . . . : 172.31.80.1
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . :
Ethernet adapter vEthernet (56f23d8f2228039):
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::7453:b5f6:e090:b8a4%22
IPv4 Address. . . . . . . . . . . : 172.20.0.1
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
Once I verified that there was no issue with networking, I simply created the /etc/hosts file inside my actual container, from which I wanted to access the docker host.
PS C:\Windows\system32> docker exec -it a027f718c24e /bin/bash
root@a027f718c24e:/usr/local/airflow# echo '10.25.241.37 host.docker.internal' | tee -a /etc/hosts
After adding this entry I can access host.docker.internal from my container. Note that I added this entry only for testing purposes, as I had to add it inside the running container. So once the container is stopped this file will be gone and you will need to create it again, which is not right. So I will instead use the static IP (10.25.241.37) of my machine instead of host.docker.internal to make requests to services hosted on the host machine.
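As an added example (not code from the answer above), the following Python script cross-checks the two outputs the answer inspects: it parses the `docker network inspect nat` JSON for the gateway and subnet, parses the container's `route` table for its default gateway, confirms the two agree, and builds the /etc/hosts line the answer appends by hand. The sample JSON and route output are constructed from the values shown above, and `host_alias_check` is a hypothetical helper name.

```python
import json
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed sample: the parts of `docker network inspect nat` that matter here,
# using the subnet and gateway values shown in the answer.
NAT_INSPECT = json.dumps([{
    "Name": "nat",
    "Driver": "nat",
    "IPAM": {"Driver": "windows",
             "Config": [{"Subnet": "172.31.80.0/20", "Gateway": "172.31.80.1"}]},
}])

# Constructed sample: `route` output as printed inside the Ubuntu container.
ROUTE_OUTPUT = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.31.80.1     0.0.0.0         UG    1      0        0 eth0
172.31.80.0     *               255.255.0.0     U     0      0        0 eth0
"""


def nat_gateway(inspect_json: str, name: str = "nat") -> Tuple[str, str]:
    """Return (gateway, subnet) of the named network from `docker network inspect` JSON."""
    for net in json.loads(inspect_json):
        if net.get("Name") == name:
            cfg = net["IPAM"]["Config"][0]
            return cfg["Gateway"], cfg["Subnet"]
    raise KeyError(f"network {name!r} not found in inspect output")


def default_route_gateway(route_text: str) -> Optional[str]:
    """Return the gateway of the container's default route from `route` output."""
    for line in route_text.splitlines():
        fields = line.split()
        if fields and fields[0] in ("default", "0.0.0.0"):
            return fields[1]
    return None


def host_alias_check(inspect_json: str, route_text: str, host_ip: str) -> Dict[str, object]:
    """Cross-check the bridge gateway against the container's routing table and
    build the /etc/hosts line that maps host.docker.internal to the host IP."""
    gateway, subnet = nat_gateway(inspect_json)
    network = ipaddress.ip_network(subnet, strict=False)
    route_gw = default_route_gateway(route_text)
    return {
        "gateway": gateway,
        "gateway_in_subnet": ipaddress.ip_address(gateway) in network,
        "default_route_matches": route_gw == gateway,
        "hosts_line": f"{host_ip} host.docker.internal",
    }


if __name__ == "__main__":
    print(host_alias_check(NAT_INSPECT, ROUTE_OUTPUT, "10.25.241.37"))
```

On a real host, feed it the output of `docker network inspect nat` and of `route` run inside the container; a mismatch between the two gateways points at a container attached to a different network than the one being inspected.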

Docker for windows: real container IP different from the one shown on the configuration

I've just started playing with docker and I'm facing a really strange issue. After installing, I've pulled an IIS nanoserver image and I've started it:
λ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
beabe561852f d4 "C:\\ServiceMonitor.e…" 3 minutes ago Up 3 minutes 0.0.0.0:81->80/tcp nano-server
After that I've tried to access the site through the http://localhost:81. Since it wasn't working, I've inspected the IP with the following command:
λ docker inspect -f "{{json .NetworkSettings.Networks}}" b
{"nat":{"IPAMConfig":null,"Links":null,"Aliases":null,"NetworkID":"11117ac2f84721d1ca93c719192dd4d2aa5f9e6d23e7b3077dfd8ffb63aaf2e2","EndpointID":"68984bc164035e4035af1878673dda69e913dde19d641943cb68f7121aa9dae6","Gateway":"172.23.160.1","IPAddress":"172.23.174.235","IPPrefixLen":16,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"MacAddress":"00:15:5d:33:81:0a","DriverOpts":null}}
Pinging wasn't working either:
λ ping 172.23.174.235
Pinging 172.23.174.235 with 32 bytes of data:
Reply from 10.200.2.222: Destination net unreachable.
Reply from 10.200.2.222: Destination net unreachable.
Reply from 10.200.2.222: Destination net unreachable.
Reply from 10.200.2.222: Destination net unreachable.
Ping statistics for 172.23.174.235:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
So, I've tried running powershell in the container to check the IP:
PS C:\> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . : mshome.net
Link-local IPv6 Address . . . . . : fe80::14e3:fd95:19a:c89b%4
IPv4 Address. . . . . . . . . . . : 192.168.238.55
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 172.23.160.1
192.168.238.49
PS C:\>
As you can see, the container's "real" IP is completely different from the one that docker thinks is being used by it.
I've already tried disconnecting the container from the network and reconnecting it again, but the results are always the same.
Any clues on what's going on here? Even more important, any tips on how to solve it?
Thanks
In this case, I've removed all unused networks with the docker network prune command. After deleting the Default Switch, everything started to work out correctly. I'm not sure on why this was required, but probably there was something wrong with that switch configuration...

Cannot access docker container exposed port. Can ping but cannot telnet

I am trying to create an apache container in docker by following the link below:
https://www.assistanz.com/installing-apache-web-server-in-windows-container-using-docker-file/
Version Details:
Host OS: Windows Server 2016 (VMWare virtualized machine)
Docker Version:
PS C:\Windows\system32> docker version
Client:
Version: 17.06.2-ee-16
API version: 1.30
Go version: go1.8.7
Git commit: 9ef4f0a
Built: Thu Jul 26 16:43:19 2018
OS/Arch: windows/amd64
Server:
Engine:
Version: 17.06.2-ee-16
API version: 1.30 (minimum version 1.24)
Go version: go1.8.7
Git commit: 9ef4f0a
Built: Thu Jul 26 16:52:17 2018
OS/Arch: windows/amd64
Experimental: false
I managed to create the container and run it with the command below:
docker run -it -p 8080:80 apache powershell
PS C:\> ipconfig
Windows IP Configuration
Ethernet adapter vEthernet (Container NIC 258c52dd):
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::706a:94f1:9a6:6c49%31
IPv4 Address. . . . . . . . . . . : 172.21.60.107
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . : 172.21.48.1
Confirm that apache is running on port 80 from inside the container:
PS C:\> iwr http://localhost -usebasicparsing
StatusCode : 200
StatusDescription : OK
From host machine:
Access http://container-ip:80 and failed
PS C:\Windows\system32> iwr http://172.21.60.107:80 -usebasicparsing
iwr : Unable to connect to the remote server
Access http://host-ip:8080 and failed
PS C:\Windows\system32> iwr http://192.168.105.87:8080 -usebasicparsing
iwr : Unable to connect to the remote server
Tried to access it from another PC using http://host-ip:8080 and that also failed.
A few things that I did for troubleshooting:
Check container port forwarding by running docker ps
PS C:\Windows\system32> docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8bdaf5b11ab9 apache "powershell" 14 minutes ago Up 14 minutes 0.0.0.0:8080->80/tcp inspiring_turing
Check Static Mapping by running Get-NetNatStaticMapping
PS C:\Windows\system32> Get-NetNatStaticMapping
StaticMappingID : 3
NatName : Hf41327a7-ce0a-464c-83ff-21223867c9ea
Protocol : TCP
RemoteExternalIPAddressPrefix : 0.0.0.0/0
ExternalIPAddress : 0.0.0.0
ExternalPort : 8080
InternalIPAddress : 172.21.60.107
InternalPort : 80
InternalRoutingDomainId : {00000000-0000-0000-0000-000000000000}
Active : True
Ensure again that Firewall and Antivirus are disabled
Ensure there is no proxy
PS C:\Windows\system32> Get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
DisableCachingOfSSLPages : 1
IE5_UA_Backup_Flag : 5.0
PrivacyAdvanced : 1
SecureProtocols : 2688
User Agent : Mozilla/4.0 (compatible; MSIE 8.0; Win32)
CertificateRevocation : 1
ZonesSecurityUpgrade : {75, 36, 102, 206...}
WarnonZoneCrossing : 0
EnableNegotiate : 1
MigrateProxy : 1
ProxyEnable : 0
PSPath : Microsoft.PowerShell.Core\Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
PSParentPath : Microsoft.PowerShell.Core\Registry::HKCU\Software\Microsoft\Windows\CurrentVersion
PSChildName : Internet Settings
PSProvider : Microsoft.PowerShell.Core\Registry
Check container network
PS C:\Windows\system32> Get-ContainerNetwork
Name Id Subnets Mode SourceMac DNSServers DNSSuffix
---- -- ------- ---- --------- ---------- ---------
nat f41327a7-ce0a-464c-83ff-21223867c9ea {172.21.48.0/20} NAT
Ping container IP from host => Okay
Telnet to container IP and Port from host => Failed
PS C:\Windows\system32> telnet 172.21.60.107 80
Connecting To 172.21.60.107...Could not open connection to the host, on port 80: Connect failed
Ping host IP from container => Failed
I have googled this issue and tried a lot of troubleshooting, but it seems I cannot find the solution for my issue. Most of the issues reported are due to the localhost loopback issue in Windows.
Any pointer on how to troubleshoot this further?
I am suspecting there is something blocking the container port. But I can't find it.
Thanks

Connect to host system Web API from Windows docker Container

I am running a web API on the host system and it's not exposed on a public IP.
I want to access it from a Windows docker container running on the same system.
By initial analysis, it seems Windows containers do not support accessing the host system from within a container.
I tried to access the API with the following addresses, but none of them is working.
https://host_system_ip:port/api/controller/action
https://default_gateway_ip:port/api/controller/action
https://localhost:port/api/controller/action
https://127.0.0.1:port/api/controller/action
For security reasons I cannot make that API accessible on a public IP; only the host system and containers running on the same host machine should be allowed to access the web API.
This works fine for me from within a container. Make sure you are on the latest OS etc. and nothing is missing.
PS C:\> docker run --rm microsoft/windowsservercore powershell invoke-webrequest 192.168.1.221 -useBasicParsing
StatusCode : 200
StatusDescription : OK
Content : Application 995184 and started on 3/21/2018 8:59:09 AM
RawContent : HTTP/1.1 200 OK
Content-Length: 54
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Wed, 21 Mar 2018 14:01:22 GMT
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Pow...
Forms :
Headers : {[Content-Length, 54], [Cache-Control, private],
[Content-Type, text/html; charset=utf-8], [Date, Wed, 21
Mar 2018 14:01:22 GMT]...}
Images : {}
InputFields : {}
Links : {}
ParsedHtml :
RawContentLength : 54
PS C:\> ipconfig
Windows IP Configuration
Ethernet adapter vEthernet (nat):
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::94d6:434:c0b6:8fdc%56
IPv4 Address. . . . . . . . . . . : 172.29.112.1
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . :
Ethernet adapter vEthernet (Internet):
Connection-specific DNS Suffix . : lan
Link-local IPv6 Address . . . . . : fe80::342a:be30:c7c:c1de%24
IPv4 Address. . . . . . . . . . . : 192.168.1.221
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1