Access system trust store from Docker container - docker

In the past, I worked with C# and the .NET Framework 4.6. There I could directly access the trust stores of the Windows system with commands like this:
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(...);
...
Now I want to use .NET Core and run the application in a Docker container.
I can use exactly the same code shown above, but I would see only the certificates that are somehow located inside the container.
I can add certificates to the store and read them back, but when the container stops running the information is gone.
--> I guess this is because the store is only valid in memory as long as the container runs...
How could I use a trust store from the host system or from another container that is only responsible for managing certs and keys?
Thanks for your answers in advance!

Related

How to make container installation behave like host machine installation

I'm working with the following:
Docker for Windows v20.10.11
Docker running in Windows container mode
mcr.microsoft.com/windows:1903 base image
Proprietary application installed on top of this base image
Each year we create a Docker image with the latest version of our company's software. However, this year's version behaves differently. Host machine installation runs fine. Containerized installation fails to run in certain situations. I can start the application as a simple EXE, for example using the Docker run command. The app will start and show up in "tasklist". However, I can't start the app via the COM API, which is a critical requirement. The problem appears to be COM related. Normally we can create COM objects for our software just like for any other application. For example, IE returns a COM object just fine:
Creating these objects for our application works outside containers. However inside the container, our latest installation gives this error:
Access permissions appear to be OK. I tried a couple of tests to prove this. First, I can install other software like MS Word into a container and create COM objects for that:
Second I tried retrieving + modifying the application's DACL in PowerShell.
Changing access masks or trustees can cause an Access Denied error:
This also appears to confirm the access permissions were OK by default.
Next I made sure COM is aware of the application. This appears to be fine. I get the same result on host machine and container when running this PS script:
# Lists every ProgID under HKLM\Software\Classes that has a CLSID subkey
gci HKLM:\Software\Classes -ea 0 | ? { $_.PSChildName -match '^\w+\.\w+$' -and
    (gp "$($_.PSPath)\CLSID" -ea 0) } | ft PSChildName
The application shows up just like any other. The details show up fine when querying by AppID. LocalServer32 points to the correct EXE:
Some other things I tried:
Querying registry keys. There are 7 keys created when installing our software. These appear identical on host machine install and container install.
Even though permissions appear fine, I still tried logging into the container as alternate users. For example, "nt authority\system" is another virtual admin user. I also changed the password of the "builtin\administrator" user to enable logging in with that one. Lastly, I tried creating new users entirely and adding them to the Administrators user group. All these attempts had the same errors as "builtin\containeradministrator" (the default user).
A minor check was ensuring CMD.exe / PowerShell is running as x64:
Re-registering the DLLs associated with the installation using regsvr32.
Starting from different base images. https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/container-base-images. The full Win Server base image behaves exactly the same way regarding errors. The smaller Win Server Core base image is even more problematic, as I can't even start the app's EXE manually using that base. Lastly I tried other tags of the full Windows base image such as 20H2 and 2004. Same result from those. Multiarch or x64 makes no difference.
Included the "Ogawa hack" which was historically needed to make MS Office apps function correctly with COM: https://stackoverflow.com/a/1680214/7991646. It could be necessary for other COM apps too, but didn't help with my specific installation.
Is there anything else I can do to diagnose or solve this COM issue?
There are several things to consider:
The Considerations for server-side Automation of Office article states the following:
Microsoft does not currently recommend, and does not support, Automation of Microsoft Office applications from any unattended, non-interactive client application or component (including ASP, ASP.NET, DCOM, and NT Services), because Office may exhibit unstable behavior and/or deadlock when Office is run in this environment.
If you are building a solution that runs in a server-side context, you should try to use components that have been made safe for unattended execution. Or, you should try to find alternatives that allow at least part of the code to run client-side. If you use an Office application from a server-side solution, the application will lack many of the necessary capabilities to run successfully. Additionally, you will be taking risks with the stability of your overall solution.
The When CoCreateInstance returns 0x80080005 (CO_E_SERVER_EXEC_FAILURE) page describes possible reasons.
If many COM+ applications run under different user accounts that are specified in the This User property, the computer cannot allocate memory to create a new desktop heap for the new user. Therefore, the process cannot start. See Error when you start many COM+ applications: Error code 80080005 -- server execution failed for more information.
Finally, you may find a similar thread here helpful, see Server execution failed (Exception from HRESULT: 0x80080005 (CO_E_SERVER_EXEC_FAILURE)).
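The following diagnostic is an added example and is not part of the original question or answer. It walks the same registry path that COM activation does (ProgID to CLSID to LocalServer32/InprocServer32 and AppID), checks that the server binary actually exists in the container, notes whether AppID RunAs forces an interactive identity that cannot exist in session 0, and finally attempts activation so the raw HRESULT (0x80080005 is CO_E_SERVER_EXEC_FAILURE) is printed rather than hidden behind a generic message. The ProgID 'InternetExplorer.Application' is only an assumed placeholder; substitute your application's ProgID.

```powershell
# Added COM activation diagnostic for a Windows container (example code, not the
# original poster's). Run inside the container as the same user that will later
# create the COM object. The ProgID default below is an assumption.
param(
    [string]$ProgId = 'InternetExplorer.Application'   # assumed example ProgID
)

function Get-ComServerInfo {
    param([Parameter(Mandatory)][string]$ProgId)

    $classes  = 'HKLM:\SOFTWARE\Classes'
    # ProgID -> CLSID via the default value of <ProgID>\CLSID
    $clsid    = (Get-ItemProperty -Path "$classes\$ProgId\CLSID" -ErrorAction Stop).'(default)'
    $clsidKey = "$classes\CLSID\$clsid"

    $info = [ordered]@{
        ProgId         = $ProgId
        Clsid          = $clsid
        LocalServer32  = (Get-ItemProperty "$clsidKey\LocalServer32"  -ErrorAction SilentlyContinue).'(default)'
        InprocServer32 = (Get-ItemProperty "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        AppId          = (Get-ItemProperty $clsidKey -ErrorAction SilentlyContinue).AppID
        RunAs          = $null
        ServerExists   = $null
    }
    if ($info.AppId) {
        # RunAs = "Interactive User" cannot be satisfied in a container: everything
        # runs in session 0 and there is no interactive logon to borrow a token from.
        $info.RunAs = (Get-ItemProperty "$classes\AppID\$($info.AppId)" -ErrorAction SilentlyContinue).RunAs
    }

    $server = $info.LocalServer32
    if (-not $server) { $server = $info.InprocServer32 }
    if ($server) {
        # Strip surrounding quotes and trailing switches such as " /Automation".
        $exe = ($server -replace '"', '') -replace '\s+/.*$', ''
        $info.ServerExists = Test-Path -LiteralPath $exe
    }
    [pscustomobject]$info
}

function Test-ComActivation {
    param([Parameter(Mandatory)][string]$ProgId)
    try {
        $obj = New-Object -ComObject $ProgId
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($obj)
        return [pscustomobject]@{ ProgId = $ProgId; Activated = $true; HResult = '0x00000000' }
    } catch {
        # Unwrap to the innermost exception so the real COM HRESULT is reported.
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        return [pscustomobject]@{
            ProgId    = $ProgId
            Activated = $false
            HResult   = ('0x{0:X8}' -f $ex.HResult)   # 0x80080005 = CO_E_SERVER_EXEC_FAILURE
            Message   = $ex.Message
        }
    }
}

# Session 0 plus the container user is the normal environment for a Windows container.
'Session {0}, user {1}' -f (Get-Process -Id $PID).SessionId, [Environment]::UserName
Get-ComServerInfo  -ProgId $ProgId | Format-List
Test-ComActivation -ProgId $ProgId | Format-List
```

Run it once on the host and once in the container and diff the two outputs: a missing server binary, a different LocalServer32 path, or a RunAs value that only makes sense with an interactive desktop are the cases the linked articles describe, and they show up here before any DACL experiments are needed.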

Unable to display GUI application from Windows container

I have an image with a GUI application, with a base image of microsoft/windowsservercore. The application is installed correctly in the image, however I'm unable to display it on the host machine. I have read several articles on this on Google and they suggest installing an X server for Windows so that the application can be displayed on the host machine. I have been trying to run the following command (as suggested in most of the articles), however it does nothing and I don't get the display. Please assist.
docker run --rm -it -e DISPLAY=127.0.0.1:0.0 eft
The DISPLAY variable would be useful for a Linux container.
As mentioned here:
The WindowsServerCore image does not come with binaries for UI applications, so I doubt this will ever work in the servercore image, but Microsoft insiders can use the new bigger WindowsServer image which I believe has those libraries intact.
This thread adds:
I understand that you can run GUI apps but the rendered elements are not shown on any desktop. Lars Iwer [MSFT] writes in the discussion below the article:
In the container image as it is right now, GUI elements will be rendered in session 0. UI automation should work with that (e.g. programmatically searching for a window etc.).
Session 0 is the session in which all system services are run and is by definition non-interactive. Sessions, Stations and Desktops are means of isolation in Windows (NT) and whether an application can show a UI and receive user interaction depends on whether it has an access to a Station with a Desktop.
Processes in Session 0 do not have that by default.
However it used to be possible to “Allow services to interact with Desktop” and it is also possible to run interactive services in other sessions than Session 0 (pay attention to “as it is right now”). Therefore, it would be interesting to hear some expert insights from Microsoft/Docker team on that…
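The check below is an added example, not part of the answer above. It starts a GUI program inside the container, waits for it to create a top-level window, and reports the session the process lives in and whether the window is there (which is what UI automation relies on), so you can tell "the app rendered in session 0 and nobody can see it" apart from "the app never created a window at all". The executable path is an assumption: notepad.exe is present in the full Windows base image but not in Server Core, which is the point the answer makes.

```powershell
# Added session-0 window check for a Windows container (example code, not from the
# original thread). Path and timeout are assumptions; point $ExePath at your own app.
param(
    [string]$ExePath = 'C:\Windows\System32\notepad.exe',   # assumed
    [int]$TimeoutSeconds = 15
)

# IsWindowVisible only inspects the WS_VISIBLE style bit; it does not prove that any
# interactive desktop is showing the window, which is exactly the session-0 situation.
Add-Type -Namespace Win32 -Name User32 -MemberDefinition @'
[DllImport("user32.dll")] public static extern bool IsWindowVisible(IntPtr hWnd);
'@

function Test-ContainerWindow {
    param([string]$ExePath, [int]$TimeoutSeconds)

    $proc = Start-Process -FilePath $ExePath -PassThru
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)

    # MainWindowHandle is populated lazily; poll until the process has a window
    # or the timeout expires (a crash on startup shows up as no window).
    while ((Get-Date) -lt $deadline) {
        $proc.Refresh()
        if ($proc.HasExited -or $proc.MainWindowHandle -ne [IntPtr]::Zero) { break }
        Start-Sleep -Milliseconds 250
    }

    $hasWindow = (-not $proc.HasExited) -and ($proc.MainWindowHandle -ne [IntPtr]::Zero)
    $visibleFlag = $false
    if ($hasWindow) { $visibleFlag = [Win32.User32]::IsWindowVisible($proc.MainWindowHandle) }

    $result = [pscustomobject]@{
        Pid              = $proc.Id
        SessionId        = $proc.SessionId      # 0 inside a Windows container
        Exited           = $proc.HasExited
        HasWindow        = $hasWindow
        WindowTitle      = $proc.MainWindowTitle
        WsVisibleStyle   = $visibleFlag
    }
    if (-not $proc.HasExited) { Stop-Process -Id $proc.Id -ErrorAction SilentlyContinue }
    $result
}

Test-ContainerWindow -ExePath $ExePath -TimeoutSeconds $TimeoutSeconds | Format-List
```

A result of SessionId 0, HasWindow True and WsVisibleStyle True is the "rendered in session 0" case described above: window automation and screenshots via the Win32 API will work, but no X server or DISPLAY setting will make the window appear on the host. HasWindow False with Exited True means the binary cannot run on that base image at all.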

Is docker session data persistent / shared with subsequent instances?

I'm very new to containers/docker and it is absolutely changing my life so far, however I have one question I'm not really finding a solid answer on. I apologize in advance if this question is too basic / silly :)
In my Node app I use a queue to spawn a Docker instance with a browser to screenshot some pages before terminating the docker instance and process the next item in the queue (eventually will process several items concurrently).
In my Dockerfile I added the COPY command to create a static copy of my codebase which is used in the Docker instance, including the chrome browser etc.
If I view say 100,000 pages the browsers cache would build up so my question is, does docker create a fresh version of the data used in the COPY command for every instance launched? I know I can clear the browsers cache on launch etc, but I'm more curious to know whether or not every launch is an original vanilla copy of the initial build, so nothing is shared/cached with subsequent launches.
Yes. Every run is a vanilla copy of the initial build. If you require data to be persistent, you can use volumes. Check this official guide for more information: Manage data in Docker
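As an added demonstration of the answer (not code from the original thread), the script below runs a throwaway container twice without a volume and twice with a named volume, so the difference is visible on the command line: the COPY'd image content is never modified, and only the directory you deliberately mount survives between runs. The image name, the /cache path and the volume name are assumptions; it expects Docker in Linux-container mode.

```powershell
# Added example showing ephemeral layers versus a named volume (not from the original post).
$image  = 'alpine:3.19'      # assumed small image that has /bin/sh
$volume = 'browser-cache'    # assumed named volume for the cache directory only

function Invoke-Container {
    param([string]$Cmd, [string[]]$ExtraArgs = @())
    # --rm throws away the container's writable layer on exit; the image itself
    # (everything that came from COPY) is read-only and shared by every run.
    & docker run --rm @ExtraArgs $image sh -c $Cmd
}

# 1) No volume: the file written in the first run is gone in the second.
Invoke-Container 'mkdir -p /cache && echo first > /cache/f && ls /cache'
Invoke-Container 'ls /cache 2>/dev/null || echo fresh-layer-cache-is-empty'

# 2) Named volume mounted only at the cache path; code under COPY'd paths stays pristine.
docker volume create $volume | Out-Null
Invoke-Container 'echo first > /cache/f && ls /cache' -ExtraArgs @('-v', "${volume}:/cache")
Invoke-Container 'ls /cache'                          -ExtraArgs @('-v', "${volume}:/cache")

# Cleanup of the assumed volume.
docker volume rm $volume | Out-Null
```

For the screenshot use case, mount the volume at the browser's profile or cache directory only. Note the trade-off: when the pages being rendered are untrusted, the default "fresh copy per run" behaviour is a useful isolation property, so persist only what you actually want shared across jobs.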

Changing content of application in warden container

I have a CF application which I pushed and which is working as expected. Now I want to change some file content at runtime to avoid a re-push. The application is deployed to a Warden container, so it "persists" (for this instance) in the filesystem of the container. How can I access this file location (I have a Node application, so I guess with the FS module)? I.e. if I've pushed an app with the following structure
myApp
  folder1
    index.html
1. If I want to change the index.html content by overriding it, how should I do that? I know the path myApp/folder1/index.html, but how do I know
where my app is located in the container file system?
2. Is there a way, when I push an application, to say where to put it? I mean at a specific path in the container filesystem,
e.g. when you create an application in Windows you decide where to put it...
C:\myApp\folder1\index.html
or
D:\myApp\folder1\index.html
I know that maybe this is an advanced question, but your help is appreciated!
P.S. Let's say that I have some proxy for the application in the app container which listens on the app port and can make some changes to the application's files.
Writing directly to the container file system is not the right approach, because Cloud Foundry containers are intended to be ephemeral and transient.
Let's say that I have one instance of an application running, in Container A, and I change the contents of folder1/index.html. If that instance fails, and is automatically restarted by Cloud Foundry, the new instance won't have the persisted changes. If I need to scale up to 3 instances of my application, then Containers B and C won't have the changed files.
Allowing Cloud Foundry to manage the container file system will assure that you have consistent, repeatable behavior in your application.
If you need to make file changes in your Cloud Foundry application instance, the two recommended approaches are:
Read and write your file from a file service that is managed by Cloud Foundry. This will ensure that all application instances are accessing the same file system, and that your changes will survive beyond the container lifecycle.
Make the changes in your application artifact, and re-push the application.

Creating service on windows xp

I'm creating services on Windows XP.
I have to use a utility that we are using. The utility makes the registration in the registry.
My question is that when I'm creating the service, a folder named Enum is not created, which I saw was created for all other services.
Is it important? What do I need it for?
Thanks
You should use the service APIs (CreateService) to create your service instead of manipulating the registry manually (or via your utility).
The format of the services registry has changed over the years and if you don't use the defined APIs, you may risk malfunctions (you're also going to require a reboot after the registry changes are made, because the service controller has no way of knowing about your new service).
A common Windows service doesn't need anything such as an "Enum" directory. It must be something specific to your application. So if the directory wasn't created automatically, you need to write an installer for your service which creates this directory automatically, or create it manually.
You can use the command "instsrv" if you want to register a new service running under Windows XP.
Cheers
Tomas
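The script below is an added example and is not from either answer. It registers the service through the Service Control Manager (New-Service calls CreateService, which is what the first answer recommends) instead of writing registry keys, reads the resulting configuration back without a reboot, and then compares the registry key the SCM created with a built-in service so the presence or absence of an Enum subkey can be observed rather than guessed. Service name, display name and binary path are assumptions; on Windows XP this needs Windows PowerShell 2.0 (XP SP3).

```powershell
# Added example: create a service via the SCM rather than by editing the registry
# (example code, not from the original thread). Names and paths are assumptions.
$name    = 'MyCompanySvc'
$display = 'My Company Service'
$binPath = 'C:\Program Files\My Company\svc.exe'   # assumed; contains a space on purpose

# Always quote a binary path that contains spaces. The SCM tokenises an unquoted
# path at each space and tries C:\Program.exe before the real binary, so anyone
# who can write to C:\ could plant a file that runs with the service's privileges.
$quoted = '"' + $binPath + '"'

# CreateService through the cmdlet; the SCM knows about the service immediately.
$svc = New-Service -Name $name -BinaryPathName $quoted -DisplayName $display -StartupType Automatic

# Least privilege: run as LocalService unless the service genuinely needs more.
# (Adjust the account to what your service requires; LocalService needs no password.)
& sc.exe config $name obj= 'NT AUTHORITY\LocalService'
if ($LASTEXITCODE -ne 0) { throw "sc config failed with exit code $LASTEXITCODE" }

# Read back what the SCM stored, without rebooting.
& sc.exe qc $name
Get-Service -Name $name | Select-Object Name, DisplayName, Status

# Registry view of the key the SCM created for us, next to a built-in reference service.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
Get-ItemProperty $svcKey | Select-Object ImagePath, ObjectName, Start, Type
'Spooler has Enum subkey: ' + (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Spooler\Enum')
"$name has Enum subkey:   " + (Test-Path "$svcKey\Enum")

# Remove the assumed service again when done experimenting.
& sc.exe delete $name
```

Whether an Enum subkey appears under a service key is up to Windows, not the installer; running the comparison above on the same XP machine where the utility was used shows directly whether the API-created service differs from the registry-created one in anything other than that subkey.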
