Examples for getting started with Windows containers and Active Directory. The commands below were adapted by following the basic steps in this gist to configure AD properly.
Unless otherwise noted, these scenarios were tested on SAC (Semi-Annual Channel) 1709 and 1803, running as Windows Server containers (process isolation, not Hyper-V isolation).
Keep the following points in mind when using container versions earlier than 1809 (Windows Server 2019):
- The container host VM must run a version equal to or greater than that of the container. If the container host VM runs a version greater than the container itself, the container must be run in Hyper-V isolation mode. (For these scenarios, we matched the container version to the container host VM version, because GMSAs do not work under Hyper-V isolation for 1709/1803 containers.)
- Prior to Server 2019, GMSAs had to be matched 1:1 to each container (the container hostname has to equal the GMSA name). This limits how easily a containerized application can be scaled out. All of these scenarios assume only one container per GMSA will be running.
To get started:
- Clone this repo. The commands below were written and run from WSL.
- Set up AD
- Run Samples
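The "Set up AD" and "Run Samples" steps, as one end-to-end added example that is not part of this repo's scripts: create a GMSA whose password only the container hosts can retrieve, produce a credential spec on the host, start a container with it, and check from inside the container that it really has a domain identity. The domain contoso.local, the GMSA name WebApp01, the host group ContainerHosts, the host computer account HOST01$ and the image tag <your-docker-repo>/iis-auth:1803 are assumptions; substitute your own. The CredentialSpec.psm1 helper is the one published in Microsoft's Virtualization-Documentation repo, whose parameter names have changed across versions (the 2017-era form is used here).

```powershell
# Added example, not code from this repo. Assumed names: contoso.local, WebApp01,
# ContainerHosts, HOST01$, <your-docker-repo>/iis-auth:1803.

# ---- On a domain controller (or any box with the AD PowerShell module) ----
Import-Module ActiveDirectory

# A KDS root key is required once per domain before any GMSA can be created.
# Back-dating EffectiveTime skips the 10-hour replication wait and is for single-DC labs only.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Least privilege: only the container hosts may retrieve the managed password,
# so scope that right to a dedicated group instead of "Domain Computers".
New-ADGroup -Name "ContainerHosts" -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity "ContainerHosts" -Members "HOST01$"

# The GMSA the container will run as. Give it only the SPNs the app actually serves.
New-ADServiceAccount -Name "WebApp01" `
    -DNSHostName "WebApp01.contoso.local" `
    -ServicePrincipalNames "HTTP/WebApp01.contoso.local" `
    -PrincipalsAllowedToRetrieveManagedPassword "ContainerHosts"

# ---- On the container host (reboot first so the new group membership is in its token) ----
Install-WindowsFeature RSAT-AD-PowerShell
Install-ADServiceAccount -Identity "WebApp01"
# Must print True. False almost always means the host's group membership has not refreshed yet.
Test-ADServiceAccount -Identity "WebApp01"

# CredentialSpec.psm1 from https://github.com/MicrosoftDocs/Virtualization-Documentation
# Writes C:\ProgramData\Docker\CredentialSpecs\WebApp01.json. Newer module versions take only -AccountName.
Import-Module .\CredentialSpec.psm1
New-CredentialSpec -Name "WebApp01" -AccountName "WebApp01"

# Pre-1809 containers: the container hostname must equal the GMSA name, hence --hostname.
# Process isolation (no --isolation=hyperv), as noted above for 1709/1803.
docker run -d --name webapp01 --hostname WebApp01 `
    --security-opt "credentialspec=file://WebApp01.json" `
    <your-docker-repo>/iis-auth:1803

# Verify the container's secure channel to the domain. A failure here (no domain, or
# "STATUS_NO_LOGON_SERVERS") means the GMSA was not applied, usually a hostname or DNS issue.
docker exec webapp01 nltest /parentdomain
docker exec webapp01 nltest /sc_verify:contoso.local
```

Run the first half as a domain admin and the second half as a local administrator on the container host. The nltest checks are the quickest way to tell a broken credential spec from a broken application: if they pass, the container is domain-joined in effect and any remaining auth failure is in the app or its SPNs.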
References to concepts and additional supporting documentation:
- Windows Containers Networking
- Windows Containers Volumes
- IIS on Docker Hub
- GMSA Windows Containers
- Deploying Windows Containers
- Version Compatibility
- NSG Ports
- GMSA Set up Reference
- Remote Debugging
- SQL Server Setup Notes
Remote debugging works by installing the Visual Studio remote debugger in the container (see the blog post in the reference list above).
To build the samples (using WSL), run the commands below (substitute your own image names in the commands for each example). Alternatively, you can use the prebuilt images on my Docker Hub repo.
WSL
./auth-examples/build.sh <your-docker-repo>
Powershell
./auth-examples/build.ps1 <your-docker-repo>
To publish to a docker repository:
WSL
docker login
./auth-examples/push.sh <your-docker-repo>
Powershell
docker login
./auth-examples/push.ps1 <your-docker-repo>
- QUEUE_NAME - The path of the queue. E.g. for a private queue .\private$\TestQueue, for a public queue worker\TestQueue (machine name followed by the queue name).
- DIRECT_FORMAT_PROTOCOL - The direct format protocol, e.g. OS or TCP. See the MSMQ direct format name documentation for the supported protocols.
- USER - The UPN of the account the sample looks up in AD and attempts to impersonate.