• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Ron McLeod
  • Paul Clapham
  • Jeanne Boyarsky
  • Liutauras Vilda
Sheriffs:
  • Rob Spoor
  • Bear Bibeault
  • Tim Cooke
Saloon Keepers:
  • Tim Moores
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Piet Souris
Bartenders:
  • Frits Walraven
  • Himai Minh

gMsa and hyper-v isolation using Windows Server 2016 containers and Windows Server 2019 host

 
Greenhorn
Posts: 1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator


Hi everyone,

We are dealing with incompatibilities running our applications with gMsa in Windows Server 2016 containers using docker. We are using Windows Server 2019 as the host and hyper-v isolation.

Host: Windows Server 2019 10.0.17763
Container: Windows 2016 10.0.14393 (build 1607)

dockerfile with the following base images

FROM mcr.microsoft.com/dotnet/framework/runtime:4.6.2-windowsservercore-ltsc2016
FROM mcr.microsoft.com/windows/servercore:ltsc2016

docker-compose

version: '3.9'
services:
"cfm":
image: "10.57.25.220:5000/cfm_2016:latest"
hostname: "CFMgMsa"
isolation: "hyperv"
command: ping -t localhost
networks:
dn_ipc:
ipv4_address: 10.57.25.225
dns:
- 10.57.25.194
dns_search: pj16.loc
security_opt:
- credentialspec=file://pj16_cfmgmsa.json

networks:
dn_ipc:
driver: l2bridge
driver_opts:
com.docker.network.windowsshim.interface: IPC
ipam:
config:
- subnet: 10.57.25.192/26
gateway: 10.57.25.193


According to Microsoft, it is possible to run Windows Server 2016 containers in Windows Server 2019 host as long as hyper-v isolation is used. We can verify the container Is running because it can be built and deployed with docker-compose.

But when trying to run the application, it simply does not run.

We went to do the gMsa troubleshoot tests using the only official Microsoft document that we could find, that has already 2 years old (https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/gmsa-troubleshooting Troubleshoot gMSAs for Windows containers | Microsoft Docs), with the following results

1. Tests in the host
a. Test-ADServiceAccount <our app>
i. True
b. Firewall rules configured for correct traffic support
2. Tests in the container (gMsa related)

nltest /sc_verify:pj16.loc and klist get krbtgt always fail in this scenario (where the application has gMsa, and hyper-v is used)

The only scenarios where the application works correctly is when hyper-v is not used, but on that scenarios the host and the container OS must match, meaning Windows Server 2019 host with Windows Server 2019 container or Windows Server 2016 host with Windows Server 2016 container.

We found on the internet this page GitHub - plooploops/windows-containers-AD: Working with AD and Windows Containers where it looks a team is tried to do the same but with the same result.

In our scenario we are using Windows Server 2016 10.0.14393 build 1607 that is even older than 1803. We do not know as well the corresponding server for 1709 build.

The question is: Is there any build combination between Windows Server 2019 host and Windows Server 2016 container for gMsa and hyper-v run correctly, or it is really incompatible, and the only solution for this specific scenario is to match the OS and container version?

containerRunning.jpg
[Thumbnail for containerRunning.jpg]
hostcontainercompatibility.jpg
[Thumbnail for hostcontainercompatibility.jpg]
nltest.jpg
[Thumbnail for nltest.jpg]
 
Marshal
Posts: 72909
330
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Welcome to the Ranch

Rather than writing <a href=...> tags, please use the URL button above the edit window. That will make your link come out as:- Troubleshoot gMSAs for Windows containers | Microsoft Docs)
Afraid the only clouds I know anything about are cumulus, numbus, cirrus and stratus.
 
You may have just won ten million dollars! Or, maybe a tiny ad.
Thread Boost feature
https://coderanch.com/t/674455/Thread-Boost-feature
reply
    Bookmark Topic Watch Topic
  • New Topic