Previously our application ran on .net framework and we used powershell to install our certificate into the certificate store by running the following command:
RUN powershell -NoProfile -Command \
$Secure_String_Pwd = ConvertTo-SecureString "ourverysecretpassword" -AsPlainText -Force ; \
Import-PfxCertificate -FilePath /cert.pfx -CertStoreLocation Cert:\LocalMachine\Root -Exportable -Password $Secure_String_Pwd
but now we have transferred our code to .netcore, the above command wont work in the dockerfile anymore.
Any idea on how to install an existing .pfx certificate via the dockerfile into the docker container?
[EDIT]
Im trying to run my container on windows, here is the complete dockerfile, maybe its just that i use the wrong image:
This is the entire docker file:
FROM microsoft/dotnet
COPY ./Web /app/
COPY cert.pfx /cert.pfx
RUN powershell -NoProfile -Command \
$Secure_String_Pwd = ConvertTo-SecureString "againourverysecretpassword" -
AsPlainText -Force ; \
Import-PfxCertificate -FilePath /cert.pfx -CertStoreLocation
Cert:\LocalMachine\Root -Exportable -Password $Secure_String_Pwd
WORKDIR /app
EXPOSE 5000
ENTRYPOINT ["dotnet", "myhost.dll"]
Anyhow it fails on the run powershell command, saying:
'powershell' is not recognized as an internal or external command,
operable program or batch file.
Is your Docker container running on Linux?
I assume that it is. Then your base image should be microsoft/aspnetcore, which is based on Ubuntu.
You should add this in your DOCKERFILE:
COPY ca_bundle.crt /usr/local/share/ca-certificates/your_ca.crt
RUN update-ca-certificates
First line copies your CA bundle into the image, the second line updates the CA list.
The CA bundle (the list of authorities that signed your certificate) can be extracted from PFX, just Google for it. This is the first link I found.
If your container is running on Windows, then Powershell command should work as-is (I'm not sure about that)
Related
I am very new to Docker, so perhaps I am just missing something simple, but I have not been able to figure out a way to accomplish this task.
I have a Dockerfile that looks like this:
FROM mcr.microsoft.com/windows:10.0.17763.3046-amd64
RUN mkdir "C:\Program Files (x86)\Austin Lane Technologies"
RUN mkdir "C:\Program Files (x86)\Austin Lane Technologies\ALMobile Suite"
WORKDIR "C:/Program Files (x86)/Austin Lane Technologies/ALMobile Suite/"
COPY ./BaseInstall/ProgramFiles/ .
WORKDIR "C:/Program Files (x86)/Austin Lane Technologies/ALMobile Suite/bin"
RUN "C:/Windows/Microsoft.NET/Framework/v4.0.30319/installutil.exe" /Logfile=SystemSvc.install.log SystemSvc.exe
RUN "C:/Windows/Microsoft.NET/Framework/v4.0.30319/installutil.exe" /Logfile=DataInterfaceSvc.install.log DataInterfaceSvc.exe
RUN "C:/Windows/Microsoft.NET/Framework/v4.0.30319/installutil.exe" /Logfile=DataSyncSvc.install.log DataSyncSvc.exe
RUN "C:/Windows/Microsoft.NET/Framework/v4.0.30319/installutil.exe" /Logfile=AUServerSvc.install.log AUServerSvc.exe
RUN "C:/Windows/Microsoft.NET/Framework/v4.0.30319/installutil.exe" /Logfile=ADExplorerSvc.install.log ADExplorerSvc.exe
This scripts builds the image:
docker build -t almobile:latest .
I then launch an Admin Powershell Window and do the following:
.\runalmobile_test.ps1, which contains:
docker run --user ContainerAdministrator --name master -v "C:\ALMobileSuiteProgramFiles\Master\ProgramFiles:C:\Program Files (x86)\Austin Lane Technologies\ALMobile Suite" -p 2089:2089 -p 2090:2090 -p 2091:2091 -p 2093:2093 -it almobile cmd.exe
The registry file I want to load resides in the C:\ALMobileSuiteProgramFiles\Master\ProgramFiles directory.
I am able to load the registry of the container with the contents of this file if I manually enter the regedit command from an Admin Powershell window, but what I want to do is to have the regedit import command automatically issued when the container starts. So, once the cmd.exe shell launches, I am in the C:\Program Files (x86)\Austin Lane technologies\ALMobile Suite\bin folder. If I manually issue the following command, all works:
regedit /i /s ..\ALMobile.reg
What is the best practice/way for me to automatically import this registry file at time of container startup? Is there a way to run the regedit command from the Dockerfile, or does this need to be executed from some alternate script?
I think you need to run the Registry file during the docker build step, not the docker run step. And use reg import instead of regedit. So in your Dockerfile, you would have something like this, assuming you are using Powershell:
COPY ALMobile.reg .
RUN Invoke-Command {reg import ALMobile.reg}
Recently I've been investing some time to dive from Docker on Linux with bash (usually using "eux" options) into Windows container with Powershell to gain the same experience in Windows.
However, I have a lot of trouble getting there. Let's begin with the troubling Dockerfile (which will likely be the base for most Windows containers using PowerShell):
FROM mcr.microsoft.com/windows/servercore:20H2-amd64
SHELL ["powershell.exe", "-NoLogo", "-NoProfile"]
# Set ExecutionPolicy = Bypass permanently
RUN Invoke-Command -ErrorAction Stop -ScriptBlock { `
Get-ExecutionPolicy -List ; `
Set-ExecutionPolicy -ExecutionPolicy Bypass ; `
Get-ExecutionPolicy -List `
}
# Install chocolatey
RUN Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
# Enable global confirmation and install general build tools
RUN Invoke-Command -ErrorAction Stop -ScriptBlock { `
$ErrorActionPreference='Stop' ; `
choco feature enable -n=allowGlobalConfirmation ; `
choco install --no-progress --no-color -y cmake --installargs 'ADD_CMAKE_TO_PATH=System' ; `
choco install --no-progress --no-color -y mingw ; `
choco install --no-progress --no-color -y make `
}
What I personally miss the most is the possibility to chain multiple commands, so I can avoid the creation of superfluous image layers and container restarts.
However, if one of the commands fails, the command won't stop even that I told Invoke-Command to stop on errors and within the script block I set the ErrorActionPreference variable.
Hope the main problem here is not mainly linked to the missing knowledge in PowerShell, but how PowerShell works in Windows containers.
Thanks!
I am running on Windows 2019 server.
I am getting an error whenever I invoke powershell from a dockerfile on docker build
Error is..
---> Running in 6efa29aa8a4a
The command 'powershell -Command DIR' returned a non-zero code: 3221226505
Dockerfile..
# escape=` (backtick)
FROM mcr.microsoft.com/windows/servercore:ltsc2019
RUN DIR
RUN ["powershell", "-Command", "DIR"]
COPY ./ app/
WORKDIR app
CMD [ "someapp", "somearg" ]
I have tried replacing cmd with powershell via
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
RUN DIR
and the results are the same.
Thanks
Try running a dockerfile more like
FROM mcr.microsoft.com/windows/servercore/iis
RUN powershell -NoProfile -Command Remove-Item -Recurse
C:\inetpub\wwwroot*
WORKDIR /inetpub/wwwroot
COPY . /inetpub/wwwroot
maybe you gotta move your COPY command after the WORKDIR ?
Try different things out
Check to make sure you have update KB4532691 installed on your build machine (and host). The newest image of ltsc2019 (20/2020) has issues without it.
See https://hub.docker.com/_/microsoft-windows-servercore and https://support.microsoft.com/en-us/help/4542617/you-might-encounter-issues-when-using-windows-server-containers-with-t for more info
I'm using Docker for Windows and building the docker image with a Dockerfile like this:
FROM mydockerhublogin/win2k16-ruby:1.0
# Set the working directory to /app
WORKDIR /app
# Copy the current directory contents into the container at /app
ADD . /app
# Make port 80 available to the world outside this container
EXPOSE 80
# Define environment variable
ENV NAME World
RUN powershell -Command \
$ErrorActionPreference = 'Stop'; \
New-Item "HKLM:\Software\WOW6432Node\ExampleCom" -Force ; \
New-ItemProperty "HKLM:\Software\WOW6432Node\ExampleCom" -Name MenuLastUpdate -Value "test" -Force
RUN powershell -Command \
$ErrorActionPreference = 'Stop'; \
New-Item "HKLM:\Software\ExampleCom" -Force ; \
New-ItemProperty "HKLM:\Software\ExampleCom" -Name MenuLastUpdate -Value "test" -Force
# Run ruby script when the container launches
CMD ["C:/Ruby23-x64/bin/ruby.exe", "docker_ruby_test.rb"]
Note that I am adding some registry entries to the Windows registry which the code inside the container will access. While this method of adding registry entries is fine for a few entries, my requirement is to add dozens of entries required for my windows application. Is there a way to do this in a more concise manner?
Try creating a file for the your registry entry and copy that inside the container.
Then try running Invoke-Command -ScriptBlock {regedit /i /s C:\shared\settings.reg}
The following is the only way I could getting working using 4.8-windowsservercore-ltsc2019
COPY Registry/ChromeConfiguration.reg .
RUN reg import ChromeConfiguration.reg
I have seen examples like this for creating and running a script via ebextensions config:
files:
"C:\\scripts\\whoami.ps1":
content: |
date | out-file -append c:\scripts\whoami.log
whoami | out-file -append c:\scripts\whoami.log
hostname | out-file -append c:\scripts\whoami.log
get-module | out-file -append c:\scripts\whoami.log
commands:
whoami:
command: powershell.exe -ExecutionPolicy Bypass -Command "C:\\scripts\\whoami.ps1"
ignoreErrors: false
waitAfterCompletion: 5
That's fine, but can I just include a script in ebextensions and refer to it instead of having to define its content in a config?
for example I would have
myapp
--.ebextensions
----myconfig.config
----myscript.ps1
And then "myconfig.config" would copy "myscript.ps1" somewhere and run it.
How can I do this?
Edit:
So I put this command in a config to see what the current path is:
commands:
whereami:
command: dir > c:\whereami.log
ignoreErrors: false
waitAfterCompletion: 5
Its c:\windows\system32 which makes sense because it runs in the context of SYSTEM.
Is there no self referential method/keyword I can use to point to a script I have located in the beanstalk project I upload?
The options that worked for me (thanks to littleforest).
Create a folder structure inside of the web deployment package and refer to it with container_commands:
package/myfolder/myscript.ps1
container_commands:
relativeprogrampath:
command: "myfolder/myscript.ps1"
Create it in a parent folder and refer to it:
example folder structure:
parentfolder/myfolder/myscript.ps1
parentfolder/package/<the web deployment package>
container_commands:
relativeprogrampath:
command: "..\myscript.ps1"
If you place the myscript.ps1 file in the .ebextensions folder next to the config files, you can run it from a container command like this:
container_commands:
00-myscript:
command: powershell.exe -ExecutionPolicy Bypass -Command ".\\.ebextensions\\myscript.ps1"
waitAfterCompletion: 0