I Have docker hosted in a win2K16 server (in the test scenario the host itself is a Domain Controller but in the real case scenario the host will be a machine in the domain).
In the container I have a IIS site that is required to do authentication through AD.
I have created a gMSA following the instructions in this url and tried to configure the host and the container using this steps
I start the container using the command: docker run -d --security-opt "credentialspec=file://gmsa.json" -h gmsa <image-name> (I've tried with and without the -h parameter) and loggin in with docker exec -ti <container-id> cmd.
In the host the command nltest /parentdomain returns as expected but nltest /query always return:
Flags: 0
Connection Status = 1786 0x6fa ERROR_NO_TRUST_LSA_SECRET
Can anyone point me out what I'm doing wrong?
Turns out that you cannot use host the container in the Domain Controller because you can't add the DC computer to the gMSA group.
Related
I can't log in to a self hosted docker registry from my Mac, other devices work.
Home LAN, all in 192.168.0.xxx:
raspberry pi with docker version 20.10.8
Mac with MacOS and docker version 20.10.8
PC hosting the registry at 192.168.0.12: ubuntu with docker version 19.03.13
The reverse proxy setting is:
my.sub.domain.com {
reverse_proxy /* 192.168.0.12:8082
}
The docker registry is supplied by Nexus 3. I've set up a http connector a port 8082.
My reverse proxy terminates ssl/https, internally http is used.
What I did
raspberry pi:
docker login my.sub.domain.com -u user -p pass
result: Login Succeeded
mac, option 1:
docker login my.sub.domain.com -u user -p pass
result: Error response from daemon: Get "https://my.sub.domain.com/v2/": Service Unavailable
mac, option 2:
docker login 192.168.0.12:8082 -u user -p pass
result: Login Succeeded (I've added that IP to insecure registries)
dig my.sub.domain.com returns the same result for both raspberry pi and mac.
I do not want to specify the IP to log in, I want to specify the domain name.
Logging in also works via the internet from a different location.
What is happening with the Mac docker? How can I debug this further?
I use Docker CE for Windows on latest Windows 10 and have built an image with a
script that runs a test against a web server.
(A litmus test suite for a WebDAV server to be exact, but I think the problem
is general.)
I run the web server on a Powershell console:
> wsgidav -p 8080 -H localhost
21:04:19.107 - <13348)> wsgidav INFO : Running WsgiDAV/3.0.0a3 Cheroot/6.4.0 Python/3.6.5
21:04:19.107 - <13348)> wsgidav INFO : Serving on http://localhost:8080 ...
From another Powershell console, I run my script in a Docker container (using FROM alpine).
The script starts and tries to access the endpoint, but does not succeed:
> docker pull mar10/litmus
> docker run --rm -p 8080:8080 mar10/litmus http://gateway.docker.internal:8080
-> running `basic':
0. init.................. FAIL (connection refused by `gateway.docker.internal' port 8080: Operation timed out)
I tried so far
Using the gateway.docker.internal hostname
using -p PORT:PORT
using --net=host
restarting the docker daemon (which interestingly sometimes also was neccessary to
fix timeouts in docker pull)
different IP addresses for the web server (127.0.0.1, localhost, 0.0.0.0, local IP)
Nothing worked so far (although the failure message may be different).
Maybe I just missed a working combination of the above, or any other trick?
FWIW, I was able to solve it by building the container with the --network host option and use a real IP of the client (instead of localhost or 0.0.0.0).
Details here: https://hub.docker.com/r/mar10/docker-litmus/
I am new to this docker, i have started running the container services in 2016 server. When i run iis image "Docker run -it -p 80:80 microsoft/iis its started successfully. but when try to access the iis sample page its not loading via local host. but i can access the docker host name and ip address of the host. I know it is limitation in WINNAT but when i try to access from my another machine using the ip address of the host ( ex. htt://192.168.1.5/ form another machine on the same n/w) iis sample page is not accessible. Can anybody help me to resolve the issue.
I have the following system configuration:
Docker container running on user defined network
docker-machine (with VirtualBox on OS:X forwarding port 9000 to 9000)
Local webserver running on http://localhost:9000
I do not know how to make a basic http request against this webserver, from within my docker container.
To test this I am using:
docker exec testcontainer curl --data "foobaz=foo" http://{hostname}:9000/
where I have tried, for hostnames:
'localhost'
'127.0.0.1'
'192.168.99.100' (docker-machine IP)
Each time I receive errors or timeouts. When I run the curl command locally (not in docker and on my host OS:X machine) I am able to successfully post the http request.
I cannot disconnect the docker container from my user-defined network. I also cannot add my webserver to that network, as it is not running in a container. Also, I know it is trivial to connect the other way (curl to a webserver running in a docker container) but this is not my use case.
How can I successfully route that http request from the docker container which is part of a user defined network to my localhost webserver?
You can do this with the actual IP address of your local computer.
So for example, if your en0 IP is 10.100.20.32 on your host OS, you can run:
docker exec testcontainer curl --data "foobaz=foo" http://10.100.20.32:9000/
which will successfully allow you to make the http requests.
Note that if you are doing this from a container on the host docker network, this is trivial, as you can directly access localhost or 0.0.0.0 without having to use the actual machine IP.
You might want to check what the IP address of the container is - you can find this out by running docker inspect.
However, if you want to access the server process running in your container using the docker machine IP, then you should "expose" port 9000 that your contained app is listening on (using Dockerfile) - in this way, you will still need to figure out which port the 9000 container port is mapped to (this shows when you list your containers via $ docker ps. You can also specify port binding option in command line when starting your container like this: $ docker run -p 9000:9000 <your-container>.
I run private registry on UBUNTU 14.04:
docker run -d -p 5000:5000 registry
The proces appeard on my docker proces list. I wrote command : curl my-external-ip and I got this:
"\"docker-registry server\""
THE PROBLEM IS that
when I try to push image on localhost it works fine, but after I want to push to external ip (It must be available for for more people) I got this:
The push refers to a repository [MY-EXTERNAL-IP:5000/hello] (len: 1)
unable to ping registry endpoint https://MY-EXTERNAL-IP:5000/v0/
v2 ping attempt failed with error: Get https://MY-EXTERNAL-IP:5000/v2/: EOF
v1 ping attempt failed with error: Get ht*ps://MY-EXTERNAL-IP:5000/v1/_ping: EOF
I am using proxy at my company, but I added export http_proxy, https_proxy, ftp_proxy to my docker file and --insecure-registry.
It looks that your docker daemon can't access docker registry(your-external-ip) through https protocol(usually it uses 443 port).
Maybe you can check it first.
But with insecure mode, the network occured on http protocol. So you can tell you docker daemon to trust insecure-registry.
Try to run docker daemon with --insecure-registry="YOUR_EXTERNAL_IP"
It seems like your Docker daemon still doesn't understand that registry on your $EXTERNAL_IP should be accessed over HTTP rather than HTTPS. You need to be sure that daemon runs with the --insecure-registry $EXTERNAL_IP option:
ps aux | grep docker
If you'll not be able to find it there, you probably made a mistake in your DOCKER_OPTIONS.