Hi everyone,
We are dealing with incompatibilities running our applications with gMSA in Windows Server 2016 containers using Docker. We are using Windows Server 2019 as the host and Hyper-V isolation.
Host: Windows Server 2019 10.0.17763
Container: Windows 2016 10.0.14393 (build 1607)
Dockerfile with the following base images:
FROM mcr.microsoft.com/dotnet/framework/runtime:4.6.2-windowsservercore-ltsc2016
FROM mcr.microsoft.com/windows/servercore:ltsc2016
docker-compose
version: '3.9'
services:
  "cfm":
    image: "10.57.25.220:5000/cfm_2016:latest"
    hostname: "CFMgMsa"
    isolation: "hyperv"
    command: ping -t localhost
    networks:
      dn_ipc:
        ipv4_address: 10.57.25.225
    dns:
      - 10.57.25.194
    dns_search: pj16.loc
    security_opt:
      - credentialspec=file://pj16_cfmgmsa.json
networks:
  dn_ipc:
    driver: l2bridge
    driver_opts:
      com.docker.network.windowsshim.interface: IPC
    ipam:
      config:
        - subnet: 10.57.25.192/26
          gateway: 10.57.25.193
According to Microsoft, it is possible to run Windows Server 2016 containers on a Windows Server 2019 host as long as Hyper-V isolation is used. We can verify the container is running because it can be built and deployed with docker-compose.
But when trying to run the application, it simply does not run.
The only scenarios where the application works correctly are when Hyper-V is not used, but in those scenarios the host and the container OS must match, meaning a Windows Server 2019 host with a Windows Server 2019 container or a Windows Server 2016 host with a Windows Server 2016 container.
We found this page on the internet:
GitHub - plooploops/windows-containers-AD: Working with AD and Windows Containers, where it looks like a team tried to do the same thing, with the same result.
In our scenario we are using Windows Server 2016 10.0.14393 build 1607, which is even older than 1803. We also do not know the corresponding server version for build 1709.
The question is: is there any build combination between a Windows Server 2019 host and a Windows Server 2016 container for which gMSA and Hyper-V run correctly, or is it really incompatible, and the only solution for this specific scenario is to match the OS and container version?
What I have tried:
We went through the gMSA troubleshooting tests using the only official Microsoft document that we could find, which is already 2 years old (Troubleshoot gMSAs for Windows containers | Microsoft Docs, https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/gmsa-troubleshooting), with the following results:
1. Tests in the host
   a. Test-ADServiceAccount <our app>
      i. True
   b. Firewall rules configured for correct traffic support
2. Tests in the container (gMSA related)
   a. nltest /sc_verify:pj16.loc and klist get krbtgt always fail in this scenario (where the application has a gMSA and Hyper-V is used)
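The credential spec referenced by the compose file (pj16_cfmgmsa.json) is not shown in the post, and a malformed or mismatched spec produces exactly the symptom described (nltest and klist failing inside the container) regardless of host/container build compatibility. The following is an added example, not code from the poster or from Microsoft, that performs offline sanity checks on a credential spec in the layout produced by Microsoft's New-CredentialSpec cmdlet (CmsPlugins / DomainJoinConfig / ActiveDirectoryConfig) and cross-checks it against the hostname and dns_search values from a compose file. The sample spec, the SID, the GUID and the function name are constructed placeholders; the check that the container hostname equals the gMSA name reflects Microsoft's documented requirement for older (pre-1809) container images such as the ltsc2016 images used here.

```python
import json
import re

# Constructed sample credential spec (placeholder values, not the poster's real file),
# in the layout New-CredentialSpec writes to C:\ProgramData\Docker\CredentialSpecs.
SAMPLE_SPEC = """
{
  "CmsPlugins": ["ActiveDirectory"],
  "DomainJoinConfig": {
    "Sid": "S-1-5-21-1111111111-2222222222-3333333333",
    "MachineAccountName": "CFMgMsa",
    "Guid": "00000000-0000-0000-0000-000000000000",
    "DnsTreeName": "pj16.loc",
    "DnsName": "pj16.loc",
    "NetBiosName": "PJ16"
  },
  "ActiveDirectoryConfig": {
    "GroupManagedServiceAccounts": [
      {"Name": "CFMgMsa", "Scope": "pj16.loc"},
      {"Name": "CFMgMsa", "Scope": "PJ16"}
    ]
  }
}
"""

# A domain SID: S-1-5-21-<three 32-bit sub-authorities>
SID_RE = re.compile(r"^S-1-5-21(-\d+){3}$")


def check_credential_spec(spec_text, container_hostname, dns_search=None):
    """Return a list of human-readable findings; an empty list means nothing obviously wrong."""
    findings = []
    try:
        spec = json.loads(spec_text)
    except json.JSONDecodeError as e:
        return [f"credential spec is not valid JSON: {e}"]

    # The ActiveDirectory CMS plugin is what makes the container present the gMSA identity.
    if "ActiveDirectory" not in spec.get("CmsPlugins", []):
        findings.append("CmsPlugins must include 'ActiveDirectory'")

    djc = spec.get("DomainJoinConfig", {})
    for key in ("Sid", "MachineAccountName", "DnsName", "NetBiosName"):
        if not djc.get(key):
            findings.append(f"DomainJoinConfig.{key} is missing")
    if djc.get("Sid") and not SID_RE.match(djc["Sid"]):
        findings.append("DomainJoinConfig.Sid is not a domain SID (S-1-5-21-...)")

    accounts = spec.get("ActiveDirectoryConfig", {}).get("GroupManagedServiceAccounts", [])
    if not accounts:
        findings.append("no GroupManagedServiceAccounts listed")
    names = {a.get("Name", "").lower() for a in accounts}
    scopes = {a.get("Scope", "").lower() for a in accounts}

    # The gMSA should be listed under both the DNS and the NetBIOS domain name scopes.
    for scope_key in ("DnsName", "NetBiosName"):
        if djc.get(scope_key) and djc[scope_key].lower() not in scopes:
            findings.append(f"gMSA is not listed with Scope={djc[scope_key]}")

    machine = djc.get("MachineAccountName", "")
    if machine and machine.lower() not in names:
        findings.append("MachineAccountName does not match any listed gMSA")

    # Older container images require the container hostname to equal the gMSA name,
    # and NetBIOS computer names are limited to 15 characters.
    if container_hostname.lower() not in names:
        findings.append(
            f"container hostname '{container_hostname}' differs from gMSA name(s) {sorted(names)}"
        )
    if len(container_hostname) > 15:
        findings.append("container hostname exceeds the 15-character NetBIOS limit")

    # dns_search in the compose file should be the domain the spec was generated for.
    if dns_search and djc.get("DnsName") and dns_search.lower() != djc["DnsName"].lower():
        findings.append(
            f"dns_search '{dns_search}' differs from DomainJoinConfig.DnsName '{djc['DnsName']}'"
        )
    return findings


if __name__ == "__main__":
    # Values taken from the compose file in the post: hostname CFMgMsa, dns_search pj16.loc
    for finding in check_credential_spec(SAMPLE_SPEC, "CFMgMsa", "pj16.loc") or ["spec looks consistent"]:
        print(finding)
```

Run it against the real file with `check_credential_spec(open(path).read(), "CFMgMsa", "pj16.loc")` on the host; if it reports nothing, the spec itself is consistent and the failure is more likely in the build/isolation combination or in domain-controller reachability from the l2bridge network, which is what the nltest and klist results in the container then narrow down.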