Windows Server Core in Docker, Firewall

Submitted by 六眼飞鱼酱① on 2021-02-11 13:31:08

Question


Currently I am working on a project where I have to dockerize an application that is supposed to be running on Windows. It is an application that can be installed and configured via command line. The question is applicable to any application in the end.

The platform of my choice is obviously Windows. Therefore I have chosen a base image mcr.microsoft.com/windows/servercore:1803 to begin with.

After installation my application will need a rule added to the Firewall. So I decided to test whether I am able to manipulate the firewall inside a container. It turned out to be a very problematic experience.

What I've done so far:

FROM mcr.microsoft.com/windows/servercore:1803

# Add user 
RUN net user /add MyUser
RUN net user MyUser ABCdef123!
RUN net localgroup "Administrators" MyUser /add

After that I tested whether I can see the FW rules by calling Get-NetFirewallRule. This resulted in an error:

Get-NetFirewallRule : There are no more endpoints available from the endpoint mapper.
At line:1 char:1
+ Get-NetFirewallRule
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (MSFT_NetFirewallRule:root/standardcimv2/MSFT_NetFirewallRule) [Get-NetFirewallRule], CimException
    + FullyQualifiedErrorId : Windows System Error 1753,Get-NetFirewallRule

I checked the services that are currently running by calling Get-Service, which resulted in a list of services containing this line: Stopped mpssvc Windows Defender Firewall. Looks like the FW is not even started. I decided to dig deeper and check the registry for some clues. Calling this cmd REG QUERY HKLM\SYSTEM\CurrentControlSet\services\MpsSvc /v Start gave me a value of 4, which is Disabled. So I tried to enable it by setting it to 2, but had no luck starting the service afterwards:

REG ADD HKLM\SYSTEM\CurrentControlSet\services\MpsSvc /v Start /t REG_DWORD /d 2 /f
net start MpsSvc

Result:

System error 1058 has occurred.
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

The services the FW depends on (BFE, RDC etc.) are running fine. It just won't start.

Any clues from bright minds? Thanks in advance!


Answer 1:


Assuming you use a Windows Server Container, not a Hyper-V Container, you have a shared kernel and hence use the host's firewall.

From Network Isolation and Security:

Depending on which container and network driver is used, port ACLs are enforced by a combination of the Windows Firewall and VFP.

Windows Server containers

These use the Windows hosts' firewall (enlightened with network namespaces) as well as VFP

Default Outbound: ALLOW ALL

Default Inbound: ALLOW ALL (TCP, UDP, ICMP, IGMP) unsolicited network traffic

DENY ALL other network traffic not from these protocols
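The practical consequence of the answer above is that with process isolation the rule has to be created on the container host, not in the image. The following PowerShell script is an added example (not part of the question, the answer, or any Microsoft documentation) to be run with administrative rights on the host; the container name, port, and rule name are placeholders.

```powershell
# Added example: run on the Windows container HOST, not inside the container.
# Assumes the Docker CLI is on the host, a container named $ContainerName is running,
# and the application listens on TCP $Port. All three values below are placeholders.
param(
    [string]$ContainerName = 'myapp',            # placeholder container name
    [int]$Port = 8080,                           # placeholder listening port
    [string]$RuleName = 'MyApp-Container-Inbound' # placeholder firewall rule name
)

# 1. Determine the isolation mode. 'process' (or 'default' on a Windows Server host)
#    means a shared kernel: mpssvc inside the container stays disabled and the
#    host firewall plus VFP enforce the port ACLs, exactly as the answer describes.
$isolation = docker inspect --format '{{.HostConfig.Isolation}}' $ContainerName
if ($LASTEXITCODE -ne 0) { throw "docker inspect failed for container '$ContainerName'" }
Write-Host "Container '$ContainerName' isolation mode: '$isolation'"

if ($isolation -eq 'hyperv') {
    Write-Host "Hyper-V isolation: the container has its own kernel, so manage the firewall inside it instead."
    return
}

# 2. Process isolation: create the inbound rule on the host, scoped to the one port
#    the application needs, and reuse it if it already exists (idempotent on re-run).
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Description "Inbound access for container '$ContainerName' (host-side rule)" `
        -Direction Inbound -Protocol TCP -LocalPort $Port -Action Allow -Profile Any | Out-Null
    Write-Host "Created host firewall rule '$RuleName' for TCP/$Port"
} else {
    Write-Host "Host firewall rule '$RuleName' already exists; leaving it unchanged"
}

# 3. Verify the rule and its port filter from the host, where Get-NetFirewallRule works.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

Because the rule lives on the host, it survives image rebuilds and should be reviewed together with the host's other rules rather than assumed from the Dockerfile.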



Source: https://stackoverflow.com/questions/53484200/windows-server-core-in-docker-firewall
