How to configure WinRM on a Windows container so that it accepts connections from winrs on the host

I am a beginner with Windows containers and also new to Windows administration, so I have been researching this problem for a few days without much success.

My Dockerfile:

FROM mcr.microsoft.com/windows/servercore:10.0.14393.3866
# expose WinRM port
EXPOSE 5985
# create a local user
RUN net user user1 Pa55w0rd! /ADD
RUN net localgroup "Administrators" user1 /ADD
RUN net localgroup "Remote Management Users" user1 /ADD
RUN winrm set winrm/config/client @{TrustedHosts="*"}

When running docker build, I see the winrm client configuration echoed as:

Step 6/6 : RUN winrm set winrm/config/client @{TrustedHosts="*"}
 ---> Running in a38ce9015919
Client
    NetworkDelayms = 5000
    URLPrefix = wsman
    AllowUnencrypted = false
    Auth
        Basic = true
        Digest = true
        Kerberos = true
        Negotiate = true
        Certificate = true
        CredSSP = false
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    TrustedHosts = *

When I start the container in interactive mode, I can use winrs locally on the container:

C:\>winrs -u:172.18.106.64\user1 -p:Pa55w0rd! dir c:\
winrs -u:172.18.106.64\user1 -p:Pa55w0rd! dir c:\
 Volume in drive C has no label.
 Volume Serial Number is D4B7-E02B

 Directory of c:\

11/22/2016  06:45 PM             1,894 License.txt
08/08/2020  03:24 PM    <DIR>          PerfLogs
08/08/2020  03:35 PM    <DIR>          Program Files
07/16/2016  09:18 AM    <DIR>          Program Files (x86)
08/26/2020  10:27 AM    <DIR>          Users
08/24/2020  03:20 PM    <DIR>          Windows
               1 File(s)          1,894 bytes

From the host I can telnet to the WinRM port on the container, and when I type "HELP" I get:

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 26 Aug 2020 14:43:23 GMT
Connection: close
Content-Length: 326

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Verb</h2>
<hr><p>HTTP Error 400. The request verb is invalid.</p>
</BODY></HTML>

However, when I use winrs from the host, I get this error:

PS C:\Users\xxxxx> winrs -r:http://172.18.106.64 -u:172.18.106.64\user1 -p:Pa55w0rd! dir c:\


Winrs error:The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config.

Going by "If the authentication scheme is different from Kerberos...", I think I need to disable all authentication mechanisms except Kerberos in the container's WinRM client configuration, which I will try next.

Note that I do not have admin rights on the host, so I cannot add the destination machine to the TrustedHosts configuration setting on the host. Also, the container's IP changes every time it starts. Asking the admin to set the trust to "<local>" probably won't be accepted unless I can provide a white paper explaining that it does not pose a security risk to my host.

Is there a simple approach I am overlooking?

Edit: I tried disabling everything except Kerberos, but without success:

Auth
    Basic = false
    Digest = false
    Kerberos = true
    Negotiate = true
    Certificate = false
    CredSSP = false

Answer 1

After some struggle, I realized that WinRM must be running on both the client (the container host) and the server (the container). I also found that WinRM was not running on my host. After some digging, I found that the reason WinRM was not running on my host was that my main network connection was set to "Public" mode. The fix was to open Network & Internet settings, change the adapter to "Private" mode, and reboot.

Then I ran into this problem:

The WinRM client cannot process the request. If the authentication scheme is
different from Kerberos, or if the client computer is not joined to a domain,
then HTTPS transport must be used or the destination machine must be added to 
the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts.
Note that computers in the TrustedHosts list might not be authenticated. You can
get more information about that by running the following command: winrm help
config.

This is a problem on the client (container host) side and is easily fixed with this command:

winrm set winrm/config/client @{TrustedHosts="*"}

Now I can verify the connection from the container host to the container with the following command:

PS> winrm id -r:172.19.6.97 -u:172.19.6.97\user1 -p:Pa55w0rd!
IdentifyResponse
    ProtocolVersion = http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
    ProductVendor = Microsoft Corporation
    ProductVersion = OS: 10.0.14393 SP: 0.0 Stack: 3.0
    SecurityProfiles
        SecurityProfileName = http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/spnego-kerberos
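The host-side steps from the answer, as an added PowerShell example (not from the original question or answer), run from an elevated PowerShell session on the container host. It goes a little beyond the answer: it resolves the container's IP from Docker instead of hard-coding it, and it trusts only that address instead of `*`. Assumed names: the container name `winrm-test`, the default Docker `nat` network, and the `user1` account from the Dockerfile.

```powershell
# Added example, not from the original Q&A. Run in an elevated PowerShell on the container host.
$containerName = 'winrm-test'   # assumption: the name of the running container
$user          = 'user1'        # local account created in the question's Dockerfile

# 1. WinRM has to be running on the host (client) as well as in the container (server).
$svc = Get-Service -Name WinRM
if ($svc.Status -ne 'Running') {
    Write-Warning "WinRM service is '$($svc.Status)' on the host; run Enable-PSRemoting or start it."
}

# 2. A 'Public' network profile keeps the WinRM firewall rules disabled; the answer's fix
#    was to switch the adapter to 'Private'. This does the same from the command line.
Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Public' | ForEach-Object {
    Write-Host "Switching interface '$($_.InterfaceAlias)' from Public to Private"
    Set-NetConnectionProfile -InterfaceIndex $_.InterfaceIndex -NetworkCategory Private
}

# 3. The container's IP changes on every start, so read it from Docker each time.
#    Assumption: the container is attached to the default 'nat' network.
$ip = docker inspect -f '{{.NetworkSettings.Networks.nat.IPAddress}}' $containerName
if (-not $ip) { throw "Could not resolve the IP address of container '$containerName'" }

# 4. TrustedHosts: the answer uses '*', which makes this client willing to hand its
#    credentials to any host that answers. Listing only the container's address
#    clears the same error with a far smaller exposure.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if (($trusted -split ',') -notcontains $ip) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $ip -Concatenate -Force
}

# 5. Verify the connection the same way the answer does, then run a command remotely.
$cred = Get-Credential -UserName "$ip\$user" -Message 'Password of the container account'
Test-WSMan -ComputerName $ip -Credential $cred -Authentication Negotiate
Invoke-Command -ComputerName $ip -Credential $cred -ScriptBlock { Get-ChildItem -Path C:\ }
```

Because the entry is added per start, the TrustedHosts list grows with every new container address; clear stale entries with `Clear-Item WSMan:\localhost\Client\TrustedHosts` when you are done.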
