
Friday, April 30, 2021

Creating and logging in to a Windows Containers user with a password

Windows containers by default use the ContainerAdministrator user account with a blank password. Creating a new user with a password can be done, but that user cannot be used in a Dockerfile, for example. If you want to use another user in a container, you have to create the user with a blank password!

To log in to a container with a password, do the following:
PS C:\> $cert = New-SelfSignedCertificate -DnsName "dontcare" -CertStoreLocation Cert:\LocalMachine\My
PS C:\> winrm create winrm/config/Listener?Address=*+Transport=HTTPS ('@{Hostname="notimportant"; CertificateThumbprint="' + $cert.Thumbprint + '"}')
PS C:\> winrm set winrm/config/service/Auth '@{Basic="true"}'
PS C:\> $cred = New-Object pscredential 'timus', (ConvertTo-SecureString -String 'P@$$w0rd' -AsPlainText -Force)
PS C:\> Enter-PSSession -Credential $cred -ComputerName localhost -Authentication Basic -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck)
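
A variant of the steps above that keeps certificate validation on and prompts for the password instead of embedding it. This is an added example, not from the original post; it assumes it runs inside the container as ContainerAdministrator, that the local user timus already exists, and the .cer file name is a placeholder.

```powershell
# Added example, not from the original post. Assumes: run inside the container
# as ContainerAdministrator and the local user 'timus' already exists.

# 1. Issue the certificate for the name the client will actually connect to.
$cert = New-SelfSignedCertificate -DnsName 'localhost' -CertStoreLocation Cert:\LocalMachine\My

# 2. Trust exactly this certificate, so -SkipCACheck/-SkipCNCheck are not needed.
$cerPath = Join-Path $env:TEMP 'winrm-localhost.cer'   # placeholder file name
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
$trusted = Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root

# 3. Same HTTPS listener and Basic auth setting as in the post.
winrm create winrm/config/Listener?Address=*+Transport=HTTPS ('@{Hostname="localhost"; CertificateThumbprint="' + $cert.Thumbprint + '"}')
winrm set winrm/config/service/Auth '@{Basic="true"}'

# 4. Prompt for the password so it does not land in the script or history.
$password = Read-Host -AsSecureString -Prompt 'Password for timus'
$cred = New-Object pscredential 'timus', $password

# 5. Connect with full certificate validation and confirm the identity.
$session = $null
try {
    $session = New-PSSession -ComputerName localhost -Credential $cred -Authentication Basic -UseSSL
    Invoke-Command -Session $session -ScriptBlock { whoami }
}
finally {
    if ($session) { Remove-PSSession $session }
    # 6. Undo the temporary exposure: listener, Basic auth, trusted root entry.
    winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
    winrm set winrm/config/service/Auth '@{Basic="false"}'
    Remove-Item -Path "Cert:\LocalMachine\Root\$($trusted.Thumbprint)"
    Remove-Item -Path $cerPath
}
```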

Monday, April 12, 2021

Windows containers cannot use USER instruction to change user with a password

I have a Dockerfile like below:

FROM mcr.microsoft.com/windows/servercore:20H2 as final
RUN net user timus P@$$w0rd123!@# /add /Passwordchg:No
RUN WMIC USERACCOUNT WHERE "Name='timus'" SET PasswordExpires=FALSE
RUN net localgroup administrators timus /add
USER timus
RUN whoami

Running this will fail with an error message like below:
C:\mydocker>docker build -t myimages:1.0.0 -f Dockerfile
Sending build context to Docker daemon 678.8MB
Step 1/6 : FROM mcr.microsoft.com/windows/servercore:20H2 as final
 ---> 4943ff812624
Step 2/6 : RUN net user timus P@$$w0rd!@# /add /Passwordchg:No
 ---> Running in 95d4d70138d8
The command completed successfully.
Removing intermediate container 95d4d70138d8
 ---> d00130167ea2
Step 3/6 : RUN WMIC USERACCOUNT WHERE "Name='timus'" SET PasswordExpires=FALSE
 ---> Running in 0d05945d8f70
Updating property(s) of '\\0D05945D8F70\ROOT\CIMV2:Win32_UserAccount.Domain="0D05945D8F70",Name="timus"'
Property(s) update successful.
Removing intermediate container 0d05945d8f70
 ---> b37beaf1f201
Step 4/6 : RUN net localgroup administrators timus /add
 ---> Running in 82871efe73b3
The command completed successfully.
Removing intermediate container 82871efe73b3
 ---> 17d3a473c8e6
Step 5/6 : USER timus
 ---> Running in fc69793db808
Removing intermediate container fc69793db808
 ---> 8e515f363d94
Step 6/6 : RUN whoami
 ---> Running in 1d88d8a9e089
container 1d88d8a9e0897835a2cd00082f92ef99d7896623ce7ba7c1921176569c670cfe encountered an error during hcsshim::System::CreateProcess: failure in a Windows system call: The user name or password is incorrect. (0x52e)
[Event Detail: Provider: 00000000-0000-0000-0000-000000000000]
[Event Detail: Provider: 00000000-0000-0000-0000-000000000000]
[Event Detail: onecore\vm\compute\management\orchestration\vmhostedcontainer\processmanagement.cpp(173)\vmcomputeagent.exe!00007FF720E4A40B: (caller: 00007FF720E05C8B) Exception(2) tid(388) 8007052E The user name or password is incorrect. CallContext:[\Bridge_ProcessMessage\VmHostedContainer_ExecuteProcess] Provider: 00000000-0000-0000-0000-000000000000]
extra info: {"CommandLine":"cmd /S /C whoami","User":"timus","WorkingDirectory":"C:\\","CreateStdInPipe":true,"CreateStdOutPipe":true,"CreateStdErrPipe":true,"ConsoleSize":[0,0]}

This fails because, as of this writing (4/12/2021), Windows containers do not support using the USER instruction for users with a password; the password is expected to be blank!
See this GitHub issue for details - https://github.com/moby/moby/issues/28585

My docker cheat sheet

Install the base container image for Server Core 2019. If you are running a Windows Server 2019 virtual machine, this will allow you to run the container in process isolation mode instead of Hyper-V isolation. Process isolation is more lightweight and allows you to run a Server 2019 VM with the dynamic memory setting in Hyper-V.

PS C:\> docker image pull mcr.microsoft.com/windows/servercore:ltsc2019
To list downloaded images, do
PS C:\> docker images
This will show something like below
PS C:\> docker images
REPOSITORY                             TAG                 IMAGE ID            CREATED             SIZE
mcr.microsoft.com/windows/servercore   ltsc2019            3eaa9ebbf51f        5 weeks ago         5.25GB

To run a Windows container based on servercore:ltsc2019, do:
PS C:\> docker run -it mcr.microsoft.com/windows/servercore:ltsc2019 cmd.exe
This will open a cmd.exe prompt. This should allow you to play inside that container.

This container should be running in process isolation mode. To verify that, list the containers:
PS C:\> docker ps -a
Sample output below
PS C:\> docker ps -a
CONTAINER ID        IMAGE                                           COMMAND             CREATED             STATUS                      PORTS               NAMES
0dcd0e1f1a01        mcr.microsoft.com/windows/servercore:ltsc2019   "cmd.exe"           7 seconds ago       Up 6 seconds                                    gracious_ride
c9e4859871c2        mcr.microsoft.com/windows/servercore:ltsc2019   "cmd.exe"           56 minutes ago      Exited (0) 50 minutes ago                       distracted_curran
540f0bd0e7fd        mcr.microsoft.com/windows/servercore:ltsc2019   "cmd.exe"           About an hour ago   Exited (0) 58 minutes ago                       reverent_bohr
Note that 0dcd0e1f1a01 shows it is running (STATUS column shows Up x seconds).

Now check the isolation mode:
PS C:\> docker inspect 0dcd0e1f1a01 | Select-String -Pattern "Isolation"
It should show something like below:
PS C:\> docker inspect 0dcd0e1f1a01 | Select-String -Pattern "Isolation"
            "Isolation": "process",
To re-start an exited container, e.g., 540f0bd0e7fd do:
PS C:\> docker start 540f0bd0e7fd
This will start a container in the background. To interact with it do:
PS C:\> docker attach 540f0bd0e7fd
To start another shell in a container, do:
PS C:\> docker exec -it 540f0bd0e7fd cmd.exe
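
The isolation check above, extended to every container on the host rather than one ID at a time. This is an added example, not from the original post; the function name Get-ContainerIsolation is made up for illustration.

```powershell
# Added example (not from the original post): report the isolation mode of
# every container on this host. Get-ContainerIsolation is a hypothetical name.

function Get-ContainerIsolation {
    # All container IDs, running or exited (same set as `docker ps -a`).
    $ids = @(docker ps -aq)
    if ($ids.Count -eq 0) { return }

    # docker inspect prints one JSON array for all IDs; Out-String joins the
    # output lines so ConvertFrom-Json parses them as a single document.
    $containers = docker inspect $ids | Out-String | ConvertFrom-Json

    foreach ($c in $containers) {
        [pscustomobject]@{
            Id        = $c.Id.Substring(0, 12)
            Name      = $c.Name.TrimStart('/')
            Image     = $c.Config.Image
            Status    = $c.State.Status
            Isolation = $c.HostConfig.Isolation   # e.g. "process" or "hyperv"
        }
    }
}

$report = Get-ContainerIsolation
$report | Format-Table -AutoSize

# Process-isolated containers share the host kernel, so list the running ones
# separately to make that choice visible.
$report |
    Where-Object { $_.Isolation -eq 'process' -and $_.Status -eq 'running' } |
    Select-Object Id, Name, Image
```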

Can’t install Hyper-V Management Tools on Windows Server 2019 if the machine/VM does not support virtualization

I tried to install PowerShell Direct to manage docker containers but can't install the feature, trying to run:

PS C:\> Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Management-PowerShell

yields the error below:

PS C:\Users\Administrator> Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Management-PowerShell
Enable-WindowsOptionalFeature : One or several parent features are disabled so current feature can not be enabled.
At line:1 char:1
+ Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V- ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Enable-WindowsOptionalFeature], COMException
    + FullyQualifiedErrorId : Microsoft.Dism.Commands.EnableWindowsOptionalFeatureCommand

Apparently this happens when the OS is running on a machine that does not support virtualization or the VM does not have nested virtualization enabled.

Formatting code in Blogger

I have been using Github gists to share code and I have no plan of abandoning it. For smaller/one liners, I sometimes use div element with ...