Closed Peco602 closed 2 years ago
Seems to me that is an unconventional way to work interactively with a running container. You would typically use `docker exec -it` command for an interactive session. That said, I gave it a try with the `mcr.microsoft.com/windows/servercore/iis:latest` image and from the container host I was able to verify connectivity from host-to-container over the default WinRM port:
```
PS C:\Users\Administrator> (docker container inspect cbe0be0147d1 | ConvertFrom-Json).NetworkSettings.Networks.nat.IPAddress
172.31.124.73
PS C:\Users\Administrator> Test-NetConnection -ComputerName 172.31.124.73 -Port 5985
ComputerName : 172.31.124.73
RemoteAddress : 172.31.124.73
RemotePort : 5985
InterfaceAlias : vEthernet (nat)
SourceAddress : 172.31.112.1
TcpTestSucceeded : True
```
But when I try to enter a session:
```
PS C:\Users\Administrator> Enter-PSSession -ComputerName 172.31.124.73
Enter-PSSession : Connecting to remote server 172.31.124.73 failed with the following error message : The WinRM client cannot process
the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS
transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure
TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by
running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -ComputerName 172.31.124.73
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (172.31.124.73:String) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
```
And this error makes sense because the container is not domain-joined (nor is my test VM in this case). So the auth scheme is definitely not Kerberos and as far as using HTTPS as the transport - perhaps it could work, but WinRM inside the container has not been configured to allow it. Again, I'd recommend using `docker exec` if you need to interact with a running container.
You should try other authentication methods, such as Basic and NTLM, which are for non-domain-joined machines.
I need to interact via `Enter-PSSession` and not via `docker exec` because I need to simulate a WinRM connection.
I tried to interact with the `winrm` container available in this repository. The error I get is ACCESS DENIED.
Doesn't work (using any of the available authentication schemes) out-of-the-box. This post looks promising - maybe it can help you: https://tobiasfenster.io/container-to-container-winrm
It is the same link I found. I will give it a look.
I was able to use the `-ContainerId` parameter (from the container host) to enter into a session. Probably not what you are after, but that did in fact work:
```
PS C:\Users\Administrator\Documents> hostname
EC2AMAZ-9I75KV2
PS C:\Users\Administrator\Documents> Enter-PSSession -ContainerId cbe0be0147d191136339d86b537189292b8eadb96915114473340ace213fca30
[cbe0be0147d1...]: PS C:\Users\ContainerUser\Documents> hostname
cbe0be0147d1
[cbe0be0147d1...]: PS C:\Users\ContainerUser\Documents> whoami
user manager\containeruser
```
Please check out my new repository where I have published a WinRM Windows Docker image accessible via the PowerShell command `Enter-PSSession`.
I am trying without success to access the container via this command:
and then inserting the password `Passw0rd` in the prompt window.