microsoft / IIS.ServiceMonitor

An entrypoint process for running IIS in Windows containers
MIT License
127 stars 39 forks

Make AppPool name configurable #31

Closed michha closed 6 years ago

michha commented 6 years ago

Requirement: Security hardened IIS with just the necessary features, including removed default web site and default app pool.

Problem: ServiceMonitor expects a pool DefaultAppPool, fails when it is missing and doesn't provide an override-able option.

Within this PR: added an extra argument if the pool name needs to be changed.

Dockerfile:

FROM microsoft/aspnet:4.7.1-windowsservercore-ltsc2016

# RUN lines are PowerShell here (the base image's SHELL); load WebAdministration so the IIS: drive is available,
# then strip the default site and the default pool that the hardened image must not carry
RUN Import-Module WebAdministration; \
    Get-ChildItem IIS:\Sites | Remove-Website; \
    Get-ChildItem IIS:\AppPools | Remove-WebAppPool;

# the only pool the application will run in
RUN New-WebAppPool SomePool;

# uncomment for new behavior: the patched ServiceMonitor takes the pool name as an extra argument
#COPY x64/Debug/ServiceMonitor.exe /ServiceMonitor2.exe
#ENTRYPOINT ["C:\\ServiceMonitor2.exe", "w3svc", "SomePool"]

when starting the container the ServiceMonitor cannot find the DefaultAppPool pool and fails with:

 Service 'w3svc' has been stopped

APPCMD failed with error code 4312

Failed to update IIS configuration

Using my code changes (and uncommenting the Dockerfile lines), the result is:

 Service 'w3svc' has been stopped

 Service 'w3svc' started
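An entrypoint wrapper, as an added example that is not code from this PR or from the project, that fails fast with a readable message instead of the opaque APPCMD error 4312 when the pool named on the command line is missing, and re-checks that the hardening done in the Dockerfile actually held before handing off to ServiceMonitor. It assumes the `<service> <apppool>` argument order from the commented ENTRYPOINT line above; the ServiceMonitor.exe path, the script name start.ps1 and the exit codes are assumptions as well.

```powershell
# start.ps1 (hypothetical name): ENTRYPOINT ["powershell", "-File", "C:\\start.ps1"]
param(
    [string]$ServiceName = 'w3svc',
    [string]$AppPoolName = 'SomePool',
    [string]$ServiceMonitorPath = 'C:\ServiceMonitor2.exe'   # assumed path
)
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration   # provides the IIS: drive used below

# 1. The pool ServiceMonitor will manage must exist, otherwise it stops w3svc and exits with APPCMD error 4312.
if (-not (Test-Path "IIS:\AppPools\$AppPoolName")) {
    Write-Error "Application pool '$AppPoolName' does not exist; refusing to start ServiceMonitor."
    exit 2
}

# 2. Hardening check: the defaults the image removed must still be gone, so nothing runs out-of-the-box.
$leftovers = @('IIS:\AppPools\DefaultAppPool', 'IIS:\Sites\Default Web Site') | Where-Object { Test-Path $_ }
if ($leftovers) {
    Write-Error "Default IIS objects are still present: $($leftovers -join ', ')"
    exit 3
}

# 3. Report any site that is not bound to the expected pool; a site on another pool would not be monitored.
$stray = Get-ChildItem IIS:\Sites | Where-Object { $_.applicationPool -ne $AppPoolName }
if ($stray) {
    Write-Warning "Sites not running in '$AppPoolName': $($stray.Name -join ', ')"
}

# 4. Hand off to ServiceMonitor with the pool name argument added by this PR; it stays in the foreground
#    and its exit code becomes the container's exit code.
& $ServiceMonitorPath $ServiceName $AppPoolName
exit $LASTEXITCODE
```

Because the wrapper, not ServiceMonitor.exe, becomes the container's first process, the container log shows the validation message before ServiceMonitor ever runs APPCMD.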

michha commented 6 years ago

Disclaimer: I am a managed-code guy, so I don't know if the memory of the new variable needs to be freed. And I am also not used to naming conventions in C++. If something needs to be changed, give me a hint.

mcy94w commented 6 years ago

What's the purpose of not using default app pool?

michha commented 6 years ago

Having more control over what is configured (through creating custom app pools) and preventing unknown "out-of-the-box" actions (like ServiceMonitor accessing the DefaultAppPool while our application is running on a different pool).

christianacca commented 6 years ago

Another reason to not just support default app pool....

So as to be able to reuse existing deployment scripts that install IIS sites and create their own app pool using specific naming conventions.

Even new scripts might require this. New scripts can be written in a host-agnostic fashion: they can be used to deploy the site to a Docker container or to "bare metal" / a VM.

michha commented 6 years ago

Is something blocking this from getting merged?

michha commented 6 years ago

@mcy94w What is the roadmap for this change to go live? 4.7.2-windowsservercore-ltsc2016 and 4.7.2-windowsservercore-1803 still install version 2.0.1.3, which doesn't contain this commit.