After reading "Working with Development Sandboxes and Entitlements", and after New-NavContainer -assignPremiumPlan didn't produce a docker container where the entitlements were enforced (see #3174), I created a docker container and used Setup-BcContainerTestUsers instead.
I took the premium user and added SUPER-Permissions to test if the Entitlements would be enforced here, but I tested with the same report and got the same result. The Entitlements are still not being enforced.
So the question is how do we get cloud sandbox docker containers where the permissions behave like the real cloud environment, which would be really helpful for developing for AppSource and cloud customers (PTE).
Scripts used to create container and cause the issue
BcContainerHelper version 5.0.3
BC.HelperFunctions emits usage statistics telemetry to Microsoft
BcContainerHelper is version 5.0.3
BcContainerHelper is running as administrator
HyperV is Enabled
UsePsSession is True
Host is Microsoft Windows Server 2019 Standard - 10.0.17763.4737
Docker Client Version is 19.03.5
Docker Server Version is 19.03.5
Removing Desktop shortcuts
Fetching all docker images
Fetching all docker volumes
Enabling SSL as otherwise all clients will see mixed HTTP / HTTPS request, which will cause problems e.g. on the mobile
and modern windows clients
Pulling image mcr.microsoft.com/businesscentral:10.0.17763.4737
10.0.17763.4737: Pulling from businesscentral
Using image mcr.microsoft.com/businesscentral:10.0.17763.4737
PublicDnsName is dockerhub.company.org
Creating Container test
Style: sandbox
Multitenant: Yes
Version: 22.4.59114.60133
Platform: 22.0.60117.0
Generic Tag: 1.0.2.14
Container OS Version: 10.0.17763.4737 (ltsc2019)
Host OS Version: 10.0.17763.4737 (ltsc2019)
Using process isolation
Using locale de-DE
Adding special CheckHealth.ps1 to enable Traefik support
Disabling the standard eventlog dump to container log every 2 seconds (use -dumpEventLog to enable)
Using license file C:\ProgramData\company\dockerLicenseFiles\lic.bclicense
Additional Parameters:
-e webserverinstance=test
-e publicdnsname=dockerhub.company.org
-l "traefik.protocol=https"
-l "traefik.web.frontend.rule=PathPrefix:/test"
-l "traefik.web.port=443"
-l "traefik.soap.frontend.rule=PathPrefix:/testsoap;ReplacePathRegex: ^/testsoap(.*) /BC$1"
-l "traefik.soap.port=7047"
-l "traefik.rest.frontend.rule=PathPrefix:/testrest;ReplacePathRegex: ^/testrest(.*) /BC$1"
-l "traefik.rest.port=7048"
-l "traefik.dev.frontend.rule=PathPrefix:/testdev;ReplacePathRegex: ^/testdev(.*) /BC$1"
-l "traefik.dev.port=7049"
-l "traefik.snap.frontend.rule=PathPrefix:/testsnap;ReplacePathRegex: ^/testsnap(.*) /BC$1"
-l "traefik.snap.port=7083"
-l "traefik.dl.frontend.rule=PathPrefixStrip:/testdl"
-l "traefik.dl.port=8080"
-l "traefik.dl.protocol=http"
-l "traefik.enable=true"
-l "traefik.frontend.entryPoints=https"
--env customNavSettings=PublicODataBaseUrl=https://dockerhub.company.org/testrest/odata,PublicSOAPBaseUrl=https://dockerhub.company.org/testsoap/ws,PublicWebBaseUrl=https://dockerhub.company.org/test
Files in C:\ProgramData\BcContainerHelper\Extensions\test\my:
- AdditionalOutput.ps1
- CheckHealth.ps1
- license.bclicense
- MainLoop.ps1
- companySSL.PFX
- SetupCertificate.ps1
- SetupVariables.ps1
- updatehosts.ps1
Creating container test from image mcr.microsoft.com/businesscentral:10.0.17763.4737
41570b346180c2075cd15aa6881f5ec736d26019895a56e1cc703d2a470b4065
Waiting for container test to be ready
Using artifactUrl https://bcartifacts.azureedge.net/sandbox/22.4.59114.60133/de
Using installer from C:\Run\210-new
Installing Business Central
Installing from artifacts
Starting Local SQL Server
WARNING: Waiting for service 'SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS)' to start...
Starting Internet Information Server
Copying Service Tier Files
c:\dl\sandbox\22.4.59114.60133\platform\ServiceTier\Program Files
c:\dl\sandbox\22.4.59114.60133\platform\ServiceTier\System64Folder
Copying PowerShell Scripts
c:\dl\sandbox\22.4.59114.60133\platform\WindowsPowerShellScripts\Cloud\NAVAdministration
c:\dl\sandbox\22.4.59114.60133\platform\WindowsPowerShellScripts\WebSearch
Copying Web Client Files
c:\dl\sandbox\22.4.59114.60133\platform\WebClient\Microsoft Dynamics NAV
Copying ModernDev Files
c:\dl\sandbox\22.4.59114.60133\platform
c:\dl\sandbox\22.4.59114.60133\platform\ModernDev\program files\Microsoft Dynamics NAV
Copying additional files
Copying ConfigurationPackages
C:\dl\sandbox\22.4.59114.60133\de\ConfigurationPackages
Copying Test Assemblies
C:\dl\sandbox\22.4.59114.60133\platform\Test Assemblies
Copying Extensions
C:\dl\sandbox\22.4.59114.60133\de\Extensions
Copying Applications
C:\dl\sandbox\22.4.59114.60133\platform\Applications
Copying Applications.DE
C:\dl\sandbox\22.4.59114.60133\de\Applications.DE
Copying dependencies
Copying ReportBuilder
Importing PowerShell Modules
Restoring CRONUS Demo Database
Setting CompatibilityLevel for tenant on localhost\SQLEXPRESS
Exporting Application to CRONUS
Removing Application from tenant
Modifying Business Central Service Tier Config File for Docker
Creating Business Central Service Tier
Installing SIP crypto provider: 'C:\Windows\System32\NavSip.dll'
Starting Business Central Service Tier
Importing license file
Copying Database on localhost\SQLEXPRESS from tenant to default
Taking database tenant offline
Copying database files
Attaching files as new Database default
Putting database tenant back online
Mounting tenant database
Mounting Database for default on server localhost\SQLEXPRESS with AllowAppDatabaseWrite = False
Sync'ing Tenant
Tenant is Operational
Stopping Business Central Service Tier
Installation took 330 seconds
Installation complete
Initializing...
Setting host.containerhelper.internal to 172.24.176.1 in container hosts file
Starting Container
Hostname is test
PublicDnsName is dockerhub.company.org
Using NavUserPassword Authentication
Certificate File Thumbprint 28EAC4018B94AB194E7F1E3FE451385C82C3AC1F
Import Certificate to LocalMachine\my
Modifying Service Tier Config File with Instance Specific Settings
Modifying Service Tier Config File with settings from environment variable
Setting PublicODataBaseUrl to https://dockerhub.company.org/testrest/odata
Setting PublicSOAPBaseUrl to https://dockerhub.company.org/testsoap/ws
Setting PublicWebBaseUrl to https://dockerhub.company.org/test
Starting Service Tier
CertificateThumprint 28EAC4018B94AB194E7F1E3FE451385C82C3AC1F
Registering event sources
Creating DotNetCore Web Server Instance
Using application pool name: test
Using default container name: NavWebApplicationContainer
Copy files to WWW root C:\inetpub\wwwroot\test
Create the application pool test
Create website: NavWebApplicationContainer with SSL
Update configuration: navsettings.json
Done Configuring Web Client
Enabling Financials User Experience
Using license file 'c:\run\my\license.bclicense'
Import License
Dismounting Tenant
Mounting Tenant
Mounting Database for default on server localhost\SQLEXPRESS with AllowAppDatabaseWrite = False
Sync'ing Tenant
Tenant is Operational
Creating http download site
Setting SA Password and enabling SA
Creating admin as SQL User and add to sysadmin
Creating SUPER user
Container IP Address: 172.24.176.40
Container Hostname : test
Container Dns Name : dockerhub.company.org
Web Client : https://dockerhub.company.org/test/?tenant=default
Dev. Server : https://dockerhub.company.org
Dev. ServerInstance : BC
Dev. Server Tenant : default
Setting test to 172.24.176.40 in host hosts file
Setting test-default to 172.24.176.40 in host hosts file
Setting test-default to 172.24.176.40 in container hosts file
Files:
http://dockerhub.company.org:8080/ALLanguage.vsix
Container Total Physical Memory is 511.9Gb
Container Free Physical Memory is 237.2Gb
Initialization took 50 seconds
Ready for connections!
Reading CustomSettings.config from test
Cleanup old dotnet core assemblies
Container test successfully created
Because of Traefik, the following URLs need to be used when accessing the container from outside your Docker host:
Web Client: https://dockerhub.company.org/test
SOAP WebServices: https://dockerhub.company.org/testsoap
OData WebServices: https://dockerhub.company.org/testrest
Dev Service: https://dockerhub.company.org/testdev
Snapshot Service: https://dockerhub.company.org/testsnap
File downloads: https://dockerhub.company.org/testdl
Health check returns False, restarting container
Removing Session test
test
Waiting for container test to be ready
Initializing...
Setting host.containerhelper.internal to 172.24.176.1 in container hosts file
Restarting Container
PublicDnsName unchanged
Hostname is test
PublicDnsName is dockerhub.company.org
Using NavUserPassword Authentication
Starting Local SQL Server
Starting Internet Information Server
Starting Service Tier
Container IP Address: 172.24.181.66
Container Hostname : test
Container Dns Name : dockerhub.company.org
Web Client : https://dockerhub.company.org/test?tenant=default
Dev. Server : https://dockerhub.company.org
Dev. ServerInstance : BC
Dev. Server Tenant : default
Setting test to 172.24.181.66 in host hosts file
Setting test-default to 172.24.181.66 in host hosts file
Setting test-default to 172.24.181.66 in container hosts file
Files:
http://dockerhub.company.org:8080/ALLanguage.vsix
Container Total Physical Memory is 511.9Gb
Container Free Physical Memory is 242.5Gb
Initialization took 11 seconds
Ready for connections!
Waiting for tenants to be mounted
Use:
Get-BcContainerEventLog -containerName test to retrieve a snapshot of the event log from the container
Get-BcContainerDebugInfo -containerName test to get debug information about the container
Enter-BcContainer -containerName test to open a PowerShell prompt inside the container
Remove-BcContainer -containerName test to remove the container again
docker logs test to retrieve information about URL's again
Synchronizing Permissions Mock on default
App successfully synchronized
Installing Permissions Mock on default
App successfully installed
Synchronizing Test Runner on default
App successfully synchronized
Installing Test Runner on default
App successfully installed
Synchronizing Any on default
App successfully synchronized
Installing Any on default
App successfully installed
Synchronizing Library Assert on default
App successfully synchronized
Installing Library Assert on default
App successfully installed
Skipping app 'C:\Applications.DE\Microsoft_Permissions Mock_22.4.59114.60133.app' as it is already installed
Synchronizing Library Variable Storage on default
App successfully synchronized
Installing Library Variable Storage on default
App successfully installed
TestToolkit successfully imported
Publishing C:\ProgramData\BcContainerHelper\Extensions\test\9a54c6f8-9588-4da1-9dad-3978168b4dae\Microsoft_System Application Test Library.app
Synchronizing System Application Test Library on tenant default
Installing System Application Test Library on tenant default
App Microsoft_System Application Test Library.app successfully published
Downloading C:\Users\adm_dago\AppData\Local\Temp\ed55d054-211e-4bf4-b5a2-14868fef2739
Downloading using WebClient
Publishing C:\ProgramData\BcContainerHelper\Extensions\test\264445fa-f7bd-4f4f-b615-36ef3425d87f\ed55d054-211e-4bf4-b5a2-14868fef2739.app
Synchronizing CreateTestUsers on tenant default
Installing CreateTestUsers on tenant default
App ed55d054-211e-4bf4-b5a2-14868fef2739.app successfully published
Invoke GET on https://172.24.181.66:7048/BC/api/v1.0/companies?$filter=name%20eq%20%27CRONUS%20DE%27&tenant=default
Invoke POST on https://172.24.181.66:7048/BC/api/Microsoft/Setup/beta/companies(c6c2cb6d-da46-ee11-be72-6045bde99bee)/testUsers?tenant=default
Uninstalling CreateTestUsers from tenant default
Unpublishing CreateTestUsers
App successfully unpublished
Uninstalling System Application Test Library from tenant default
Unpublishing System Application Test Library
App successfully unpublished
...