Using Credentials Fetcher for Linux Hyper-V VM running docker containers #129
Unanswered. marceliwac asked this question in Q&A. Replies: 1 comment, 12 replies
-
Hi @marceliwac,
Credentials-fetcher could run as another container in domainless mode and then share the Kerberos tickets to other containers via a file-mount. What options do you have for file-mount?
12 replies
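The sidecar-plus-file-mount layout described in the reply above, written out as an added Docker Compose example. This is not code from the credentials-fetcher project or from anyone in this thread: the image names, the env file, the ticket directory `/var/credentials-fetcher/krbdir` and the cache file name under it are assumptions to be replaced with whatever the sidecar actually writes. The only mechanism it demonstrates is a named volume that carries the ticket cache from the sidecar to the consumer container, mounted read-only on the consumer and never published to the host.

```yaml
# Added example, not from the credentials-fetcher project or this thread.
# Assumptions: image names, env file, the ticket directory and the cache
# file name are placeholders. The shared named volume is the real point.
services:
  ticket-sidecar:
    image: CREDENTIALS_FETCHER_IMAGE_PLACEHOLDER
    # Domainless mode: the sidecar obtains the gMSA ticket itself, so the
    # Linux VM does not need to be domain-joined. How it reaches the account
    # secret is deployment-specific; keep that out of this file.
    env_file: ./ticket-sidecar.env        # constructed; holds only the secret reference
    volumes:
      - krb-tickets:/var/credentials-fetcher/krbdir   # ASSUMED sidecar output directory
    restart: unless-stopped

  db-client:
    image: my-app/db-service:PLACEHOLDER
    depends_on:
      - ticket-sidecar
    environment:
      # Point the Kerberos libraries at the shared cache. The file name under
      # the mount is an assumption; match it to what the sidecar writes.
      KRB5CCNAME: FILE:/var/credentials-fetcher/krbdir/krb5cc
      # The SQL client then authenticates with the ticket, e.g. an ODBC
      # connection string with Trusted_Connection=yes and no password.
    volumes:
      - krb-tickets:/var/credentials-fetcher/krbdir:ro   # consumer only reads tickets
      - ./krb5.conf:/etc/krb5.conf:ro                     # realm/KDC settings (constructed)

volumes:
  krb-tickets: {}
```

Two design choices worth keeping: the consumer mounts the ticket volume read-only, so a compromised application container cannot tamper with or replace the cache, and the volume is a Compose-managed named volume rather than a bind mount, so the tickets are not exposed on the VM filesystem beyond Docker's own storage. The MSSQL driver still needs a working `/etc/krb5.conf` pointing at the domain's KDC, which is why it is mounted separately.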
-
Hello!
I'm having some issues setting up the infrastructure for one of my current projects, and I'm hoping credentials fetcher could be the solution I need. Apologies for how lengthy this description may be; I'm writing it pre-emptively to give you some background surrounding my issue in case it helps.
Question
Can I use the credentials fetcher in a setup where my domain-joined Windows host with gMSA configured runs a Hyper-V Linux VM with a Docker container that connects to another server on the AD network running MSSQL via Windows Authentication?
My setup
Here are the requirements and constraints I am working within:
I'm developing an application that's composed of several microservices, each dockerised into a Linux-based container. The whole application stack is structured into a Docker Compose file and is meant to run on a single Windows machine within an on-prem network. One of the services is responsible for communication with an MSSQL database that already exists on the network, and which only allows authentication using Windows Authentication (that is to say, using an AD account / service account). I was able to successfully connect to the server from Docker Windows containers running on the Windows machine via gMSA and a credential-spec file provided via docker-compose.yml, but running the entire application stack as Windows containers was extremely unreliable (containers would only start about 10% of the time, some of them would get stuck in a created state, some of them would hang, and the only thing that would get them to work again was killing the Docker service, removing all running containers, networks, volumes etc. and starting from scratch, one service at a time). Because of that, I pivoted back to using Linux containers, but since support for Docker containers running Linux on Windows Server isn't great (WSL is not supported on the host machine), I turned to Hyper-V.
The new setup consists of a Windows machine running a single Linux Hyper-V VM with Docker installed. The application stack runs in Linux Docker images on that VM, which all works flawlessly with the exception of the connection to the MSSQL server that I am now trying to establish. I'm not sure, however, how and whether it's possible to pass the cred-spec file to the Hyper-V VM, whether it can/needs to be domain-joined as well, or whether I can use the host machine's gMSA membership to facilitate this. Furthermore, I'm curious as to whether the communication with the credentials fetcher should happen between the Hyper-V VM and the container, or whether I should install it directly in the container.
I appreciate that there may be a lot for me to learn when it comes to networking within the Windows world, and on its cross-section with the Linux VMs, but any help or direction would be greatly appreciated! Finally, this seems somewhat relevant to @robsoncloud's recent post, so I'm mentioning it here in the hope they might be able to shed some light on my issue. Thank you in advance for taking the time to help with this!