
I have gone through all the examples I could find online for building Docker-container-based applications. I want to run two services in two Docker containers:

  1. A Windows container running ASP.NET
  2. A Windows container running SQL Server

Easy job, and there are many examples. However, in all the examples you need to use SQL authentication and provide a hard-coded SA password as an environment variable when running the SQL Server container. You also need to hard-code the SA password into the connection string in the ASP.NET code (or provide it in some other manner, e.g. in a configuration file).

Bottom line: in all the examples the password is hard-coded somewhere.

In most applications we develop now, we actually use Windows authentication or a group managed service account instead. But as far as I know, you cannot add a Windows container to a domain, so the SQL Server is not part of the Windows domain and I don't see a way to use Windows authentication here.

So does anyone have an alternative to hard-coding passwords this way?

IProgrammer

3 Answers

I'm dealing exactly with the same problem. Here is the most complete procedure that I found. The trick is to use gMSA.

But, as JanneRantala says at the end, I'm having the same problem when trying to add a new user in the database:

Msg 15401, Level 16, State 1, Line 3 Windows NT user or group 'YOUR_DOMAIN\gmsa$' not found. Check the name again.

G. Gomes
  • Thanks. I also read about the gMSA but cannot fully understand how the authentication works. A similar problem would be with Windows authentication with the IIS server. Hope more relevant documentation will evolve as this great technology evolves in the Windows environment. – IProgrammer Jan 20 '17 at 08:12

Here is a walkthrough of how to make it work: Windows Containers Walkthrough

This will not work, though, if your SQL Server is also running in a container, since SQL Server itself has to be part of Active Directory to be able to utilize gMSA accounts.

Gregory Suvalian
  • Thanks. I have already read this one before. But this is exactly the issue I am trying to solve. I want the entire application to run in containers - both SQL and IIS. – IProgrammer Jan 23 '17 at 05:19
  • If those are running in different containers then it will never be possible. If they are running in a single container then there is probably a way around it. Also, you don't need to hard-code any data into the container if that's your primary concern; you can pass secrets through environment variables when you start the container. – Gregory Suvalian Jan 23 '17 at 12:43
  • Thanks GSA. After reading your comment I did some further reading and it seems like this might be a good way going forward: https://www.ctl.io/developers/blog/post/tutorial-protecting-sensitive-info-docker – IProgrammer Jan 23 '17 at 15:05
  • Well, if you look closely it's still a crappy way of doing it, because your environment variable, while not hard-coded, is still available to anybody within the running container to read. Better than hard-coding, but still questionable. What I plan to try is to put a certificate in the container image and use *CMS* PowerShell constructs to pass secrets to the container, which during startup will be decoded by the runtime and applied. This way you not only need access to the secret but also access to the key to decrypt it for this to work. Next step, I will try to store this secret in a DNS TXT field. – Gregory Suvalian Jan 23 '17 at 18:13
  • Turns out that if you use Docker Swarm there is a new API now to use secrets: https://www.infoq.com/news/2017/01/docker-1.13 – IProgrammer Jan 23 '17 at 19:44
  • Only for "Linux" in details – Gregory Suvalian Jan 23 '17 at 19:50
  • Saw that, but I also saw that Windows containers in swarm mode are supported: https://channel9.msdn.com/Blogs/containers/Docker-Swarm-Part-2 so I was kind of hoping they were wrong :) – IProgrammer Jan 23 '17 at 20:04
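The Docker secrets approach mentioned in the comments above, as an added example (not code from the question or from either poster): the ASP.NET side reads the SA password from the file Docker mounts for a swarm secret instead of from an environment variable or a hard-coded connection string. It assumes a secret named `sa_password` is attached to the service, that the SQL Server service is reachable as `sqlserver` on the overlay network, and a database called `AppDb`; all three names are placeholders.

```csharp
using System;
using System.Data.SqlClient;
using System.IO;

public static class DbConfig
{
    // Docker mounts each swarm secret as a file. On Windows containers the
    // directory is C:\ProgramData\Docker\secrets, on Linux it is /run/secrets.
    private static readonly string SecretsDir =
        Environment.OSVersion.Platform == PlatformID.Win32NT
            ? @"C:\ProgramData\Docker\secrets"
            : "/run/secrets";

    // Reads one secret by name. Unlike an environment variable, the file is only
    // mounted into services that were explicitly granted the secret.
    public static string ReadSecret(string name)
    {
        string path = Path.Combine(SecretsDir, name);
        if (!File.Exists(path))
        {
            // Fail closed: never fall back to a built-in default password.
            throw new InvalidOperationException(
                $"Secret '{name}' is not mounted at {path}; refusing to start.");
        }
        // Secret files created from text often carry a trailing newline.
        return File.ReadAllText(path).TrimEnd('\r', '\n');
    }

    // Builds the connection string at startup; the password never appears in
    // source, in the image, or in the container's environment block.
    public static string BuildConnectionString()
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = "sqlserver",      // assumed service name (placeholder)
            InitialCatalog = "AppDb",      // assumed database name (placeholder)
            UserID = "sa",
            Password = ReadSecret("sa_password"), // assumed secret name
            Encrypt = true                 // protect the credential on the wire
        };
        return builder.ConnectionString;
    }
}
```

The same secret file feeds the SQL Server container's startup so the password exists in exactly one place, the swarm's encrypted Raft store, rather than in `docker run -e` arguments visible to anyone who can inspect the container.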

Windows authentication is automatically enabled in Windocks SQL Server containers. See here for more details. The SQL Server containers created in Windocks are SQL Server named instances, created automatically from the default SQL Server service that is already installed on the Windows Server (2012 R2 or 2016). Any Windows accounts in the default instance are automatically enabled in the container instances.

rameshpa