Skip to content

Instantly share code, notes, and snippets.

@jason-bivins

jason-bivins/200 containers

Last active June 3, 2025 18:10
Show Gist options
  • Save jason-bivins/f6e40f3b778a6476de4267c9efc7191f to your computer and use it in GitHub Desktop.
Save jason-bivins/f6e40f3b778a6476de4267c9efc7191f to your computer and use it in GitHub Desktop.
Download ZIP
Jbiv-quicknotes
Raw
200 containers
docker pull georgyturevich/tomcat:choco_install; `
docker version; `
docker info; `
mkdir C:\test_volume; `
$CountContainers = 200; `
docker stop $(docker ps -af name=gturevich-test --format "{{.Names}}"); `
docker rm $(docker ps -af name=gturevich-test --format "{{.Names}}");`
$MaintStartTime = Get-Date; `
for ($I=1; $I -le $CountContainers; $I++) { `
$Start = Get-Date; echo "$Start`: Runing #$I (of $CountContainers) ..."; `
$Ports = "$(11000+$I)`:80"; `
docker run --name "gturevich-test-$I" -p $Ports --restart=always -e "JAVA_OPTS=-Xms512M -Xmx512M" -v C:\test_volume:C:\volume -d georgyturevich/tomcat:choco_install; `
$Stop = Get-Date; echo "$stop`: #$I (of $CountContainers) started in $(($Stop - $Start).TotalSeconds) s. Full time is: $(($Stop - $MaintStartTime).TotalMinutes) m."; `
}`
echo "$(date): Containers count before restart: $((docker ps -q).count). Stopping Docker service ...";`
Stop-Service docker; `
echo "$(date): Docker stopped. Dismounting ...";`
date; Get-Disk | ? {$_.Location -like "*docker*"} | foreach { Write-Host "Dismounting" $_.Location; Dismount-VHD -DiskNumber $_.Number}; date; `
Sleep 3; `
echo "$(date): Starting docker ...";`
Start-Service docker;`
echo "$(date): Started.";
$K=0; while($K -lt 20) { `
$K++;`
echo "$(date): Requesting containers list ..."; `
$Start = Get-Date; echo " Containers count after restart: $((docker ps -q).count); Current date: $(date)";`
$Stop = Get-Date; echo "$(date): Result was received in $(($Stop - $Start).TotalSeconds) s. Full time is: $(($Stop - $MaintStartTime).TotalMinutes) m."; Sleep 5; `
}
Raw
azurenotes
## open up permissions and install Azure powershell modules to your local machine
Set-ExecutionPolicy Unrestricted
Install-Module -Name Az -AllowClobber -Scope AllUsers
Import-Module Az.Network
## login to azure portal
## need to look into using a service principal instead
## https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-2.6.0
Connect-AzAccount
## you only need these next two if you have multiple azure subsriptions - skip if you only have one default sub
#Get-AzSubscription
#Select-AzSubscription -Subscription "subscriptionid"
#enter location and resource group
$locationName = "azure location"
$ResourceGroupName = "resource group name"
#Leave these AS-IS
$nicName = "NIC-"
$vnet = Get-AzVirtualNetwork -Name $NetworkName -ResourceGroupName $ResourceGroupName
## Networking
$DNSNameLabel = "mydnsname" # mydnsname.westus.cloudapp.azure.com
$PublicIPAddressName = "MyPIP"
$PIP = New-AzPublicIpAddress -Name $PublicIPAddressName -DomainNameLabel $DNSNameLabel -ResourceGroupName $ResourceGroupName -Location $LocationName -AllocationMethod Dynamic
$networkName = "vnet name"
#VM names -- OS and VM size
$computerName = @("win01","win03","win02")
$vmSize = 'Standard_DS3_v2'
$publisherName = "MicrosoftWindowsServer"
#-DataDiskSizeInGb
# https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sizes-general#dsv3-series-1
Get-AzVMImageSku -PublisherName $publisherName -Offer $offer | Select Skus
#Get-AzVMImage -PublisherName $publisherName -Offer $offer -Sku $skuName | Select Version
$offer = "WindowsServer"
$skus = "2019-Datacenter"
# enter the creds you want to use -- not sure how to linux this?
$VMLocalAdminUser = "LocalAdminUser"
$VMLocalAdminSecurePassword = ConvertTo-SecureString "Password" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($VMLocalAdminUser, $VMLocalAdminSecurePassword);
## Networking
$DNSNameLabel = "mydnsname" # mydnsname.westus.cloudapp.azure.com
$PublicIPAddressName = "MyPIP"
$PIP = New-AzPublicIpAddress -Name $PublicIPAddressName -DomainNameLabel $DNSNameLabel -ResourceGroupName $ResourceGroupName -Location $LocationName -AllocationMethod Dynamic
#Loops through the computer names you provide and provisions one at a time
#as-job command?
for($i = 0; $i -le $ComputerName.count -1; $i++)
{
$NIC = New-AzNetworkInterface -Name ($NICName+$ComputerName[$i]) `
-ResourceGroupName $ResourceGroupName `
-Location $LocationName `
-SubnetId $Vnet.Subnets[0].Id
$VirtualMachine = New-AzVMConfig -VMName $ComputerName[$i] `
-VMSize $VMSize
$VirtualMachine = Set-AzVMOperatingSystem -VM $VirtualMachine `
-Windows `
-ComputerName $ComputerName[$i] `
-Credential $Credential `
-ProvisionVMAgent `
-EnableAutoUpdate
$VirtualMachine = Add-AzVMNetworkInterface -VM $VirtualMachine `
-Id $NIC.Id
$VirtualMachine = Set-AzVMSourceImage -VM $VirtualMachine `
-PublisherName $publisherName `
-Offer $offer `
-Skus $skus `
-Version latest
New-AzVM -ResourceGroupName $ResourceGroupName `
-Location $LocationName `
-VM $VirtualMachine `
-Verbose
}
Raw
azwin11vmdockerfile.txt
FROM mcr.microsoft.com/azure-cli
COPY "run.sh" .
RUN ["chmod", "+x", "./run.sh"]
ENTRYPOINT [ "./run.sh" ]
Contents of run.sh:
#!/bin/bash
echo "Login to Azure"
az login
echo "What is the name of your resource group?"
read resourcegroup
echo "What is the name of your NSG (network security group)"
read nsg
echo "Name of the VM?"
read vmname
echo "VM user name"
read username
echo "Set your VM password (recommend using 1password to create this)"
read pwd
echo "Set your location - example: eastus2, centralus (must be a valid azure location)"
read location
size="Standard_D4s_v3"
osdisksize=250
urn="MicrosoftWindowsDesktop:windows-11:win11-21h2-pro:22000.2416.230902"
win10="MicrosoftWindowsDesktop:Windows-10:win10-22h2-pro:19045.3448.230831"
buntu="Canonical:0001-com-ubuntu-pro-jammy:pro-22_04-lts-gen2:22.04.202305160"
echo "Username=${username}"
echo "Password=${pwd}"
echo "RDP to ${vmname}.${location}.cloudapp.azure.com"
az vm show -g $resourcegroup -n $vmname -d -o table
# Set the default command to start the Azure CLI shell
CMD ["az", "interactive"]
CMD prompt user for stuff and write to something?
# list vms and status
RUN az vm list -g $resourcegroup -d -o table
# delete selected vm
RUN az vm delete --force-deletion y -g $resourcegroup -n $vmname --yes --no-wait
RUN az extension add --name vm
# Create a VM
RUN az vm create --name $vmname -g $resourcegroup --image $winurn --public-ip-sku Standard --admin-username $username --admin-password $pwd --os-disk-size-gb $osdisksize --public-ip-address-dns-name $vmname --size $size --nsg $nsg --nic-delete-option delete --os-disk-delete-option delete --no-wait
#customize the VM on creation
RUN az vm run-command invoke --command-id RunPowerShellScript --name $vmname -g $resourcegroup --scripts @windowsconfig.ps1
#diplay the VM information
RUN az vm show -g $resourcegroup -n $vmname -d -o table
Raw
good powershells.txt
# enable nested virtualization
Set-VMProcessor TestVM -ExposeVirtualizationExtensions $true
https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.compute/vm-custom-script-windows
#Install Chocolatey
https://chocolatey.org/install
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
## Good Links
# docker EE
https://docs.microsoft.com/en-us/virtualization/windowscontainers/quick-start/set-up-environment?tabs=Windows-Server#install-docker
https://codebase.cloudaix.com/developer-setup/docker-for-mac-limit-memory-allocation/
##Add user to docker-users group
Add-LocalGroupMember -Group docker-users -member domain\user
Add-LocalGroupMember -Group docker-users -member rctest\desktop
net localgroup docker-users <user> /add
## get folder permissions
get-acl -path c:\programdata\ | format-list
## disable defender real-time
Set-MpPreference -DisableRealtimeMonitoring $true
A list of all programs installed on the nodes - you can use this powershell command to generate a .txt file
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table –AutoSize >Installed-programs.txt
download procdump from sysinternals and generate a dump for vmpcompute.exec
https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
Find PID of vmcompute.exe (not dockerd.exe)
Run: procdump64.exe -mk PID
Please provide windows event viewer logs - I prefer the application logs from event viewer, exported as a .evtx file - but for core versions of Windows you can use this in Powershell:
Get-EventLog -LogName Application -Source Docker | Sort-Object Index | Format-Table Index,TimeWritten,Message | Out-File ~/EventLog_Docker.csv
# Stop all running containers
docker ps --quiet | ForEach-Object {docker stop $_}
# Remove all containers and images
docker system prune --volumes --all
az group list --tag delete --query [].name -o tsv | xargs -otl az group delete --no-wait -n
Raw
jenkinsDocker
Hi, Thanks for your question.
It is possible to use Docker Desktop to run your Jenkins deployment, but it is not the best solution and will not be in line with current best practices for production infrastructure. Docker Desktop is not supported as a production runtime, and is not supported on Server platforms. Best practices say that you should use a Server platform, and the docker EE engine version.
https://docs.docker.com/desktop/windows/troubleshoot/#what-is-not-supported
See here for directions on setting up the Docker engine on Windows or Linux server platforms.
https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/system-requirements
https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-20-04
Once you have either Linux or Windows servers setup, you can configure Jenkins pipelines to use the server remotely -
https://www.jenkins.io/doc/book/pipeline/docker/#using-a-remote-docker-server
https://docs.microsoft.com/en-us/azure/devops/pipelines/release/integrate-jenkins-pipelines-cicd?view=azure-devops&tabs=yaml
If you plan to use Docker Desktop as part of your Jenkins deployment instead of following best practices, you do not need to use a subscription seat.
https://www.docker.com/pricing/faq/
Thanks!
Docker Support
Raw
mixed-docker-compose.yml
version: '3.3'
services:
win16:
image: mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2016
deploy:
endpoint_mode: dnsrr
networks:
- net
win19:
image: mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019
deploy:
endpoint_mode: dnsrr
networks:
- net
lin01:
image: nginx:alpine
deploy:
endpoint_mode: dnsrr
networks:
- net
lin02:
image: redis:latest
deploy:
endpoint_mode: dnsrr
networks:
- net
networks:
net:
Raw
proxies
Mac is supposed to auto-detect system proxies, but you can set them as variables and manually in the GUI
Windows is more complicated
I'll split this answer into two sections, ingress and proxy egress
Ingress: incoming connections to the docker engine
You can configure the engine to only accept secure connections on specific ports, and also enforce TLS policies with certs.
https://docs.docker.com/engine/security/protect-access/
Egress:
You can configure Docker to send docker engine requests through a proxy. Proxy settings will not be propagated into the containers you start. If you wish to set the proxy settings for your containers, you need to define environment variables for them,
Proxy settings are done in the Docker Desktop GUI - under the Resources tab.
https://docs.docker.com/desktop/windows/#resources
You can also configure proxy settings through the daemon.json or through Environment variables.
https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon
https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon#proxy-configuration
Raw
quicknotes
# Set progress preference to silent
$ProgressPreference = 'SilentlyContinue'
$dockerComposePath = "C:\Program Files\Docker\cli-plugins\"
Set-Location -Path = "C:\Program Files\Docker\cli-plugins"
FOR /L %i IN (1,1,35) DO docker run -d mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019 sh -c "ping host.docker.internal"
FOR /L %i IN (1,1,65) DO docker run -d docker pull cimg/android:2024.04.1-node sh -c "ping host.docker.internal"
# Define paths
$dockerComposePath = "C:\Program Files\Docker\cli-plugins\docker-compose.exe"
$dockerComposeOldPath = "C:\Program Files\Docker\cli-plugins\docker-compose.old"
$downloadUrl = "https://github.com/docker/compose/releases/download/v2.22.0/docker-compose-windows-x86_64.exe"
https://github.com/docker/compose-desktop/releases/download/v2.22.0-desktop.2/docker-compose-windows-x86_64.exe
# Rename the existing docker-compose.exe to docker-compose.old
if (Test-Path $dockerComposePath) {
Rename-Item -Path $dockerComposePath -NewName $dockerComposeOldPath -Force
}
# Download the new docker-compose.exe
Invoke-WebRequest -Uri $downloadUrl -OutFile $dockerComposePath
# Restore progress preference
$ProgressPreference = 'Continue'
$Env:<variable-name> = "<new-value>"
## stop and rm all containers
docker rm $(docker ps -a -q)
https://docker.slack.com/archives/C0W4XJVFW/p1611755648205800?thread_ts=1611746566.196800&cid=C0W4XJVFW
https://docker.slack.com/archives/C0326G3P08M/p1670597619711999
docker context create --docker host=ssh://[email protected] \
--description="Remote engine" \
my-remote-engine
Hi Juan, thanks for working with us to investigate the problem.
We were able to analyze the diagnostics you shared, but we are still unable to find a root cause. We can see in the logs that any attempt by the Docker runtime to read or access a file inside the "C:\ProgramData\DockerDesktop" folder, it results in an UnauthorizedAccessException error.
How are you deploying the registry.json file? Are you copying it to the user's local machine using SCCM, or are you having the Docker Desktop installer create it using the `--allowed-orgs` flag?
https://docs.docker.com/docker-hub/configure-sign-in/
We are unable to recreate the error in our lab - but our domain is using default security policies and no specific GPO's are applied.
Please provide the output of these two powershell commands
Get-Acl -verbose -Path C:\programdata\DockerDesktop\ | Format-List
Get-Acl -verbose -Path C:\programdata\DockerDesktop\registry.json | Format-List
Make sure the local Users group has the correct permissions set on the DockerDesktop folder:
Specifically the BUILTIN\USER permissions for the C:\ProgramData\DockerDesktop folder should be "Read and Execute, List Folder Contents, Read"
The BUILTIN\USER permissions for the C:\ProgramData\DockerDesktop.registry.json file should be "Read and Execute, Read"
Please let us know if you have any questions, or if you need any details. We have seen this issue in the past caused by SCCM security policies, but we would be glad to help troubleshoot to make sure Docker Desktop is working properly.
Thanks!
Docker Support
stop and unregister docker-desktop-data delete files
wsl --unregister docker-desktop-data
wsl -d docker-desktop-data -e /wsl-keepalive
ls \\wsl$\docker-desktop-data
C:\Users\dave\AppData\local\Docker\wsl\data
Hi , thanks for reaching out to us.
We'll need a few more details to troubleshoot this for you, please send us a diagnostics ID at your convenience. Screenshots may be helpful too.
You mentioned that Docker Desktop can't start, so here are the instructions for gathering the diagnostic data from the CLI.
https://docs.docker.com/desktop/windows/troubleshoot/#diagnosing-from-the-terminal
https://docs.docker.com/desktop/mac/troubleshoot/#diagnosing-from-the-terminal
Thanks!
Docker
Hi, thanks for reaching out to us.
You've submitted your request to the Docker Hub support page, but it looks like you have questions on Docker Desktop.
For Docker Desktop support, please resubmit your ticket to the Docker Desktop support page along with a diagnostic ID for us to analyze.
https://hub.docker.com/support/desktop/
You can find instructions on how to create the diagnostics bundle from the command line here:
https://docs.docker.com/desktop/windows/troubleshoot/#diagnosing-from-the-terminal
https://docs.docker.com/desktop/mac/troubleshoot/#diagnosing-from-the-terminal
Thanks!
Docker
https://docs.docker.com/desktop/windows/troubleshoot/#running-docker-desktop-in-nested-virtualization-scenarios
https://docs.docker.com/desktop/windows/troubleshoot/#in-app-diagnostics
PAT
85fef730-e774-4f5e-ba02-c68f7a0c4acd
https://docs.docker.com/desktop/windows/troubleshoot/#diagnosing-from-the-terminal
Please download and install the update to the latest release, and then restart your machine.
Please note that there are two installers, based on your system.
https://docs.docker.com/desktop/mac/install/
If your problems persist - please submit a new diagnostics ID for us to analyze.
https://docs.docker.com/desktop/mac/troubleshoot/#diagnosing-from-the-terminal
Hi, thanks for reaching out to us.
We can only provide support for recent releases of Docker Desktop, your version is V.v.V and the most recent version is V.v.V
https://docs.docker.com/support/#what-docker-desktop-versions-are-supported
Please download and install the update to the latest release, and then restart your machine. Please note that there are two installers, based on your system.
https://docs.docker.com/desktop/mac/install/
If your problems persist after upgrading - please submit a new diagnostics ID for us to analyze.
https://docs.docker.com/desktop/mac/troubleshoot/#diagnosing-from-the-terminal
Please reboot your machine, then download and install the most recent release.
https://docs.docker.com/desktop/windows/install/
If your problems persist after upgrading, you can find instructions on how to create a fresh diagnostics bundle here:
https://docs.docker.com/desktop/windows/troubleshoot/#diagnosing-from-the-terminal
Thanks!
Docker Support
Hi Eric, thanks for reaching out to us.
You're installing an older version of Docker Desktop, and the prerequisites may not be configured correctly.
First, check the status of WSL by using the wsl --status command
If WSL is not installed, then you'll need to set it up by following these steps. You can use any distro you like instead of ubuntu
Open up a CMD prompt as admin
wsl --install -d ubuntu
wsl --update
#restart
shutdown /r /t 0
Please reboot your machine, then download and install the most recent release.
https://docs.docker.com/desktop/windows/install/
If there are problems with the fresh installer, you can find instructions on how to create the diagnostics bundle from the command line here:
https://docs.docker.com/desktop/windows/troubleshoot/#diagnosing-from-the-terminal
Thanks!
Docker Support
Hi Peter, thanks for your questions.
Please see here for microsoft's documentation on securing the windows container engine with certificates. It also has a section on the edits you'll need to make to the Windows daemon.json
https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/container-security
https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon?source=recommendations#configure-docker-with-a-configuration-file
We'll go ahead and close this ticket out now since your issues don't seem to be related to Docker Desktop. Feel free to open a new ticket along with a diagnostics ID if you have any Docker Desktop issues or questions.
https://docs.docker.com/support/#what-is-not-supported
Thanks!
Docker Support
At this point, the diagnostics are expired on our side, and we have included some fixes in the latest release that should help to resolve this for you.
Can you download and run the installer for the latest version, 4.71 - and then reboot your machine?
Hi, thanks for reaching out to us. Currently there is no directly supported way to run Linux containers on Windows Server platforms.
Hi, thanks for reaching out to us.
Docker Desktop is not supported on any Server platform, and support for Docker Desktop on Server platforms is explicitly exluded in our support policy. Please see our system requirements and our support policy page for more details.
https://docs.docker.com/desktop/windows/install/#system-requirements
https://docs.docker.com/desktop/windows/troubleshoot/#what-is-not-supported
The docker runtime itself is actually licensed as part of Windows Server, so you do have the ability use the engine only version on your servers. See here for directions on setting up the Docker engine on Windows server platforms.
https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/system-requirements
Thanks!
Docker
We do have a bit of information that may help in our troubleshooting FAQ's - but due to the limitations of nested virtualization and networking, we're not able to provide direct support.
https://docs.docker.com/desktop/windows/troubleshoot/#running-docker-desktop-in-nested-virtualization-scenarios
If your Windows server is capable of running Hyper-V, then you can run a Linux VM inside Hyper-V - and then run your linux containers from your preferred distribution.
See here for directions on setting up the Docker engine on Windows or Linux server platforms.
https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/system-requirements
https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-20-04
## complete docker unininstall
full uninstall and cleanup of all docker system files
-- Uninstall Docker Desktop through Windows > Programs and Features
-- Shutdown WSL
wsl --shutdown
-- Delete the below files (note that the below commands are destructive, meaning it will delete all your images, volumes, and any Docker related files on your system)
Remove-Item -Recurse C:\ProgramData\Docker
Remove-Item -Recurse C:\ProgramData\DockerDesktop
Remove-Item -Recurse C:\Program Files\Docker
Remove-Item -Recurse C:\Users\<your user name>\.docker
Remove-Item -Recurse C:\Users\<your user name>\AppData\Local\Docker
Remove-Item -Recurse C:\Users\<your user name>\AppData\Roaming\Docker
Remove-Item -Recurse C:\Users\<your user name>\AppData\Roaming\Docker Desktop
Remove-Item C:\ProgramData\Docker
Remove-Item C:\ProgramData\DockerDesktop
Remove-Item C:\Program Files\Docker
Remove-Item C:\Users\azureuser.rctest\.docker
Remove-Item C:\Users\azureuser.rctest\AppData\Local\Docker
Remove-Item C:\Users\azureuser.rctest\AppData\Roaming\Docker
Remove-Item C:\Users\azureuser.rctest\AppData\Roaming\Docker Desktop
-- Reinstall Docker Desktop
https://docs.docker.com/desktop/release-notes/
windows version doesnt support teh newer wsl backend:
windows build version 19041 is almost out of service, need to run Windows updates
https://learn.microsoft.com/en-us/windows/release-health/supported-versions-windows-client
after windows updates, run wsl --update
https://docs.docker.com/desktop/install/windows-install/#wsl-2-backend
requirements are not enabled, need to enable containers
Enable-WindowsOptionalFeature -online -FeatureName containers
docker run -it -v ${HOME}/.ssh:/root/.ssh mcr.microsoft.com/azure-cli
$ProgressPreference = 'SilentlyContinue'
# create temp working directory
New-Item -ItemType Directory -Force -Path C:\dockerconfig
Set-Location -Path c:\dockerconfig
Invoke-WebRequest -UseBasicParsing -Uri "https://desktop-stage.docker.com/win/main/amd64/148260/DockerDesktop.msi" -OutFile "DockerDesktop.msi"
https://desktop-stage.docker.com/win/main/amd64/148260/DockerDesktop.msi
Invoke-WebRequest -UseBasicParsing -Uri "https://desktop-stage.docker.com/win/main/amd64/148260/Docker%20Desktop%20Installer.exe" -OutFile "DockerDesktopInstaller.exe"
If the mayoclinicplatform Org is removed from the mayoclinicenterprise/mayoclinicorg structure,
and the mayoclinicenterprise SSO setup is set to Enforce SCIM,
how would this affect non-SSO @mayo.edu user sign-ins to that disconnected mayoclinicplatform Org?
https://desktop-stage.docker.com/win/main/amd64/appcast.xml
https://desktop-stage.docker.com/win/main/amd64/appcast.xml
https://desktop-stage.docker.com/mac/main/amd64/appcast.xml
https://desktop-stage.docker.com/mac/main/arm64/appcast.xml
https://desktop.com/mac/main/arm64/appcast.xml
https://desktop.docker.com/linux/main/amd64/appcast.xml
https://desktop.docker.com/linux/main/arm64/appcast.xml
https://download.docker.com/linux/rhel/9/
We've identified that the issue arises because the Docker installation process is being run under a system account. This causes Docker to misidentify the user's home directory, defaulting to C:\WINDOWS\system32\config\systemprofile instead of the correct path, C:\Users\<username>\.
We identified that You are already using the local Windows docker-users group, and we saw that running the installer as a logged in user was successful.
The problem appears to be in the installation tool, which uses a Windows system account. When Docker starts, the user files are pointed is the system accounts env profile and attempts to write user-specific configurations to the system directory. This results in the errors you're seeing, as it tries to place files in protected system directories.
To work around this, you should ensure that Docker is installed using a local or domain user account, not a system account. If your installation tool requires elevated permissions, try configuring it to temporarily elevate the user's permissions or run as an account with administrative privileges.
To be clear, the Windows requirements for Docker Destkop like Hyper-V and containers can be installed under a system account, but Docker Destkop itself must be installed using a Windows user account.
Here's an example I use in my own powershell scripts in my labs I install the windows requirements, and then set the run-once registry key for the next time the user logs in. You could use a scheduled task set to run under an admin account at startup once.
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
set-itemproperty $RunOnceKey "NextRun" ('C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe -executionPolicy Unrestricted -File ' + "C:\dockerconfig\windowssetup.ps1")
You could possiby try to set environment variables such as $HOME $env:Profile and %APPDATA% pointed to user directories during the installation, but I have not tested this myself.
By addressing these points, Docker should correctly identify and use the user's home directory, preventing it from attempting to write configurations to the system directory. We are going to release an updated .msi version of the Docker Desktop installer soon, I'll check to see if it covers this situation.
If you need further assistance or run into additional issues, please let us know, and we'll continue to help you resolve them.
Problem statment
FRB :
_problems_
Ongoing: GUI flickering issue:
https://docker.atlassian.net/browse/SEG-510
https://docker.atlassian.net/browse/DACC-438
In validation: Compose file crashes
https://docker.atlassian.net/browse/SEG-486
https://docker.atlassian.net/browse/CSESC-153
Upcoming: Install issues
no tickets yet, but several users encountered issues with windows permissions on installation, and windows env variable inconsistencies. customer will enter tickets as needed
_resolution_
GUI flicker issue continues - engineering is engaged and actively working to fix
Container crash issue looks to be resolved by Docker-Compose update. Customer is testing their app but running into connectivity issues within their app. The end user is not convinced that Docker is working, the other users opinion is that DD is working now and are working to validate.
Install issues are ongoing and we are working to resolve as they appear.
_current state_
Weekly check-in calls are still on schedule - engineering is involved and working to fix the GUI flickering issues
trying to schedule time with their IT to work with them on installation packages but not having luck, they are struggling with our documentation
users are validating the compose file issues - all users but Anita agree the original issue is resolved and that connectivity issues are caused by internal security blockers.
-MSFT Azure team
End users will be registering an application that requires SSO and will need a non production, test infrastructure to provide the SSO authentication.
The infrastructure creation and destruction should be as automated as possible - but allow users full control to customize.
Initially this will be dedicated to creating infrastructure to support SSO based applications, but it would be nice to have an option in the future for VDI based environments as well.
- Following the theory of least permissions, please advise on specific RBAC configurations and account level setup.
- Specifically if this should be created as a new Azure tenant, or if it should be integrated into our existing Azure tenant as a new subscription.
- please evaluate our requirements and provide recommendations on how to move forward with building infrastructure. This is not a production environment, and would not need production level performance or disaster recovery.
Custom Domains:
- Users will need to be able to create, manage and delete custom domains.
- Is Domain Name administrator the correct Role for all users to have? what is the least permissive role for users to have full control of custom domains?
- Entra Domain Services don't look like the best option here
Ldap and DNS records:
- Users will need to be able to create and manage Active Directory users and groups in relation to the Custom Domains
- DNS records for domains will also need to be included as part of the SSO system requirements. Will this need to be done as a DNS server at an active directory level, or is this automated as part of the custom domain creation process?
App Registrations:
- Users will need the minimum rights required to be able to create and register Enterprise Applications within the account.
Optional:
- eventually we might consider moving our devcenter infrastructure to this environment as well as our azure resource groups. would this affect anything in planning for the initial project?
Raw
simple-healthcheck.yml
version: "3.7"
services:
lin01:
image: nginx
deploy:
endpoint_mode: vip
networks:
- net4
volumes:
- ./ping_logs:/usr/src/app/logs # Bind mount local directory to store logs
command: >
/bin/sh -c '
apk add --no-cache iputils && # Install ping in the container
LOG_DIR="/usr/src/app/logs";
LOG_FILE_PREFIX="ping_output";
MAX_SIZE=2000000;
COUNTER=1;
HOST="your-host-to-ping"; # Replace with the host you want to ping
# Ensure the log directory exists
mkdir -p "$LOG_DIR";
while true; do
CURRENT_LOG="${LOG_DIR}/${LOG_FILE_PREFIX}_${COUNTER}.txt";
# Rotate log file if it exceeds 2MB
if [ -f "$CURRENT_LOG" ] && [ $(stat -c%s "$CURRENT_LOG") -ge $MAX_SIZE ]; then
COUNTER=$((COUNTER + 1));
CURRENT_LOG="${LOG_DIR}/${LOG_FILE_PREFIX}_${COUNTER}.txt";
fi;
# Ping the host and append the output to the current log file
ping -c 1 "$HOST" >> "$CURRENT_LOG";
# Sleep for 1 second between pings (adjust as needed)
sleep 1;
done
'
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost"]
interval: 1m30s
timeout: 10s
retries: 3
start_period: 40s
networks:
net4:
Raw
squidward.txt
https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
## update server
sudo apt-get update && sudo apt-get dist-upgrade && sudo apt-get autoremove && sudo apt-get autoclean
## install msktutil
sudo apt-get install msktutil
## krb5.conf
sudo nano /etc/krb5.conf
[libdefaults]
default_realm = jbiv.local
dns_lookup_kdc = yes
dns_lookup_realm = no
default_keytab_name = /etc/krb5.keytab
; for Windows 2003
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;
; for MIT/Heimdal kdc no need to restrict encryption type
[realms]
jbiv.local = {
kdc = adcoreserv.jbiv.local
admin_server = adcoreserv.eastus2.cloudapp.azure.com
}
[domain_realm]
.linux.home = WIN2003R2.HOME
.win2003r2.home = WIN2003R2.HOME
win2003r2.home = WIN2003R2.HOME
[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
Raw
ticket_notes.md
Raw
vmconfig.ps1
# make sure wsl is up to date
wsl --install -d ubuntu --no-launch
# install nice things to have like choco and sysinternals
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
choco feature enable -n allowGlobalConfirmation
choco install psql
choco install rsat -params '"/AD /DNS"'
choco install firefox
choco install chromium
choco install vscode
choco install visualstudio2019professional
choco install git
choco install sysinternals
choco install wireshark
# scheduled task to config on reboot
$User= "NT AUTHORITY\SYSTEM"
# The name of your scheduled task.
$taskName = "vmconfig"
# Describe the scheduled task.
Stop-ScheduledTask -TaskName $TaskName
Unregister-ScheduledTask -Taskname $TaskName -Confirm:$false
#Restart-Computer -Force
Raw
Windows_Container_GPO_stub.md

Windows container mode startup failure

Can't switch to Windows container mode

Here is the specific error message we get from Hyper-V and Docker Desktop when it fails to start. The gui app logs are also showing that the child processes ended unexpectedly.

The Hyper-V Virtual Machine Management service encountered an unexpected error: Logon failure: the user has not been granted the requested logon type at this computer

There are GPO policies that prevent the local system user from being able to access Hyper-V. This could be intentional, or unintentional.

Please see Microsoft's troubleshooting guide on the error for details on how to resolve it. https://docs.microsoft.com/en-us/troubleshoot/windows-server/virtualization/starting-or-live-migrating-hyper-v-vms-fails#symptoms

Desktop fails to start - access denied on imagedb folder

C:\ProgramData is a protected folder in Windows and has special permission sets. Docker in Hyper-V or WSL Linux mode writes and stores data in C:\ProgramData\DockerDesktop and we set special file permissions on this folder at install (will probably change soon) In Windows container mode it writes to C:\ProgramData\Docker and we don't set special permissions for this

If the user is blocked by security policy from editing files in C:\ProgramData\Docker - then Windows container mode will fail to start because it can't create or edit anything in the root directory.

Best practices say that the GPO will need to be adjusted. But you can also edit the specific user or the local docker-users group and grant read/write and more specifically edit access to the C:\ProgramData\Docker folder

[2022-05-04T05:22:26.937857400Z][WindowsContainersController][Warning] C:\ProgramData\Docker\image\windowsfilter\imagedb: Attempted to perform an unauthorized operation. 
[2022-05-04T05:22:26.937857400Z][WindowsContainersController][Warning] C:\ProgramData\Docker\image\windowsfilter\imagedb: Access to the path 'C:\ProgramData\Docker\image\windowsfilter\imagedb' is denied. 
[2022-05-04T05:22:26.937857400Z][WindowsContainersController][Warning] C:\ProgramData\Docker\image\windowsfilter\imagedb: Access to the path 'C:\ProgramData\Docker\image\windowsfilter\imagedb' is denied. 
[2022-05-04T05:22:26.937857400Z][WindowsContainersController][Warning] C:\ProgramData\Docker\network: Attempted to perform an unauthorized operation. 
[2022-05-04T05:22:26.937857400Z][WindowsContainersController][Warning] C:\ProgramData\Docker\network: Access to the path 'C:\ProgramData\Docker\network' is denied. 
[2022-05-04T05:22:26.937857400Z][WindowsContainersController][Warning] C:\ProgramData\Docker\network: Access to the path 'C:\ProgramData\Docker\network' is denied. 
[2022-05-04T05:22:26.937857400Z][WindowsContainersController][Warning] C:\ProgramData\Docker\tmp: Attempted to perform an unauthorized operation. 
[2022-05-04T05:22:26.937857400Z][WindowsContainersController][Warning] C:\ProgramData\Docker\tmp: Access to the path 'C:\ProgramData\Docker\tmp' is denied. 
[2022-05-04T05:22:26.937857400Z][WindowsContainersController][Warning] C:\ProgramData\Docker\tmp: Access to the path 'C:\ProgramData\Docker\tmp' is denied.
Raw
winstartup.ps1
# create temp working directory
New-Item -ItemType Directory -Force -Path C:\dockerconfig
Set-Location -Path c:\dockerconfig
$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -UseBasicParsing -Uri "https://desktop-stage.docker.com/win/main/amd64/161083/Docker%20Desktop%20Installer.exe" -OutFile "Docker Desktop Installer.exe"
Get-ItemProperty 'HKCU:\Control Panel\Mouse' | Select SwapMouseButtons
Set-ItemProperty 'HKCU:\Control Panel\Mouse' -Name SwapMouseButtons -Value 1
# enable ssh
# enable system requirements
# hyper-v
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart
# containers:
Enable-WindowsOptionalFeature -online -FeatureName containers -NoRestart
#virtual machine platform
Enable-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform -All -NoRestart
# reboot
Restart-Computer -Force
Raw
x509.md

Quick Description of the error or problem:

Cant pull from private registry, daemon returns x509 error

Error response from daemon: Get "https://YOURREGISTRYURL/v2/": x509: certificate signed by unknown

Description of the issue:

cert is not recognized by windows, needs to be installed to trusted root

Solution or Workaround

download the ca.crt file curl -k https://YOURREGISTRYURL/ca.crt invoke-webrequest -usebasicparsing -url blah -outfile ca.crt

install it to Windows Certificate Store run certmgr.msc and import the cert to trusted root or right click the ca.crt file and choose Install. I like to run it twice and add to the local machine and to the user

run docker logout command, then reboot

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment