Docker container running gMSA whilst having admin permissions

Shaamaan

11/1/23, 7:37 PM

I'm trying to set up a Docker container for our DevOps pipelines. I've... almost got it all.

Right now I've got a Windows-based container which:

has pre-installed SDKs, Java and the like
can manipulate (start, stop, build) docker containers
can access our network shares

The problem is that I can't get points 2) and 3) to be available simultaneously. To enable 3) I've had to prepare a group managed service account and the docker container needs to run as the NT AUTHORITY\NETWORK SERVICE. However, when the container IS running as NT AUTHORITY\NETWORK SERVICE it seems to lose access to the Docker pipeline.

Any idea how I can get both these things to work at the same time?

1 + 2

active-directory

docker

windows-server-2022

Semicolon

11/2/23, 10:32 PM

Normally, if a process running under the Network Service accesses a file share, it does so in the context of the "computer" account. If this is network service in a container , I'm not sure what context it runs under when it comes out of the container host. Have you checked the security logs to see which access was attempted, and then adjusted the ACL of the share accordingly?

Shaamaan

11/2/23, 10:50 PM

@Semicolon gSMA was set up and a credential spec file is provided to get share access (see https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/gmsa-run-container). But, AFAIK, NETWORK SERVICE has to be used to get gSMA to work -> in turn prevents docker pipe access...

Score:1

Server

Shaamaan

11/3/23, 8:05 AM

Apparently NT AUTHORITY\NETWORK SERVICE isn't the only account that will work with gMSA - it can be another NT AUTHORITY account, such as NT AUTHORITY\SYSTEM (which does have permission to handle docker containers).

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Docker container running gMSA whilst having admin permissions

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.