I've got a Docker swarm hosted on Windows Server 2022. I've created a credential spec file since I need the service to use a gMSA. I've also defined a compose file to launch my service:
version: '3.8'
services:
  agent:
    image: privaterepo.local/devops-agent-win-generic:latest
    hostname: '${AZPOOL}_Generic-{{.Task.Slot}}'
    user: "NT AUTHORITY\\NETWORK SERVICE"
    security_opt:
      - "credentialspec=file://domain_devopsagent.json"
    environment:
      AZP_URL: ${AZURL}
      AZP_POOL: ${AZPOOL}
      AZP_TOKEN: ${AZTOKEN}
      AZP_ONCE: ${AZONCE:-false}
      AZP_REMOVE: ${AZREMOVE:-true}
    deploy:
      replicas: 2
      placement:
        constraints: [node.platform.os == windows]
This starts the containers fine (no errors), and the containers seem to operate as NETWORK SERVICE, as expected; however, they do not have access to the network shares as expected.
If I run the container manually then the container DOES have access to the network shares.
docker run --rm -it --user "NT AUTHORITY\NETWORK SERVICE" --security-opt "credentialspec=file://domain_devopsagent.json" privaterepo/devops-agent-win-generic:latest
This leads me to believe there's an issue in either the compose definition or in how the Docker Swarm handles the compose definition.
I've also tried using the credentialspec=raw://<json> version: the container launched fine, but as before it couldn't access the network shares.
Any idea what's wrong?
I've clearly missed a critical part of the documentation on the compose file structures (specifically this part).
The final definition should look like:
Prior to launching the above, the credspec config needs to be created in the swarm via docker config create (it should contain the original credspec file JSON).
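As an added example, not the original poster's or answerer's file, here is a complete stack file in the compose v3.8 form the answer refers to: the credential spec is delivered through a swarm config referenced by credential_spec: config: rather than through security_opt, which docker stack deploy ignores (that is why the docker run test worked while the stack did not). The config name credspec, the JSON file name and the service definition are taken from the thread; the stack name devops-agents and the use of external: true (config created by hand, as the answer says) are assumptions.

```yaml
# Added example (not from the original question or answer).
#
# One-time setup and deployment, run in PowerShell on a manager node:
#   docker config create credspec .\domain_devopsagent.json
#   docker stack deploy -c .\docker-compose.yml devops-agents
#
# Check that the spec actually reached the service definition
# (an empty/null result means the spec was silently dropped, as with security_opt):
#   docker service inspect devops-agents_agent `
#     --format '{{json .Spec.TaskTemplate.ContainerSpec.Privileges.CredentialSpec}}'
version: '3.8'
services:
  agent:
    image: privaterepo.local/devops-agent-win-generic:latest
    hostname: '${AZPOOL}_Generic-{{.Task.Slot}}'
    user: "NT AUTHORITY\\NETWORK SERVICE"
    # Swarm-aware replacement for
    #   security_opt: ["credentialspec=file://domain_devopsagent.json"]
    # which "docker stack deploy" does not apply.
    credential_spec:
      config: credspec
    environment:
      AZP_URL: ${AZURL}
      AZP_POOL: ${AZPOOL}
      AZP_TOKEN: ${AZTOKEN}
      AZP_ONCE: ${AZONCE:-false}
      AZP_REMOVE: ${AZREMOVE:-true}
    deploy:
      replicas: 2
      placement:
        constraints: [node.platform.os == windows]

configs:
  credspec:
    # Created beforehand with "docker config create credspec domain_devopsagent.json".
    # Alternative: "file: ./domain_devopsagent.json" lets "docker stack deploy"
    # create the config from the file next to the compose file.
    external: true
```

Two practical notes: the credential spec JSON only names the domain and gMSA, so a config (not a secret) is the right object for it, but the share access still depends on every Windows node being domain-joined with the gMSA installed and permitted to retrieve its password; and inside the container the process still shows as NETWORK SERVICE, while outbound network authentication is done as the gMSA, which is what the share ACLs need to grant.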