Microsoft is a very large company, and there is never going to be a single statement which encapsulates the exact direction that every division in the company is moving. The leaders of the company try to point in a wise direction, and they hope like hell that the organization sees their wisdom and starts to move toward that direction.
One of those big directional statements was Microsoft throwing its support behind Docker. MS runs a very large cloud provider in Azure, and looking over the statistics they have (and, I would assume, internal feedback), they most likely are seeing a large shift towards the use of Docker within their systems. It would only be reasonable to think that they should provide a platform that will support the systems their customers are using.
But, what are the challenges that they face with Docker …
- Docker Containers are not Domain Joined
Microsoft’s security methodology for many years has been based around Kerberos/AD and domain credentials. In order to provide least privilege access for your applications, you create an AD account for that application and then you set up permissions for that account based upon its needs. Those credentials are authenticated against Domain Controllers, and then a Kerberos ticket is passed everywhere to authn/authz the account on all services within the domain (SQL Server, disk access, LDAP).
So, if the Docker instance isn’t domain joined, running an application under a domain account becomes difficult. How do they deal with this?
- Docker Hosts and gMSA accounts
Group Managed Service Accounts (gMSA) are a concept that was introduced into Active Directory prior to Docker. The idea behind the accounts is that they would be more locked down/secure than a normal AD user account. These accounts would be registered within AD to only be usable on a particular set of machines within the domain, and the accounts would need to be pre-registered on those machines before they could be used.
Microsoft architects looked at this and thought, if we already have these accounts registered on the Docker Host machine and the Docker container can interact with the Host machine, maybe we can find a way to slide the authenticated Kerberos credentials into the Docker Container for use?
Which they did. But there are a number of ‘gotchas’ along the way to make gMSA accounts work with Containers:
- Container hostname must match the gMSA name for Windows Server 2016 and Windows 10, versions 1709 and 1803
- You can't use gMSAs with Hyper-V isolated containers on Windows 10 versions 1703, 1709, and 1803
- Container initialization will hang or fail when you try to use a gMSA with a Hyper-V isolated container on Windows 10 and Windows Server versions 1703, 1709, and 1803.
- Using a gMSA with more than one container simultaneously leads to intermittent failures on Windows Server 2016 and Windows 10, version 1709 and 1803.
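The end-to-end procedure the two sections above describe (scope a gMSA to a set of hosts, register it on the Docker host, then hand the credentials to the container) looks like this in practice. This is an added example, not code from the original post or from Microsoft; the gMSA name `WebApp01`, the domain `corp.example.com`, the host group `ContainerHosts` and the image tag are assumptions, and it assumes a KDS root key already exists in the forest and that the `CredentialSpec.psm1` module from Microsoft's Virtualization-Documentation repository is present on the host. The `--hostname` and `--isolation process` flags are there specifically to sidestep the gotchas listed above.

```powershell
# Added example (not from the original post). Names are assumptions.
# Steps 1 runs where the ActiveDirectory module is available; steps 2-5 run
# on the container host in an elevated PowerShell session.

$GmsaName  = 'WebApp01'          # assumed gMSA name (also used as the container hostname)
$DnsDomain = 'corp.example.com'  # assumed AD domain
$HostGroup = 'ContainerHosts'    # assumed AD group containing the Docker hosts

# --- 1. Create the gMSA and scope it to the container hosts ---
# Only members of $HostGroup can retrieve the managed password, which is what
# restricts the account to "a particular set of machines within the domain".
Import-Module ActiveDirectory
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName "$GmsaName.$DnsDomain" `
    -ServicePrincipalNames "host/$GmsaName", "host/$GmsaName.$DnsDomain" `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup

# --- 2. Register the gMSA on the container host ---
# The host must be a member of $HostGroup (reboot after adding it so the
# machine token picks up the group). Install pulls the password into the
# host's LSA; Test confirms the host can actually retrieve it.
Install-ADServiceAccount -Identity $GmsaName
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "Host cannot retrieve the managed password for $GmsaName; check group membership and reboot."
}

# --- 3. Generate the credential spec Docker hands to the container ---
# CredentialSpec.psm1 ships in Microsoft's Virtualization-Documentation repo.
# New-CredentialSpec writes <docker root>\CredentialSpecs\<name>.json and
# docker refers to that file by name.
Import-Module .\CredentialSpec.psm1
New-CredentialSpec -AccountName $GmsaName
$SpecFile = "$GmsaName.json"

# --- 4. Start the container with the gMSA identity ---
# --hostname must equal the gMSA name on Server 2016 / Win10 1709-1803, and
# process isolation avoids the Hyper-V isolation failures on those builds.
docker run -d --name $GmsaName `
    --hostname $GmsaName `
    --isolation process `
    --security-opt "credentialspec=file://$SpecFile" `
    mcr.microsoft.com/windows/servercore:ltsc2016 `
    ping -t localhost

# --- 5. Verify the container can reach a DC as the gMSA ---
# nltest tests the secure channel using the container's "computer" identity,
# which is the gMSA when the credential spec is applied correctly.
docker exec $GmsaName nltest /sc_verify:$DnsDomain
```

If step 5 reports a successful secure channel, any service inside the container running as `NT AUTHORITY\NETWORK SERVICE` or `LocalSystem` presents the gMSA's Kerberos identity to domain resources; the permissions you granted to `WebApp01` in AD are the permissions the container gets.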
So, with all the issues listed above, here’s the Use Case:
Can you use Microsoft SQL Server within a Docker Container?
I think the answer is “I guess … but it feels like the SQL Server team (or the MS Docker Team) is focusing on supporting SQL Server in Linux Containers more than on Windows Containers.”
- Microsoft SQL Server Images for Windows Are Not Being Updated
The last version of MSSQL on Windows Server was built in Feb. 2018 against Windows 10 1709 / Windows Server 2017-GA / Windows Server Core 2017. So, there hasn’t been an update for Windows 10 1803/1809 or Windows Server 2019.
So, why is that? I don’t know the answer, but maybe it’s because there isn’t a lot of usage of SQL Server in Containers due to licensing costs. Or that setting up a SQL Server instance to run under a gMSA account doesn’t necessarily mean it’s going to be able to authenticate Kerberos tickets/SSPI from clients (I never got to a place where I could test this). Or, maybe Azure usage statistics show that people aren’t using MSSQL in Windows Containers.
Either way, I’m not sure the MSSQL Team is really sold on investing their time into that platform. Only they know.
- Microsoft SQL Server Images for Linux are Working Great!
However, they are keeping up to date on the SQL Server for Linux images. Using Linux simplifies things as it breaks out of the constraints of using Kerberos/SSPI for authentication and will only need to support the SQL Login authentication model.
Potentially, that’s a good enough reason on its own to make supporting a container easier for the MSSQL team. But, I wonder if they have statistics from Azure that show the market is strongly preferring this configuration when using containers?
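For contrast with the gMSA path, here is what the SQL Login model on the Linux image amounts to: no domain, no credential spec, just a `sa` password at startup and a dedicated, least-privilege SQL login for the application. This is an added example, not code from the original post or from Microsoft; the container name, database name, login name and the password placeholders are constructed, and it assumes Docker is available from PowerShell and that the `sqlcmd` binary lives at `/opt/mssql-tools/bin/sqlcmd` inside the 2019 image.

```powershell
# Added example (not from the original post). Names and passwords are placeholders.
$Container   = 'sql1'
$SaPassword  = 'Str0ng!Sa-Passw0rd-CHANGE-ME'   # placeholder; must satisfy SQL password policy
$AppPassword = 'Str0ng!App-Passw0rd-CHANGE-ME'  # placeholder
$Sqlcmd      = '/opt/mssql-tools/bin/sqlcmd'

# Start SQL Server 2019 on Linux. ACCEPT_EULA and MSSQL_SA_PASSWORD are the
# only things the image needs; there is no Kerberos/SSPI configuration at all.
docker run -d --name $Container -p 1433:1433 `
    -e 'ACCEPT_EULA=Y' `
    -e "MSSQL_SA_PASSWORD=$SaPassword" `
    mcr.microsoft.com/mssql/server:2019-latest

# The container starts before the engine is ready, so poll with a trivial query.
$ready = $false
for ($i = 0; $i -lt 30 -and -not $ready; $i++) {
    Start-Sleep -Seconds 2
    docker exec $Container $Sqlcmd -S localhost -U sa -P $SaPassword -Q 'SELECT 1' *> $null
    $ready = ($LASTEXITCODE -eq 0)
}
if (-not $ready) { throw "SQL Server in '$Container' did not become ready" }

# Least privilege without AD: the application gets its own SQL login mapped to
# a database user that is only a reader on its own database, instead of
# connecting as sa. CHECK_POLICY=ON enforces the server's password policy.
$setup = @"
CREATE DATABASE AppDb;
GO
CREATE LOGIN appreader WITH PASSWORD = '$AppPassword', CHECK_POLICY = ON;
GO
USE AppDb;
CREATE USER appreader FOR LOGIN appreader;
ALTER ROLE db_datareader ADD MEMBER appreader;
GO
"@
$tmp = [IO.Path]::GetTempFileName()
Set-Content -Path $tmp -Value $setup
docker cp $tmp "${Container}:/tmp/setup.sql"
docker exec $Container $Sqlcmd -S localhost -U sa -P $SaPassword -b -i /tmp/setup.sql
Remove-Item $tmp

# Verify as the application login: it can authenticate and is a db_datareader
# member, and nothing more (IS_MEMBER returns 1 for the reader role only).
docker exec $Container $Sqlcmd -S localhost -U appreader -P $AppPassword -d AppDb `
    -Q "SELECT IS_MEMBER('db_datareader') AS reader, IS_MEMBER('db_owner') AS owner"
```

The two password placeholders are the whole trust model here, which is exactly why the Linux image is easier to support: there is no host registration, no credential spec and no hostname constraint, but it also means the secret handling (how `MSSQL_SA_PASSWORD` and the application password reach the container) is entirely on you rather than on Kerberos.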
So, is SQL Server looking to Dockerize on Windows?
It just doesn’t feel like it.