How to use Logmon when running as ContainerUser

[profnandaa]

Discussed in #142

^{Originally posted by rigdal May 15, 2023}
Running apps in containers as a non-root user is standard with containers nowadays.

I am new to Windows containers, but it appears that I should leverage USER ContainerUser in my Dockerfile for running as non-root.

However, I cannot seem to start Logmon or maybe there is a better spot to have my USER layer in my Dockerfile. Here is the output I get upon startup.

_npc-oes-webapp  | [2023-05-15T16:48:49.000Z][LOGMONITOR] ERROR: Failed to start ETW trace. Error: 5
npc-oes-webapp  | [2023-05-15T16:48:49.000Z][LOGMONITOR] ERROR: Failed to start ETW trace session. Error: 5
npc-oes-webapp  | [2023-05-15T16:48:49.000Z][LOGMONITOR] ERROR: Failed to start ETW monitor. Error: 5
npc-oes-webapp  | 
npc-oes-webapp  | ERROR: Failed to stop or query status of service 'w3svc' error [80070005]
npc-oes-webapp  | [2023-05-15T16:48:49.000Z][LOGMONITOR] ERROR: Failed to open log directory handle. Directory: \\?\c:\inetpub\logs Error=5
npc-oes-webapp  | [2023-05-15T16:48:49.000Z][LOGMONITOR] ERROR: Failed to start log file monitor. Log files in a directory \\?\c:\inetpub\logs will not be monitored. Error: 5
npc-oes-webapp  | [2023-05-15T16:48:49.000Z][LOGMONITOR] INFO: Entrypoint processs exit code: -2147024891
npc-oes-webapp  | [2023-05-15T16:48:49.000Z][LOGMONITOR] WARNING: The given session is not running. Error: 4201
npc-oes-webapp  | [2023-05-15T16:48:49.000Z][LOGMONITOR] ERROR: Failed to wait for log file monitor to stop. Log directory: \\?\c:\inetpub\logs Error: 2147942406_

[rigdal]

Sample of the Dockerfile used when receiving this.

FROM mcr.microsoft.com/dotnet/framework/sdk:4.8 AS build
WORKDIR /app

# copy csproj and restore as distinct layers
COPY *.sln .

#copy over our custom DLLs
COPY dlls/* ./dlls/

# copy csproj and restore as distinct layers
COPY OES_WebApp/*.csproj ./OES_WebApp/
COPY OES_WebApp/*.config ./OES_WebApp/
RUN nuget restore

# copy everything else and build app
COPY OES_WebApp/. ./OES_WebApp/
#RUN msbuild /p:Configuration=Release,RestorePackagesConfig=true -r:False -t:restore,build
RUN msbuild -t:build -p:RestorePackagesConfig=true

# Use a smaller image as base for runtime 
FROM mcr.microsoft.com/dotnet/framework/aspnet:4.8 AS runtime

# Set the shell to PowerShell
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; Set-ExecutionPolicy Unrestricted -Force;"]

# Disable IIS auto start
RUN ["cmd", "/S", "/C", "sc", "config", "w3svc", "start=demand"]

# Update IIS config
# c:/windows/system32/inetsrv/appcmd.exe set config -section:system.applicationHost/sites /[name='Default Web Site'].logFile.logTargetW3C:File,ETW /commit:apphost ; 
# c:/windows/system32/inetsrv/appcmd.exe set config -section:system.applicationHost/sites /\"[name='Default Web Site'].logFile.logTargetW3C:\"File,ETW\"\" /commit:apphost ;
RUN \
    # Enable ETW logging for Default Web Site on IIS    
    c:/windows/system32/inetsrv/appcmd.exe set config -section:system.applicationHost/sites /\"[name='Default Web Site'].logFile.logTargetW3C:\"File,ETW\"\" /commit:apphost ;

# swap to unprivilaged - unable to use with Logmon? Errors when using ContainerUser
# USER ContainerUser

# Add Logmon to the image to export various sources to STDOUT - see LogMonConfig for details
COPY logmon/LogMonitor.exe logmon/LogMonitorConfig.json c:/LogMonitor/

# Pull in our built application from the 'build' base
WORKDIR /inetpub/wwwroot
COPY --from=build /app/OES_WebApp/. ./ 

# Start IIS Remote Management and monitor IIS
ENTRYPOINT ["C:\\LogMonitor\\LogMonitor.exe", "C:\\ServiceMonitor.exe", "w3svc"]

# TODO - need to start IIS after config and wrapping with logmon

EXPOSE 80

[bevinsunth]

We are having the same issue on AKS. The image is failing to start at the entry point with the below error.

INFO: Entrypoint processs exit code: 0
[LOGMONITOR] ERROR: Failed to wait for log file monitor to stop

Etrypoint we have in docker file:
ENTRYPOINT ["C:\\LogMonitor\\LogMonitor.exe", "dotnet.exe", "Application.dll"]

Below are the AKS details
v1.27.1 Windows Server 2019 Datacenter 10.0.17763.4974 containerd://1.6.21+azure

Any update on this issue?

[oobug]

The non-privileged user can be given access to ETW logs by adding the user to the "Performance Log Users" group. To deal with the Failed to stop or query status of service 'w3svc' error, set permissions on the w3svc service.

FROM mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-ltsc2022
SHELL [ "powershell", "-NoProfile", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue'; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Tls12'; " ]

# Add ContainerUser to Performance Log Users group to allow LogMonitor to access ETW logs
RUN Add-LocalGroupMember -Group 'Performance Log Users' -Member 'User Manager\ContainerUser'`

# Allow ContainerUser to start/stop/restart/read status of the IIS Windows Service
# (S-1-5-93-2-2 is user "User Manager\ContainerUser" in this container image)
RUN cmd.exe /C "sc.exe sdset w3svc 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)    (A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPDTLO;;;S-1-5-93-2-2)'"

Some of this information was originally sourced from the following links:

• https://stackoverflow.com/a/67502244/144713
• https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/