Prerequisites for adding the Windows Container Build Box to create the Windows containers
Recommended resource requirements
Windows container image
- Though Windows Server 2019 can serve the purpose, Windows Server 2022 is preferred due to its smaller container image size. We strongly recommend using Windows 2022 as the build box.
Resource | CPU | RAM | Disk space |
---|---|---|---|
Requirement | 4 cores / 25% free | 16 GB | >100 GB in C:\ drive |
Tip: The OmniDeq UI has an option to delete the files copied to the C:\ drive once the Docker container is successfully built. You can use this option to make sure that the required space is always available.
Windows container version compatibility
- Container images built on a Windows 2019 build box should be deployed on a Windows 2019 host and a 2019 Kubernetes node.
- Container images built on a Windows 2022 build box should be deployed on a Windows 2022 host and a 2022 Kubernetes node.
- For more information, please refer to Windows container version compatibility.
Windows updates
- It is recommended that the Windows build box is updated with the latest patches available from Microsoft. If you observe failures in the transform process, applying updates should be the first step.
Administrative access on host
- The user account used for authenticating with Windows Build Box from OmniDeq should have Administrator rights.
Docker
- Install the latest Docker Community or Enterprise edition on Windows Server 2019 or 2022.
If Docker is not already installed, refer to Docker's official documentation for installing Docker on Windows.
Base Container Images Availability
The application container images are built using the standard images (e.g. aspnet, wcf) as base. These base images are either fetched from a public/private Docker repository over the internet at run time or taken from the images locally available on the build box. Please ensure one of the following:
- The public/private Docker repository is accessible from the Build Box so the base container image can be downloaded at run time without any authentication.
- Or, if the public/private repository requires authentication, pre-download the base container image on the Build Box before the containerization.
Uploading Docker Containers To Container Repository
If the Docker container images are to be uploaded to a public repository such as ECR or DockerHub, please make sure that internet access is enabled between the Build Box and the container repository.
Uploading to AWS ECR
If you use the AWS ECR registry as the repository, please install AWSPowerShell in Windows PowerShell.
Remote Execution Policy
Set the execution policy to RemoteSigned using the following PowerShell command.
PS> Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
Verify the updated policy as follows.
PS> Get-ExecutionPolicy -List
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser Undefined
LocalMachine RemoteSigned
Configure WinRM for other prerequisites
The following additional prerequisites must also be enabled.
- Enable PSRemoting.
- Set WinRM to run with the following configuration:
  - Basic authentication for server.
  - Port 5986 is open.
OmniDeq uses a PowerShell script that ensures all the above prerequisites are set.
Please download the PowerShell script to the Windows Build Box. The file will be named "ConfigureRemotingForAnsible.ps1".
Execute the script as follows.
PS C:\> .\ConfigureRemotingForAnsible.ps1
Self-signed SSL certificate generated; thumbprint: 89E65FE46301E79A5A583244945201C3A72FCEDE
wxf: http://schemas.xmlsoap.org/ws/2004/09/transfer
a : http://schemas.xmlsoap.org/ws/2004/08/addressing
w : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
Lang : en-US
Address: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
ReferenceParameters : ReferenceParameters
Ok.
Disable UAC remote restrictions
⚠️ Skip the steps below if you are using an AD user or domain user to log in to the host.
A. Open Windows PowerShell as an Administrator and execute the command below.
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Value 1
OR
B. Manually disable it as follows
- Click Start, click Run, type regedit, and then press Enter.
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- If the LocalAccountTokenFilterPolicy registry entry doesn't exist, follow these steps:
  - Right-click on a blank white area, click New, and then select DWORD Value.
  - Type LocalAccountTokenFilterPolicy, and then press Enter.
- Right-click LocalAccountTokenFilterPolicy, and then select Modify.
- In the Value data box, type 1, and then select Ok.
- Exit Registry Editor.
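A read-only check of the build-box settings described above, added here as an example; it is not part of OmniDeq or of ConfigureRemotingForAnsible.ps1. The AllowUnencrypted check is an addition not listed on this page, and the `Add-Check` helper is a hypothetical name used only in this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not OmniDeq code): read-only check of the build-box settings
# described on this page. It changes nothing; it only reports current values.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# Execution policy at LocalMachine scope should be RemoteSigned.
$policy = Get-ExecutionPolicy -Scope LocalMachine
Add-Check 'ExecutionPolicy (LocalMachine)' ($policy -eq 'RemoteSigned') "$policy"

# WinRM service and its HTTPS listener on port 5986.
$svc = Get-Service -Name WinRM
Add-Check 'WinRM service running' ($svc.Status -eq 'Running') "$($svc.Status)"
$https = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -like 'Transport=HTTPS' } | Select-Object -First 1
$port = $null; $thumb = $null
if ($https) {
    $props = Get-ChildItem "WSMan:\localhost\Listener\$($https.Name)"
    $port  = ($props | Where-Object Name -eq 'Port').Value
    $thumb = ($props | Where-Object Name -eq 'CertificateThumbprint').Value
}
Add-Check 'HTTPS listener on 5986' ($port -eq '5986') "port=$port"

# The listener certificate must exist in LocalMachine\My and be unexpired.
$cert = $null
if ($thumb) { $cert = Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue }
$certOk = ($null -ne $cert) -and ($cert.NotAfter -gt (Get-Date))
Add-Check 'Listener certificate present, unexpired' $certOk "thumbprint=$thumb notAfter=$($cert.NotAfter)"

# Basic authentication for the WinRM service, as the page requires.
$basic = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
Add-Check 'Basic auth enabled' ($basic -eq 'true') "Basic=$basic"

# Assumption (not on the page): Basic auth relies on the HTTPS transport to
# protect the password, so unencrypted WinRM traffic should stay disabled.
$unenc = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
Add-Check 'AllowUnencrypted is false' ($unenc -eq 'false') "AllowUnencrypted=$unenc"

# UAC remote restriction; only relevant when a local (non-domain) account is used.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
Add-Check 'LocalAccountTokenFilterPolicy = 1' ($uac -eq 1) "value=$uac"

# Disk space from the resource table: more than 100 GB free on C:.
$freeGB = [math]::Round((Get-PSDrive -Name C).Free / 1GB, 1)
Add-Check 'Free space on C: > 100 GB' ($freeGB -gt 100) "${freeGB} GB free"

$results | Format-Table -AutoSize
```

When a domain account is used, a failing LocalAccountTokenFilterPolicy row is expected, since that step is skipped for AD and domain users.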
Connection between Discovery Host and Windows Build Box
⚠️ If the config setting for "TrustedHosts" is not managed by policies, no change is required.
- If the config setting for "TrustedHosts" is managed by policies, the policy needs to be set to "Not Configured" in order to change the config setting.
- The policy can be set to "Not Configured" using the "Local Group Policy Editor" (gpedit.msc) at
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management(WinRM)\WinRM Client\Trusted Hosts
- To apply the changes, run the gpupdate /force command in PowerShell.
Connection between Windows Build Box and OmniDeq/Discovery Host
OmniDeq and the Discovery Host authenticate with the Windows Build Box over WinRM using the following two methods:
- Kerberos
- Username and password