I describe the problem in detail in the WCF docker image project here:

microsoft/dotnet-framework-docker#607

This is a showstopper for us. We need some ideas on how to resolve it.

The latest release of ServiceMonitor.exe was built from 5f6d967

docker file

Entrypoint.ps1

From @vladimir-kazakov on August 30, 2017 6:51

When I start ServiceMonitor inside a container for the first time, I see the following output:

PS C:> .\ServiceMonitor.exe w3svc

Service 'w3svc' has been stopped
ERROR ( message:Cannot find requested collection element. )

APPCMD failed with error code 4312
Applied configuration changes to section "system.applicationHost/applicationPools" for "MACHINE/WEBROOT/APPHOST" at configuration commit path "MACHINE/WEBROOT/APPHOST"
ERROR ( message:Cannot find requested collection element. )

APPCMD failed with error code 4312
Applied configuration changes to section "system.applicationHost/applicationPools" for "MACHINE/WEBROOT/APPHOST" at configuration commit path "MACHINE/WEBROOT/APPHOST"

Service 'w3svc' started

Terminating it and starting ServiceMonitor again results in the following output:

PS C:> .\ServiceMonitor.exe w3svc

Service 'w3svc' has been stopped
Applied configuration changes to section "system.applicationHost/applicationPools" for "MACHINE/WEBROOT/APPHOST" at configuration commit path "MACHINE/WEBROOT/APPHOST"
Applied configuration changes to section "system.applicationHost/applicationPools" for "MACHINE/WEBROOT/APPHOST" at configuration commit path "MACHINE/WEBROOT/APPHOST"
Applied configuration changes to section "system.applicationHost/applicationPools" for "MACHINE/WEBROOT/APPHOST" at configuration commit path "MACHINE/WEBROOT/APPHOST"
Applied configuration changes to section "system.applicationHost/applicationPools" for "MACHINE/WEBROOT/APPHOST" at configuration commit path "MACHINE/WEBROOT/APPHOST"

Service 'w3svc' started

These errors (in the first quote) happen only if starting ServiceMonitor manually. Without overriding the entry point, everything works as expected and the output looks like:

Service 'w3svc' has been stopped

Service 'w3svc' started

Since the default entry point and manually starting ServiceMonitor is the same command in this case, I'd expect the output to be the same - without any errors.

In order to reproduce these errors:

1. Pull the latest image: docker pull microsoft/aspnet (I tried 4.6.2 and 4.7 - the result is the same).
2. Enter the container by overriding the default entry point: docker run -it --rm --entrypoint powershell microsoft/aspnet.
3. Inside the container, start ServiceMonitor: .\ServiceMonitor.exe w3svc.

The container host is Windows Server 2016 Standard (Version 1607, Build 14393.1593) and the Docker version is 17.03.2-ee-5, build fa09039.

It would be also interesting to know whether these errors can be safely ignored (until they're being fixed). It seems that everything else works as expected, but maybe I don't notice something.

Copied from original issue: microsoft/aspnet-docker#47

One automatically generated password that is set in an environment variable in a container accidentally contained the sequence %18.

This resulted in the following appcmd command:

C:\Windows\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/applicationPools /+"[name='DefaultAppPool'].environmentVariables.[name='MY_ENV_VAR',value='%18']" /commit:apphost

The result of which is:

ERROR ( hresult:c00cee2b, message:Failed to commit configuration changes.
 )

When using %64 it "works", resulting in a value of 'd' in the configuration, it seems clear that %## is interpreted as an ascii hex code. When using %25, I get a percent-sign in the value, as "expected".

I think a % value should be escaped (as %25 perhaps, maybe there's another escape sequence available?) while passing it to appcmd.

Note: Error code 0xc00cee2b is "WC_E_XMLCHARACTER".

If an environment variable contains a single quote, I get the following error:

Service 'w3svc' has been stopped APPCMD failed with error code 13 Failed to update IIS configuration

Since appcmd.exe is just being used to write environment variables to applicationHost.config, should it XML encode the data?

Hello,

I use ServiceMonitor in my container to monitor a "classical" Windows NT service.
This service is a self-hosted WCF application (not using IIS).

ServiceMonitor is great to monitor my service as entrypoint, but it does not pass container image's environment variables to the service...
I had to put a intermediary PS script as Entrypoint, which copy each env vars to system level, and then lanches ServiceMonitor (and my service).

Can a future version of ServiceMonitor handle environment variables passing for every kind of service (not for only IIS/ App pools) ?

Also, my container can be run in a mode which imply starting 2 services on startup :
Can ServiceMonitor evolve to monitor multiples services or processes ?

Thank you,
Geoffrey

To reproduce:

C:\Test>ServiceMonitor.exe Schedule

ERROR: Failed to start or query status of service 'Schedule' error [80070005]

ERROR: Failed to stop or query status of service 'Schedule' error [80070005]

And ServiceMonitor exits immediately.

Expected output would be something that indicates success and ServiceMonitor not quitting.

Operating system: Windows 10 Enterprise, version 1809, build 17763.437.

AppCmd can not handle a command longer than 33k characters.

Sometimes our IIS container does not start up since the timeout of 20 seconds is quite low for a large site spinned up on a machine with high load. Could you add an additional option to set the timeout as commandline parameter?

Hi,

I'm not sure if it's a bug or a feature.

If we delete the DefaultAppPool, ServiceMonitor return this error:

Service 'w3svc' has been stopped
APPCMD failed with error code 4312
Failed to update IIS configuration

I do delete the DefaultAppPool because I don't use it in my Docker image. Maybe it's a bad practice to do that.

I did notice in the code that then environment variables are updated in the DefaultAppPool configHelper.UpdateEnvironmentVarsToConfig(L"DefaultAppPool"). Which explain why ServiceMonitor is not happy about the missing DefaultAppPool.

Thanks in advance.

Francis

Azure DevOps sets a few empty environment variables. ServiceMonitor then converts these to an APPCMD command and then APPCMD fails with a configuration error.

ServiceMonitor Output:

Stopping service 'w3svc'

 Service 'w3svc' has been stopped 

APPCMD failed with error code 13

Example environment variables:

PSPath        : Microsoft.PowerShell.Core\Environment::INPUT_ARGUMENTS
PSDrive       : Env
PSProvider    : Microsoft.PowerShell.Core\Environment
PSIsContainer : False
Key           : INPUT_ARGUMENTS
Value         : 
Name          : INPUT_ARGUMENTS


PSPath        : Microsoft.PowerShell.Core\Environment::RESOURCES_TRIGGERINGALIAS
PSDrive       : Env
PSProvider    : Microsoft.PowerShell.Core\Environment
PSIsContainer : False
Key           : RESOURCES_TRIGGERINGALIAS
Value         : 
Name          : RESOURCES_TRIGGERINGALIAS


PSPath        : Microsoft.PowerShell.Core\Environment::RESOURCES_TRIGGERINGCATEGORY
PSDrive       : Env
PSProvider    : Microsoft.PowerShell.Core\Environment
PSIsContainer : False
Key           : RESOURCES_TRIGGERINGCATEGORY
Value         : 
Name          : RESOURCES_TRIGGERINGCATEGORY

Example Azure DevOps yaml:

- powershell: |
    Invoke-WebRequest -UseBasicParsing -Uri "https://dotnetbinaries.blob.core.windows.net/servicemonitor/2.0.1.10/ServiceMonitor.exe" -OutFile "C:\ServiceMonitor.exe"
  displayName: Install Service Monitor
- powershell: |
    & C:\ServiceMonitor.exe w3svc
  displayName: Start IIS

Currently we are running this as a workaround before starting ServiceMonitor

Get-ChildItem -Path env: | Where-Object Value -eq "" | ForEach-Object { Set-Item -Path "Env:$($_.Name)" -Value "" }

There is no possibility to run ServiceMonitor with multiple application pools;
There shoud be possibility to pass more arguments (pool names) to command line like:

ServiceMonitor.exe w3svc DefaultAppPool SecondAppPool ThirdAppPool

ServiceMonitor converts the environment variable names to upper case when adding to the app pool process.
Below line in IISConfigUtil.cpp seems to do a in place conversion of the environment name to upper case. FilterEnv(filter, CharUpper(pstrNameCheck), pstrValue)
This is causing environment variable replacement using ConfigBuilders to fail unless we change all AppSetting keys to be upper case which is not ideal.

We're running into errors with our Docker images that are using ServiceMonitor.exe as an ENTRYPOINT. The last thing in the Docker logs is:

ERROR: Failed to stop or query status of service 'w3svc' error [800705b4]

Any ideas what would cause this? Is there a suggested work around?

From @MichaelSimons on December 7, 2017 22:17

The ServiceMonitor.exe should be downloaded within the Dockerfile instead of copied from the build context. The following are reasons to do this.

1. It is currently copied within 6 different locations within the repo. This number will soon grow with #67.
2. Pulling the resource from a public URL will allow anyone to easily duplicate the ASP.NET Dockerfiles as needed. There are several scenarios which users may not be able to use the ASP.NET images (e.g. they need to base their Dockerfile on a different base image yet they need ASP.NET support).

One possible place to host this content would be https://dotnetbinaries.blob.core.windows.net/dockerassets. This is used to host other content needed by the various .NET Dockerfiles.

Copied from original issue: microsoft/aspnet-docker#78

https://github.com/Microsoft/IIS.ServiceMonitor/blob/9ffa751e183989ff94e033b6aa6a09e9ca2293d1/src/ServiceMonitor/ServiceMonitor.rc#L72-L79

Our versioning strategy makes no sense right now.
Let's bump both the file version and product version to 2.0.0.0 and re-spin a build

So i started fiddling around with Azure container instances and it works like a charm with linux container images. But when i try to deploy a windows container instance then the ACI continuously restarts and the state is set to waiting.
In logs it says

Service 'w3svc' has been stopped

APPCMD failed with error code 183

Failed to update IIS configuration

The image that i am using is a public image in my docker repo.
It has a custom website running inside of it on IIS. Base image was a microsoft/nanoserver .
Any help would be much appreciated.

The wstring allocated here:
https://github.com/Microsoft/IIS.ServiceMonitor/blob/208e504bbc0d2f7b20aac08a9c83e29953639c51/src/ServiceMonitor/IISConfigUtil.cpp#L64
is never delete'd.
Suggest using a stack-allocated wstring instead of new.

I'm currently running IIS app inside a windows container.
These are the three last lines of my startup script:
Invoke-Expression -Command "net start w3svc"; Invoke-Expression -Command "iisreset"; Invoke-Expression -Command "C:\\ServiceMonitor.exe w3svc"
And here are the log trail from startup script:

Attempting stop...

Restart attempt failed.

The system cannot find the file specified. (2147942402, 80070002)

ERROR: Failed to stop or query status of service 'w3svc' error [800705b4]

I've reviewed the log trail for the startup script and It seems to be failed during on iisreset not sure if ServiceMonitor is contributing anything here.
I can see this error was reported in the past - #49

Could you please confirm if this error has been fixed in the latest version of IIS.ServiceMonitor or provide guidance on how we can resolve this issue? Thank you for your assistance.

Usually Docker containers output logs to the console, which lets users access them with docker logs or kubectl logs. That is not the case with IIS and ServiceMonitor - we get nothing. Classic ASP.NET applications do have their logs though. It would be a great feature if we could pass a second argument to ServiceMonitor with a log file path, which would then be read (like with tail -f) and written to the standard output for Docker tools to consume.

• ServiceMonitor.exe: error BA2008: 'ServiceMonitor.exe' does not enable the control flow guard (CFG) mitigation. To resolve this issue, pass /GUARD:CF on both the compiler and linker command lines. Binaries also require the /DYNAMICBASE linker option in order to enable CFG.
• ServiceMonitor.exe: error BA2024: 'ServiceMonitor.exe' was compiled with one or more modules that do not properly enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre).

@dasiths commented on Mon Nov 09 2020

The W3SVC doesn't start on the 4.8-windowsservercore-1909 image

I'm trying to run the image using docker run but keep running in to this error.

PS C:\Users\Administrator> docker run mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-1909                                           
 Service 'w3svc' has been stopped

ERROR: Failed to start or query status of service 'w3svc' error [80004005]

 Service 'w3svc' has been stopped

When defining the port it fails with a slightly different error

PS C:\Users\Administrator> docker run mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-1909 -p:80:8080                                
 Service 'w3svc' has been stopped

APPCMD failed with error code 4312

Failed to update IIS configuration

I also tried to create my own dockerfile from this image. In the build steps I tried calling

Start-Service W3SVC

which failed with

Service 'World Wide Web Publishing Service (W3SVC)' cannot be started due to the following error: Cannot start service W3SVC on computer '.'.

Then I tried doing this

docker run -it --rm --entrypoint powershell mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-1909

and when inside the container ran following commands to start w3svc with no success as well.

PS C:\> start-service w3svc
start-service : Service 'World Wide Web Publishing Service (w3svc)' cannot be started due to the following error:
Cannot start service w3svc on computer '.'.
At line:1 char:1
+ start-service w3svc
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
   ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

PS C:\> net start w3svc
System error 1068 has occurred.

The dependency service or group failed to start.

Steps to Reproduce

docker pull mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-1909
docker run mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-1909

Other Information

Output of docker version

PS C:\Users\Administrator> docker version                                                                                                            Client: Docker Engine - Enterprise
 Version:           19.03.5
 API version:       1.40
 Go version:        go1.12.12
 Git commit:        2ee0c57608
 Built:             11/13/2019 08:00:16
 OS/Arch:           windows/amd64
 Experimental:      false

Server: Docker Engine - Enterprise
 Engine:
  Version:          19.03.5
  API version:      1.40 (minimum version 1.24)
  Go version:       go1.12.12
  Git commit:       2ee0c57608
  Built:            11/13/2019 07:58:51
  OS/Arch:          windows/amd64
  Experimental:     false

Output of docker info

PS C:\Users\Administrator> docker info 
 Client:
 Debug Mode: false
 Plugins:
  cluster: Manage Docker clusters (Docker Inc., v1.2.0)

Server:
 Containers: 10
  Running: 0
  Paused: 0
  Stopped: 10
 Images: 275
 Server Version: 19.03.5
 Storage Driver: windowsfilter
  Windows:
 Logging Driver: json-file
 Plugins:
  Volume: local
  Network: ics internal l2bridge l2tunnel nat null overlay private transparent
  Log: awslogs etwlogs fluentd gcplogs gelf json-file local logentries splunk syslog
 Swarm: inactive
 Default Isolation: process
 Kernel Version: 10.0 18363 (18362.1.amd64fre.19h1_release.190318-1202)
 Operating System: Windows Server Datacenter Version 1909 (OS Build 18363.836)
 OSType: windows
 Architecture: x86_64
 CPUs: 4
 Total Memory: 16GiB
 Name: IP-0A9D15BF
 ID: 3KVH:ECXF:6ALL:XNFM:CDKW:APWQ:RJW3:RVQE:3VP2:MS4N:JH76:RG3A
 Docker Root Dir: C:\ProgramData\docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

@MichaelSimons commented on Mon Nov 09 2020

@HongGit - Can you help out with this issue?

@dasiths commented on Mon Nov 09 2020

it's possibly related to #34

@dasiths commented on Mon Nov 09 2020

I've just checked the same image on a Windows 10 pro machine with 2004 kernel version and it works. So it's tied to the Windows Data Centre version I tried before.

Here is the environment it fails in. It's running in an AWS EC2 instance.

PS C:\Users\Administrator> [System.Environment]::OSVersion.Version

Major  Minor  Build  Revision
-----  -----  -----  --------
10     0      18363  0


PS C:\Users\Administrator> (Get-WmiObject -class Win32_OperatingSystem).Caption
Microsoft Windows Server Datacenter
PS C:\Users\Administrator> systeminfo /fo csv | ConvertFrom-Csv | select OS*, System*, Hotfix* | Format-List


OS Name             : Microsoft Windows Server Datacenter
OS Version          : 10.0.18363 N/A Build 18363
OS Manufacturer     : Microsoft Corporation
OS Configuration    : Standalone Server
OS Build Type       : Multiprocessor Free
System Boot Time    : 11/9/2020, 10:00:54 AM
System Manufacturer : Xen
System Model        : HVM domU
System Type         : x64-based PC
System Directory    : C:\Windows\system32
System Locale       : en-us;English (United States)
Hotfix(s)           : 10 Hotfix(s) Installed.,[01]: KB4552931,[02]: KB4497165,[03]: KB4513661,[04]: KB4517245,[05]:
                      KB4521863,[06]: KB4524569,[07]: KB4528759,[08]: KB4541338,[09]: KB4552152,[10]: KB4556799

PS C:\Users\Administrator> docker run -it --rm --entrypoint powershell mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-1909
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\> get-iissite

Name             ID   State      Physical Path                  Bindings
----             --   -----      -------------                  --------
Default Web Site 1    Stopped    %SystemDrive%\inetpub\wwwroot  http *:80:


PS C:\> start-iissite "default web site"
start-iissite : The World Wide Web Publishing Service (W3SVC) is stopped. Websites cannot be started unless the World
Wide Web Publishing Service (W3SVC) is running.
At line:1 char:1
+ start-iissite "default web site"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Start-IISSite], ServerManagerException
    + FullyQualifiedErrorId : Microsoft.Web.Administration.ServerManagerException,Microsoft.IIS.Powershell.Commands.St
   artIISSiteCommand

PS C:\> net start w3svc
System error 1068 has occurred.

The dependency service or group failed to start.

@MichaelSimons commented on Tue Nov 10 2020

@dasiths - did you try the workaround mentioned here?

@shirhatti, I'm transferring this to IIS as this seems related to #34.

Periodically, I see that IIS application starts without environment variables set on docker container. After careful validation, I see correct environment variables in settings, but not in the app hosted on IIS. Can it be some race condition if app pool started before ServiceMonitor updates environment variables?

Containers die with the following log:

Service 'w3svc' has been stopped
APPCMD failed with error code 259
Failed to update IIS configuration

Not sure if this is related at all with #29 and #4 but have been seeing this when running the latest tag of microsoft:iis on a Windows Server 2016 AMI on AWS EC2.

Based on feedback from @artisticcheese in microsoft/iis-docker#44, we should consider writing w3c logs to stdout.

Currently the servicemonitor.exe is always blocked (on purpose to keep the container alive), but there are cases user need to do other initialization in the entrypoint. Please add a parameter to allow service monitor to exit instead of blocking.

Thanks.

ControlService will return error 0x8007041c when w3svc service is in SERVICE_STOP_PENDING state.

We should investigate how AppCmd.exe handles special characters.
Currently we handles only single/double quotation marks, which might not be enough.

When I add a few layers on the the wcf container from microsoft, somehow the entrypoint gets lost and the container just starts and stops.

It would be nice to show the syntax here (in the readme) of how to get service monitor as your container's entrypoint.

It would be useful if ServiceMonitor.exe supports /? command line switch and dumps not only usage info but also version info, similar to LogMonitor.exe:

> LogMonitor.exe /?
LogMonitor Tool Version 1.2.0.0

Usage: LogMonitor.exe [/?] | [--help] | [[/CONFIG <PATH>][COMMAND [PARAMETERS]]]

/?|--help   Shows help information
<PATH>      Specifies the path of the Json configuration file. This is
an optional parameter. If not specified, then default Json
configuration file path C:\LogMonitor\LogMonitorConfig.json is used
COMMAND     Specifies the name of the executable to be run
PARAMETERS  Specifies the parameters to be passed to the COMMAND

This tool monitors Event log, ETW providers and log files and write the log entries
to the console. The configuration of input log sources is specified in a Json file.
file.

Simply, it would be helpful of command line interface of ServiceMonitor.exe is somewhat unified with the LogMonitor.exe.

IIS Service monitor should have a debug flag to show any necessary debugging output.

Get error

Service 'w3svc' has been stopped
APPCMD failed with error code 4312
Failed to update IIS configuration

after trying to install chocolatey

RUN Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

I'm using microsoft/iis:latest image.
After trying to fix this issue I figured out that if I use mcr.microsoft.com/windows/servercore:ltsc2019 image and do the same settings as microsoft/iis, but instead of ENTRYPOINT ["C:\ServiceMonitor.exe", "w3svc"] use CMD ["C:\ServiceMonitor.exe", "w3svc"] everything is fine. How I can fix this issue?

As I understand I need ServiceMonitor only if I want to monitor containers on production and use it with kubernates or prometeus. Can I ignore ServiceMonitor for locale developement?

There are cases that ServiceMontor.exe will get Environment Variables Value as Short Path Name. They need to be convert to full path name before add to ApplicationHost.config.

env NAME:|TEMP| VALUE:|C:\Users\CONTAI1\AppData\Local\Temp| will be added
env NAME:|TMP| VALUE:|C:\Users\CONTAI1\AppData\Local\Temp| will be added

From my local testing (SSD with a recent RS3 image), each call to AppCmd.exe takes between 130ms and 280ms. Can we do better?

Each (non-filtered) environment variable results in two calls to AppCmd (one to remove it if it's already there, then another to add), that's 260ms, at best, per environment variable added.

One improvement would be to batch multiple changes together. AppCmd.exe does allow multiple writes in a "set config" command but it will error out if any of them fail. That includes the attempted removal of non-existent elements. So, we could batch together the add commands, but not the remove commands (since they are expected to fail).

A (radical) alternative is to avoid calling AppCmd.exe altogether and doing the applicationHost manipulation directly in ServiceMonitor.exe

Running a container with many environment variables leads to following error:

Service 'w3svc' has been stopped
APPCMD failed with error code 259
Failed to update IIS configuration

Service monitor builds a command for appcmd.exe limited to 30000 symbols. When there are many variables appcmd.exe is executed several times. First run on my environment finishes in about 0.3 second. Each subsequent run takes increased time and eventually exceeds 5 seconds limit (GetExitCodeProcess returns STILL_ACTIVE 259).

Workaround:
Set enableServiceLinks: false in pod’s spec.

EnableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. Optional: Defaults to true.

It will remove set of variables like:

• SERVICE_NAME_PORT
• SERVICE_NAME_PORT_80_TCP
• SERVICE_NAME_PORT_80_TCP_ADDR
• SERVICE_NAME_PORT_80_TCP_PORT
• SERVICE_NAME_PORT_80_TCP_PROTO
• SERVICE_NAME_SERVICE_HOST
• SERVICE_NAME_SERVICE_PORT
• SERVICE_NAME_SERVICE_PORT_HTTP

Please make the copying of environment variables optional or make it possible to setup exclusions. Some environment variables are used for container configuration and should not be accessible from the apppoolidentity.

I'm using microsoft/iis on Win2019 RS5 and whenever I pass an environment variable with single quote, the container exits when trying to start.

For example:
ABC=a'b

If I override the entrypoint with my own custom script, the container starts fine.

We're running into errors with our Docker images that are using ServiceMonitor.exe as an ENTRYPOINT. The last thing in the Docker logs is:

Service 'w3svc' has been stopped 
ERROR: Failed to stop or query status of service 'w3svc' error [8007045b]
Service 'w3svc' started 

Any ideas what would cause this? Is there a suggested work around?

Docker image: microsoft/aspnet:4.6.2

Dockerfile:

FROM microsoft/aspnet:4.6.2
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]

RUN Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters' -Name ServerPriorityTimeLimit -Value 0 -Type DWord

COPY publish/localhost/ C:/inetpub/wwwroot/site
COPY web.config C:/inetpub/wwwroot/site/web.config
COPY web.config.root C:/inetpub/wwwroot/web.config

RUN New-WebApplication -Site 'Default Web Site' -Name 'site' -PhysicalPath 'C:\inetpub\wwwroot\site'

Running as part of docker-compose brings back the following:

web_1        | ERROR ( message:Cannot find requested collection element. )
web_1        | ERROR ( message:Malformed collection indexer; format is [@position,name='value',name2='value2',...].  The
 @position specifier is optional, and be '@start', '@end', or '@N' where N is a numeric index into the collection. )
web_1        |
web_1        |  Service 'w3svc' has been stopped
web_1        |
web_1        | APPCMD failed with error code 4312
web_1        |
web_1        | APPCMD failed with error code 13
web_1        |
web_1        | Failed to update IIS configuration
site_web_1 exited with code 2147500037

The error indicates it's coming from an appcmd set config call, which we're not making - so presumably it's part of ServiceMonitor. For whatever reason, if the container is run manually using docker, it seems to work fine.

I'm working with the docker image mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-ltsc2019. I've noticed that the default user for windowsservercore is ContainerAdministrator.

If I try to run the image with the user ContainerUser docker run -u ContainerUser mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-ltsc2019 I get the following error:

ERROR: Failed to stop or query status of service 'w3svc' error [80070005

]. I think that the error is related to the permissions that the user needs to run ServiceMonitor. So, first of all, is it correct to assume that windowsservercore images must run with ContainerAdministrator and cannot run with ContainerUser?

If the assumption above is correct I would like to confirm if running the container with ContainerAdministrator can expose the container to a security issue. As far as I understand even if the ServiceMonitor.exe is started with ContainerAdministrator the external-facing process is the IIS Windows service, which runs under a local account in IIS_IUSRS group. So even if an attacker could compromise the application it will not have administrator access to the container. Can anyone confirm if this is correct?

Dockerfile:

# escape=`

FROM mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-ltsc2019

ENV website-name=WebApp

WORKDIR /

RUN mkdir C:\WebApp

COPY WebApp/ /WebApp

RUN powershell -Command  `
    New-Website -Name 'WebApp' -IPAddress '*' -Port 443 -PhysicalPath C:\WebApp -ApplicationPool 'DefaultAppPool' -Ssl -SslFlags 0; `

USER ContainerUser

ENTRYPOINT ["C:\ServiceMonitor.exe", "w3svc"]

https://github.com/Microsoft/IIS.ServiceMonitor/blob/9ffa751e183989ff94e033b6aa6a09e9ca2293d1/src/ServiceMonitor/ServiceMonitor.cpp#L116

From microsoft/aspnet-docker#43

Can you provide a description of the purpose of ServiceMonitor. I know it monitors the w3svc service, but for what purpose?
Thanks

There are important files that Microsoft projects should all have that are not present in this repository. A pull request has been opened to add the missing file(s). When the pr is merged this issue will be closed automatically.

Microsoft teams can learn more about this effort and share feedback within the open source guidance available internally.

Merge this pull request