Add GMSA support for V2 HCS schema xenon containers #856
Conversation
Draft just to get feedback/OS changes get in. Pretty simple change.
Looks like we want hot-remove as well, so this will be updated quite a bit more.
Ok, after investigating further with Nitin, hot-remove is not actually needed for this scenario. A ccg.exe process gets launched on the host per unique credential spec to host the hvsocket service. If the same credential spec is used multiple times, an internal ref of how many there are is kept, and when it reaches 0 the ccg process exits and brings the service down with it automatically; no need to keep a ref on our end and emulate this. The hot-remove changes are still being added, as there's no reason to not include them if we find a use case for the future.
LGTM
@kevpar When would we want to merge this in, when it gets far enough back in the backporting cycle, or? Nitin's waiting for a build to finish but will be merging the OS changes right after.
@kevpar Added a build check. Could you give this another peek?
internal/hcsoci/resources_wcow.go
Outdated
coi.ccgState = ccgInstance.CredentialGuard | ||
r.Add(ccgResource) | ||
if hypervisorIsolated { | ||
if osversion.Get().Build < 19041 { |
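Review bot: the gate `if osversion.Get().Build < 19041 {` at the end of this hunk ties hypervisor-isolated GMSA support to a host build number, which does not establish that the ccg/hvsocket support is actually present on the build the code runs on; the thread here already flags that a better check is needed. Either probe for the capability itself before the ccg resource is committed with `r.Add(ccgResource)`, or drop the build gate and document the minimum supported build, as the thread proposes, so the failure mode is a documented requirement rather than a hard-coded number that drifts as fixes are backported.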
Discussed offline, but need to add a better check here to determine if the support for hv-iso GMSA is present in the build.
Are there fixes in the guest that we rely on as well?
For the hvsocket functionality, no, not that I'm aware of. The container.dll fix will be needed in the image for SMB access to work, but that's not related to this functionality.
@kevpar So the plan seems to be to just remove the check and document what build this will work on?
internal/credentials/credentials.go
Outdated
@@ -1,8 +1,5 @@ | |||
// +build windows | |||
|
|||
// Package credentials holds the necessary structs and functions for adding |
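Review bot: the header `@@ -1,8 +1,5 @@` shows this hunk shrinks the top of the file by three lines, and the package doc comment `// Package credentials holds the necessary structs and functions for adding` is among the lines touched; that comment needs to stay directly above the package clause so the package keeps its godoc, which the threads here confirm was lost during a rebase and then restored.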
Are we losing our package doc comment? Those are really nice to have.
haha, commented the same below. Must have gotten removed during rebase.
Adding back
@kevpar done
internal/credentials/credentials.go
Outdated
@@ -1,8 +1,5 @@ | |||
// +build windows | |||
|
|||
// Package credentials holds the necessary structs and functions for adding |
Just now realizing this got removed for some reason.
* Add new UVM function 'UpdateHvSocketService' to be able to hot add Hvsocket service table entries.
* Add new UVM function 'RemoveHvSocketService' to be able to hot remove an Hvsocket service.
* Add disabled field to HvSocketServiceConfig (used to be private in the schema)
* Remove hardcoded error if supplying a cred spec and the client asked for a hypervisor isolated container.
* Misc refactors (comments, style)

Signed-off-by: Daniel Canter <[email protected]>
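The hot-add and hot-remove requests the commit message describes, as an added example that is not hcsshim's own code: the schema structs, the `VirtualMachine/Devices/HvSocket/HvSocketConfig/ServiceTable/` resource path and the "Update"/"Remove" request types are assumptions mirroring the V2 HCS schema, and `ServiceTable` is a toy model used only to show what each request does to the table, including the newly exposed `Disabled` field.

```go
package main

import (
	"fmt"
	"strings"
)

// HvSocketServiceConfig mirrors one V2 HCS schema service-table entry (fields assumed; not hcsshim's own code).
type HvSocketServiceConfig struct {
	ConnectSecurityDescriptor string `json:"ConnectSecurityDescriptor,omitempty"`
	Disabled                  bool   `json:"Disabled,omitempty"`
}
// ModifySettingRequest is the document handed to HCS to hot-modify a running UVM.
type ModifySettingRequest struct {
	ResourcePath string      `json:"ResourcePath,omitempty"`
	RequestType  string      `json:"RequestType,omitempty"` // "Update" or "Remove"
	Settings     interface{} `json:"Settings,omitempty"`
}
// Assumed resource-path prefix of the service table; one entry per hvsocket service ID (a GUID).
const serviceTablePrefix = "VirtualMachine/Devices/HvSocket/HvSocketConfig/ServiceTable/"
func updateHvSocketServiceRequest(sid string, cfg *HvSocketServiceConfig) *ModifySettingRequest {
	return &ModifySettingRequest{RequestType: "Update", ResourcePath: serviceTablePrefix + sid, Settings: cfg}
}
func removeHvSocketServiceRequest(sid string) *ModifySettingRequest {
	return &ModifySettingRequest{RequestType: "Remove", ResourcePath: serviceTablePrefix + sid}
}
// ServiceTable is a toy stand-in for the UVM's hvsocket service table (HCS holds the real one).
type ServiceTable map[string]HvSocketServiceConfig
// Apply shows what an Update (hot add) or Remove (hot remove) request does to the table.
func (t ServiceTable) Apply(r *ModifySettingRequest) error {
	sid := strings.TrimPrefix(r.ResourcePath, serviceTablePrefix)
	if sid == "" || sid == r.ResourcePath {
		return fmt.Errorf("not a service table path: %q", r.ResourcePath)
	}
	switch cfg, _ := r.Settings.(*HvSocketServiceConfig); {
	case r.RequestType == "Update" && cfg != nil:
		t[sid] = *cfg
	case r.RequestType == "Remove":
		delete(t, sid) // absent entry: no-op, like a service whose ccg refcount already hit zero
	default:
		return fmt.Errorf("bad request %q for %s", r.RequestType, sid)
	}
	return nil
}

// Reachable reports whether a guest could connect to sid: present and not Disabled.
func (t ServiceTable) Reachable(sid string) bool {
	cfg, ok := t[sid]
	return ok && !cfg.Disabled
}
```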
LGTM
Related work items: microsoft#173, microsoft#839, microsoft#856, microsoft#877, microsoft#881, microsoft#886, microsoft#887, microsoft#888, microsoft#889, microsoft#890, microsoft#893, microsoft#894, microsoft#896, microsoft#899, microsoft#900, microsoft#902, microsoft#904, microsoft#905, microsoft#906, microsoft#907, microsoft#908, microsoft#910, microsoft#912, microsoft#913, microsoft#914, microsoft#916, microsoft#918, microsoft#923, microsoft#925, microsoft#926, microsoft#928, microsoft#929, microsoft#932, microsoft#933, microsoft#934, microsoft#938, microsoft#939, microsoft#942, microsoft#943, microsoft#945, microsoft#946, microsoft#947, microsoft#949, microsoft#951, microsoft#952, microsoft#954