Enable Remote Desktop on Windows 10 Container

Problem description

I'm trying to enable remote desktop on a container image.

FROM mcr.microsoft.com/windows:2004

EXPOSE 3389

RUN net user administrator Stack0verflow
RUN net user administrator /active:yes

# I tried disabling the firewall; but this command errors as Windows Defender Firewall service 
# is not enabled; so presumably if the firewall's not running, it's not a firewall issue.
#RUN netsh advfirewall set allprofiles state off

# switch shell to powershell (note: pwsh not available on the image)
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue'; $ExecutionPolicy = 'Unrestricted';"]

# enable RDP (value is 1 on the base image)
RUN Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections' -Type 'DWord' -Value 0
# per https://www.withinrafael.com/2018/03/09/using-remote-desktop-services-in-containers/
RUN Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name 'TemporaryALiC' -Type 'DWord' -Value 1

Note: Since it's a Windows image, I've switched Docker Desktop to Windows Containers (ref: Docker: "no matching manifest for windows/amd64 in the manifest list entries")

I then build this via: docker build -t win10poc .

... And run it via: docker run --expose 3389 --publish 3390:3389 -it win10poc

The container runs successfully; but I can't connect to it (using mstsc with computer name 127.0.0.1:3390 on the host device; or even doing a Test-NetConnection -ComputerName 127.0.0.1 -Port 3390).

I've also tried running powershell -command "Test-NetConnection -ComputerName 'localhost' -Port 3389" from the container's command prompt; but this also returns a failure; suggesting that the service is not listening on this port.

Note: Running net start TermService on the container returns The requested service has already been started; so it should be listening.

My host device is running Windows 10.0.19041.264.

Note: I've seen a similar question for Windows Server; though asked again as that's for Server rather than Desktop, the question has less info on what's been tried, and there are no answers. As such, I'm hoping this doesn't count as a duplicate.

Recommended answer

The reference you used to build your Dockerfile states that after 1709_KB4074588 RDP cannot be made to work anymore. Pulling today that tag does not work either: you get a response from the server but can't execute anything. I have no idea how the windows and servercore images differ in general and in terms of RDP, and on top of that I'm by no means a windows expert. My experience so far (using xfreerdp as client):

  • windows/servercore:1607 cexecsvc is running, port 3389 is not listening
  • windows/servercore:1709 can connect to RDP, but executing an application results in ERRINFO_LOGOFF_BY_USER
  • windows/servercore:1709_KB4074588 behaves the same as 1709

Research shows also that you need to disable remote execution whitelist (don't know the correct name).

  • reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fAllowUnlistedRemotePrograms /t REG_DWORD /d 1
  • reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList" /v fDisabledAllowList /t REG_DWORD /f /d 1

After reading a brief about sessions, desktops and stations I wrote a quick test enumerating sessions (see LsaEnumerateLogonSessions and LsaGetLogonSessionData) and saw that while a normal RDP session shows many (why? no idea) sessions for the same user and a few of them are interactive (10 - CachedInteractive in my case) a console in a Docker instance shows a single session for the ContainerAdministrator user of type 5 (Proxy - not supported), so as I understand it there's no way to get an interactive desktop from this session.
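
A read-only diagnostic to run inside the container, added here as an example and not part of the original question or answer: it reports the registry values named above, compares the TermService state with whether anything is actually bound to the RDP port, and lists the logon-session types present. It assumes Windows PowerShell with the NetTCPIP and CIM cmdlets available in the image, and uses the Win32_LogonSession WMI class as a stand-in for the LsaEnumerateLogonSessions call the answer mentions.

```powershell
# Added diagnostic example; read-only, run inside the container.
$ts = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# 1. Registry values named in the question and the answer.
$settings = [ordered]@{
    fDenyTSConnections           = Get-RegValue $ts 'fDenyTSConnections'
    TemporaryALiC                = Get-RegValue $ts 'TemporaryALiC'
    fAllowUnlistedRemotePrograms = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 'fAllowUnlistedRemotePrograms'
    fDisabledAllowList           = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList' 'fDisabledAllowList'
    # Port the RDP-Tcp listener is configured for (3389 unless changed).
    PortNumber                   = Get-RegValue "$ts\WinStations\RDP-Tcp" 'PortNumber'
}
$settings.GetEnumerator() | Format-Table Name, Value -AutoSize

# 2. A started service is not proof of a bound socket: check both.
$port = if ($settings.PortNumber) { $settings.PortNumber } else { 3389 }
$listeners = @(Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)
[pscustomobject]@{
    TermServiceStatus = (Get-Service -Name TermService).Status
    Port              = $port
    Listening         = ($listeners.Count -gt 0)
} | Format-List

# 3. Logon sessions by type. Values are those documented for
#    Win32_LogonSession.LogonType: 2 Interactive, 10 RemoteInteractive,
#    11 CachedInteractive, 12 CachedRemoteInteractive.
$interactiveTypes = 2, 10, 11, 12
$sessions = @(Get-CimInstance -ClassName Win32_LogonSession)
$sessions | Group-Object LogonType | Sort-Object Name |
    Select-Object @{ n = 'LogonType'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

$hasInteractive = @($sessions | Where-Object { $interactiveTypes -contains $_.LogonType }).Count -gt 0
"Interactive logon session present: $hasInteractive"
```

The same script run on the host gives a baseline for comparing the session types seen inside the container.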
