Adding a Windows feature that requires a reboot

I’m trying to add BitLocker to the base microsoft/windowsservercore image using a powershell command. I’m running into issues because this feature requires an OS restart.

I found the issue while playing with one of the labs at DockerCon. The easiest way to recreate the issue is to follow these steps.

  1. Clone this repo - https://github.com/docker/dcus-hol-2017/tree/master/windows-101/tweet-app
  2. Update the dockerfile to look like so -

# escape=`
FROM microsoft/windowsservercore
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]

RUN Add-WindowsFeature Web-Server
RUN Add-WindowsFeature BitLocker
RUN Restart-Computer
EXPOSE 80

RUN Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.applicationHost/log' -name 'centralLogFileMode' -value 'CentralW3C'; `
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.applicationHost/log/centralW3CLogFile' -name 'truncateSize' -value 4294967295; `
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.applicationHost/log/centralW3CLogFile' -name 'period' -value 'MaxSize'; `
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.applicationHost/log/centralW3CLogFile' -name 'directory' -value 'c:\iislog'

WORKDIR C:
COPY start.ps1 .
COPY index.html C:\inetpub\wwwroot

CMD .\start.ps1

HEALTHCHECK CMD powershell -command `
try { `
$response = Invoke-WebRequest http://localhost -UseBasicParsing; `
if ($response.StatusCode -eq 200) { return 0} `
else {return 1}; `
} catch { return 1 }


  3. Attempt to build and run the image. The build appears to succeed, but it doesn’t run and will eventually return a timeout.

TIA for your help.

I don’t think you should do RUN Restart-Computer. Each line in the Dockerfile is run in a new container, so in principle it shouldn’t be needed. I tried, however, and it appears that it does not work:

FROM microsoft/windowsservercore
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]

RUN Add-WindowsFeature BitLocker

docker build -t bitlocker .
docker run bitlocker powershell.exe -c get-windowsfeature bitlocker

Display Name                                            Name
------------                                            ----
[ ] BitLocker Drive Encryption                          BitLocker

… stepping back a little bit, why do you want to enable BitLocker inside a container image? I’m not sure it makes sense, and you should probably just use BitLocker on the drive that stores containers.

There are details here: https://github.com/Microsoft/Virtualization-Documentation/issues/355

I just got confirmation that BitLocker won’t work solely inside a container; you should just enable it on the hosts where you want to run the container.
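
A host-side check for the advice above, as an added example that is not part of the original thread: it confirms that the drive holding Docker's data root is BitLocker-protected. The function name `Test-DockerRootEncrypted` is hypothetical, and the script assumes an elevated session on the container host with the Docker CLI and the BitLocker PowerShell module available.

```powershell
# Added example: run in an elevated PowerShell session on the container host,
# not inside a container. Test-DockerRootEncrypted is a hypothetical helper name.
function Test-DockerRootEncrypted {
    # Ask the Docker engine where it keeps image layers and container data.
    $dockerRoot = docker info --format '{{.DockerRootDir}}'
    if ($LASTEXITCODE -ne 0 -or -not $dockerRoot) {
        throw 'Could not read DockerRootDir from "docker info".'
    }

    # Assumption: the data root sits directly on a lettered drive (e.g. C:),
    # not on a volume mounted into a folder.
    $mountPoint = Split-Path -Path $dockerRoot -Qualifier

    $volume = Get-BitLockerVolume -MountPoint $mountPoint -ErrorAction Stop

    [pscustomobject]@{
        DockerRootDir    = $dockerRoot
        MountPoint       = $volume.MountPoint
        VolumeStatus     = $volume.VolumeStatus
        ProtectionStatus = $volume.ProtectionStatus
        # Protected only when encryption has finished and protection is active
        # (a suspended volume reports ProtectionStatus Off).
        Protected        = ($volume.VolumeStatus -eq 'FullyEncrypted' -and
                            $volume.ProtectionStatus -eq 'On')
    }
}

$result = Test-DockerRootEncrypted
$result | Format-List

if (-not $result.Protected) {
    Write-Warning "Docker data on $($result.MountPoint) is not fully protected by BitLocker."
    exit 1
}
```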

There’s at least one simple deficiency building Windows containers, where the implicit “shutdown/startup” between each Dockerfile directive doesn’t seem to be equivalent to a reboot, and thus where the ability to run “Restart-Computer” would seem to be a straightforward way to solve the problem:

Locale

Of the countless mechanisms which exist to set the “Locale” in Windows, none of them work in running containers, nor when building Docker images. Here are the two most concise commands for interacting with locale. On normal machines, one must reboot between the Set and Get commands.

Set-WinSystemLocale -SystemLocale ja-JP

Reboot

Get-WinSystemLocale

There is no way to achieve this in Docker.

I agree that there seems to be no obvious way to ‘reboot’ a Docker container.
Though it seems very strange that there is not a way to cause that effect. Surely there are Windows installation options that require a reboot. Microsoft must have a way to do it.

The answer is simple. When you know how. Locale settings are inherited from the host! So change the host.
Details here: