The latest articles on DEV Community by Miro (@milolav). https://dev.to/milolav https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F287202%2F1d03bb8f-6eca-4e40-8802-311ab5c261ab.png https://dev.to/milolav en Miro Mon, 08 Mar 2021 01:00:08 +0000 https://dev.to/milolav/oauth2-certificate-authentication-in-bash-script-3b1e https://dev.to/milolav/oauth2-certificate-authentication-in-bash-script-3b1e <p>I was exploring the possibility of getting the auth token in bash using certificate authentication. Here are two examples how to obtain access token, one for Microsoft Graph and the other one for Google APIs.</p> <p>Both scripts are similar:</p> <ul> <li>create jwt payload/claims</li> <li>sign header +payload with private key of the certificate uploaded to Microsoft/Google</li> <li>post data to token endpoint</li> <li>acquire access_token </li> </ul> <h3> A bit of explanation </h3> <ul> <li> <code>base64 -w 0 | tr '/+' '_-' | tr -d '='</code> - this is simple base64url encoding <code>base64 -w 0</code> means that data won't be broken in multiple lines, <code>tr '/+' '_-'</code> is used to replace <code>/</code> with <code>_</code> and <code>+</code> with <code>-</code>, and finally <code>tr -d '='</code> is used to remove <code>=</code> which is standard base64 padding</li> <li> <code>openssl dgst -sha256 -sign $key_file</code> is signing input with certificate key stored in the <code>$key_file</code> </li> <li> <code>date +%s</code> is current timestamp, and <code>$(($ts + 600))</code> adds 10 minutes of token validity</li> </ul> <p>Microsoft uses certificate fingerprint (thumbprint) in jwt header and it is a binary value encoded as base64url.</p> <ul> <li> <code>openssl x509 -fingerprint -noout -in $cert_file</code> will produce something like <code>SHA1 Fingerprint=AA:BB:CC:DD:EE...</code> after which <code>cut -d '=' -f 2</code> is used to get everything right of the <code>=</code> sign (the fingerprint), which is then converted into binary using <code>xxd -r -p</code> and finally converted into base64url</li> </ul> <p>It also uses "a Guid" for unique identifier of a jwt where <code>cat /proc/sys/kernel/random/uuid</code> is used to create it.</p> <p>In the end, <code>jq</code> is used to extract <code>auth_token</code> into the file or to display the error message in case authentication was not successful. </p> <p>It is probably easier just to use vendor provided tools or libraries, but sometimes having a simple shell script is just good enough. </p> <h2> Microsoft Graph </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nv">client_id</span><span class="o">=</span><span class="s1">'&lt;replace_with_client_id&gt;'</span> <span class="nv">tenant_id</span><span class="o">=</span><span class="s1">'&lt;replace_with_tenant_id&gt;'</span> <span class="nv">cert_file</span><span class="o">=</span><span class="s1">'my.crt'</span> <span class="c">#certificate (used for fingerprint)</span> <span class="nv">key_file</span><span class="o">=</span><span class="s1">'my.key'</span> <span class="c">#certificate private key (for signing)</span> <span class="nv">cert_hash</span><span class="o">=</span><span class="si">$(</span>openssl x509 <span class="nt">-fingerprint</span> <span class="nt">-noout</span> <span class="nt">-in</span> <span class="nv">$cert_file</span> | <span class="nb">cut</span> <span class="nt">-d</span> <span class="s1">'='</span> <span class="nt">-f</span> 2 | xxd <span class="nt">-r</span> <span class="nt">-p</span> | <span class="nb">base64</span> <span class="nt">-w</span> 0| <span class="nb">tr</span> <span class="s1">'/+'</span> <span class="s1">'_-'</span> | <span class="nb">tr</span> <span class="nt">-d</span> <span class="s1">'='</span><span class="si">)</span> <span class="nv">jwt_header</span><span class="o">=</span><span class="s2">"{</span><span class="se">\"</span><span class="s2">alg</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">RS256</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">typ</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">JWT</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">x5t</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="nv">$cert_hash</span><span class="se">\"</span><span class="s2">}"</span> <span class="nv">ts</span><span class="o">=</span><span class="si">$(</span><span class="nb">date</span> +%s<span class="si">)</span> <span class="nv">part_aud</span><span class="o">=</span><span class="s2">"</span><span class="se">\"</span><span class="s2">aud</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">https://login.microsoftonline.com/</span><span class="nv">$tenant_id</span><span class="s2">/oauth2/v2.0/token</span><span class="se">\"</span><span class="s2">"</span> <span class="nv">part_nbf</span><span class="o">=</span><span class="s2">"</span><span class="se">\"</span><span class="s2">nbf</span><span class="se">\"</span><span class="s2">:</span><span class="nv">$ts</span><span class="s2">"</span> <span class="nv">part_exp</span><span class="o">=</span><span class="s2">"</span><span class="se">\"</span><span class="s2">exp</span><span class="se">\"</span><span class="s2">:</span><span class="k">$((</span><span class="nv">$ts</span> <span class="o">+</span> <span class="m">600</span><span class="k">))</span><span class="s2">"</span> <span class="nv">part_jti</span><span class="o">=</span><span class="s2">"</span><span class="se">\"</span><span class="s2">jti</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="si">$(</span><span class="nb">cat</span> /proc/sys/kernel/random/uuid<span class="si">)</span><span class="se">\"</span><span class="s2">"</span> <span class="nv">part_iss</span><span class="o">=</span><span class="s2">"</span><span class="se">\"</span><span class="s2">iss</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="nv">$client_id</span><span class="se">\"</span><span class="s2">"</span> <span class="nv">part_sub</span><span class="o">=</span><span class="s2">"</span><span class="se">\"</span><span class="s2">sub</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="nv">$client_id</span><span class="se">\"</span><span class="s2">"</span> <span class="nv">jwt_payload</span><span class="o">=</span><span class="s2">"{</span><span class="nv">$part_aud</span><span class="s2">,</span><span class="nv">$part_exp</span><span class="s2">,</span><span class="nv">$part_iss</span><span class="s2">,</span><span class="nv">$part_jti</span><span class="s2">,</span><span class="nv">$part_nbf</span><span class="s2">,</span><span class="nv">$part_sub</span><span class="s2">}"</span> <span class="nv">token_data</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">echo</span> <span class="nt">-n</span> <span class="nv">$jwt_header</span> | <span class="nb">base64</span> <span class="nt">-w</span> 0 | <span class="nb">tr</span> <span class="s1">'/+'</span> <span class="s1">'_-'</span> | <span class="nb">tr</span> <span class="nt">-d</span> <span class="s1">'='</span><span class="si">)</span><span class="s2">.</span><span class="si">$(</span><span class="nb">echo</span> <span class="nt">-n</span> <span class="nv">$jwt_payload</span> | <span class="nb">base64</span> <span class="nt">-w</span> 0 | <span class="nb">tr</span> <span class="s1">'/+'</span> <span class="s1">'_-'</span> | <span class="nb">tr</span> <span class="nt">-d</span> <span class="s1">'='</span><span class="si">)</span><span class="s2">"</span> <span class="nv">signature</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="nt">-n</span> <span class="nv">$token_data</span> | openssl dgst <span class="nt">-sha256</span> <span class="nt">-sign</span> <span class="nv">$key_file</span> | <span class="nb">base64</span> <span class="nt">-w</span> 0 | <span class="nb">tr</span> <span class="s1">'/+'</span> <span class="s1">'_-'</span> | <span class="nb">tr</span> <span class="nt">-d</span> <span class="s1">'='</span><span class="si">)</span> <span class="nv">assertion</span><span class="o">=</span><span class="s2">"</span><span class="nv">$token_data</span><span class="s2">.</span><span class="nv">$signature</span><span class="s2">"</span> <span class="nv">resp</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-Ssl</span> <span class="nt">-X</span> POST <span class="s2">"https://login.microsoftonline.com/</span><span class="nv">$tenant_id</span><span class="s2">/oauth2/v2.0/token"</span> <span class="se">\</span> <span class="nt">--data-urlencode</span> <span class="s2">"client_id=</span><span class="nv">$client_id</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--data-urlencode</span> <span class="s1">'scope=https://graph.microsoft.com/.default'</span> <span class="se">\</span> <span class="nt">--data-urlencode</span> <span class="s1">'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer'</span> <span class="se">\</span> <span class="nt">--data-urlencode</span> <span class="s2">"client_assertion=</span><span class="nv">$assertion</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--data-urlencode</span> <span class="s1">'grant_type=client_credentials'</span> <span class="se">\</span> <span class="si">)</span> <span class="k">if </span><span class="nb">echo</span> <span class="nv">$resp</span> | <span class="nb">grep</span> <span class="nt">-q</span> <span class="s1">'access_token'</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="nv">$resp</span> | jq <span class="nt">-j</span> <span class="s1">'.access_token'</span> <span class="o">&gt;</span>access_token <span class="k">else </span><span class="nb">echo</span> <span class="nv">$resp</span> | jq <span class="nt">-r</span> <span class="s1">'.error + " error:\n" + .error_description'</span> <span class="nb">exit </span>1 <span class="k">fi</span> </code></pre> </div> <p>Source:</p> <p><a href="https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate">https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate</a></p> <p><a href="https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials">https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials</a></p> <h2> Google APIs </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nv">client_email</span><span class="o">=</span><span class="s1">'client@your-project-name.iam.gserviceaccount.com'</span> <span class="nv">subject_email</span><span class="o">=</span><span class="s1">'subject@example.com'</span> <span class="c">#user that will be impersonated</span> <span class="nv">scopes</span><span class="o">=</span><span class="s1">'https://www.googleapis.com/auth/&lt;scope1&gt; https://www.googleapis.com/auth/&lt;scope2&gt;'</span> <span class="nv">key_file</span><span class="o">=</span><span class="s1">'my.key'</span> <span class="c">#certificate private key (for signing)</span> <span class="nv">jwt_header</span><span class="o">=</span><span class="s2">"{</span><span class="se">\"</span><span class="s2">alg</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">RS256</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">typ</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">JWT</span><span class="se">\"</span><span class="s2">}"</span> <span class="nv">ts</span><span class="o">=</span><span class="si">$(</span><span class="nb">date</span> +%s<span class="si">)</span> <span class="nv">part_iss</span><span class="o">=</span><span class="s2">"</span><span class="se">\"</span><span class="s2">iss</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="nv">$client_email</span><span class="se">\"</span><span class="s2">"</span> <span class="nv">part_sub</span><span class="o">=</span><span class="s2">"</span><span class="se">\"</span><span class="s2">sub</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="nv">$subject_email</span><span class="se">\"</span><span class="s2">"</span> <span class="nv">part_scope</span><span class="o">=</span><span class="s2">"</span><span class="se">\"</span><span class="s2">scope</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="nv">$scopes</span><span class="se">\"</span><span class="s2">"</span> <span class="nv">part_aud</span><span class="o">=</span><span class="s2">"</span><span class="se">\"</span><span class="s2">aud</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">https://oauth2.googleapis.com/token</span><span class="se">\"</span><span class="s2">"</span> <span class="nv">part_exp</span><span class="o">=</span><span class="s2">"</span><span class="se">\"</span><span class="s2">exp</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="k">$((</span><span class="nv">$ts</span> <span class="o">+</span> <span class="m">600</span><span class="k">))</span><span class="se">\"</span><span class="s2">"</span> <span class="nv">part_iat</span><span class="o">=</span><span class="s2">"</span><span class="se">\"</span><span class="s2">iat</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="nv">$ts</span><span class="se">\"</span><span class="s2">"</span> <span class="nv">jwt_payload</span><span class="o">=</span><span class="s2">"{</span><span class="nv">$part_iss</span><span class="s2">,</span><span class="nv">$part_sub</span><span class="s2">,</span><span class="nv">$part_scope</span><span class="s2">,</span><span class="nv">$part_aud</span><span class="s2">,</span><span class="nv">$part_exp</span><span class="s2">,</span><span class="nv">$part_iat</span><span class="s2">}"</span> <span class="nv">token_data</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">echo</span> <span class="nt">-n</span> <span class="nv">$jwt_header</span> | <span class="nb">base64</span> <span class="nt">-w</span> 0 | <span class="nb">tr</span> <span class="s1">'/+'</span> <span class="s1">'_-'</span> | <span class="nb">tr</span> <span class="nt">-d</span> <span class="s1">'='</span><span class="si">)</span><span class="s2">.</span><span class="si">$(</span><span class="nb">echo</span> <span class="nt">-n</span> <span class="nv">$jwt_payload</span> | <span class="nb">base64</span> <span class="nt">-w</span> 0 | <span class="nb">tr</span> <span class="s1">'/+'</span> <span class="s1">'_-'</span> | <span class="nb">tr</span> <span class="nt">-d</span> <span class="s1">'='</span><span class="si">)</span><span class="s2">"</span> <span class="nv">signature</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="nt">-n</span> <span class="nv">$token_data</span> | openssl dgst <span class="nt">-sha256</span> <span class="nt">-sign</span> <span class="nv">$key_file</span> | <span class="nb">base64</span> <span class="nt">-w</span> 0 | <span class="nb">tr</span> <span class="s1">'/+'</span> <span class="s1">'_-'</span> | <span class="nb">tr</span> <span class="nt">-d</span> <span class="s1">'='</span><span class="si">)</span> <span class="nv">assertion</span><span class="o">=</span><span class="s2">"</span><span class="nv">$token_data</span><span class="s2">.</span><span class="nv">$signature</span><span class="s2">"</span> <span class="nv">resp</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-Ssl</span> <span class="nt">-X</span> POST <span class="s1">'https://oauth2.googleapis.com/token'</span> <span class="se">\</span> <span class="nt">--data-urlencode</span> <span class="s1">'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer'</span> <span class="se">\</span> <span class="nt">--data-urlencode</span> <span class="s2">"assertion=</span><span class="nv">$assertion</span><span class="s2">"</span> <span class="se">\</span> <span class="si">)</span> <span class="k">if </span><span class="nb">echo</span> <span class="nv">$resp</span> | <span class="nb">grep</span> <span class="nt">-q</span> <span class="s1">'access_token'</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="nv">$resp</span> | jq <span class="nt">-j</span> <span class="s1">'.access_token'</span> <span class="o">&gt;</span>access_token <span class="k">else </span><span class="nb">echo</span> <span class="nv">$resp</span> | jq <span class="nt">-r</span> <span class="s1">'.error + " error:\n" + .error_description'</span> <span class="nb">exit </span>1 <span class="k">fi</span> </code></pre> </div> <p>Source:</p> <p><a href="https://developers.google.com/identity/protocols/oauth2/service-account#httprest">https://developers.google.com/identity/protocols/oauth2/service-account#httprest</a></p> <h2> Code </h2> <div class="ltag_gist-liquid-tag"> </div> oauth2 bash microsoftgraph googleapi Miro Fri, 07 Aug 2020 16:05:55 +0000 https://dev.to/milolav/wsl2-containers-45bp https://dev.to/milolav/wsl2-containers-45bp <p>Because, why not?</p> <p>Playing around with WSL2, I figured it could be used to make one-off build containers. In a similar way I usually use docker.</p> <p>For example, building TDLib for Telegram Messenger.</p> <p>My <code>run.cmd</code> is simple:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>@echo off wsl --import alpine-build .\VM alpine-minirootfs-3.12.0-x86_64.tar.gz wsl -d alpine-build /bin/sh /mnt/e/Temp/TDLib/build.sh wsl --unregister alpine-build </code></pre></div> <ol> <li>Install alpine distribution by running <code>wsl --import</code> </li> <li>Execute the build script</li> <li>Unregister the distribution</li> </ol> <p>Build script, <code>build.sh</code> , is made using TDLib <a href="https://tdlib.github.io/td/build.html">Build instrunction generator</a>, with the addition of the <code>OUT_DIR</code> variable just to make it easier.<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nv">OUT_DIR</span><span class="o">=</span>/mnt/e/Temp/TDLib/lib <span class="nb">cd</span> ~ apk update apk upgrade apk add <span class="nt">--update</span> alpine-sdk linux-headers git zlib-dev openssl-dev gperf php php-ctype cmake git clone https://github.com/tdlib/td.git <span class="nb">cd </span>td git checkout v1.6.0 <span class="nb">rm</span> <span class="nt">-rf</span> build <span class="nb">mkdir </span>build <span class="nb">cd </span>build <span class="nb">export </span><span class="nv">CXXFLAGS</span><span class="o">=</span><span class="s2">""</span> cmake <span class="nt">-DCMAKE_BUILD_TYPE</span><span class="o">=</span>Release <span class="nt">-DCMAKE_INSTALL_PREFIX</span>:PATH<span class="o">=</span><span class="nv">$OUT_DIR</span> .. cmake <span class="nt">--build</span> <span class="nb">.</span> <span class="nt">--target</span> <span class="nb">install cd</span> .. <span class="nb">cd</span> .. <span class="nb">ls</span> <span class="nt">-l</span> <span class="nv">$OUT_DIR</span> </code></pre></div> <p>Running it and it works.<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>PS E:\Temp\TDLib&gt; .\run.cmd fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/community/x86_64/APKINDEX.tar.gz v3.12.0-214-g4076381e49 [http://dl-cdn.alpinelinux.org/alpine/v3.12/main] v3.12.0-213-gfedcac4c0f [http://dl-cdn.alpinelinux.org/alpine/v3.12/community] OK: 12749 distinct packages available (1/6) Upgrading musl (1.1.24-r8 -&gt; 1.1.24-r9) &lt;snip&gt; -- The CXX compiler identification is GNU 9.3.0 -- The C compiler identification is GNU 9.3.0 -- Check for working CXX compiler: /usr/bin/c++ -- Check for working CXX compiler: /usr/bin/c++ - works &lt;snip&gt; -- Configuring done -- Generating done -- Build files have been written to: /root/td/build Scanning dependencies of target tdsqlite [ 0%] Building C object sqlite/CMakeFiles/tdsqlite.dir/sqlite/sqlite3.c.o [ 0%] Linking C static library libtdsqlite.a [ 0%] Built target tdsqlite &lt;snip&gt; Scanning dependencies of target bench_queue [100%] Building CXX object benchmark/CMakeFiles/bench_queue.dir/bench_queue.cpp.o [100%] Linking CXX executable bench_queue [100%] Built target bench_queue Install the project... -- Install configuration: "Release" -- Installing: /mnt/e/Temp/TDLib/lib/lib/libtdjson.so.1.6.0 -- Installing: /mnt/e/Temp/TDLib/lib/lib/libtdjson.so -- Installing: /mnt/e/Temp/TDLib/lib/lib/libtdjson_static.a -- Installing: /mnt/e/Temp/TDLib/lib/lib/libtdjson_private.a &lt;snip&gt; total 0 drwxrwxrwx 1 root root 512 Aug 7 14:03 include drwxrwxrwx 1 root root 512 Aug 7 14:03 lib Unregistering... PS E:\Temp\TDLib&gt; </code></pre></div> <p>Not as versatile as <code>docker run</code> but does the job.</p> <h2> Using differencing disks </h2> <p>Using differencing disks, I can have all build tools installed in the base vhdx and spawn "build container" just for a single build.</p> <p>For example, based on above, I've created base<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>PS E:\Temp&gt; wsl --import Alpine-BuildBase E:\WSL2\Alpine-BuildBase E:\WSL2\alpine-minirootfs-3.12.0-x86_64.tar.gz </code></pre></div> <p>And installed everything I need<br> </p> <div class="highlight"><pre class="highlight shell"><code>apk update apk upgrade apk add <span class="nt">--update</span> alpine-sdk linux-headers git zlib-dev openssl-dev gperf php php-ctype cmake </code></pre></div> <p>Now my <code>build.sh</code> omits tools installation and looks like:<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nv">OUT_DIR</span><span class="o">=</span>/mnt/e/Temp/TDLib/lib <span class="nb">cd</span> ~ git clone https://github.com/tdlib/td.git <span class="nb">cd </span>td git checkout v1.6.0 <span class="nb">rm</span> <span class="nt">-rf</span> build <span class="nb">mkdir </span>build <span class="nb">cd </span>build <span class="nb">export </span><span class="nv">CXXFLAGS</span><span class="o">=</span><span class="s2">""</span> cmake <span class="nt">-DCMAKE_BUILD_TYPE</span><span class="o">=</span>Release <span class="nt">-DCMAKE_INSTALL_PREFIX</span>:PATH<span class="o">=</span><span class="nv">$OUT_DIR</span> .. cmake <span class="nt">--build</span> <span class="nb">.</span> <span class="nt">--target</span> <span class="nb">install cd</span> .. <span class="nb">cd</span> .. <span class="nb">ls</span> <span class="nt">-l</span> <span class="nv">$OUT_DIR</span> </code></pre></div> <p>And the final part, <code>run.ps1</code> PowerShell script that will:</p> <ol> <li>Create differencing vhdx</li> <li>Make a registry key for the linux distribution "container"</li> <li>Execute the build script</li> <li>Unregister the distribution </li> </ol> <div class="highlight"><pre class="highlight powershell"><code><span class="c">#Must be run as an Administrator</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="p">([</span><span class="no">Security.Principal.</span><span class="kt">WindowsPrincipal</span><span class="p">][</span><span class="no">Security.Principal.</span><span class="kt">WindowsIdentity</span><span class="p">]::</span><span class="nf">GetCurrent</span><span class="p">())</span><span class="o">.</span><span class="nf">IsInRole</span><span class="p">([</span><span class="no">Security.Principal.</span><span class="kt">WindowsBuiltInRole</span><span class="p">]::</span><span class="nx">Administrator</span><span class="p">))</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nf">Start-Process</span><span class="w"> </span><span class="nx">PowerShell</span><span class="w"> </span><span class="nt">-Verb</span><span class="w"> </span><span class="nx">RunAs</span><span class="w"> </span><span class="s2">"-NoProfile -ExecutionPolicy Bypass -Command </span><span class="se">`"</span><span class="s2">cd '</span><span class="nv">$pwd</span><span class="s2">'; &amp; '</span><span class="bp">$PSCommandPath</span><span class="s2">';</span><span class="se">`"</span><span class="s2">"</span><span class="p">;</span><span class="w"> </span><span class="kr">exit</span><span class="p">;</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="nv">$DISTRO_NAME</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"alpine-build"</span><span class="w"> </span><span class="c">#Create a new differencing VHD</span><span class="w"> </span><span class="nf">New-Item</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nx">VM</span><span class="w"> </span><span class="nt">-ItemType</span><span class="w"> </span><span class="nx">Directory</span><span class="w"> </span><span class="nt">-Force</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">Out-Null</span><span class="w"> </span><span class="nx">New-VHD</span><span class="w"> </span><span class="nt">-ParentPath</span><span class="w"> </span><span class="nx">E:\WSL2\Alpine-BuildBase\ext4.vhdx</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="o">.</span><span class="nx">\VM\ext4.vhdx</span><span class="w"> </span><span class="nt">-Differencing</span><span class="w"> </span><span class="nt">-BlockSizeBytes</span><span class="w"> </span><span class="nx">1048576</span><span class="w"> </span><span class="c">#Add a registry key</span><span class="w"> </span><span class="nv">$guid</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nf">New-Guid</span><span class="w"> </span><span class="nv">$RegKey</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss\"</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="nv">$guid</span><span class="o">.</span><span class="nf">ToString</span><span class="p">(</span><span class="s2">"B"</span><span class="p">)</span><span class="w"> </span><span class="nf">New-Item</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$RegKey</span><span class="w"> </span><span class="nf">New-ItemProperty</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$RegKey</span><span class="w"> </span><span class="nt">-Name</span><span class="w"> </span><span class="nx">BasePath</span><span class="w"> </span><span class="nt">-PropertyType</span><span class="w"> </span><span class="nx">String</span><span class="w"> </span><span class="nt">-Value</span><span class="w"> </span><span class="bp">$PWD</span><span class="nx">\VM</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">Out-Null</span><span class="w"> </span><span class="nx">New-ItemProperty</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$RegKey</span><span class="w"> </span><span class="nt">-Name</span><span class="w"> </span><span class="nx">DefaultUid</span><span class="w"> </span><span class="nt">-PropertyType</span><span class="w"> </span><span class="nx">DWord</span><span class="w"> </span><span class="nt">-Value</span><span class="w"> </span><span class="nx">0</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">Out-Null</span><span class="w"> </span><span class="nx">New-ItemProperty</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$RegKey</span><span class="w"> </span><span class="nt">-Name</span><span class="w"> </span><span class="nx">DistributionName</span><span class="w"> </span><span class="nt">-PropertyType</span><span class="w"> </span><span class="nx">String</span><span class="w"> </span><span class="nt">-Value</span><span class="w"> </span><span class="nv">$DISTRO_NAME</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">Out-Null</span><span class="w"> </span><span class="nx">New-ItemProperty</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$RegKey</span><span class="w"> </span><span class="nt">-Name</span><span class="w"> </span><span class="nx">Flags</span><span class="w"> </span><span class="nt">-PropertyType</span><span class="w"> </span><span class="nx">DWord</span><span class="w"> </span><span class="nt">-Value</span><span class="w"> </span><span class="nx">15</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">Out-Null</span><span class="w"> </span><span class="nx">New-ItemProperty</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$RegKey</span><span class="w"> </span><span class="nt">-Name</span><span class="w"> </span><span class="nx">State</span><span class="w"> </span><span class="nt">-PropertyType</span><span class="w"> </span><span class="nx">DWord</span><span class="w"> </span><span class="nt">-Value</span><span class="w"> </span><span class="nx">1</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">Out-Null</span><span class="w"> </span><span class="nx">New-ItemProperty</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$RegKey</span><span class="w"> </span><span class="nt">-Name</span><span class="w"> </span><span class="nx">Version</span><span class="w"> </span><span class="nt">-PropertyType</span><span class="w"> </span><span class="nx">DWord</span><span class="w"> </span><span class="nt">-Value</span><span class="w"> </span><span class="nx">2</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">Out-Null</span><span class="w"> </span><span class="c">#Run the build script</span><span class="w"> </span><span class="nf">wsl</span><span class="w"> </span><span class="nt">-d</span><span class="w"> </span><span class="nv">$DISTRO_NAME</span><span class="w"> </span><span class="nx">/bin/sh</span><span class="w"> </span><span class="nx">/mnt/e/Temp/TDLib/build.sh</span><span class="w"> </span><span class="c">#Unregister the distribution</span><span class="w"> </span><span class="nf">wsl</span><span class="w"> </span><span class="nt">--unregister</span><span class="w"> </span><span class="nv">$DISTRO_NAME</span><span class="w"> </span><span class="c">#Pause</span><span class="w"> </span><span class="nf">Read-Host</span><span class="w"> </span><span class="nt">-Prompt</span><span class="w"> </span><span class="s2">"Press Enter key to continue"</span><span class="w"> </span></code></pre></div> <h2> Just testing </h2> <p>To make sure above script works as expected instead of running the build script (line 25 above) I can swap it with<br> </p> <div class="highlight"><pre class="highlight batchfile"><code><span class="kd">wsl</span> <span class="na">-d </span>$DISTRO_NAME <span class="na">/bin/sh -c </span><span class="s2">"date &amp;&amp; cat /etc/*-release"</span> </code></pre></div> <p>Result is<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>ComputerName : PC123 Path : E:\Temp\TDLib\VM\ext4.vhdx VhdFormat : VHDX VhdType : Differencing FileSize : 6291456 Size : 274877906944 MinimumSize : LogicalSectorSize : 512 PhysicalSectorSize : 4096 BlockSize : 1048576 ParentPath : E:\WSL2\Alpine-BuildBase\ext4.vhdx DiskIdentifier : A96ADE57-4838-48EA-97A9-DE02790ADCB4 FragmentationPercentage : Alignment : 1 Attached : False DiskNumber : IsPMEMCompatible : False AddressAbstractionType : None Number : Property : {} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss\{4 e9ced54-7d28-48d2-92de-1df93ddc55a9} PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss PSChildName : {4e9ced54-7d28-48d2-92de-1df93ddc55a9} PSDrive : HKCU PSProvider : Microsoft.PowerShell.Core\Registry PSIsContainer : True SubKeyCount : 0 View : Default Handle : Microsoft.Win32.SafeHandles.SafeRegistryHandle ValueCount : 0 Name : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss\{4e9ced54-7d28-48d2-92de-1df93ddc55a9} Fri Aug 7 15:27:17 UTC 2020 3.12.0 NAME="Alpine Linux" ID=alpine VERSION_ID=3.12.0 PRETTY_NAME="Alpine Linux v3.12" HOME_URL="https://alpinelinux.org/" BUG_REPORT_URL="https://bugs.alpinelinux.org/" Unregistering... Press Enter key to continue: </code></pre></div> <h2> Conclusion </h2> <p>I'm not sure if this has a practical value. Maybe in scenarios where it is easier to have a single file virtual disk rather than a docker container stored in some registry. But it was an interesting concept to explore. Let me know if you find it useful.</p> wsl Miro Fri, 07 Aug 2020 15:55:29 +0000 https://dev.to/milolav/manually-installing-wsl2-distributions-41b4 https://dev.to/milolav/manually-installing-wsl2-distributions-41b4 <p>There are a few different ways of installing Linux distributions for WSL. The easiest, using Microsoft Store, or using tools like <a href="https://github.com/DDoSolitary/LxRunOffline">LxRunOffline</a> or <a href="https://github.com/yuk7/wsldl">wsldl</a>. But distribution can be installed manually as well.</p> <p>WSL command line allows to export distribution to a tar file, or to import from a tar file as a new distribution.</p> <p>Let's say I have Ubuntu installed from Microsoft Store, if I list them from a command line I will get something like this:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>PS E:\Temp&gt; wsl --list --all -v NAME STATE VERSION * Ubuntu-20.04 Stopped 2 </code></pre></div> <p>And if I export it:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>PS E:\Temp&gt; wsl --export Ubuntu-20.04 E:\WSL2\ubuntu.tar </code></pre></div> <p>I will get a tar file containing a root filesystem of my Ubuntu distribution. And I can import that as a new distribution:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>PS E:\Temp&gt; wsl --import Ubuntu-Copy E:\WSL2\Ubuntu-Copy E:\WSL2\ubuntu.tar </code></pre></div> <p>This will create a folder <code>Ubuntu-Copy</code> folder in the <code>E:\WSL2</code> and the <code>ext4.vhdx</code> file in that folder. Virtual hard disk is an ext4 partitioned disk containing the contents of the tar file. Listing distributions now shows two of them.<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>PS E:\Temp&gt; wsl --list --all -v NAME STATE VERSION * Ubuntu-20.04 Stopped 2 Ubuntu-Copy Stopped 2 </code></pre></div> <p>If I start the second distribution, I will be logged in as a root account:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>PS E:\Temp&gt; wsl -d Ubuntu-Copy root@PC123:/mnt/e/Temp# </code></pre></div> <p>Ok, so if import works for the exported root filesystem, will it work for any root filesystem? And the answer is Yes!</p> <p>For example, if I download <code>alpine-minirootfs-3.12.0-x86_64.tar.gz</code> from <a href="https://alpinelinux.org/downloads/">https://alpinelinux.org/downloads/</a> I can import it like this:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>PS E:\Temp&gt; wsl --import Alpine-3.12 E:\WSL2\Alpine-3.12 E:\WSL2\alpine-minirootfs-3.12.0-x86_64.tar.gz </code></pre></div> <p>It even works with tar.gz files, not just .tar files. In fact, Alpine distribution available in Microsoft Store does exactly that. Downloads this file and installs it. Source for the launcher is available here: <a href="https://github.com/agowa338/WSL-DistroLauncher-Alpine">https://github.com/agowa338/WSL-DistroLauncher-Alpine</a></p> <p>Similar to the reference implementation of the launcher (<a href="https://github.com/microsoft/WSL-DistroLauncher">WSL-DistroLauncher</a>) it allows user creation on start-up and it has some additional fixes. See the <a href="https://github.com/agowa338/WSL-DistroLauncher-Alpine/blob/master/DistroLauncher/DistroSpecial.h">DistroSpecial.h</a> file.</p> <p>After distribution is complete I can manually create user, the same way launcher does<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>PS E:\Temp&gt; wsl -d Alpine-3.12 /usr/sbin/adduser -g '' -D user1 Changing password for user1 New password: Retype password: passwd: password for user1 changed by root </code></pre></div> <p>And then logging in like<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>PS E:\Temp&gt; wsl -d Alpine-3.12 -u user1 PC123:/mnt/e/Temp$ </code></pre></div> <p>In a nutshell this is it. A new distribution is manually installed.</p> <p><strong>Important thing to note</strong>:<br> By unregistering the distribution like <code>wsl --unregister Ubuntu-20.04</code> it will <strong>delete the associated <code>ext4.vhdx</code> file.</strong> Make sure to backup any important data form the virtual hard disk before unregistering.</p> <h2> Start-up scripts </h2> <p>Instead manually creating users and setting everything up, I can write all commands in a text file and execute them.</p> <p>For example, a dummy <code>init</code> file that displays current date and release name<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>date cat /etc/*-release </code></pre></div> <p>Start like<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>E:\Temp&gt; wsl -d Debian-10-Slim &lt; init </code></pre></div> <p>And the result is<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>Fri Aug 6 23:08:29 BST 2020 PRETTY_NAME="Debian GNU/Linux 10 (buster)" NAME="Debian GNU/Linux" VERSION_ID="10" VERSION="10 (buster)" VERSION_CODENAME=buster ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/" </code></pre></div> <p>Or run that file directly as a shell script from a know location<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>PS E:\Temp&gt; wsl -d Alpine-3.12 /bin/sh /mnt/e/Temp/init Fri Aug 6 22:17:05 UTC 2020 3.12.0 NAME="Alpine Linux" ID=alpine VERSION_ID=3.12.0 PRETTY_NAME="Alpine Linux v3.12" HOME_URL="https://alpinelinux.org/" BUG_REPORT_URL="https://bugs.alpinelinux.org/" </code></pre></div> <h2> Registry keys </h2> <p>When distribution is installed its settings are stored in the registry <code>HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss\{GUID}</code> </p> <p>Guid is, as far as I can tell, randomly generated for every distribution installation</p> <p>For example, official installation of Ubuntu creates similar to the following:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss\{2506e37c-8479-4433-9ea8-7549090aa5bf}] "State"=dword:00000001 "DistributionName"="Ubuntu-20.04" "Version"=dword:00000002 "BasePath"="C:\\Users\\User\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu20.04onWindows_79rhkp1fndgsc\\LocalState" "Flags"=dword:0000000f "DefaultUid"=dword:000003e8 "PackageFamilyName"="CanonicalGroupLimited.Ubuntu20.04onWindows_79rhkp1fndgsc" "KernelCommandLine"="BOOT_IMAGE=/kernel init=/init" "DefaultEnvironment"=hex(7):&lt;snipped&gt; </code></pre></div> <p>Which means that virtual hard disk is stored in the <code>C:\Users\User\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu20.04onWindows_79rhkp1fndgsc\LocalState</code> folder and default Uid is 1000 (0x3e8).</p> <p>Looking at the Alpine distribution:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss\{b9a51057-c168-4798-a89e-483c97278f3c}] "State"=dword:00000001 "DistributionName"="Alpine-3.12" "Version"=dword:00000002 "BasePath"="\\\\?\\E:\\WSL2\\Alpine-3.12" "Flags"=dword:0000000f "DefaultUid"=dword:00000000 </code></pre></div> <p>it omits some settings, but <code>BasePath</code> points to a folder containing <code>ext4.vhdx</code> file and <code>DefaultUid</code> is the Uid of the user when starting the distribution without the <code>-u &lt;user&gt;</code> option.</p> <p>Moving a distribution to a different location requires just to move the <code>ext4.vhdx</code> to a new folder and update the <code>BasePath</code> value. Similarly, changing a default user requires an update to the <code>DefaultUid</code> value.</p> <p>To "restore" a missing distribution, copy a registry key, update the <code>DistributionName</code>, <code>BasePath</code>, and <code>DefaultUid</code> values, and it is ready to go. Or import an empty tar file (created like <code>tar -zvcf empty.tar.gz -T /dev/null</code>) and swap out the resulting empty ext4.vhdx with the real one.</p> <h2> Other distributions </h2> <p>Following the examples from the <a href="https://github.com/yuk7/wsldl">wsldl</a> project, a simple way of installing different linux distributions is to take root filesystem used to make docker images. For example <a href="https://github.com/debuerreotype/docker-debian-artifacts/blob/dist-amd64/buster/slim/Dockerfile">Dockerfile for Debian Buster Slim</a> says <code>ADD rootfs.tar.xz /</code>. I can download the <a href="https://github.com/debuerreotype/docker-debian-artifacts/blob/dist-amd64/buster/slim/rootfs.tar.xz">rootfs.tar.xz</a>, unpack it since WSL doesn't recognize tar.xz file format, import it and run it like:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>PS E:\Temp&gt; wsl --import Debian-10-Slim E:\WSL2\Debian-10-Slim E:\WSL2\debian-buster-slim-20200803-rootfs.tar PS E:\Temp&gt; wsl -d Debian-10-Slim root@PC123:/mnt/e/Temp# </code></pre></div> <h2> Official <code>install.tar.gz</code> </h2> <p>When installing Ubuntu or Debian Linux distribution from the Microsoft Store root filesystem is downloaded as a part of Store App installation. This means that initial filesystem tar, <code>install.tar.gz</code> can be found in the <code>C:\Program Files\WindowsApps \CanonicalGroupLimited.Ubuntu20.04onWindows_2004.2020.424.0_x64__79rhkp1fndgsc\</code> folder, for the Ubuntu 20.04 installation. </p> <p>For a different version, folder name in the <code>C:\Program Files\WindowsApps</code> will be different, but it should contain <code>install.tar.gz</code> file.</p> <p>And that file can be imported as a new distribution in the same way as mentioned above.</p> <h2> Differencing disks </h2> <p>Since WSL2 is using vhdx disks, I was wondering can I use differencing disks. And the answer is again Yes.</p> <p>Having 5 instances of Ubuntu will take about 5GB of space immediately. Base vhdx is about 1GB. But, by leveraging differencing disks, I can have one base disk, and 5 smaller, differencing disks.</p> <p>First stop all distributions with <code>wsl --shutdown</code>, then move existing <code>ext4.vhdx</code> to a new folder (one level up in my case), and create a differencing disk with the <code>ext4.vhdx</code> name.<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>PS E:\WSL2\Ubuntu-20.04&gt; New-VHD -ParentPath ..\base.vhdx -Path ext4.vhdx -Differencing -BlockSizeBytes 1048576 </code></pre></div> <p>When creating virtual hard disks for linux, <strong>make sure that you use 1MB block size</strong>. Default block size of 32MB will result in fairly large vhdx file once it starts to get filled.</p> <p>Only article where I found this recommendation is <a href="https://www.altaro.com/hyper-v/understanding-working-vhdx-files/">Understanding and Working with VHD(X) Files</a></p> <blockquote> <p>For Linux systems, there is a soft recommendation to use a 1 megabyte block size</p> </blockquote> <p>By examining <code>ext4.vhdx</code> created by the installation, details also show 1MB block size<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>PS E:\WSL2\Ubuntu-Copy&gt; Get-VHD .\ext4.vhdx | Format-List ComputerName : PC123 Path : E:\WSL2\Ubuntu-Copy\ext4.vhdx VhdFormat : VHDX VhdType : Dynamic FileSize : 1164967936 Size : 274877906944 MinimumSize : LogicalSectorSize : 512 PhysicalSectorSize : 4096 BlockSize : 1048576 ParentPath : DiskIdentifier : A96ADE57-4838-48EA-97A9-DE02790ADCB4 FragmentationPercentage : 53 Alignment : 1 Attached : False DiskNumber : IsPMEMCompatible : False AddressAbstractionType : None Number : </code></pre></div> <h3> BlockSize effect on a dynamic disk file size </h3> <p>A little digression. Comparing a file size for vhdx with 1MB block size vs default 32MB block size.</p> <p>I've created two vhdx files:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>PS E:\Temp&gt; New-VHD -Path .\256_default.vhdx -SizeBytes 256GB Path : E:\Temp\256_default.vhdx VhdFormat : VHDX VhdType : Dynamic FileSize : 4194304 Size : 274877906944 MinimumSize : LogicalSectorSize : 512 PhysicalSectorSize : 4096 BlockSize : 33554432 </code></pre></div> <p>and<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>PS E:\Temp&gt; New-VHD -Path .\256_1mb.vhdx -SizeBytes 256GB -BlockSizeBytes 1MB Path : E:\Temp\256_1mb.vhdx VhdFormat : VHDX VhdType : Dynamic FileSize : 6291456 Size : 274877906944 MinimumSize : LogicalSectorSize : 512 PhysicalSectorSize : 4096 BlockSize : 1048576 </code></pre></div> <p>Initial sizes were 4MB and 6MB.</p> <p>Attached them to a Hyper-V VM, booted the <code>alpine-virt-3.12.0-x86_64.iso</code> .</p> <p>Then I ran <code>mkfs.ext4 /dev/sda</code> and <code>mkfs.ext4 /dev/sdb</code> and shut down the VM.</p> <p>Resulting files are<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>PS E:\Temp&gt; Get-VHD .\256_default.vhdx | Format-List Path : E:\Temp\256_default.vhdx VhdFormat : VHDX VhdType : Dynamic FileSize : 4869586944 Size : 274877906944 MinimumSize : LogicalSectorSize : 512 PhysicalSectorSize : 4096 BlockSize : 33554432 </code></pre></div> <p>and<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>PS E:\Temp&gt; Get-VHD .\256_1mb.vhdx | Format-List Path : E:\Temp\256_1mb.vhdx VhdFormat : VHDX VhdType : Dynamic FileSize : 162529280 Size : 274877906944 MinimumSize : LogicalSectorSize : 512 PhysicalSectorSize : 4096 BlockSize : 1048576 </code></pre></div> <p>As you can see, after making the ext4 filesystem on a 256GB dynamic disk, the one with a 32MB block size grew to <strong>4,53GB</strong> while while the one with the 1MB block size grew to just 155MB.</p> <h2> The end </h2> <p>Anyway, WSL2 seems interesting enough 😁</p> wsl Miro Sat, 25 Jul 2020 17:25:09 +0000 https://dev.to/milolav/socket-activation-of-containers-using-traefik-s-forwardauth-4hmo https://dev.to/milolav/socket-activation-of-containers-using-traefik-s-forwardauth-4hmo <p>This is just an idea of mixing &amp; matching a few services to get something like socket activation for docker containers.</p> <p>Let's say there is a web hook which isn't triggered very often and it is created as a docker container. There is no point of running the container all the time just for an occasional calls to a web hook. But there is a problem how to start a container when needed, when a request is sent for that hook. Of course I could have something like OpenFaaS but that seems like a overkill for an intermittent process. In addition, OpenFaaS doesn't support mounting volumes by design so if I want to receive a file, confirm that it is received, process it in the background and store it somewhere on a filesystem, it requires an additional effort.</p> <p>I'm already using <a href="https://traefik.io">Traefik</a> as a reverse proxy and <a href="https://github.com/adnanh/webhook">webhook</a> for some scenarios and I wanted to see if I could use that to achieve something similar to socket activation.</p> <p>Traefik doesn't have "execute this shell script" middleware, but it does have <a href="https://docs.traefik.io/middlewares/forwardauth/">ForwardAuth</a> middleware. It sends the request to the AuthServer and if the response code is 2XX access is granted ad original request is performed.</p> <p>So my idea was: <em>If I use webhook as an "AuthServer" with a hook being a shell script that starts a container, could this work?</em></p> <p>As it turns out, <strong>it does work</strong>.</p> <h2> The setup </h2> <p>Instead of an actual container doing some work, this example will just be starting simple nginx container, and stopping it after 20 seconds.</p> <p>In a proper setup, instead of a nginx there would be a real container doing real processing and after processing is complete it would exit gracefully. Instead of blindly running a container, and stopping it after 20 seconds, there would be check in place whether the container is already running etc. Pretty much everything that OpenFaaS Gateway module does. But this is just a general idea.</p> <p>First I have a docker container which has webhook and docker-cli installed, built as:<br> </p> <div class="highlight"><pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> golang:alpine3.11 AS build</span> <span class="k">WORKDIR</span><span class="s"> /go/src/github.com/adnanh/webhook</span> <span class="k">ENV</span><span class="s"> WEBHOOK_VERSION 2.7.0</span> <span class="k">RUN </span>apk add <span class="nt">--update</span> <span class="nt">-t</span> build-deps curl libc-dev gcc libgcc <span class="se">\ </span> <span class="o">&amp;&amp;</span> curl <span class="nt">-sSL</span> https://github.com/adnanh/webhook/archive/<span class="k">${</span><span class="nv">WEBHOOK_VERSION</span><span class="k">}</span>.tar.gz <span class="se">\ </span> | <span class="nb">tar</span> <span class="nt">-xz</span> <span class="nt">-C</span> /go/src/github.com/adnanh/webhook <span class="nt">--strip</span> 1 <span class="se">\ </span> <span class="o">&amp;&amp;</span> go get <span class="nt">-d</span> <span class="se">\ </span> <span class="o">&amp;&amp;</span> go build <span class="nt">-o</span> /usr/local/bin/webhook <span class="k">FROM</span><span class="s"> alpine</span> <span class="k">COPY</span><span class="s"> --from=build /usr/local/bin/webhook /usr/local/bin/</span> <span class="k">RUN </span>apk update <span class="se">\ </span> <span class="o">&amp;&amp;</span> apk add <span class="nt">--no-cache</span> docker-cli <span class="k">WORKDIR</span><span class="s"> /etc/webhook</span> <span class="k">ENTRYPOINT</span><span class="s"> ["/usr/local/bin/webhook"]</span> </code></pre></div> <p>That container has configuration mounted as <code>/etc/webhook/hooks.json</code>:<br> </p> <div class="highlight"><pre class="highlight json"><code><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"start-nginx1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"execute-command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/etc/webhook/scripts/nginx1"</span><span class="p">,</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></code></pre></div> <p>A shell script that will be executed, which starts a container (mounted as <code>/etc/webhook/scripts/nginx1</code>)<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="c">#!/bin/sh</span> <span class="nb">set</span> <span class="nt">-e</span> docker run <span class="nt">-d</span> <span class="nt">--name</span> nginx1 <span class="nt">--network</span> skynet nginx:alpine <span class="nb">sleep </span>5 <span class="nb">nohup</span> /etc/webhook/scripts/nginx1-remove <span class="o">&gt;</span>&amp; /dev/null &amp; </code></pre></div> <p>And a shell script that will stop the container after 20 seconds<br> (mounted as <code>/etc/webhook/scripts/nginx1-remove</code>)<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="c">#!/bin/sh</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nb">sleep </span>20 <span class="o">&amp;&amp;</span> docker stop nginx1 <span class="o">&amp;&amp;</span> docker <span class="nb">rm </span>nginx1 </code></pre></div> <p>With that in place, let's call this container <code>activator</code> and start it like:<br> </p> <div class="highlight"><pre class="highlight shell"><code>docker run <span class="nt">-d</span> <span class="nt">--name</span><span class="o">=</span>activator <span class="se">\</span> <span class="nt">-v</span> /srv/activator:/etc/webhook <span class="se">\</span> <span class="nt">-v</span> /var/run/docker.sock:/var/run/docker.sock:ro <span class="se">\</span> <span class="nt">--network</span> skynet <span class="se">\</span> <span class="nb">test</span>/activator <span class="nt">-hooks</span><span class="o">=</span>/etc/webhook/hooks.json <span class="nt">-verbose</span> <span class="nt">-hotreload</span> </code></pre></div> <p>For Traefik, configuration (dynamic part) is:<br> </p> <div class="highlight"><pre class="highlight toml"><code><span class="nn">[http.routers]</span> <span class="nn">[http.routers.nginx1-http]</span> <span class="py">entryPoints</span> <span class="p">=</span> <span class="nn">["web"]</span> <span class="py">rule</span> <span class="p">=</span> <span class="s">"Host(</span><span class="se">\"</span><span class="s">nginx1.myservers.local</span><span class="se">\"</span><span class="s">)"</span> <span class="py">middlewares</span> <span class="p">=</span> <span class="nn">["auth-run"]</span> <span class="py">service</span> <span class="p">=</span> <span class="s">"nginx1"</span> <span class="nn">[http.middlewares]</span> <span class="nn">[http.middlewares.auth-run.forwardAuth]</span> <span class="py">address</span> <span class="p">=</span> <span class="s">"http://activator:9000/hooks/nginx1"</span> <span class="nn">[[http.services.nginx1.loadBalancer.servers]]</span> <span class="py">url</span> <span class="p">=</span> <span class="s">"http://nginx1/"</span> </code></pre></div> <h2> The execution </h2> <p>With all of the above set, and given that dns entries are correct and all containers are on the same network once the <a href="http://nginx1.myservers.local">http://nginx1.myservers.local</a> is opened in a browser, the following will happen:</p> <ol> <li>Browser will send a request to the Traefik</li> <li>Traefik will, as a part of the authorization, call the nginx1 hook</li> <li>Webhook will run a shell script</li> <li>Shell script will start docker container and start remove script detached</li> <li>If starting a shell script was successful, webhook will return code 200 to Traefik</li> <li>Traefik will accept that as a authorization confirmation and pass the request to the, now running, nginx1 container</li> <li>Nginx will respond with a welcome page</li> <li>Welcome page (from nginx) will be displayed in a browser</li> <li>After 20 seconds, nginx1 container will be removed</li> <li>It works!</li> </ol> <p>In a scenario where something wrong happens with a script (for example, a subsequent request within the 20sec period will fail to start a container with the same name while it is already running), webhook will not return 200, Traefik's authentication sequence will fail and browser will get unauthorized error.</p> <p>In a way this is exploiting ForwardAuth middleware for something totally different, but it does the trick.</p> <h2> The application </h2> <p>Where I see this idea fit is for intermittent web hooks that do some processing in the background. For example, when a web hook is triggered, response is sent right away (confirmation that data is received), while the processing continues in the background, and once complete, container can shut down.</p> docker traefik webhook Miro Sat, 25 Jul 2020 14:42:44 +0000 https://dev.to/milolav/reload-cron-jobs-in-an-alpine-linux-container-486b https://dev.to/milolav/reload-cron-jobs-in-an-alpine-linux-container-486b <p>TL;DR</p> <blockquote> <p>After updating <code>/etc/crontabs/root</code> , putting an empty <code>cron.update</code> file in the <code>/etc/crontabs</code> will update directory's last modification, cron daemon will reload jobs from the files in the <code>/etc/crontabs</code> and <code>cron.update</code> file will be deleted.</p> </blockquote> <h3> A bit more about why and how </h3> <p>In a situation where container's crontabs directory (<code>/etc/crontabs</code>) is mounted from a host, just editing file that container sees as a <code>/etc/crontabs/root</code> file outside of a container will not trigger a cron daemon to reload jobs.</p> <p>Looking at the <a href="https://git.busybox.net/busybox/tree/miscutils/crond.c">busybox source code</a>, there is a comment saying </p> <blockquote> <p>The file 'cron.update' is checked to determine new cron jobs. The directory is rescanned once an hour to deal with any screwups.</p> </blockquote> <p>Additionally, the code is checking if the <code>/etc/crontabs</code> directory's last modification time changed which triggers a job update. To update last modification time of a directory, something should be added, removed or renamed inside that directory (excluding subdirectories). For example, adding a random file put into the <code>/etc/crontabs</code> will update last modification time which will trigger reloading jobs in the next cycle (the next minute). This is good, since container doesn't have to be restarted for new jobs to take effect. The downside is a lack of feedback that this really happened.</p> <p>So, instead of a random file, a file named <code>cron.update</code> can be used to get a confirmation that jobs have been reloaded. File is used by crontab to notify cron daemon that a cron file has been updated and a cron daemon will delete <code>cron.update</code> once it reloads the jobs, meaning that if the file is gone, jobs are reloaded. Crontab writes the changed file name into the <code>cron.update</code> file, but since adding a file updates directory's last modification time, an empty file will do the trick.</p> docker alpine cron Miro Mon, 13 Apr 2020 20:03:55 +0000 https://dev.to/milolav/quickly-create-a-self-signed-certificate-for-a-custom-domain-3e7k https://dev.to/milolav/quickly-create-a-self-signed-certificate-for-a-custom-domain-3e7k <p>I often find myself needing a simple self signed certificate that is either for a wildcard domain or that cover multiple domain names. And then, even when I have openssl somewhere the questions are "do I have the config file?", "do I really need to fill in all those distinguished name values?", "where do I put additional domains", etc.</p> <p>So to make my life simpler I made a small batch script that takes domain names as arguments, creates configuration file and instructs openssl to create a self signed certificate for those domains.</p> <h2> Example usage </h2> <p>Requesting certificates like:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>E:\Temp&gt; self-signed-cert mydomain.local *.mydomain.local </code></pre></div> <p>will generate one certificate with 2 domain names (<code>mydomain.local</code> and <code>*.mydomain.local</code>) and will produce the following files:</p> <ol> <li>mydomain.local.conf - configuration file for openssl</li> <li>mydomain.local.key - private key</li> <li>mydomain.local.crt - certificate</li> <li>mydomain.local.pfx - a pkcs#12 file with both certificate and private key</li> </ol> <p>Content of the generated <code>mydomain.local.conf</code> file:<br> </p> <div class="highlight"><pre class="highlight ini"><code><span class="nn">[req]</span> <span class="py">default_bits</span> <span class="p">=</span> <span class="s">2048</span> <span class="py">prompt</span> <span class="p">=</span> <span class="s">no</span> <span class="py">default_md</span> <span class="p">=</span> <span class="s">sha256</span> <span class="py">distinguished_name</span> <span class="p">=</span> <span class="s">req_distinguished_name</span> <span class="py">x509_extensions</span> <span class="p">=</span> <span class="s">v3_req</span> <span class="nn">[req_distinguished_name]</span> <span class="py">CN</span> <span class="p">=</span> <span class="s">mydomain.local</span> <span class="nn">[v3_req]</span> <span class="py">subjectAltName</span> <span class="p">=</span> <span class="s">@san</span> <span class="nn">[san]</span> <span class="py">DNS.1</span> <span class="p">=</span> <span class="s">mydomain.local</span> <span class="py">DNS.2</span> <span class="p">=</span> <span class="s">*.mydomain.local</span> </code></pre></div> <p>And the generated certificate looks like this:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>Certificate: Data: Version: 3 (0x2) Serial Number: fc:55:a1:88:a5:68:67:0c Signature Algorithm: sha256WithRSAEncryption Issuer: CN = mydomain.local Validity Not Before: Apr 13 12:12:57 2020 GMT Not After : Apr 11 12:12:57 2030 GMT Subject: CN = mydomain.local Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:cb:d9:5c:bb:df:23:1e:69:5d:b2:45:06:d8:1f: d9:d1:4a:37:07:ab:c7:86:77:e0:2f:88:36:dc:f4: &lt;...&gt; 7d:70:b6:23:aa:9a:bc:57:83:c9:f8:13:3f:9f:b4: 01:54:71 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Alternative Name: DNS:mydomain.local, DNS:*.mydomain.local Signature Algorithm: sha256WithRSAEncryption b0:7b:4c:2c:f6:5e:40:2b:9d:9d:71:b1:d3:f8:0b:44:84:50: d1:ea:b0:91:fb:61:7d:d8:f8:d9:ca:5d:c8:b2:bf:d4:5d:75: &lt;...&gt; 5c:73:66:d1:52:10:11:2b:68:85:da:8a:16:3d:82:4f:0c:c5: 50:a5:85:81:4f:06:27:33 </code></pre></div> <h2> Batch file explained </h2> <div class="highlight"><pre class="highlight batchfile"><code><span class="k">if</span> <span class="o">[</span><span class="err">%</span><span class="m">1</span><span class="o">]==[]</span> <span class="o">(</span> <span class="nb">echo</span> <span class="kd">Usage</span>: <span class="err">%</span><span class="m">0</span> <span class="se">^&lt;</span><span class="kd">domain_name</span><span class="se">^&gt;</span> <span class="o">[</span><span class="kd">additional_domain</span><span class="o">]</span> <span class="o">[</span><span class="kd">additional_domain</span><span class="o">]</span> ... <span class="k">exit</span> <span class="na">/b </span><span class="m">1</span> <span class="o">)</span> </code></pre></div> <p>Just making sure that there is at least one argument<br> </p> <div class="highlight"><pre class="highlight batchfile"><code><span class="k">if</span> <span class="o">[</span><span class="err">%</span><span class="m">2</span><span class="o">]==[]</span> <span class="o">(</span><span class="kd">set</span> <span class="kd">addsan</span><span class="o">=)</span> <span class="k">else</span> <span class="o">(</span><span class="kd">set</span> <span class="kd">addsan</span><span class="o">=</span><span class="m">1</span><span class="o">)</span> </code></pre></div> <p>Checking if it is a single domain name or multiple domain name<br> </p> <div class="highlight"><pre class="highlight batchfile"><code><span class="kd">set</span> <span class="kd">fn</span><span class="o">=</span><span class="err">%</span><span class="o">~</span><span class="m">1</span> <span class="k">if</span> <span class="o">[</span><span class="vm">%fn</span>:<span class="o">~</span><span class="m">0</span><span class="o">,</span><span class="m">2</span><span class="err">%</span><span class="o">]</span> <span class="o">==</span> <span class="o">[*</span>.<span class="o">]</span> <span class="kd">set</span> <span class="kd">fn</span><span class="o">=</span>_wildcard.<span class="vm">%fn</span>:<span class="o">~</span><span class="m">2</span><span class="err">%</span> </code></pre></div> <p>Setting a file name for configuration and certificates. If the (first) domain name in the list is a wildcard domain, replace the asterisk character with "wildcard" word. Otherwise just take the domain name. So requesting a <code>*.mydomain.local</code> certificates will generate <code>wildcard.mydomain.local</code> files, while requesting <code>web1.mydomain.local</code> certificate will generate <code>web1.mydomain.local</code> files.</p> <p><code>%~1</code> - removing surrounding quotes around first argument. E.g. if the first argument is <code>"something with spaces"</code>, the <code>%~1</code> will remove the quotes.<br> <code>%fn:~0,2%</code> - substring, first two characters of the <code>fn</code> variable<br> <code>%fn:~2%</code> - substring, everything after 2nd character<br> </p> <div class="highlight"><pre class="highlight batchfile"><code><span class="nb">echo</span> <span class="o">[</span><span class="kd">req</span><span class="o">]&gt;</span><span class="nv">%fn%</span>.conf <span class="nb">echo</span> <span class="kd">default_bits</span> <span class="o">=</span> <span class="m">2048</span><span class="o">&gt;&gt;</span><span class="nv">%fn%</span>.conf <span class="nb">echo</span> <span class="nb">prompt</span> <span class="o">=</span> <span class="kd">no</span><span class="o">&gt;&gt;</span><span class="nv">%fn%</span>.conf <span class="nb">echo</span> <span class="kd">default_md</span> <span class="o">=</span> <span class="kd">sha256</span><span class="o">&gt;&gt;</span><span class="nv">%fn%</span>.conf <span class="nb">echo</span> <span class="kd">distinguished_name</span> <span class="o">=</span> <span class="kd">req_distinguished_name</span><span class="o">&gt;&gt;</span><span class="nv">%fn%</span>.conf <span class="k">if</span> <span class="o">[</span><span class="nv">%addsan%</span><span class="o">]</span> <span class="o">==</span> <span class="o">[</span><span class="m">1</span><span class="o">]</span> <span class="nb">echo</span> <span class="kd">x509_extensions</span> <span class="o">=</span> <span class="kd">v3_req</span><span class="o">&gt;&gt;</span><span class="nv">%fn%</span>.conf <span class="nb">echo</span>.&gt;&gt;<span class="nv">%fn%</span>.conf <span class="nb">echo</span> <span class="o">[</span><span class="kd">req_distinguished_name</span><span class="o">]&gt;&gt;</span><span class="nv">%fn%</span>.conf <span class="nb">echo</span> <span class="kd">CN</span> <span class="o">=</span> <span class="err">%</span><span class="o">~</span><span class="m">1</span><span class="o">&gt;&gt;</span><span class="nv">%fn%</span>.conf <span class="nb">echo</span>.&gt;&gt;<span class="nv">%fn%</span>.conf </code></pre></div> <p>Making the openssl configuration, named <code>%fn%.conf</code>.<br> </p> <div class="highlight"><pre class="highlight batchfile"><code><span class="k">if</span> <span class="ow">not</span> <span class="o">[</span><span class="nv">%addsan%</span><span class="o">]</span> <span class="o">==</span> <span class="o">[</span><span class="m">1</span><span class="o">]</span> <span class="k">goto</span> <span class="nl">:makecert</span> </code></pre></div> <p>Skip additional configuration if there is only one domain<br> </p> <div class="highlight"><pre class="highlight batchfile"><code><span class="nb">echo</span> <span class="o">[</span><span class="kd">v3_req</span><span class="o">]&gt;&gt;</span><span class="nv">%fn%</span>.conf <span class="nb">echo</span> <span class="kd">subjectAltName</span> <span class="o">=</span> @san&gt;&gt;<span class="nv">%fn%</span>.conf <span class="nb">echo</span>.&gt;&gt;<span class="nv">%fn%</span>.conf <span class="nb">echo</span> <span class="o">[</span><span class="kd">san</span><span class="o">]&gt;&gt;</span><span class="nv">%fn%</span>.conf <span class="kd">set</span> <span class="na">/a </span><span class="kd">sanid</span> <span class="o">=</span> <span class="m">0</span> </code></pre></div> <p>Additional configuration sections for multiple domain names.<br> </p> <div class="highlight"><pre class="highlight batchfile"><code><span class="nl">:sanloop</span> <span class="kd">set</span> <span class="na">/a </span><span class="kd">sanid</span><span class="o">+=</span><span class="m">1</span> <span class="nb">echo</span> <span class="kd">DNS</span>.<span class="nv">%sanid%</span> <span class="o">=</span> <span class="err">%</span><span class="o">~</span><span class="m">1</span><span class="o">&gt;&gt;</span><span class="nv">%fn%</span>.conf <span class="nb">shift</span> <span class="k">if</span> <span class="o">[</span><span class="err">%</span><span class="o">~</span><span class="m">1</span><span class="o">]==[]</span> <span class="k">goto</span> <span class="nl">:makecert</span> <span class="k">goto</span> <span class="nl">:sanloop</span> </code></pre></div> <p>Looping through the arguments. <br> <code>set /a sanid+=1</code> - increment counter so that each DNS entry has it's own number<br> <code>shift</code> - shift arguments so that %2 becomes %1, %3 becomes %2, etc<br> <code>if [%~1]==[] goto :makecert</code> - once there are no more arguments, break the loop<br> </p> <div class="highlight"><pre class="highlight batchfile"><code><span class="nl">:makecert</span> <span class="kd">openssl</span> <span class="kd">req</span> <span class="na">-new -x</span><span class="m">509</span> <span class="na">-nodes -days </span><span class="m">3650</span> <span class="na">-sha</span><span class="m">256</span> <span class="na">-newkey </span><span class="kd">rsa</span>:4096 <span class="na">-keyout </span><span class="nv">%fn%</span>.key <span class="na">-out </span><span class="nv">%fn%</span>.crt <span class="na">-config </span><span class="nv">%fn%</span>.conf <span class="kd">openssl</span> <span class="kd">pkcs12</span> <span class="na">-export -out </span><span class="nv">%fn%</span>.pfx <span class="na">-inkey </span><span class="nv">%fn%</span>.key <span class="na">-in </span><span class="nv">%fn%</span>.crt <span class="na">-name </span><span class="nv">%friendly%</span> <span class="na">-passout </span><span class="kd">pass</span>: </code></pre></div> <p>Finally, the openssl call. Frist create a new self signed certificate which is valid for 10 years, and then export it to pkcs#12 pfx file with an empty password.</p> <p>Make sure that openssl is somewhere in PATH.</p> <h2> self-signed-cert.cmd </h2> <div class="ltag_gist-liquid-tag"> </div> openssl batch Miro Thu, 09 Apr 2020 21:00:29 +0000 https://dev.to/milolav/simple-docker-http-socket-certificates-cf7 https://dev.to/milolav/simple-docker-http-socket-certificates-cf7 <p>I have a couple of Docker servers and I wanted to be able to manage them remotely. Reading about it, adding <code>-H tcp://0.0.0.0:2375</code> argument when starting docker daemon was simple enough solution but it also came with a warning that it is not secure.</p> <p>In addition, there is a <a href="https://docs.docker.com/engine/security/https/">Protect the Docker daemon socket</a> guide which covers how to expose http socket in a secure manner but it is also marked as an "Advanced topic" so I decided to make a simple shell script out of it.</p> <p>Tested on a clean Debian 10 after Docker installation. Full <code>docker-certs.sh</code> is at the bottom of the post.</p> <h2> Usage </h2> <div class="highlight"><pre class="highlight plaintext"><code>docker-cert.sh [options] OPTIONS: --all Same as --ca --server --client --service combined, default behaviour --ca Creates only self-signed Root CA --server Creates a server certificate, requires CA to be created first --client Creates a client certificate with a default name, requires CA to be created first --client=Name Creates a client certificate with provided name, requires CA to be created first --service Updates /lib/systemd/system/docker.service with socket listener and tls verification Note: all files will be created in /etc/docker/certs dir </code></pre></div> <p>Running it without any options like <code>sudo docker-cert.sh</code> will execute default behaviour, same as with the <code>--all</code> option. Script will do the following:</p> <ol> <li>Check if <code>/etc/docker/certs</code> directory exists, create if not</li> <li>Create a self-signed root CA with a common name <code>Docker ($FQDN) CA</code>. FQDN is <code>hostname</code> plus the first suffix from <code>/etc/resolv.conf</code> search line, or just hostname if search line is not found.</li> <li>Create a server certificate with a common name <code>Docker ($FQDN) Server</code>, signed by the root CA</li> <li>Create a client certificate with a common name <code>Docker ($FQDN) Client</code>, signed by the root CA</li> <li>Update <code>/lib/systemd/system/docker.service</code> to append socket listener and certificates to the start command. Like the following: </li> </ol> <div class="highlight"><pre class="highlight plaintext"><code>-H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server.pem --tlskey=/etc/docker/certs/server.key </code></pre></div> <ol> <li>Reloading systemctl daemon, <code>systemctl daemon-reload</code> </li> <li>Restart docker service, <code>systemctl restart docker</code> </li> </ol> <p>There are checks in place so if a file that is to be created already exist, script will exit. In the same way if <code>docker.service</code> contains <code>-H tcp://</code> in the <code>ExecStart</code> line, script will exit.</p> <h3> Additional clients </h3> <p>Additional clients can be created afterwards by running <code>sudo docker-cert.sh --client=Another</code> which will create <code>client_another.key</code> and <code>client_another.pem</code> files, and common name will be <code>Docker ($FQDN) Client Another</code></p> <h2> Accessing remotely from Windows </h2> <p>Once certificates are created and docker daemon is running, it is time to test connectivity from a client windows machine. Tutorial suggests<br> </p> <div class="highlight"><pre class="highlight shell"><code>docker <span class="nt">--tlsverify</span> <span class="nt">--tlscacert</span><span class="o">=</span>ca.pem <span class="nt">--tlscert</span><span class="o">=</span>cert.pem <span class="nt">--tlskey</span><span class="o">=</span>key.pem <span class="se">\</span> <span class="nt">-H</span><span class="o">=</span><span class="nv">$HOST</span>:2376 </code></pre></div> <p>or setting environment variables like DOCKER_HOST or DOCKER_CERT_PATH for a directory where certificates are stored.</p> <p>First approach looks cumbersome to type every time, and second approach doesn't work for multiple servers with different certificates.</p> <h3> Batch file </h3> <p>I opted to create a small batch file to interact with docker.</p> <p>Let's say that my docker server is named <code>dock1</code>, domain suffix is <code>local</code>. I've created certificates using the script so I have <code>Docker (dock1.local) Server</code> certificate.</p> <p>After that I copied <code>ca.pem</code>, <code>client.key</code>, <code>client.pem</code> from server to my windows machine into the <code>%USERPROFILE%\.docker\dock1</code> folder.</p> <p>Created a batch file named <code>dock1.bat</code> with the following content:<br> </p> <div class="highlight"><pre class="highlight powershell"><code><span class="err">@</span><span class="nf">echo</span><span class="w"> </span><span class="nx">off</span><span class="w"> </span><span class="nf">set</span><span class="w"> </span><span class="nx">DATADIR</span><span class="o">=%</span><span class="nf">USERPROFILE</span><span class="o">%</span><span class="nx">\.docker\</span><span class="o">%</span><span class="nx">~n0</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="nf">exist</span><span class="w"> </span><span class="s2">"%DATADIR%\host.var"</span><span class="w"> </span><span class="p">(</span><span class="nf">set</span><span class="w"> </span><span class="nx">/p</span><span class="w"> </span><span class="nx">DOCKERHOST</span><span class="o">=</span><span class="err">&lt;</span><span class="s2">"%DATADIR%\host.var"</span><span class="p">)</span><span class="w"> </span><span class="kr">else</span><span class="w"> </span><span class="p">(</span><span class="nf">set</span><span class="w"> </span><span class="nx">DOCKERHOST</span><span class="o">=%</span><span class="nf">~n0</span><span class="p">)</span><span class="w"> </span><span class="nf">docker</span><span class="w"> </span><span class="nt">--tlsverify</span><span class="w"> </span><span class="nt">--tlscacert</span><span class="o">=</span><span class="s2">"%DATADIR%\ca.pem"</span><span class="w"> </span><span class="nt">--tlscert</span><span class="o">=</span><span class="s2">"%DATADIR%\client.pem"</span><span class="w"> </span><span class="nt">--tlskey</span><span class="o">=</span><span class="s2">"%DATADIR%\client.key"</span><span class="w"> </span><span class="nt">-H</span><span class="o">=%</span><span class="nf">DOCKERHOST</span><span class="o">%</span><span class="p">:</span><span class="nx">2376</span><span class="w"> </span><span class="o">%*</span><span class="w"> </span></code></pre></div> <p>and put that batch file somewhere in the PATH.</p> <p>(broken into multiple lines for readability):<br> </p> <div class="highlight"><pre class="highlight powershell"><code><span class="nf">set</span><span class="w"> </span><span class="nx">DATADIR</span><span class="o">=%</span><span class="nf">USERPROFILE</span><span class="o">%</span><span class="nx">\.docker\</span><span class="o">%</span><span class="nx">~n0</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="nf">exist</span><span class="w"> </span><span class="s2">"%DATADIR%\host.var"</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="nf">set</span><span class="w"> </span><span class="nx">/p</span><span class="w"> </span><span class="nx">DOCKERHOST</span><span class="o">=</span><span class="err">&lt;</span><span class="s2">"%DATADIR%\host.var"</span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="kr">else</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="nf">set</span><span class="w"> </span><span class="nx">DOCKERHOST</span><span class="o">=%</span><span class="nf">~n0</span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="nf">docker</span><span class="w"> </span><span class="nt">--tlsverify</span><span class="w"> </span><span class="nt">--tlscacert</span><span class="o">=</span><span class="s2">"%DATADIR%\ca.pem"</span><span class="w"> </span><span class="nt">--tlscert</span><span class="o">=</span><span class="s2">"%DATADIR%\client.pem"</span><span class="w"> </span><span class="nt">--tlskey</span><span class="o">=</span><span class="s2">"%DATADIR%\client.key"</span><span class="w"> </span><span class="nt">-H</span><span class="o">=%</span><span class="nf">DOCKERHOST</span><span class="o">%</span><span class="p">:</span><span class="nx">2376</span><span class="w"> </span><span class="o">%*</span><span class="w"> </span></code></pre></div> <p>So when I run <code>dock1 info</code> from the command line that translates into the following command (broken into multiple lines for readability):<br> </p> <div class="highlight"><pre class="highlight powershell"><code><span class="nf">docker</span><span class="w"> </span><span class="nt">--tlsverify</span><span class="w"> </span><span class="nt">--tlscacert</span><span class="o">=</span><span class="s2">"C:\Users\user\ca.pem"</span><span class="w"> </span><span class="nt">--tlscert</span><span class="o">=</span><span class="s2">"C:\Users\user\client.pem"</span><span class="w"> </span><span class="nt">--tlskey</span><span class="o">=</span><span class="s2">"C:\Users\user\client.key"</span><span class="w"> </span><span class="nt">-H</span><span class="o">=</span><span class="nf">dock1:2376</span><span class="w"> </span><span class="nx">info</span><span class="w"> </span></code></pre></div> <p>and running it displays docker system-wide information.</p> <p>It works for all docker commands, like<code>dock1 images</code>, <code>dock1 ps</code>, <code>dock1 run ....</code> etc.</p> <h3> More fun with batch file </h3> <p>Ok, so the batch file above has some additional lines and variables. Let me explain them:</p> <p><code>%~n0</code> - this is the name of the file without extension. So if have file named <code>dock1.bat</code> it will have <code>dock1</code> value. If I name it <code>dock365.bat</code> it will have <code>dock365</code> value.</p> <p><code>set DATADIR=%USERPROFILE%\.docker\%~n0</code> - I'm using it to set the path where certificates are stored to a folder named the same as the batch file within my user profile &gt; .docker folder.</p> <p><code>if exist "%DATADIR%\host.var" (set /p DOCKERHOST=&lt;"%DATADIR%\host.var") else (set DOCKERHOST=%~n0)</code> - if hostname of docker server is different from the batch file name, this allows me to put real hostname into the file which will be read into the variable.<br> So if <code>host.var</code> file does not exist, <code>%DOCKERHOST%</code> variable will contain name of the batch file without extension (<code>dock1</code> for example). But if I want to access docker using <code>dock1.local</code> hostname, I can put <code>dock1.local</code> into the <code>host.var</code> file and then the <code>%DOCKERHOST%</code> variable will contain <code>dock1.local</code> value.</p> <p><code>set /p DOCKERHOST=&lt;"%DATADIR%\host.var"</code> - set variable to a value being read from the input file.</p> <p><code>%*</code> - passing all arguments that batch file received.</p> <p>What this batch script allows me is to have one txt file, let's name it <code>docker_batch.txt</code>, instead of the batch file. And then a symbolic link for each docker server I have. Created like this:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>mklink dock1.bat docker_batch.txt mklink dock365.bat docker_batch.txt </code></pre></div> <p>Pretty cool. </p> <h2> docker-certs.sh </h2> <div class="ltag_gist-liquid-tag"> </div> docker security Miro Thu, 09 Apr 2020 18:26:28 +0000 https://dev.to/milolav/sed-update-line-that-starts-with-but-does-not-contain-m46 https://dev.to/milolav/sed-update-line-that-starts-with-but-does-not-contain-m46 <p>I wanted to update my docker.service file to include tls certificates in the start command. The idea was to search for the line that starts with <code>ExecStart=</code> but also not to change anything if that line already contains tcp header <code>-H tcp://</code>. It turned out to be a bit more complicated than expected.</p> <h2> Result </h2> <div class="highlight"><pre class="highlight shell"><code><span class="nb">sed</span> <span class="nt">-i</span> <span class="s1">'\|^ExecStart=.*-H tcp://|! s|^ExecStart=.*|\0 -H tcp://0.0.0.0:2376 --tlsverify --tlscacert='</span><span class="nv">$PWD</span><span class="s1">'/ca.pem --tlscert='</span><span class="nv">$PWD</span><span class="s1">'/server.pem --tlskey='</span><span class="nv">$PWD</span><span class="s1">'/server.key|'</span> /lib/systemd/system/docker.service </code></pre></div> <p>Broken in multiple lines for readability<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nb">sed</span> <span class="nt">-i</span> <span class="s1">'\|^ExecStart=.*-H tcp://|! s|^ExecStart=.*|\0 -H tcp://0.0.0.0:2376 --tlsverify --tlscacert='</span><span class="nv">$PWD</span><span class="s1">'/ca.pem --tlscert='</span><span class="nv">$PWD</span><span class="s1">'/server.pem --tlskey='</span><span class="nv">$PWD</span><span class="s1">'/server.key|'</span> /lib/systemd/system/docker.service </code></pre></div> <p>In a nutshell, it excludes all lines that start with <code>ExecStart=</code> and contain <code>-H tcp://</code> and out of remaining lines, if a line starts with <code>ExecStart=</code>, it appends additional arguments to the end of the line.</p> <h2> Explanation </h2> <p><code>sed -i</code> means that we will change a file in place.</p> <p><code>\|A|! s|S|R|</code> - using pipes instead of slashes makes it easier when dealing with paths. Note that syntax starts with a backslash when using special delimiters with addresses (<code>A</code> part).<br> Using standard slashes would be like <code>/A/! s/S/R/</code>, without leading backslash.</p> <p><code>\|^ExecStart=.*-H tcp://|!</code> - using the addresses in sed, exclude lines that start with <code>ExecStart=</code> and have <code>-H tcp://</code> down the line.</p> <p><code>s|^ExecStart=.*|\0 -H tcp://0.0.0.0:2376 ...</code> - search for a line that starts with <code>ExecStart=</code> and grab the rest of the line using <code>.*</code> . In the replace part, <code>\0</code> will hold the complete line match and the rest is additional text that is appended to the line.</p> <p><code>/lib/systemd/system/docker.service</code> - file that is being edited</p> <h2> Conclusion </h2> <p>For a single line change, a file can be checked if the update is actually required before updating it, and then the exclusion part is not needed at all. But if there are more lines that require similar update this could do the trick.</p> bash sed Miro Fri, 17 Jan 2020 16:38:32 +0000 https://dev.to/milolav/installing-windows-on-vhd-to-use-with-hyper-v-1j8e https://dev.to/milolav/installing-windows-on-vhd-to-use-with-hyper-v-1j8e <p>One PowerShell script that I've been using for a long time to prepare disk and install Windows for Hyper-V VMs. Since Microsoft released Windows Sandbox I'm not using it as often because sandbox starts faster and for simple application testing that's good enough. But every now and then I need a full VM and here you can find the script I'm using.</p> <p>It takes a few of minutes to complete and then a few more minutes for windows setup to complete the first boot. Compared that to manual installation, faster and compared to Hyper-V "Install an OS from a bootable CD/DVD" it's more flexible.</p> <p>It does the following:</p> <ol> <li>Mounting Installation ISO file</li> <li>Presenting a menu to choose edition to install</li> <li>Creating virtual hard disk</li> <li>Installing windows using DISM tool</li> <li>Setting up boot configuration</li> <li>Copying unattend.xml</li> <li>Cleaning up</li> </ol> <h2> Example Usage </h2> <div class="highlight"><pre class="highlight powershell"><code><span class="o">.</span><span class="nf">\Prepare-VirtualWinVhd.ps1</span><span class="w"> </span><span class="nt">-VhdFile</span><span class="w"> </span><span class="s2">"TestWin.vhdx"</span><span class="w"> </span><span class="nt">-WinIso</span><span class="w"> </span><span class="s2">"en_windows_10_multi-edition_version_1709_updated_dec_2017_x64_dvd_100406711.iso"</span><span class="w"> </span><span class="nt">-WinEdition</span><span class="w"> </span><span class="s2">"Windows 10 Enterprise"</span><span class="w"> </span><span class="nt">-VhdSize</span><span class="w"> </span><span class="mi">60</span><span class="nf">GB</span><span class="w"> </span><span class="nt">-EfiLetter</span><span class="w"> </span><span class="nx">R</span><span class="w"> </span><span class="nt">-VirtualWinLetter</span><span class="w"> </span><span class="nf">W</span><span class="w"> </span><span class="nt">-UnattendFile</span><span class="w"> </span><span class="s2">".\unattend.xml"</span><span class="w"> </span></code></pre></div> <h2> Script explained </h2> <p>Some defaults for the script. Installing Windows 10 Enterprise on a 40GB VHD. We will be using drive letter R for Efi partition and W for Windows partition. <strong>Make sure to pick letters are not assigned on your current windows installation</strong>. In addition to the installation, the unattend.xml file will also be copied to the VHD.<br> </p> <div class="highlight"><pre class="highlight powershell"><code><span class="kr">param</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="nv">$WinIso</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="nv">$VhdFile</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="nv">$WinEdition</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"Windows 10 Enterprise"</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="kt">long</span><span class="p">]</span><span class="nv">$VhdSize</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">40</span><span class="nf">GB</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="kt">char</span><span class="p">]</span><span class="nv">$EfiLetter</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">'R'</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="kt">char</span><span class="p">]</span><span class="nv">$VirtualWinLetter</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">'W'</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="nv">$UnattendFile</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"unattend.xml"</span><span class="w"> </span><span class="p">)</span><span class="w"> </span></code></pre></div> <p>In the very beginning of the script we are setting <code>$ErrorActionPreference</code> to <code>Stop</code> so that it stops on any error. In addition we need to make sure that script is run with elevated privileges. Both DISM and Diskpart require elevated privileges:<br> </p> <div class="highlight"><pre class="highlight powershell"><code><span class="bp">$Error</span><span class="nf">ActionPreference</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">'Stop'</span><span class="w"> </span><span class="kr">if</span><span class="p">(</span><span class="o">-not</span><span class="w"> </span><span class="p">[</span><span class="kt">bool</span><span class="p">]([</span><span class="no">Security.Principal.</span><span class="kt">WindowsIdentity</span><span class="p">]::</span><span class="nf">GetCurrent</span><span class="p">()</span><span class="o">.</span><span class="nf">Groups</span><span class="w"> </span><span class="o">-contains</span><span class="w"> </span><span class="s1">'S-1-5-32-544'</span><span class="p">))</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nf">Write-Error</span><span class="w"> </span><span class="s2">"Script must be started as an Administrator"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> <h3> Mounting Installation ISO file </h3> <p>Mounting iso file using <code>Mount-DiskImage</code>, and getting the drive letter of mounted image<br> </p> <div class="highlight"><pre class="highlight powershell"><code><span class="nv">$WinIso</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nf">Resolve-Path</span><span class="w"> </span><span class="nv">$WinIso</span><span class="w"> </span><span class="nf">Write-Progress</span><span class="w"> </span><span class="s2">"Mounting </span><span class="nv">$WinIso</span><span class="s2"> ..."</span><span class="w"> </span><span class="nv">$MountResult</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nf">Mount-DiskImage</span><span class="w"> </span><span class="nt">-ImagePath</span><span class="w"> </span><span class="nv">$WinIso</span><span class="w"> </span><span class="nt">-StorageType</span><span class="w"> </span><span class="nx">ISO</span><span class="w"> </span><span class="nt">-PassThru</span><span class="w"> </span><span class="nv">$DriveLetter</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="nv">$MountResult</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">Get-Volume</span><span class="p">)</span><span class="o">.</span><span class="nf">DriveLetter</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="o">-not</span><span class="w"> </span><span class="nv">$DriveLetter</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nf">Write-Error</span><span class="w"> </span><span class="s2">"ISO file not loaded correctly"</span><span class="w"> </span><span class="nt">-ErrorAction</span><span class="w"> </span><span class="nx">Continue</span><span class="w"> </span><span class="nf">Dismount-DiskImage</span><span class="w"> </span><span class="nt">-ImagePath</span><span class="w"> </span><span class="nv">$WinIso</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">Out-Null</span><span class="w"> </span><span class="nx">return</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="nf">Write-Progress</span><span class="w"> </span><span class="s2">"Mounting </span><span class="nv">$WinIso</span><span class="s2"> ... Done"</span><span class="w"> </span></code></pre></div> <h3> Presenting a menu to choose edition to install </h3> <p>Once iso is mounted, we are using dism tool to enumerate all windows editions stored in install.wim file.<br> </p> <div class="highlight"><pre class="highlight powershell"><code><span class="nv">$WimFile</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"</span><span class="si">$(</span><span class="nv">$DriveLetter</span><span class="si">)</span><span class="s2">:\sources\install.wim"</span><span class="w"> </span><span class="nf">Write-Host</span><span class="w"> </span><span class="s2">"Inspecting </span><span class="nv">$WimFile</span><span class="s2">"</span><span class="w"> </span><span class="nv">$WimOutput</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nf">dism</span><span class="w"> </span><span class="nx">/get-wiminfo</span><span class="w"> </span><span class="nx">/wimfile:</span><span class="se">`"</span><span class="nv">$WimFile</span><span class="se">`"</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">Out-String</span><span class="w"> </span></code></pre></div> <p>Output of <code>dism /get-wiminfo</code> command looks like this:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>C:\WINDOWS\system32&gt;dism /get-wiminfo /wimfile:f:\sources\install.wim Deployment Image Servicing and Management tool Version: 10.0.18362.1 Details for image : f:\sources\install.wim Index : 1 Name : Windows 10 Education Description : Windows 10 Education Size : 14.780.927.379 bytes Index : 2 Name : Windows 10 Education N Description : Windows 10 Education N Size : 13.958.508.090 bytes Index : 3 Name : Windows 10 Enterprise Description : Windows 10 Enterprise Size : 14.781.260.269 bytes ... </code></pre></div> <p>So parsing it with regex we want to extract Index and Name<br> </p> <div class="highlight"><pre class="highlight powershell"><code><span class="nv">$WimInfo</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$WimOutput</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">Select-String</span><span class="w"> </span><span class="s2">"(?smi)Index : (?&lt;Id&gt;\d+).*?Name : (?&lt;Name&gt;[^</span><span class="se">`r`n</span><span class="s2">]+)"</span><span class="w"> </span><span class="nt">-AllMatches</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="nv">$WimInfo</span><span class="o">.</span><span class="nf">Matches</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nf">Write-Error</span><span class="w"> </span><span class="s2">"Images not found in install.wim</span><span class="se">`r`n</span><span class="nv">$WimOutput</span><span class="s2">"</span><span class="w"> </span><span class="nt">-ErrorAction</span><span class="w"> </span><span class="nx">Continue</span><span class="w"> </span><span class="nf">Dismount-DiskImage</span><span class="w"> </span><span class="nt">-ImagePath</span><span class="w"> </span><span class="nv">$WinIso</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">Out-Null</span><span class="w"> </span><span class="nx">return</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> <p>And build the menu selecting the Edition that was passed to the script as a parameter just to make things easier. In addition we are checking that selected value is valid.<br> </p> <div class="highlight"><pre class="highlight powershell"><code><span class="nv">$Items</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">@{</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="nv">$Menu</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">""</span><span class="w"> </span><span class="nv">$DefaultIndex</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="nv">$WimInfo</span><span class="o">.</span><span class="nf">Matches</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">ForEach-Object</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nv">$Items</span><span class="o">.</span><span class="nf">Add</span><span class="p">([</span><span class="kt">int</span><span class="p">]</span><span class="bp">$_</span><span class="o">.</span><span class="nf">Groups</span><span class="p">[</span><span class="s2">"Id"</span><span class="p">]</span><span class="o">.</span><span class="nf">Value</span><span class="p">,</span><span class="w"> </span><span class="bp">$_</span><span class="o">.</span><span class="nf">Groups</span><span class="p">[</span><span class="s2">"Name"</span><span class="p">]</span><span class="o">.</span><span class="nf">Value</span><span class="p">)</span><span class="w"> </span><span class="nv">$Menu</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="bp">$_</span><span class="o">.</span><span class="nf">Groups</span><span class="p">[</span><span class="s2">"Id"</span><span class="p">]</span><span class="o">.</span><span class="nf">Value</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s2">") "</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="bp">$_</span><span class="o">.</span><span class="nf">Groups</span><span class="p">[</span><span class="s2">"Name"</span><span class="p">]</span><span class="o">.</span><span class="nf">Value</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s2">"</span><span class="se">`r`n</span><span class="s2">"</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="bp">$_</span><span class="o">.</span><span class="nf">Groups</span><span class="p">[</span><span class="s2">"Name"</span><span class="p">]</span><span class="o">.</span><span class="nf">Value</span><span class="w"> </span><span class="o">-eq</span><span class="w"> </span><span class="nv">$WinEdition</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nv">$DefaultIndex</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="kt">int</span><span class="p">]</span><span class="bp">$_</span><span class="o">.</span><span class="nf">Groups</span><span class="p">[</span><span class="s2">"Id"</span><span class="p">]</span><span class="o">.</span><span class="nf">Value</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="nf">Write-Output</span><span class="w"> </span><span class="nv">$Menu</span><span class="w"> </span><span class="kr">do</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="kr">try</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nv">$err</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="bp">$false</span><span class="w"> </span><span class="nv">$WimIdx</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(([</span><span class="kt">int</span><span class="p">]</span><span class="nv">$val</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nf">Read-Host</span><span class="w"> </span><span class="s2">"Please select version [</span><span class="nv">$DefaultIndex</span><span class="s2">]"</span><span class="p">)</span><span class="w"> </span><span class="o">-eq</span><span class="w"> </span><span class="s2">""</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nv">$DefaultIndex</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">else</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nv">$val</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="o">-not</span><span class="w"> </span><span class="nv">$Items</span><span class="o">.</span><span class="nf">ContainsKey</span><span class="p">(</span><span class="nv">$WimIdx</span><span class="p">))</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nv">$err</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="bp">$true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">catch</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nv">$err</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="bp">$true</span><span class="p">;</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">while</span><span class="w"> </span><span class="p">(</span><span class="nv">$err</span><span class="p">)</span><span class="w"> </span><span class="nf">Write-Output</span><span class="w"> </span><span class="nv">$Items</span><span class="p">[</span><span class="nv">$WimIdx</span><span class="p">]</span><span class="w"> </span></code></pre></div> <p>It will present a menu like this:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>1) Windows 10 Education 2) Windows 10 Education N 3) Windows 10 Enterprise 4) Windows 10 Enterprise N 5) Windows 10 Pro 6) Windows 10 Pro N 7) Windows 10 Pro Education 8) Windows 10 Pro Education N 9) Windows 10 Pro for Workstations 10) Windows 10 Pro N for Workstations Please select version [3]: </code></pre></div> <h3> Creating virtual hard disk </h3> <p>Now that we know what we want to install, it is time to prepare disk for installation. First we ensure that <code>$VhdFile</code> is full path, expanding it as needed, and that the file does not exists. If filename was not given as a parameter we are using Windows edition name.<br> </p> <div class="highlight"><pre class="highlight powershell"><code><span class="kr">If</span><span class="w"> </span><span class="p">(</span><span class="o">!</span><span class="nv">$VhdFile</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nv">$VhdFile</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="bp">$ExecutionContext</span><span class="o">.</span><span class="nf">SessionState</span><span class="o">.</span><span class="nf">Path</span><span class="o">.</span><span class="nf">GetUnresolvedProviderPathFromPSPath</span><span class="p">(</span><span class="nv">$Items</span><span class="p">[</span><span class="nv">$WimIdx</span><span class="p">]</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s2">".vhdx"</span><span class="p">)</span><span class="w"> </span><span class="p">}</span><span class="kr">else</span><span class="p">{</span><span class="w"> </span><span class="nv">$VhdFile</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="bp">$ExecutionContext</span><span class="o">.</span><span class="nf">SessionState</span><span class="o">.</span><span class="nf">Path</span><span class="o">.</span><span class="nf">GetUnresolvedProviderPathFromPSPath</span><span class="p">(</span><span class="nv">$VhdFile</span><span class="p">)</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="nf">Test-Path</span><span class="w"> </span><span class="nv">$VhdFile</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nf">Write-Error</span><span class="w"> </span><span class="s2">"Vhd file '</span><span class="nv">$VhdFile</span><span class="s2">' allready exists."</span><span class="w"> </span><span class="nt">-ErrorAction</span><span class="w"> </span><span class="nx">Continue</span><span class="w"> </span><span class="nf">Dismount-DiskImage</span><span class="w"> </span><span class="nt">-ImagePath</span><span class="w"> </span><span class="nv">$WinIso</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">Out-Null</span><span class="w"> </span><span class="nx">return</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> <p>Then we create a new VHD using New-VHD command, mount it and get the disk number used in diskpart.<br> </p> <div class="highlight"><pre class="highlight powershell"><code><span class="nv">$disk</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nf">New-VHD</span><span class="w"> </span><span class="nv">$VhdFile</span><span class="w"> </span><span class="nv">$VhdSize</span><span class="w"> </span><span class="nf">Mount-DiskImage</span><span class="w"> </span><span class="nt">-ImagePath</span><span class="w"> </span><span class="nv">$VhdFile</span><span class="w"> </span><span class="nv">$disknumber</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="nf">Get-DiskImage</span><span class="w"> </span><span class="nt">-ImagePath</span><span class="w"> </span><span class="nv">$VhdFile</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">Get-Disk</span><span class="p">)</span><span class="o">.</span><span class="nf">Number</span><span class="w"> </span></code></pre></div> <p>Additionally just as an precaution, make sure that disk number is not 0 which is usually main system disk<br> </p> <div class="highlight"><pre class="highlight powershell"><code><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="nv">$disknumber</span><span class="w"> </span><span class="o">-eq</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nf">Write-Error</span><span class="w"> </span><span class="s2">"Unexpected disk number"</span><span class="w"> </span><span class="nt">-ErrorAction</span><span class="w"> </span><span class="nx">Continue</span><span class="w"> </span><span class="nf">Dismount-DiskImage</span><span class="w"> </span><span class="nt">-ImagePath</span><span class="w"> </span><span class="nv">$VhdFile</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">Out-Null</span><span class="w"> </span><span class="nt">-ErrorAction</span><span class="w"> </span><span class="nx">Continue</span><span class="w"> </span><span class="nf">Dismount-DiskImage</span><span class="w"> </span><span class="nt">-ImagePath</span><span class="w"> </span><span class="nv">$WinIso</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">Out-Null</span><span class="w"> </span><span class="nt">-ErrorAction</span><span class="w"> </span><span class="nx">Continue</span><span class="w"> </span><span class="kr">return</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> <p>To partition disk we are using a list of commands piped to diskpart. In addition we are assigning known letters to both EFI partition to configure boot record, and to partition for windows installation (future C drive)<br> </p> <div class="highlight"><pre class="highlight powershell"><code><span class="sh">@" select disk </span><span class="nv">$DiskNumber</span><span class="sh"> convert gpt select partition 1 delete partition override create partition primary size=300 format quick fs=ntfs create partition efi size=100 format quick fs=fat32 assign letter="</span><span class="nv">$EfiLetter</span><span class="sh">" create partition msr size=128 create partition primary format quick fs=ntfs assign letter="</span><span class="nv">$VirtualWinLetter</span><span class="sh">" exit "@</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">diskpart</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">Out-Null</span><span class="w"> </span></code></pre></div> <h3> Installing windows using DISM tool </h3> <p>Once the disk is ready we can apply image (install Windows) using dism tool. Since we are using all those variables it makes sense to build command line as a string and run it using <code>Invoke-Expression</code><br> </p> <div class="highlight"><pre class="highlight powershell"><code><span class="nf">Invoke-Expression</span><span class="w"> </span><span class="s2">"dism /apply-image /imagefile:</span><span class="se">`"</span><span class="nv">$WimFile</span><span class="se">`"</span><span class="s2"> /index:</span><span class="nv">$WimIdx</span><span class="s2"> /applydir:</span><span class="si">$(</span><span class="nv">$VirtualWinLetter</span><span class="si">)</span><span class="s2">:\"</span><span class="w"> </span></code></pre></div> <h3> Setting up boot configuration </h3> <p>And then we make disk bootable<br> </p> <div class="highlight"><pre class="highlight powershell"><code><span class="nf">Invoke-Expression</span><span class="w"> </span><span class="s2">"</span><span class="si">$(</span><span class="nv">$VirtualWinLetter</span><span class="si">)</span><span class="s2">:\windows\system32\bcdboot </span><span class="si">$(</span><span class="nv">$VirtualWinLetter</span><span class="si">)</span><span class="s2">:\windows /f uefi /s </span><span class="si">$(</span><span class="nv">$EfiLetter</span><span class="si">)</span><span class="s2">:"</span><span class="w"> </span><span class="nf">Invoke-Expression</span><span class="w"> </span><span class="s2">"bcdedit /store </span><span class="si">$(</span><span class="nv">$EfiLetter</span><span class="si">)</span><span class="s2">:\EFI\Microsoft\Boot\BCD"</span><span class="w"> </span></code></pre></div> <h3> Copying unattend.xml </h3> <p>If there was unatted.xml file set, make sure to copy it so Windows can be configured on the first boot.<br> </p> <div class="highlight"><pre class="highlight powershell"><code><span class="kr">if</span><span class="p">(</span><span class="nv">$UnattendFile</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nf">Write-Host</span><span class="w"> </span><span class="s2">"Copying unattended.xml"</span><span class="w"> </span><span class="nf">New-Item</span><span class="w"> </span><span class="nt">-ItemType</span><span class="w"> </span><span class="s2">"directory"</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="s2">"</span><span class="si">$(</span><span class="nv">$VirtualWinLetter</span><span class="si">)</span><span class="s2">:\Windows\Panther\"</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">Out-Null</span><span class="w"> </span><span class="nx">Copy-Item</span><span class="w"> </span><span class="nv">$UnattendFile</span><span class="w"> </span><span class="s2">"</span><span class="si">$(</span><span class="nv">$VirtualWinLetter</span><span class="si">)</span><span class="s2">:\Windows\Panther\unattend.xml"</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">Out-Null</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> <h3> Cleaning up </h3> <p>In the end we just remove all assigned letters and unmount everything<br> </p> <div class="highlight"><pre class="highlight powershell"><code><span class="sh">@" select disk </span><span class="nv">$disknumber</span><span class="sh"> select partition 2 remove letter="</span><span class="nv">$EfiLetter</span><span class="sh">" select partition 4 remove letter="</span><span class="nv">$VirtualWinLetter</span><span class="sh">" exit "@</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">diskpart</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">Out-Null</span><span class="w"> </span><span class="nx">Dismount-DiskImage</span><span class="w"> </span><span class="nt">-ImagePath</span><span class="w"> </span><span class="nv">$VhdFile</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">Out-Null</span><span class="w"> </span><span class="nx">Dismount-DiskImage</span><span class="w"> </span><span class="nt">-ImagePath</span><span class="w"> </span><span class="nv">$WinIso</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">Out-Null</span><span class="w"> </span></code></pre></div> <h2> Unattend.xml </h2> <p>Simple unattend.xml that just sets user (name <code>user</code>, password <code>login</code>) and skips all installation questions. There are many more options to set. You can find more from Microsoft <a href="https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs">Answer files (unattend.xml)</a> or use online tool <a href="https://www.windowsafg.com/">Windows Answer File Generator</a><br> </p> <div class="highlight"><pre class="highlight xml"><code><span class="cp">&lt;?xml version="1.0" encoding="utf-8"?&gt;</span> <span class="nt">&lt;unattend</span> <span class="na">xmlns=</span><span class="s">"urn:schemas-microsoft-com:unattend"</span><span class="nt">&gt;</span> <span class="nt">&lt;settings</span> <span class="na">pass=</span><span class="s">"oobeSystem"</span><span class="nt">&gt;</span> <span class="nt">&lt;component</span> <span class="na">name=</span><span class="s">"Microsoft-Windows-Shell-Setup"</span> <span class="na">processorArchitecture=</span><span class="s">"amd64"</span> <span class="na">publicKeyToken=</span><span class="s">"31bf3856ad364e35"</span> <span class="na">language=</span><span class="s">"neutral"</span> <span class="na">versionScope=</span><span class="s">"nonSxS"</span> <span class="na">xmlns:wcm=</span><span class="s">"http://schemas.microsoft.com/WMIConfig/2002/State"</span> <span class="na">xmlns:xsi=</span><span class="s">"http://www.w3.org/2001/XMLSchema-instance"</span><span class="nt">&gt;</span> <span class="nt">&lt;AutoLogon&gt;</span> <span class="nt">&lt;Password&gt;</span> <span class="nt">&lt;Value&gt;</span>login<span class="nt">&lt;/Value&gt;</span> <span class="nt">&lt;PlainText&gt;</span>true<span class="nt">&lt;/PlainText&gt;</span> <span class="nt">&lt;/Password&gt;</span> <span class="nt">&lt;Enabled&gt;</span>true<span class="nt">&lt;/Enabled&gt;</span> <span class="nt">&lt;Username&gt;</span>user<span class="nt">&lt;/Username&gt;</span> <span class="nt">&lt;/AutoLogon&gt;</span> <span class="nt">&lt;OOBE&gt;</span> <span class="nt">&lt;HideEULAPage&gt;</span>true<span class="nt">&lt;/HideEULAPage&gt;</span> <span class="nt">&lt;HideOEMRegistrationScreen&gt;</span>true<span class="nt">&lt;/HideOEMRegistrationScreen&gt;</span> <span class="nt">&lt;HideOnlineAccountScreens&gt;</span>true<span class="nt">&lt;/HideOnlineAccountScreens&gt;</span> <span class="nt">&lt;HideWirelessSetupInOOBE&gt;</span>true<span class="nt">&lt;/HideWirelessSetupInOOBE&gt;</span> <span class="nt">&lt;NetworkLocation&gt;</span>Home<span class="nt">&lt;/NetworkLocation&gt;</span> <span class="nt">&lt;SkipUserOOBE&gt;</span>true<span class="nt">&lt;/SkipUserOOBE&gt;</span> <span class="nt">&lt;SkipMachineOOBE&gt;</span>true<span class="nt">&lt;/SkipMachineOOBE&gt;</span> <span class="nt">&lt;ProtectYourPC&gt;</span>1<span class="nt">&lt;/ProtectYourPC&gt;</span> <span class="nt">&lt;/OOBE&gt;</span> <span class="nt">&lt;UserAccounts&gt;</span> <span class="nt">&lt;LocalAccounts&gt;</span> <span class="nt">&lt;LocalAccount</span> <span class="na">wcm:action=</span><span class="s">"add"</span><span class="nt">&gt;</span> <span class="nt">&lt;Password&gt;</span> <span class="nt">&lt;Value&gt;</span>login<span class="nt">&lt;/Value&gt;</span> <span class="nt">&lt;PlainText&gt;</span>true<span class="nt">&lt;/PlainText&gt;</span> <span class="nt">&lt;/Password&gt;</span> <span class="nt">&lt;Description&gt;&lt;/Description&gt;</span> <span class="nt">&lt;DisplayName&gt;</span>user<span class="nt">&lt;/DisplayName&gt;</span> <span class="nt">&lt;Group&gt;</span>Administrators<span class="nt">&lt;/Group&gt;</span> <span class="nt">&lt;Name&gt;</span>user<span class="nt">&lt;/Name&gt;</span> <span class="nt">&lt;/LocalAccount&gt;</span> <span class="nt">&lt;/LocalAccounts&gt;</span> <span class="nt">&lt;/UserAccounts&gt;</span> <span class="nt">&lt;RegisteredOrganization&gt;&lt;/RegisteredOrganization&gt;</span> <span class="nt">&lt;RegisteredOwner&gt;&lt;/RegisteredOwner&gt;</span> <span class="nt">&lt;DisableAutoDaylightTimeSet&gt;</span>false<span class="nt">&lt;/DisableAutoDaylightTimeSet&gt;</span> <span class="nt">&lt;TimeZone&gt;</span>GMT Standard Time<span class="nt">&lt;/TimeZone&gt;</span> <span class="nt">&lt;/component&gt;</span> <span class="nt">&lt;/settings&gt;</span> <span class="nt">&lt;/unattend&gt;</span> </code></pre></div> <h2> Final script </h2> <div class="ltag_gist-liquid-tag"> </div> powershell vhd Miro Sun, 12 Jan 2020 19:30:21 +0000 https://dev.to/milolav/downloading-gal-as-individual-vcards-using-owa-5aoi https://dev.to/milolav/downloading-gal-as-individual-vcards-using-owa-5aoi <p>Some time ago, a friend asked me about syncing Exchanges's GAL (Global Address List) with a mobile phone. So I started looking into Exchange Web Services, but as it turns out I need GAL id in order to query it. And to get it I need either more privileged access to Office 365 tenant or snoop OWA's traffic as described in the article: <a href="https://gsexdev.blogspot.com/2013/05/using-ews-findpeople-operation-in.html">https://gsexdev.blogspot.com/2013/05/using-ews-findpeople-operation-in.html</a></p> <p>Looking at the network log in a browser I figured that I could effectively do everything within a browser ran from Puppeteer and send it to Radicale CardDAV server.</p> <p>But as it turned out, one required field, "Pager", was not present in Exchange's Persona object. So good old "copy everything from GAL into Contacts" worked, at least for one-off sync, and this idea was abandoned.</p> <p>Here is JavaScript PoC that can be used to download GAL as vCard files. Bear in mind that it doesn't have any error handling and might not work in every browser. It works in Chrome. Generated vCards are not 100% by specification since I'm serializing whole persona object into it, but I haven't had any issue opening it in Windows (People app), Outlook or on iOS/Android phones.</p> <p>Before posting this I just cleaned up code a bit and replaced XHR with fetch. </p> <p>How to use in 5 steps:</p> <ol> <li>Open <a href="https://outlook.office365.com/people/">https://outlook.office365.com/people/</a> in a browser and sign in with your O365 account</li> <li>Open browser's console</li> <li>Paste this script</li> <li>Run one of the functions, suggestion is to test with OwaGalExtractor.downloadGal(null, 5)</li> <li>Look at a bunch of file being downloaded (chrome might ask you to allow multiple file download) </li> </ol> <div class="ltag_gist-liquid-tag"> </div> javascript owa gal vcard Miro Sat, 11 Jan 2020 00:06:13 +0000 https://dev.to/milolav/making-dynamics-365-ce-reports-available-in-uci-on-ios-devices-25km https://dev.to/milolav/making-dynamics-365-ce-reports-available-in-uci-on-ios-devices-25km <p>Some time ago, working on a Dynamics 365 CE project, I wanted to display reports within the app on an iOS device. Originally posted in May 2019 (<a href="https://gist.github.com/milolav/14fc9a27e0d3ebc8f15ae992dff9f182">https://gist.github.com/milolav/14fc9a27e0d3ebc8f15ae992dff9f182</a>)<br> but looks like dev.to is a better place to share ideas, so here goes...</p> <p>At the time of writing, Microsoft does not officially support running reports in an app on iOS / Android / Windows devices in the Unified Interface (UCI), but as it turns out, it's actually possible to display a report within the app using SiteMap entries pointing to Web Resources.</p> <p>Reports are just another url in Dynamics and it seems the only reason why is that not working in the app is because every time you click on a item in the reports view it opens it in a new window. </p> <h2> First Idea </h2> <p>The first idea was just to use url of specific report, put it into Site Map like:</p> <blockquote> <p>/crmreports/viewer/viewer.aspx?action=filter&amp;helpID=User Summary.rdl&amp;id={e5838060-8866-e911-a819-000d3ab29ccc}&amp;appid=3ef28a1b-5666-e911-a9c5-000d3ab78b73</p> </blockquote> <p>The problem is that menu items with this url do not show in the menu.</p> <h2> Web Resource to the rescue </h2> <p>Second idea was just to create a simple web resource and put in the following code:<br> </p> <div class="highlight"><pre class="highlight html"><code><span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;iframe</span> <span class="na">src=</span><span class="s">"/crmreports/viewer/viewer.aspx?action=filter&amp;helpID=User Summary.rdl&amp;id={e5838060-8866-e911-a819-000d3ab29ccc}"</span> <span class="na">style=</span><span class="s">"height: 100%; width: 100%;"</span> <span class="na">frameborder=</span><span class="s">"0"</span><span class="nt">&gt;&lt;/iframe&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre></div> <p><strong>And that worked!</strong></p> <p>Since it is not preferable to to have a separate web resource for every report next challenge was to pass data to that web resource. Microsoft provides sample on how to pass data to web resources outlined here:</p> <p><a href="https://docs.microsoft.com/en-us/dynamics365/customer-engagement/developer/sample-pass-multiple-values-web-resource-through-data-parameter">https://docs.microsoft.com/en-us/dynamics365/customer-engagement/developer/sample-pass-multiple-values-web-resource-through-data-parameter</a></p> <p>What's more interesting, passing data parameter also works in the Site Map. Not through the visual editor in Dynamics, but it does work by directly editing the SiteMap XML or using SiteMap Editor in XRMToolBox. Just adding data parameter after the web resource name like:</p> <blockquote> <p>$webresource:new_reportwrapper.html?data=mydatavalue1</p> </blockquote> <p>Which means that report guid value can be passed like this:</p> <blockquote> <p>$webresource:new_reportwrapper.html?data=e5838060-8866-e911-a819-000d3ab29ccc</p> </blockquote> <p>And the only thing left is to make use of passed value.</p> <h2> Code </h2> <p>Web Resource:<br> </p> <div class="highlight"><pre class="highlight html"><code><span class="nt">&lt;html&gt;&lt;body</span> <span class="na">style=</span><span class="s">"background: white; position: absolute; margin: 0.5em; top: 0; left: 0; right: 0; bottom: 0;"</span><span class="nt">&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">function</span> <span class="nx">loadReport</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">location</span><span class="p">.</span><span class="nx">search</span> <span class="o">!=</span> <span class="dl">""</span><span class="p">)</span> <span class="p">{</span> <span class="nx">params</span> <span class="o">=</span> <span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">.</span><span class="nx">substr</span><span class="p">(</span><span class="mi">1</span><span class="p">).</span><span class="nx">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">&amp;</span><span class="dl">"</span><span class="p">);</span> <span class="k">for</span> <span class="p">(</span><span class="nx">p</span> <span class="k">in</span> <span class="nx">params</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">kv</span> <span class="o">=</span> <span class="nx">params</span><span class="p">[</span><span class="nx">p</span><span class="p">].</span><span class="nx">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">\+</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">"</span><span class="s2"> </span><span class="dl">"</span><span class="p">).</span><span class="nx">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">=</span><span class="dl">"</span><span class="p">);</span> <span class="k">if</span><span class="p">(</span><span class="nx">kv</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">toLowerCase</span><span class="p">()</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">data</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">guid</span> <span class="o">=</span> <span class="nx">kv</span><span class="p">[</span><span class="mi">1</span><span class="p">];</span> <span class="kd">var</span> <span class="nx">url</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">/crmreports/viewer/viewer.aspx?id=</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">guid</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">report</span><span class="dl">"</span><span class="p">).</span><span class="nx">src</span> <span class="o">=</span> <span class="nx">url</span><span class="p">;</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">msg</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Report parameters not set!</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span> <span class="nb">document</span><span class="p">.</span><span class="nx">onreadystatechange</span> <span class="o">=</span> <span class="kd">function</span> <span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">readyState</span> <span class="o">==</span> <span class="dl">"</span><span class="s2">complete</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">report</span><span class="dl">"</span><span class="p">).</span><span class="nx">onload</span> <span class="o">=</span> <span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nx">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">loading_overlay</span><span class="dl">"</span><span class="p">).</span><span class="nx">style</span><span class="p">.</span><span class="nx">display</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">none</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span> <span class="nx">loadReport</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;iframe</span> <span class="na">id=</span><span class="s">"report"</span> <span class="na">src=</span><span class="s">""</span> <span class="na">style=</span><span class="s">"height: 100%; width: 100%;"</span> <span class="na">frameborder=</span><span class="s">"0"</span><span class="nt">&gt;&lt;/iframe&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"loading_overlay"</span><span class="nt">&gt;</span> <span class="nt">&lt;div</span> <span class="na">style=</span><span class="s">"background: none repeat scroll 0 0 black; position: fixed; display: block; opacity: 0.5; left: 0; top: 0; height: 100%; width: 100%;"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;p</span> <span class="na">id=</span><span class="s">"msg"</span> <span class="na">style=</span><span class="s">"position: absolute; top: 50%; left: 50%; transform: translateX(-50%) translateY(-50%);"</span><span class="nt">&gt;</span>LOADING ...<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre></div> <p>Site Map item:<br> </p> <div class="highlight"><pre class="highlight xml"><code><span class="nt">&lt;SubArea</span> <span class="na">Id=</span><span class="s">"tempId_636927761987954911"</span> <span class="na">Url=</span><span class="s">"$webresource:new_reportwrapper.html?data=e5838060-8866-e911-a819-000d3ab29ccc"</span> <span class="na">Title=</span><span class="s">"User Summary Report"</span> <span class="na">AvailableOffline=</span><span class="s">"false"</span> <span class="na">PassParams=</span><span class="s">"false"</span> <span class="na">Client=</span><span class="s">"All"</span> <span class="na">Sku=</span><span class="s">"All"</span> <span class="nt">/&gt;</span> </code></pre></div> <h2> Final result </h2> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--vkUjv6ep--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://i.postimg.cc/mDVQs0w6/ipad-report.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--vkUjv6ep--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://i.postimg.cc/mDVQs0w6/ipad-report.gif" alt="ipad report"></a></p> <h2> Additional stuff </h2> <p>This approach can also be used for getting diag tool inside the app by creating a web resource with the following code and linking that in the site map.<br> </p> <div class="highlight"><pre class="highlight html"><code><span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;iframe</span> <span class="na">src=</span><span class="s">"/tools/diagnostics/diag.aspx"</span> <span class="na">style=</span><span class="s">"height: 100%; width: 100%;"</span> <span class="na">frameborder=</span><span class="s">"0"</span><span class="nt">&gt;&lt;/iframe&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre></div> <p>Which allows you to access it from within the app rather than typing or pasting this in a browser.</p> dynamics365 reports Miro Sat, 11 Jan 2020 00:06:00 +0000 https://dev.to/milolav/tracking-service-updates-for-ms-dynamics-365-ce-in-calendar-8ih https://dev.to/milolav/tracking-service-updates-for-ms-dynamics-365-ce-in-calendar-8ih <p>Another script from a couple of months ago</p> <blockquote> <p>With Microsoft pushing "Service Update XX" almost every week it became hard to track down when particular update is going to be released.</p> <p>Powershell script uses application registered in AAD with privileges to read messages from Office 365 Communication API and access D365 to create appointments. Appointments are set category and subcategory to identify unique messages without customizations. Recipients of the appointment are defined as a list of activity parties.</p> </blockquote> <div class="ltag_gist-liquid-tag"> </div> powershell dynamics365