will be accessed via the container’s network stack.
Integrating Active Directory
In a conventional environment of server OS instances, it is common to join those
instances to Active Directory. Joining adds overhead to provisioning and creates a
computer object in the directory for every instance. Because containers are created
and torn down frequently, domain-joining each container instance does not make sense.
The ability of the workloads inside a container to authenticate securely to domain
resources is still critical, however.
The solution works by leaving the services inside the container image running as the
built-in accounts they normally use (LocalSystem or Network Service, for example). A
credential specification is then created that names the domain account, a group Managed
Service Account (gMSA), that the container should present to the domain, and that
specification is passed to Docker when the container is started. When a service inside
the running container starts and accesses a remote domain resource, it authenticates as
the gMSA named in the credential specification rather than as the local account it runs
under inside the container.
The credentials are never stored in the image itself. The container can therefore be
moved between environments without being rebuilt: the environment-specific identity
lives outside the image and is bound to the container instance at runtime.
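The procedure above end to end, as an added example rather than a script from the book: creating the gMSA on the domain, generating the credential specification on a container host, and starting a container with it. The domain contoso.com, the gMSA name WebApp01, the security group ContainerHosts that the container hosts belong to, the CredentialSpec PowerShell module from the PowerShell Gallery and the IIS image name are all assumptions for this illustration.

```powershell
# Added example, not the book's own script. Assumes domain contoso.com, a gMSA named
# WebApp01, a group "ContainerHosts" containing the container hosts, and the
# CredentialSpec module from the PowerShell Gallery.

# --- Run once on a domain controller -----------------------------------------
# gMSA passwords are derived from the KDS root key. In production omit -EffectiveTime
# and wait about 10 hours for replication; backdating it is a lab-only shortcut.
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

# Create the gMSA. Only members of ContainerHosts may retrieve its password. Keep that
# group tight: every host in it, and every container started on it with this spec,
# can act as CONTOSO\WebApp01$ on the network. Never use "Domain Computers" here.
New-ADServiceAccount -Name WebApp01 `
    -DNSHostName webapp01.contoso.com `
    -ServicePrincipalNames 'http/webapp01.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'ContainerHosts'

# --- Run on each container host (after it has rebooted so its new group
#     membership is reflected in its Kerberos ticket) --------------------------
Install-WindowsFeature RSAT-AD-PowerShell

# Confirm the host can actually fetch the managed password; returns True when it can.
Test-ADServiceAccount -Identity WebApp01

# Generate the credential spec. New-CredentialSpec writes WebApp01.json under
# C:\ProgramData\Docker\CredentialSpecs, the directory Docker searches for file:// specs.
# The file names the account only; it contains no password.
Install-Module -Name CredentialSpec -Scope CurrentUser
New-CredentialSpec -AccountName WebApp01
Get-Content "$env:ProgramData\Docker\CredentialSpecs\WebApp01.json"

# Start the container with the spec. Services inside it running as LocalSystem or
# Network Service now authenticate to the domain as CONTOSO\WebApp01$. On Windows
# Server 2016 the container hostname must match the gMSA name; later releases lift that.
$id = docker run -d --security-opt "credentialspec=file://WebApp01.json" `
    --hostname webapp01 -p 80:80 mcr.microsoft.com/windows/servercore/iis

# Verify from inside the container that the secure channel to the domain works.
docker exec $id nltest /sc_verify:contoso.com
```

Because the gMSA password is handed to any principal listed in PrincipalsAllowedToRetrieveManagedPassword, the trust boundary is the container host: anyone who can start a container on a host in ContainerHosts and point it at WebApp01.json can authenticate as that account. Restrict who can run containers on those hosts accordingly, and use a separate gMSA per application rather than one shared account.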
Working with Image Registries
A registry provides capabilities around the discovery of images, their storage, and the
ability to distribute them. There are two types of registries, as mentioned earlier in
this chapter.
The first type of registry is Docker Hub, a cloud-hosted service provided by Docker,
Inc. that hosts both public and private repositories and supports automated builds. To
use Docker Hub, you sign up for an account, after which you can publish images publicly
or privately.
The second type of registry is the Docker Trusted Registry, which runs on-premises (or
in a cloud instance private to your organization) and is used only by your
organization. Because it sits inside your network it is not exposed to the general
Internet, and your hosts do not need Internet connectivity to pull from it. It is
managed through a web-based console and integrates with Active Directory and LDAP to
give granular control over who can access the registry. When using a trusted registry,
the registry name or IP is specified as a prefix of the image name in the pull command
(for example, docker pull 10.7.173.56/iis will pull the IIS image from my trusted
repository at 10.7.173.56). Note that Docker insists on TLS for registries, so pulling
by a bare IP only works if the registry's certificate covers that IP or the address has
been added to the daemon's insecure-registries list; prefer the DNS name that matches
the certificate and keep production registries out of the insecure list.
When you run an image, Docker first checks the host's local image cache. If the image
is not present, it pulls from the registry encoded in the image name, and a name with
no registry prefix (for example, iis) resolves to Docker Hub, never to your private
registry. Always reference private images by their fully qualified name so that a
missing prefix cannot silently pull a public image of the same name, and pin deployments
to the image digest rather than a tag, since tags can be moved by anyone with push rights.
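The push-and-pull flow against a private registry, as an added example that is not from the book. The registry host dtr.contoso.com (a DNS name matching the registry's TLS certificate), the repository path intranet/iis, the locally built image iis:2016 and the domain account CONTOSO\svc_ci are assumptions for the illustration; the docker commands themselves are standard CLI.

```powershell
# Added example, not the book's own commands. Assumes a Docker Trusted Registry at
# dtr.contoso.com whose TLS certificate matches that name, a local image tagged iis:2016,
# and a domain account CONTOSO\svc_ci that the registry's AD integration allows to push.

# 1. Authenticate. The command prompts for the password, which DTR validates against
#    Active Directory / LDAP. Use the certificate's DNS name, not a raw IP, so TLS
#    validation works without touching the daemon's insecure-registries setting.
docker login dtr.contoso.com --username 'CONTOSO\svc_ci'

# 2. The registry is part of the image name. Re-tag the local image with the registry
#    host as prefix and push it. A bare "iis" would resolve to Docker Hub instead.
docker tag iis:2016 dtr.contoso.com/intranet/iis:2016
docker push dtr.contoso.com/intranet/iis:2016

# 3. Capture the content digest the registry assigned. A tag is a mutable pointer that
#    anyone with push rights can move; the sha256 digest identifies exactly one manifest.
$ref = docker image inspect --format '{{index .RepoDigests 0}}' dtr.contoso.com/intranet/iis:2016
$ref    # dtr.contoso.com/intranet/iis@sha256:<64 hex digits>

# 4. On the hosts that run the workload, pull and run by digest so the manifest is
#    checked against the hash rather than against whatever the tag points to today.
docker pull $ref
docker run -d -p 80:80 $ref

# 5. Audit where an image on a host actually came from. Images pulled from Docker Hub
#    show no registry host in RepoDigests (for example "microsoft/iis@sha256:..."),
#    so a missing host prefix means the image did not come from the private registry.
docker image inspect --format '{{json .RepoDigests}}' $ref
```

Record the digest from step 3 alongside the deployment definition; redeploying from the digest rather than the tag means a later, possibly tampered push to the same tag cannot change what runs.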
Patching and Updating