do not use winrm if not running (#3520)

freddydk · web-flow · commit 9db0c66690e9 · 2024-04-29T10:15:20.000+02:00
Fixes #3518 Fixes #3519 --------- Co-authored-by: freddydk <freddydk@users.noreply.github.com>
diff --git a/BC.HelperFunctions.ps1 b/BC.HelperFunctions.ps1
@@ -16,8 +16,7 @@ function Get-ContainerHelperConfig {
             "usePsSession" = $true
             "usePwshForBc24" = $true
             "useSslForWinRmSession" = $true
-            "tryWinRmSession" = $isPsCore -or !$isAdministrator
-            "alwaysUseWinRmSession" = $false
+            "useWinRmSession" = "allow"   # allow, always, never
             "addTryCatchToScriptBlock" = $true
             "killPsSessionProcess" = $false
             "useVolumes" = $false
@@ -192,6 +191,17 @@ function Get-ContainerHelperConfig {
             }
         }
 
+        if ($bcContainerHelperConfig.useWinRmSession -ne 'never') {
+            # useWinRmSession should be never if the service isn't running
+            $service = get-service WinRm -erroraction SilentlyContinue
+            if ($service -and $service.Status -ne "Running") {
+                if (!$Silent) {
+                    Write-Host "WinRM service is not running, will not try to use WinRM sessions"
+                }
+                $bcContainerHelperConfig.useWinRmSession = 'never'
+            }
+        }
+
         Export-ModuleMember -Variable bcContainerHelperConfig
     }
     return $bcContainerHelperConfig
diff --git a/BcContainerHelper.psm1 b/BcContainerHelper.psm1
@@ -17,11 +17,13 @@ param(
 if ($isMacOS) {
     throw "BcContainerHelper isn't supported on MacOS"
 }
-elseif ($isLinux) {
-    Write-Host "Running on Linux, PowerShell $($PSVersionTable.PSVersion)"
-}
-else {
-    Write-Host "Running on Windows, PowerShell $($PSVersionTable.PSVersion)"
+elseif (!$silent) {
+    if ($isLinux) {
+        Write-Host "Running on Linux, PowerShell $($PSVersionTable.PSVersion)"
+    }
+    else {
+        Write-Host "Running on Windows, PowerShell $($PSVersionTable.PSVersion)"
+    }
 }
 
 if ($useVolumes -or $isInsideContainer) {
diff --git a/ContainerHandling/Enter-NavContainer.ps1 b/ContainerHandling/Enter-NavContainer.ps1
@@ -19,15 +19,23 @@ function Enter-BcContainer {
 
     Process {
         if ($bcContainerHelperConfig.usePsSession) {
-            $session = Get-BcContainerSession -containerName $containerName -silent
+            try {
+                $session = Get-BcContainerSession -containerName $containerName -silent
+            }
+            catch {
+                $session = $null
+            }
+        }
+        if ($session) {
             Enter-PSSession -Session $session
             if ($session.ComputerType -eq 'Container') {
                 Invoke-Command -Session $session -ScriptBlock {
                     function prompt {"[$env:COMPUTERNAME]: PS5 $($executionContext.SessionState.Path.CurrentLocation)$('>' * ($nestedPromptLevel + 1)) "}
                 }
             }
-        } else {
-            Write-Host "UsePsSession is false, running Open-BcContainer instead"
+        }
+        else {
+            Write-Host "Could not create a session, running Open-BcContainer instead"
             Open-BcContainer $containerName
         }
     }
diff --git a/ContainerHandling/Get-NavContainerSession.ps1 b/ContainerHandling/Get-NavContainerSession.ps1
@@ -16,8 +16,8 @@ function Get-BcContainerSession {
     [CmdletBinding()]
     Param (
         [string] $containerName = $bcContainerHelperConfig.defaultContainerName,
-        [switch] $tryWinRmSession = $bccontainerHelperConfig.tryWinRmSession,
-        [switch] $alwaysUseWinRmSession = $bccontainerHelperConfig.alwaysUseWinRmSession,
+        [switch] $tryWinRmSession = ($bccontainerHelperConfig.useWinRmSession -ne 'never'),
+        [switch] $alwaysUseWinRmSession = ($bccontainerHelperConfig.useWinRmSession -eq 'always'),
         [switch] $usePwsh = $bccontainerHelperConfig.usePwshForBc24,
         [switch] $silent,
         [switch] $reinit
@@ -60,7 +60,7 @@ function Get-BcContainerSession {
             if ($isInsideContainer) {
                 $session = New-PSSession -Credential $bcContainerHelperConfig.WinRmCredentials -ComputerName $containerName -Authentication Basic -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck)
             }
-            elseif ($isAdministrator -and !$bcContainerHelperConfig.alwaysUseWinRmSession) {
+            elseif ($isAdministrator -and !$alwaysUseWinRmSession) {
                 try {
                     $containerId = Get-BcContainerId -containerName $containerName
                     $session = New-PSSession -ContainerId $containerId -RunAsAdministrator -ErrorAction SilentlyContinue -ConfigurationName $configurationName
@@ -69,12 +69,12 @@ function Get-BcContainerSession {
             }
             if (!$session) {
                 if (!($alwaysUseWinRmSession -or $tryWinRmSession)) {
-                    throw "Unable to create session for container $containerName (alwaysUseWinRmSession and tryWinRmSession are both false)"
+                    throw "Unable to create session for container $containerName (cannot use WinRm)"
 
                 }
                 $useSSL = $bcContainerHelperConfig.useSslForWinRmSession
-                $UUID = (Get-CimInstance win32_ComputerSystemProduct).UUID
-                $credential = New-Object PSCredential -ArgumentList 'winrm', (ConvertTo-SecureString -string $UUID -AsPlainText -force)
+                $winRmPassword = "Bc$((Get-CimInstance win32_ComputerSystemProduct).UUID)!"
+                $credential = New-Object PSCredential -ArgumentList 'winrm', (ConvertTo-SecureString -string $winRmPassword -AsPlainText -force)
                 if ($useSSL) {
                     $sessionOption = New-PSSessionOption -Culture 'en-US' -UICulture 'en-US' -SkipCACheck -SkipCNCheck
                     $Session = New-PSSession -ConnectionUri "https://$($containerName):5986" -Credential $credential -Authentication Basic -SessionOption $sessionOption -ConfigurationName $configurationName
diff --git a/ContainerHandling/New-NavContainer.ps1 b/ContainerHandling/New-NavContainer.ps1
@@ -496,9 +496,11 @@ try {
     if ($isInsideContainer) {
         Write-Host "BcContainerHelper is running inside a Container"
     }
-    Write-Host "UsePsSession is $($bcContainerHelperConfig.UsePsSession)"
-    Write-Host "UsePwshForBc24 is $($bcContainerHelperConfig.UsePwshForBc24)"
     Write-Host "Host is $($os.Caption) - $hostOsVersion"
+    Write-Host "UsePsSession is $($bcContainerHelperConfig.usePsSession)"
+    Write-Host "UsePwshForBc24 is $($bcContainerHelperConfig.usePwshForBc24)"
+    Write-Host "UseWinRmSession is $($bcContainerHelperConfig.useWinRmSession)"
+    Write-Host "UseSslForWinRmSession is $($bcContainerHelperConfig.useSslForWinRmSession)"
 
     $dockerProcess = (Get-Process "dockerd" -ErrorAction Ignore)
     if (!($dockerProcess)) {
@@ -1598,15 +1600,16 @@ if (!$restartingInstance) {
 }
 ') | Add-Content -Path "$myfolder\AdditionalSetup.ps1"
     }
-    else {
-        $UUID = (Get-CimInstance win32_ComputerSystemProduct).UUID
+    elseif ($bcContainerHelperConfig.useWinRmSession -ne 'never') {
+        # UseWinRmSession is allow or always - add winrm configuration to container
+        $winRmPassword = "Bc$((Get-CimInstance win32_ComputerSystemProduct).UUID)!"
         ('
 if (!$restartingInstance) {
     Write-Host "Enable PSRemoting and setup user for winrm"
     Enable-PSRemoting | Out-Null
     Get-PSSessionConfiguration | Out-null
     pwsh.exe -Command "Enable-PSRemoting -WarningAction SilentlyContinue | Out-Null; Get-PSSessionConfiguration | Out-Null"
-    $credential = New-Object PSCredential -ArgumentList "winrm", (ConvertTo-SecureString -string "'+$UUID+'" -AsPlainText -force)
+    $credential = New-Object PSCredential -ArgumentList "winrm", (ConvertTo-SecureString -string "'+$winRmPassword+'" -AsPlainText -force)
     New-LocalUser -AccountNeverExpires -PasswordNeverExpires -FullName $credential.UserName -Name $credential.UserName -Password $credential.Password | Out-Null
     Add-LocalGroupMember -Group administrators -Member $credential.UserName | Out-Null
     winrm set winrm/config/service/Auth ''@{Basic="true"}'' | Out-Null
diff --git a/ContainerHandling/Remove-NavContainer.ps1 b/ContainerHandling/Remove-NavContainer.ps1
@@ -62,7 +62,8 @@ try {
             . (Join-Path $PSScriptRoot "updatehosts.ps1") -hostsFile "c:\windows\system32\drivers\etc\hosts" -theHostname $tenantHostname -theIpAddress ""
         }
 
-        if ($isAdministrator) {
+        if ($isAdministrator -and ($bcContainerHelperConfig.useWinRmSession -ne 'never') -and (-not $bccontainerHelperConfig.useSslForWinRmSession)) {
+            # If not using SSL for WinRm, we need to remove the container from the trusted hosts
             try {
                 [xml]$conf = winrm get winrm/config/client -format:pretty
                 $trustedHosts = $conf.Client.TrustedHosts.Split(',')

Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,8 @@ try {`
`62`	`62`	`. (Join-Path $PSScriptRoot "updatehosts.ps1") -hostsFile "c:\windows\system32\drivers\etc\hosts" -theHostname $tenantHostname -theIpAddress ""`
`63`	`63`	`}`
`64`	`64`
`65`		`- if ($isAdministrator) {`
	`65`	`+ if ($isAdministrator -and ($bcContainerHelperConfig.useWinRmSession -ne 'never') -and (-not $bccontainerHelperConfig.useSslForWinRmSession)) {`
	`66`	`+ # If not using SSL for WinRm, we need to remove the container from the trusted hosts`
`66`	`67`	`try {`
`67`	`68`	`[xml]$conf = winrm get winrm/config/client -format:pretty`
`68`	`69`	`$trustedHosts = $conf.Client.TrustedHosts.Split(',')`