Running Sitecore in Docker Containers within an Enterprise Environment
I have been using Docker containers for Sitecore v10 in a local development environment for the past 12 months. I just want to quickly share some of my experiences, tips and learnings from using an enterprise Windows 10 laptop with a strict security policy in the organisation.
The intention of this blog post is not to cover the basics, as there are many blog posts and videos in the Sitecore community that have covered all of them already.
Working From Home / Remotely / Anywhere
When the COVID-19 pandemic began in 2020, a lot of organisations were forced to send their employees to work from home. This challenged enterprises to find a way to ensure that the security posture for employees working remotely is exactly the same as if they were sitting in the office, with their laptops “plugged into” the office network.
VPN software and Man In The Middle (MITM) traffic inspection software were deployed to the laptops. In my case, the VPN software of choice is GlobalProtect by Palo Alto Networks, and the MITM software is Zscaler. This software creates a lot of challenges with Docker containers, especially when the applications within the containers need to reach the outside world. A simple Invoke-WebRequest or curl command can cause all sorts of issues.
Minimise Internet Traffic, Bypass Inspection for Known Traffic from Containers
It is very common for Sitecore running inside containers to have various additional tools installed. In my case, the tools that I need are:
- NodeJS for Sitecore JSS Integrated Mode in Experience Editor
- Coveo for Sitecore Connector
- IIS URL Rewrite Module, or any other IIS modules that are not available in windowsservercore container out of the box
- A DAM Connector
- Any other Sitecore packages that are needed, but not referenced anywhere at all within the ASP.NET Visual Studio solution
I created an asset container that contains all of the tools listed above, so that as part of the initial Docker container build those tools are layered or installed into the Sitecore containers, rather than reaching out to the Internet to download them.
Example of Installing NodeJS for Sitecore JSS Integrated Mode
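As an added illustration (not the post's own Dockerfile, nor Sitecore's), a two-stage Windows Dockerfile that unpacks a NodeJS zip already present in the build context into an asset stage and copies it into the Sitecore CM image, so the build itself never has to reach the Internet through the inspecting proxy. The image arguments, the zip file name and the C:\tools layout are assumptions.

```dockerfile
# escape=`
# Added example: asset stage + Sitecore CM stage. Image names, the zip file name
# and the C:\tools layout are assumptions. NodeJS is downloaded once on the host
# (or via a Zscaler bypass) and placed in the build context, never from inside the build.
ARG TOOLS_BASE_IMAGE=mcr.microsoft.com/windows/servercore:ltsc2019
ARG SITECORE_CM_IMAGE

# ---- asset stage: unpack the pre-downloaded NodeJS zip into C:\tools\nodejs ----
FROM ${TOOLS_BASE_IMAGE} AS tools
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
# assets\node-win-x64.zip sits next to the Dockerfile (assumed file name)
COPY assets\node-win-x64.zip C:\assets\node.zip
# the zip holds one versioned folder (node-vX.Y.Z-win-x64); move it to a stable path
RUN New-Item -ItemType Directory -Path C:\tools -Force | Out-Null; `
    Expand-Archive -Path C:\assets\node.zip -DestinationPath C:\assets\extract; `
    Get-ChildItem -Path C:\assets\extract -Directory | Select-Object -First 1 | `
        Move-Item -Destination C:\tools\nodejs; `
    Remove-Item -Recurse -Force C:\assets\node.zip, C:\assets\extract

# ---- Sitecore CM stage: layer NodeJS in from the asset stage, no download ----
FROM ${SITECORE_CM_IMAGE}
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
COPY --from=tools C:\tools\nodejs C:\nodejs
# put node on the machine PATH so JSS Integrated Mode (and any shell) can find it
RUN setx /M PATH ($env:PATH + ';C:\nodejs') | Out-Null
# build-time check: fail the image build here rather than later in Experience Editor
RUN C:\nodejs\node.exe --version
```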
In my case, Sitecore needs to reach out to Coveo and the DAM. The quickest and most straightforward approach was to work with the IT department to add the known endpoints, so that Zscaler does not inspect that traffic and simply bypasses those endpoints.
Visual Studio Remote Debugging
In Visual Studio 2019, remote debugging into Windows containers is supported. However, this does not work at all with Zscaler, as Visual Studio instructs the Windows container to download the remote debugger from the Internet and then install it into a folder.
This is an example error message:
Verifying Docker container is running...
Running command 'docker inspect cpasitecore_cm_1 --format '{{.State.Status}}''.
Determining architecture of Docker container...
Running command 'docker exec -i cpasitecore_cm_1 "c:\Windows\System32\cmd.exe" /c mkdir "c:\.vs-debugger"'.
Downloading debugger package...
Command 'docker exec -i cpasitecore_cm_1 "c:\Windows\System32\curl.exe" -sSL "https://aka.ms/vs/16/release/16.9/debugger/OneCore.Msvsmon.amd64.enu.zip" -w "%{content_type}" -o "c:\.vs-debugger\OneCore.Msvsmon.amd64.enu.zip"' failed with code '0x4d'.
curl: (77) schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
Command 'docker exec -i cpasitecore_cm_1 "c:\Windows\System32\curl.exe" -sSL "https://aka.ms/vs/16/release/OneCore.Msvsmon.amd64.enu.zip" -w "%{content_type}" -o "c:\.vs-debugger\OneCore.Msvsmon.amd64.enu.zip"' failed with code '0x4d'.
curl: (77) schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
Failed to download the debugger in the Docker container.
Copy the URL as specified in the error above, and extract the zip into a folder. Then volume mount that folder to c:\remote_debugger inside the container. Please note that every time a new Visual Studio 2019 update is released, this debugger needs to be updated to match.
Volume mounting the remote debugger actually saves a few minutes, as the container does not need to download it from the Internet.
Solution Building
The convention when using Docker containers for development is to ensure that the solution(s) and source code can be built within a Docker container, rather than relying on the host machine having all the appropriate build tools installed. Sitecore’s Docker Examples GitHub repo clearly shows how this can be done.
However, another challenge arises. Zscaler intercepts the SSL traffic for both the NuGet restore and npm install processes, which stops the solution from building within the Docker containers. After spending a few days on this, I decided to call it quits and just build the solutions on the host machine, then layer the final build outputs into the Docker containers.
Unfortunately, this leads to further complications. A lot of examples, including the Sitecore demos, build the solution in a solution Docker container. I really need to solve this issue.
Understanding Man-In-The-Middle traffic inspection is key. This type of software relies on the client trusting the entire certificate chain. By opening any web site in the browser and clicking on the padlock icon to inspect the Certification Path, it clearly shows that Zscaler certificates are part of the SSL certificate “chain”.
This means that the Zscaler certificates must be installed in the Root store, or even the Intermediate store, of the Windows containers.
- Get the set of corporate root certificates, which should be installed in your corporate-configured browser. In Chrome, go to Settings, click Show advanced settings, and scroll down to HTTPS/SSL, where you can choose Manage Certificates. My organization has put them in Trusted Root Certification Authorities and named them after the organization, along with the Zscaler certificate. Export them one at a time, choosing Base-64 encoded X.509 (.CER), and simply rename the extension to .pem.
- Repeat the same step above for intermediate certificates if required.
- Install the certificates into the certificate store in the containers. The following is an example based on Docker-Examples.
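As an added example of the install step (my own snippet, not the post's or Sitecore's Docker-Examples), a Dockerfile fragment that imports every exported .pem into the container's Root and CA stores, builds one PEM bundle for Node.js (which does not read the Windows store, so npm needs NODE_EXTRA_CA_CERTS), and ends with a build-time check against api.nuget.org that fails the build with the same SEC_E_UNTRUSTED_ROOT error shown above if the chain is still not trusted. The certs\ folder layout and bundle path are assumptions.

```dockerfile
# escape=`
# Added example: trust the corporate / Zscaler inspection chain inside a Windows container.
# Folder layout (certs\root, certs\intermediate) and the bundle path are assumptions.
ARG BASE_IMAGE
FROM ${BASE_IMAGE}
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]

# Base-64 .cer files exported from the host and renamed to .pem (see the steps above);
# keep certs\intermediate present (even if empty) so COPY does not fail
COPY certs\root\ C:\certs\root\
COPY certs\intermediate\ C:\certs\intermediate\

# Windows store: covers NuGet (.NET Framework), Invoke-WebRequest and curl.exe (schannel)
RUN Get-ChildItem -Path C:\certs\root -Filter *.pem | ForEach-Object { `
        certutil.exe -addstore -f Root $_.FullName | Out-Null }; `
    Get-ChildItem -Path C:\certs\intermediate -Filter *.pem | ForEach-Object { `
        certutil.exe -addstore -f CA $_.FullName | Out-Null }

# Node.js / npm do not read the Windows store: hand them one concatenated PEM bundle
RUN Get-ChildItem -Path C:\certs -Recurse -Filter *.pem | `
        Get-Content | Set-Content -Path C:\certs\corporate-bundle.pem
ENV NODE_EXTRA_CA_CERTS=C:\certs\corporate-bundle.pem

# Build-time check: curl.exe uses schannel, so this exits with code 77 / SEC_E_UNTRUSTED_ROOT
# (the error in the post) if the chain is still not trusted, stopping the image build here.
RUN curl.exe -sS -o NUL https://api.nuget.org/v3/index.json
```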
VPN
I am still having issues when connected to the VPN, which is connected automatically by default. Unfortunately I have not managed to resolve this issue just yet. When I am connected to the VPN, the Docker containers cannot see each other in the same Docker network, e.g. the CM container cannot communicate with the Microsoft SQL Server container.
My only solution at this stage is to disconnect the VPN connection. Luckily I do not need any connectivity back to the office most of the time, so I can get away with it.
Not being connected to the VPN also has some other benefits. I can cast videos / music to my Google Home / Chromecast devices at home, and I can also print on my printer at home.
Finally
I hope I can provide some insights into the challenges that I have been facing working with Docker Containers in an Enterprise that has a strict security posture, even for the developers. I hope this can help you overcome similar challenges.