2

I'm writing a UPS monitoring console application that will automatically shut down the server when the UPS battery reaches a predefined level of charge during a power outage.

I'd like to run this within a container if possible, as NUT (Network UPS Tools) is notoriously difficult to get working on a Windows system. I've configured it once, on bare metal, and I wish not to have to endure that pain a second time, or worse, a third. (But that's another discussion for another day.)

Back to today: how may I send a system shutdown command to the container's host? I've tried simply `shutdown /s /t 0`, but that shuts down the container. I need to reach the host.

--NOTE TO CLOSE VOTERS--

This question is not off-topic. Note this Q&A, for one example, which currently bears upvotes numbering well over 2,000. There isn't a single programming concept mentioned in the question.

Docker is a tool used by developers. So its subject matter is very relevant on this forum. Run a quick query on the docker tag and you'll see what I mean.

InteXX
  • @Marged — See my edit. – InteXX Jul 04 '17 at 23:19
  • I read your reasons why this question is a good fit for SO. So my next suggestion is: write a password protected and TLS secured HTML listener that runs the shutdown command when called from the container. – Marged Jul 05 '17 at 04:29
  • @Marged — My thoughts exactly. Would you like to make it an answer so I can accept it? – InteXX Jul 05 '17 at 08:59

2 Answers

0

`psshutdown \\host -u ... -p ...` should do the trick, assuming you are able / willing to store credentials with sufficient permissions in the container.

See https://technet.microsoft.com/en-us/sysinternals/psshutdown.aspx for more details and a download link.

Edit: I leave this here for documenting an approach that doesn't work because of changes in the way Windows handles security. Follow InteXX's link provided below; it clearly describes what would be necessary to get psshutdown working again and which security risks this brings.

Marged
  • Thanks for the try... as it turns out, `PsTools` utilities require UAC to be turned off on the remote machine when connecting from a non-domain account (even when domain credentials are used). See [here](http://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/) for more information. – InteXX Jul 04 '17 at 23:13
  • Interesting to know. My next approach would be installing SSH and sending the shutdown that way but this is a bit alien – Marged Jul 05 '17 at 04:17
0

An approach that involves a little bit of programming would be to create a small service that sits on the host and waits for incoming connections.

That service could then either execute the shutdown command or call the appropriate Windows API call.

I suggest giving this service a minimal HTTP endpoint with a single URL and protecting it with user / password and SSL/TLS.

You would then call this from the container using `curl --user user:pass https://host/shutdown`

It should be fairly easy to implement this with golang and nssm.

Marged
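One way to build the host-side listener the answer above describes, as an added example that is not part of the original answer or of any project's code. The port 8443, the `UPS_USER` / `UPS_PASS` environment variables and the `server.crt` / `server.key` file names are assumptions, and restricting the endpoint to POST is a hardening choice made here rather than something the answer specifies.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"log"
	"net/http"
	"os"
	"os/exec"
)

// shutdownHost runs the shutdown command from the question on the host; it is a variable so tests can stub it.
var shutdownHost = func() error { return exec.Command("shutdown", "/s", "/t", "0").Start() }

// sameSecret compares in constant time; hashing first gives both sides equal length.
func sameSecret(got, want string) bool {
	g, w := sha256.Sum256([]byte(got)), sha256.Sum256([]byte(want))
	return subtle.ConstantTimeCompare(g[:], w[:]) == 1
}

// newHandler serves the single /shutdown URL: POST only, HTTP Basic auth required.
func newHandler(user, pass string) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/shutdown", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		u, p, ok := r.BasicAuth()
		userOK, passOK := sameSecret(u, user), sameSecret(p, pass)
		// An unset password (pass == "") rejects everything instead of accepting blank credentials.
		if !ok || !userOK || !passOK || pass == "" {
			w.Header().Set("WWW-Authenticate", `Basic realm="ups"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if err := shutdownHost(); err != nil {
			http.Error(w, "shutdown failed", http.StatusInternalServerError)
			return
		}
		w.WriteHeader(http.StatusAccepted)
	})
	return mux
}

func main() {
	// Assumed names: UPS_USER / UPS_PASS environment variables, server.crt / server.key, port 8443.
	h := newHandler(os.Getenv("UPS_USER"), os.Getenv("UPS_PASS"))
	log.Fatal(http.ListenAndServeTLS(":8443", "server.crt", "server.key", h))
}
```

Because this handler accepts only POST, the container-side call becomes `curl -X POST --user user:pass https://host:8443/shutdown`. Running the service under a dedicated account that holds only the shutdown privilege, and firewalling the port to the container network, keeps the stored credential from being worth more than a shutdown.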