In this lab we will perform configuration management of a container by patching and updating the container image used for application deployment.

DevOps MPP Course Source

Working with Containers


  • completion of the earlier container lab Working with Containers
  • A Visual Studio Team Services account
  • You require a Build agent; there are several options in VSTS. However, in this exercise we will deploy a container to the build agent and view the output so we require containers to be available on the virtual machine and thus nested virtualization capability. For this exercise you have two options, the steps in the lab will be based on the Azure virtual machine scenario, but you can choose either one.
    • An Azure Virtual machine
      • This will require an Azure Subscription; you can view the Azure setup section, at the start of this document, for details on how to set up a free Azure subscription.
      • We would recommend you use the image Windows Server 2016 Datacenter – with Containers
      • You will also need to follow the steps below to install and configure the build agent.
    • A local Windows 10 environment
      • The steps for installing and configuring the build agent can be performed on the Windows 10 client as well as the Azure virtual machine.
  • An Azure Container Registry
    • You will need to Azure Container registry that you set up earlier in Exercise 4 earlier in this document.
    • This requires an Azure subscription. It can be set up using the free Azure subscription being used for the Azure virtual machine above.
  • You will need the Dockerfile and Index.html that you created in the earlier lab Working with Containers
  • You will also need the IIS image < iiscntr1 > that you created in the earlier lab Working with Containers

Lab Tasks:

  • Patching a Container Image

Estimated Lab Time:

  • approx. 30 minutes

Task 1: Patching a Container Image

It is possible, and sometimes preferable and easier to use the VS2017 agent available in VSTS, however we will be deploying a container to the build agent and as such, we will configure a dedicated machine. We will use an Azure virtual machine. However, it is possible to also use your local environment, if you have a Windows 10 machine.

In general, building on a local machine and verifying your work when checking in files before, committing to a master branch can be very useful and efficient.

To enable your build agent perform the following three sections.

1) Create an Azure Virtual machine to use as the build agent

We need to create an Azure Virtual machine that will act as our VSTS build agent, if you haven’t already done you can do so now.

- Create an Azure IaaS virtual machine using the following settings
  - Image = **Windows Server 2016 Datacenter – with Containers** (we use this as nested virtualization is required to be able to deploy containers to the build agent)
  - Name=**WS2016CntrsBA (or something like that)**
  - VM disk type = **HDD**
  - Username = **< any user name >**
  - Password = **< any qualifying password >**
  - Subscription = **< Your Azure subscription >**
  - Resource Group = **ws2016cntrsBA_rg (or something like that)**
  - Location = **< your nearest data center location >**
  - Size = **DS1_V2**
  - Settings = **accept the remaining default settings and deploy the virtual machine**
- Wait for the virtual machine to deploy, and once it is complete sign in and verify the docker commands run successfully.
- You may also optionally install Visual Studio 2017 Community Edition. This is a free edition. This is not strictly required to be the build agent, but if you encounter issues, it may assist with troubleshooting.

2) Create a Personal Access Token (PAT)

We need to create a PAT for our build agent to be able to access the VSTS account and project.

  - In your VSTS project, click on your account icon in the top right i.e. and select Security
  - In the Personal access tokens window click Add and enter the following details
  - Description: < some description i.e. PAT for local build agent)
  - Expires: < default >
  - Accounts: < default value >
  - Authorized Scopes: All scopes

Copy the highlighted Token now and pastes it somewhere you can access it. It should look something like the below


If you close the window before you copy the token, you will need to repeat steps 1 -3 here to obtain a new token.

3) Install and configure the agent.

We now need to download and configure the agent on the local machine. The following steps can be carried out on your build agent.

1. Access your VSTS account from within the build agent, i.e. the azure virtual machine. This just makes it easier to directly install and configure the build agent on the build agent directly.

2. In VSTS, open your build definition by going to your project i.e. Cntr1Proj (or whatever you have called it) and click Builds, then click on the Settings icon in the top ribbon and select Agent queues.

3. Click Download Agent, and in the Get agent dialogue, click Download and save the agent to the default location. Leave the Get agent dialogue open, as you will copy the commands you need to run from here.

4. Open PowerShell as an administrator and go to the root of the drive using the command cd\

5. Return to the Get agent window, copy the first command listed and paste it into PowerShell and run it i.e. 

    Mkdir agent ; cd agent
    This just creates a folder C:\agent and enters that folder

6. Copy the second command in the Get agent dialogue and paste it into PowerShell, it should look something like this

    Add-Type -AssemblyName System.IO.Compression.FileSystem ; [System.IO.Compression.ZipFile]::ExtractToDirectory("$HOME\Downloads\", "$PWD")

    Ensure you copy the command from the window and not this document, as the file version will change over time and the get agent dialogue command will have the latest version.`

7. Open a command prompt window, go to the folder C:\Agent and run the command

8. Enter the following values when prompted
    - Connect:
      - Enter server URL: https://<your VSTS account>
      - Enter authentication type (press enter for PAT): < press Enter >
      - Enter personal access token: < Paste the value you obtained in the Crate a Personal Access token section earlier i.e. it should look something like 4avrb33twjq3f5wlqbkx7jzimmzt6h7ktyybbdojtu32x7yd3t2q >

    - Register Agent:
      - Enter agent pool (press enter for default): <Accept default by pressing Enter >
      - Enter agent name (press enter for <your machine name>): <Accept default by pressing Enter >
      - Enter work folder (press enter for _work) ><Accept default by pressing Enter >
      - Enter run agent as service? (Y/N) (press enter for N) > Y
      - Enter User account to use for the service (press enter for NT AUTHORITY\NETWORK SERVICE): <Enter the value NT Authority\SYSTEM >

    Note: If you use the default account, i.e. the NT Authority\Network Service account, it will not have sufficient Log on as Service permissions to successfully complete the VSTS build tasks and you will receive an error when you go to build. You could also modify the service account settings for VSTS Agent <accountname>.<machinename> in the Services.msc, and modifying the Log on as a Service setting there.

    - You should receive several successful messages as it installs and configures the agent settings.

9. In VSTS, go to the **Agent queues** again and then the **Default**.

10. View the **Agents for the pool Default** and verify your machine is listed and has a State of Online. This can also be accessed via the **Settings** icon > **Agent queues**

11. Click on **Manage Pools and under **All Pools** go to **Default**

12. Ensure your build agent is listed and Enabled, with a **State of Online**. This can also be accessed via the S**ettings** icon > **Agent Pools**

13. Spend a moment to click around the various options and settings available in the agent pool.


In this lab you completed the following tasks:

  • Patching a Container Image