Introducing Docker for Windows Server 2016

Today, Microsoft is announcing general availability of Windows Server 2016 at the Ignite conference in Atlanta. For Windows developers and IT-pros, the most exciting new Windows feature is containers, and containers on Windows Server 2016 are powered by Docker.

This blog post details the technical innovations that went into making Docker containers run natively on Windows and attempts to explain the significance of the achievement. See the companion blog posts on how to build your first Windows container and the post detailing Docker Inc. and Microsoft’s commercial partnership to support Docker on Windows.

The first version of Docker was released in 2013, and in the 3 years since launch, Docker has completely transformed how Linux developers and ops build, ship and run apps. With Docker Engine and containers now available natively on Windows, developers and IT-pros can begin the same transformation for Windows-based apps and infrastructure and start reaping the same benefits: better security, more agility, and improved portability and freedom to move on-prem apps to the cloud.

For developers and IT-pros that build and maintain heterogeneous deployments with both Linux and Windows infrastructure, Docker on Windows holds even greater significance: The Docker platform now represents a single set of tools, APIs and image formats for managing both Linux and Windows apps. As Linux and Windows apps and servers are dockerized, developers and IT-pros can bridge the operating system divide with shared Docker terminology and interfaces for managing and evolving complex microservices deployments both on-prem and in the cloud.

Running Containers on Windows Server

Docker running containers on Windows is the result of a two-year collaboration between Microsoft and Docker that involved the Windows kernel growing containerization primitives, Docker and Microsoft collaborating on porting the Docker Engine and CLI to Windows to take advantage of those new primitives, and Docker adding multi-arch image support to Docker Hub.

The result is that the awesome power of docker run to quickly start a fresh and fully isolated container is now available natively on Windows:

PS C:\> docker run -ti microsoft/windowsservercore powershell
Windows PowerShell

Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\>

The kernel containerization features are available in all versions of Windows Server 2016, and are also on Windows 10 systems with the Anniversary Update, and the Windows-native Docker daemon runs on both Windows Server 2016 and Windows 10 (although only containers based on Windows Server build and run on Windows 10).

docker run on Windows comes with the same semantics as on Linux: Full process isolation and sandboxed filesystem (and Windows Registry!) with support for layering changes. Each container sees a clean Windows system and cannot interfere with other processes (containerized or not) on the system.

For example, two dockerized apps using different Internet Information Services (IIS) versions and different .NET frameworks can co-exist merrily on the same system. They can even write to their respective filesystems and registries without affecting each other.

With containerization, Windows IT-pros get most of the isolation and release-artifact-stability benefits of VMs, without the resource overhead and lost agility inherent in hardware virtualization.

Similar to how containers on Linux can run with different security profiles, containers on Windows run in one of two isolation modes:

  1. Windows Server Containers use the same shared-kernel process-isolation paradigm known from Linux. Since containers run as normal (but isolated) processes, startup is fast and resource overhead is minimal.
  2. With Hyper-V isolation, container processes run inside a very minimal hypervisor created during container start. This yields potentially better isolation at the cost of slower startup and some resource overhead.

Isolation can be set with a simple switch passed to docker run:

docker run --isolation=hyperv microsoft/nanoserver

As long as the underlying host supports the requested isolation mode, any Windows container image can be run as either a hyper-v or server container and a container host can run both side by side. Container processes are oblivious to the isolation mode they run in, and the Docker control API is the same for both modes.

As a result, isolation mode is generally not a developer concern, and developers should use the default or whatever is convenient on their system. Isolation mode does give IT-pros options when choosing how to deploy containerized apps in production.

Also note that, while Hyper-V is the runtime technology powering hyper-v isolation, hyper-v isolated containers are not Hyper-V VMs and cannot be managed with classic Hyper-V tools.
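
Because container processes cannot tell which mode they run in, an operator who cares about isolation has to check it from the host. The following is an added example, not code from the original post or from Docker: it parses docker inspect JSON and flags containers whose label asks for one isolation mode but which were started with another. The label name com.example.isolation.required and the sample JSON are constructed for illustration.

```powershell
# Added example (not from the original post). The policy label and the
# sample inspect output below are constructed for illustration.

function Test-ContainerIsolation {
    [CmdletBinding()]
    param(
        # JSON text as produced by: docker inspect (docker ps -q) | Out-String
        [Parameter(Mandatory = $true)] [string] $InspectJson,
        # Hypothetical label a team puts on workloads that need Hyper-V isolation
        [string] $PolicyLabel = 'com.example.isolation.required'
    )

    $parsed = ConvertFrom-Json -InputObject $InspectJson
    foreach ($c in $parsed) {
        # HostConfig.Isolation is 'process', 'hyperv', or 'default'/empty.
        $actual = [string] $c.HostConfig.Isolation
        if ([string]::IsNullOrEmpty($actual)) { $actual = 'default' }

        # Label keys contain dots, so look them up by name.
        $required = $null
        if ($c.Config.Labels) {
            $prop = $c.Config.Labels.PSObject.Properties[$PolicyLabel]
            if ($prop) { $required = [string] $prop.Value }
        }

        # Fail closed: 'default' does not prove the required mode was used.
        $compliant = (-not $required) -or ($actual -eq $required)

        [pscustomobject]@{
            Name      = $c.Name.TrimStart('/')
            Image     = $c.Config.Image
            Isolation = $actual
            Required  = $required
            Compliant = $compliant
        }
    }
}

# Constructed sample: three containers, trimmed to the fields used above.
$sample = @'
[
  {"Name": "/web",
   "Config": {"Image": "microsoft/nanoserver", "Labels": {}},
   "HostConfig": {"Isolation": "process"}},
  {"Name": "/tenant-a",
   "Config": {"Image": "microsoft/windowsservercore",
              "Labels": {"com.example.isolation.required": "hyperv"}},
   "HostConfig": {"Isolation": "hyperv"}},
  {"Name": "/tenant-b",
   "Config": {"Image": "microsoft/windowsservercore",
              "Labels": {"com.example.isolation.required": "hyperv"}},
   "HostConfig": {"Isolation": "process"}}
]
'@

# Lists only the violations; here that is tenant-b.
Test-ContainerIsolation -InspectJson $sample | Where-Object { -not $_.Compliant }
```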

For readers interested in details of how containers are implemented on Windows, John Starks’ black belt session at DockerCon ’16 is a great introduction.


Building Windows Container Images

Thanks to layering improvements to the Windows Registry and filesystem, docker build and Dockerfiles are fully supported for creating Windows Docker images. Below is an example Windows Dockerfile that Stefan Scherer has proposed for the Node.js official Docker library image. It can be built on Windows with docker build:

FROM microsoft/windowsservercore
ENV NPM_CONFIG_LOGLEVEL info
ENV NODE_VERSION 4.5.0
ENV NODE_SHA256 16aab15b29e79746d1bae708f6a5dbed8ef3c87426a9408f7261163d0cda0f56
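# Download the Node.js zip, stop the build if its SHA-256 differs from the pinned
# NODE_SHA256, then unpack it and add it to the machine PATH.
RUN powershell -Command \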
    $ErrorActionPreference = 'Stop' ; \
    (New-Object System.Net.WebClient).DownloadFile('https://nodejs.org/dist/v%NODE_VERSION%/node-v%NODE_VERSION%-win-x64.zip', 'node.zip') ; \
    if ((Get-FileHash node.zip -Algorithm sha256).Hash -ne $env:NODE_SHA256) {exit 1} ; \
    Expand-Archive node.zip -DestinationPath C:\ ; \
    Rename-Item 'C:\node-v%NODE_VERSION%-win-x64' 'C:\nodejs' ; \
    New-Item '%APPDATA%\npm' ; \
    $env:PATH = 'C:\nodejs;%APPDATA%\npm;' + $env:PATH ; \
    [Environment]::SetEnvironmentVariable('PATH', $env:PATH, [EnvironmentVariableTarget]::Machine) ; \
    Remove-Item -Path node.zip
CMD [ "node.exe" ]

Note how PowerShell is used to install and set up zip files and exes: Windows containers run Windows executables compiled for Windows APIs. To build and run a Windows container, a Windows system is required. While the Docker tools, control APIs and image formats are the same on Windows and Linux, a Docker Windows container won’t run on a Linux system and vice versa.

Also note that the starting layer is microsoft/windowsservercore. Starting FROM scratch is not an option when creating Windows container images. Instead, images are based on either microsoft/windowsservercore or microsoft/nanoserver.

The Windows Server Core image comes with a mostly complete userland with the processes and DLLs found on a standard Windows Server Core install. With the exception of GUI apps and apps requiring Windows Remote Desktop, most apps that run on Windows Server can be dockerized to run in an image based on microsoft/windowsservercore with minimal effort. Examples include Microsoft SQL Server, Apache, Internet Information Services (IIS) and the full .NET framework.

This flexibility comes at the cost of some bulk: The microsoft/windowsservercore image takes up 10GB. Thanks to Docker’s highly efficient image layering, this is not a big problem in practice. Any given Docker host only needs to pull the base layer once, and any images pulled or built on that system simply reuse the base layer.

The other base layer option is Nano Server, a new and very minimal Windows version with a pared-down Windows API. Lots of software already runs on Nano Server, including IIS, the new .NET Core framework, Node.js and Go. And the Nano Server base image is an order of magnitude smaller than Windows Server Core, meaning it has fewer dependencies and less surface area to keep updated. Nano Server is an exciting development, not only as a base for minimal containers that build and boot quickly, but also as a Minimalist Operating System that makes for a great container host OS running just the Docker daemon and containers, and nothing else.

With the choice of Windows Server Core and Nano Server, developers and IT-pros can opt to lift-and-shift existing Windows-based apps into Server Core containers or adopt Nano Server for greenfield development or incrementally as part of breaking monolithic apps into microservices components.

Docker is working with Microsoft and the community to build container images based on both Windows Server Core and Nano Server. Golang, Python and Mongo are available as official Docker images (more are on their way), and Microsoft also maintains a set of very popular sample images.

Summary

Today’s announcement of Docker Engine building, running and managing containers on Windows is the fruit of years of labor by teams at both Microsoft and Docker and by the Docker community. We’re incredibly proud of the work we’ve done with Microsoft to bring the benefits of containerization to Windows developers and IT-pros, and we’re excited about the prospect of getting Windows and Linux technologists building, shipping and running apps together with a common set of tools and APIs.

Here are some resources to help you get started




42 Responses to “Introducing Docker for Windows Server 2016”

  1. chris

    Still not seeing a benefit to using containers in windows. Web code runs in app pools (containers), apps run in user spaces (contained per user). What will this give me? Definitely not CM.

    Reply
    • cris

      I suppose it is not a benefit; it is another option to run containers for companies that use Windows infrastructure or Windows lovers (like me, LOL).

      Reply
  2. Chris-MirrorImage

    One reason you might be seeing any benefit is, you don't have a valid use case that demands these capabilities.

    There are tons of Windows Server customers that don't want to use Linux, but want to run Docker natively on Windows Server.

    You don't need a Ferrari F2002 to go and buy milk. But you do need a Ferrari F2002 if you are a race car driver.

    So for you, if you are running your code on app pools (containers), apps run in user spaces (contained per user), you will not need containers. But if you are building microservices, running DCOs, you do need this feature…

    Reply
  3. Bibhas Sarkar

    Is there a possibility we will have a container with full desktop experience and have capabilities of running app as RemoteApp?

    We do have requirements to spawn some application as required for support, however the application is desktop app, so this is good but not there yet for us.

    Reply
    • guilherme

      good question..

      what about using a remote desktop connection ?

      Reply
    • Michael Friis

      Containers cannot currently run the full desktop experience nor can you remote desktop into them. Containers are currently targeted at running server-side apps like databases, web sites and APIs.

      Reply
  4. Carles

    On your post this is mentioned:

    > The kernel containerization features are available in all versions of Windows Server 2016.

    But I'm getting this:

    PS C:\Program Files\docker> .\dockerd.exe
    Error starting daemon: The docker daemon requires build 14393 or later of Windows Server 2016 or Windows 10

    Reply
  5. mihai

    Can I build a normal .NET WPF app using a container?

    Reply
  6. Maxime Beaudry

    If I have a windows 10 development machine, is it possible to build a mixed windows / linux docker swarm running on this machine? My idea was to init a swarm with my MobyLinuxVM and then join my windows 10 machine. Here is how I did it… and the error that I got:

    # Install docker for windows (beta channel)
    # Ensure it is in "linux containers" mode by right
    # click on the docker icon in the tray.
    PS C:\WINDOWS\system32> docker swarm init
    Swarm initialized: current node (8ywlajafyoulxwargemphdkae) is now a manager.

    To add a worker to this swarm, run the following command:

    docker swarm join \
    --token SWMTKN-1-657we3qumbxc4eul3i74ocukqa1ssyp40540r00byzqs09p5uh-473hiko7smkh1w7qvnw5ajvgi \
    192.168.65.2:2377

    To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.

    # Switch to Windows Containers from the system tray
    PS C:\WINDOWS\system32> docker swarm join --token SWMTKN-1-657we3qumbxc4eul3i74ocukqa1ssyp40540r00byzqs09p5uh-473hiko7smkh1w7qvnw5ajvgi 192.168.65.2:2377
    Error response from daemon: Timeout was reached before node was joined. The attempt to join the swarm will continue in the background. Use the "docker info" command to see the current swarm status of your node.

    Note that I am using version 1.12.2-cs2-ws-beta of docker.

    Reply
  7. Karen

    This isn't working for me. I'm using linux so I want to create a docker container based off of windows so I can use a windows specific program.
    When I run:
    sudo docker run -ti microsoft/windowsservercore powershell Windows PowerShell
    Unable to find image 'microsoft/windowsservercore:latest' locally
    Error response from daemon: manifest invalid: manifest invalid

    Can I fix this?
    Am I misunderstanding the purpose of the image?

    Reply
    • B D

      I believe you are misunderstanding how containers work. The underlying premise of them is that they are a layer on the OS used to contain (and constrain) a deployment. So they still share the underlying OS kernel.

      If you want to run Windows images in a container but only have a Linux OS you will first need to deploy a Windows 2016 (or Windows 10) to a VM in your linux environment. Then you can install docker on that windows VM and spin up any windows based containers from there.

      See https://blog.docker.com/2016/09/build-your-first-docker-windows-server-container/ to guide you once you have a windows 2016 VM running.

      Reply
      • Derek

        I don't understand this comment. The "Getting started with Docker for Windows" clearly shows an example of running Ubuntu in a container on Windows. If containers were just "a layer on the OS" this would not be possible.

        Reply
        • ILGUIZ LATYPOV

          The docker site refers to using its originally Linux-only idea in Windows by running a Linux image boot2docker.iso and using a Windows tool docker.exe to set up containers within that Linux instance. (The docker.exe tool has a prominent feature "docker ssh" to get into a shell prompt of the Linux instance).

          I just realized that even entire Linux OS images supposedly carrying their separate kernel images do not run those images but instead call into the docker instance's Linux kernel. A quick search online confirmed this, http://stackoverflow.com/questions/32841982/how-can-docker-run-distros-with-different-kernels

          This blog article announces implementation of containers using a Windows kernel. This will allow running separate copies of same services against separate filesystem roots.

          Reply
  8. Nathan Brown

    I regularly use VMware Workstation so I can't have my computer configured for Hyper-V all the time. Restarting just to switch modes sucks.

    I've found that running docker in isolation=process mode works fine for Windows 10 Pro (anniversary edition).

    > docker run --isolation=process -it microsoft/nanoserver cmd

    For some reason setting the default exec-opt to isolation mode and making it the default is blocked. I hope that the Windows team will support using the more normal, lightweight, process mode for Docker instead of continuing to rely on Hyper-V.

    Reply
    • Michael Friis

      I get this if I try:

      docker run --isolation=process -ti microsoft/windowsservercore powershell
      C:\Program Files\Docker\Docker\Resources\bin\docker.exe: Error response from daemon: Windows client operating systems only support Hyper-V containers.

      Maybe they added the block

      Reply
  9. Tom

    So I am getting the following error when running:

    Install-Package -Name docker -ProviderName DockerMsftProvider -Force

    Install-Package : KB3176936 or later is required for docker to work

    I have run Windows updates, installed all updates. Rebooted, even managed to find the standalone MSU update for KB3176936.

    Been pulling my hair out all day!! Server 2016 Technical Preview Build 14300

    Reply
    • Dave

      Tom,

      Use the RTM Eval build of Server 2016.

      https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2016

      Reply
      • Radu

        I am using that windows version and I'm seeing the exact same msg.

        Reply
      • Jody

        I'm using RTM, 10.0.14393, and having this same issue.

        Reply
      • Christian

        Hi Dave,

        I have tried it with the Eval build and have the same problem.
        Install-Package : KB3176936 or later is required for docker to work

        First try with 14393.0.160715-1616.RS1_RELEASE_SERVER_EVAL_X64FRE_EN-US

        Sec. try with 14393.0.160911-2111.RS1_REFRESH_SERVERESSENTIALS_OEM_X64FRE_EN-US

        These are both versions from your link.

        Reply
        • K Sarath Kumar

          Run sconfig, then choose option 6 and then A and A to install all updates. This works for Server 2016 in no-desktop installs as well as with the UI.

          Reply
    • Cody Owens

      Anyone figure this out? I'm still stuck as well using the RTM version.

      Reply
      • Tommy Hamilton

        I was having the same issue and it appears to be tied to our use of an internal update server. Go to Windows update and select check online for updates, you should get the CU for 2016 (KB3206632) and that will make it work for you.

        Running sconfig or running other updates didn't work because the people who handle the SUS server didn't add those to the published updates list yet.

        Reply
  10. Jon Singh

    Will Docker Containers work on a Server 2016 Virtual Machine or do we need to install Server 2016 on a physical machine?

    Reply
  11. Christian

    It works after you install the updates.

    Reply
  12. Sayantan Mondal

    We have multiple apps on legacy Windows servers 2000 and 2003. If we dockerize some of the apps (ASP, .NET), will it be feasible to move them to Windows 2016 and run them on a container ecosystem?

    Reply
  13. Ted Mielczarek

    It's great to see the progress on this! Are there any plans to support GUI desktop apps in any way in the future? We (Mozilla) would love to be able to use docker for our Windows CI like we are using it for our Linux CI, but we build and ship PGO builds, which means we need to run the browser as part of the build. We don't need an actual interactive GUI, we'd just need the browser to be able to run. If there was minimal support for some sort of null display that would probably be sufficient.

    Reply
    • Michael Friis

      This would be a request for Microsoft (and I know they get it a lot).

      For Chrome, at least, that now works in headless mode allowing some browser CI to run in containers.

      Reply
  14. Alexandr Marchenko

    Wondering is there a way to have both Windows Containers and Docker for Windows on same machine working together? So I will be able to somehow tell docker client to which docker engine I'm talking right now.

    Reply
  15. Praparn Lungpoonlap

    I would like to ask about "Docker Datacenter for Windows 2016": is it still in beta or GA already?

    Reply
  16. Serge

    Hi
    Really love Docker for Windows Server 2016. But why are there no updates? Nothing with Docker 1.13 for Windows Server 2016? Need it!

    Reply
  17. John

    Check out the report I did on Docker in Windows Server 2016 at http://tuttutboom.com/docker-configuration-windows-server-2016/

    Reply
