The Internals Behind Bringing Docker and Containers to Windows



  • Docker ON Windows, Not "Docker for Windows"
  • Docker engine on Windows, more like a port, not a fork.
  • Same API, same tools (compose, swarm, etc.)
  • Built on new native container technology in Windows.
  • Does not run Linux, runs Windows Server containers on Windows hosts.


  • New system level container capabilities
  • Namespaces, Resource Controls, Union file systems
  • Adapt Docker to Windows
    • Sounds Kinda scary...
  • Adapted Windows to Docker
    • Not the Microsoft way. "Our way isn't right." Good Job!

Architecture in Linux

Compute Service

  • New public interface for Windows
  • Replaces containerd (Linux interface for Docker)
  • Docker services show in task manager, along with the container that is running it.


  • Container contents delivered via DLL, not syscalls
  • Lots of interdependencies
    • Highly dependent on Windows Services running
    • RPC calls hidden in Win32 API
  • Automatically starts ends
    • init equivalent
  • No "FROM scratch" image

Base images from Microsoft

  • Distributed by Microsoft, not Docker repository
  • Two options
    • windowsservercore: large, highly compatible (9 GB)
    • nanoserver: small, fast, smaller API surface (600 MB)
    • Removed GUI, fax server (LOL)

docker pull microsoft/windowsservercore

docker pull microsoft/nanoserver


  • Silo: extension to Windows Job object
    • Set of Processes
    • Resource controls
    • New: set of namespaces
  • New namespace virtualization
    • Registry
    • Process IDs, sessions
    • Object namespace
    • File system
    • network compartments

Windows has a root? A \ (like / in Linux).

  • C:\Windows maps to \DosDevices\C:\Windows
  • \Registry
  • \Device\tcp
  • Accessible using objdir \GLOBAL??
    • nanoserver is stripped from these \ entries (20 from ~120)
  • Silo can "chroot" to a \ directory.

File System

  • Full NTFS file system per container.
  • Hybrid virtual block device + NTFS
  • Symlinks to layers on host FS to keep block devices small


  • Basically a true file system
  • Built a true Union FS
  • Saves cloning a full set of registry hives per container

Hyper-V Containers

  • Some workloads need more isolation, mostly used in VMs instead
    • Hostile multi-tenancy
    • Regulated workloads
  • Solution: run each container in a VM
    • docker run --isolation=hyperv
    • Hyper-V containers are the default on Windows 10 (Not Windows Server)
      • Because Windows Server cannot share a kernel with Windows 10
    • Images are identical, the container has no idea
  • Storage attached with SMB
  • Clonable: freeze the VM state and fork it when Docker is used.
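
An added example, not from the session and not Docker or Microsoft code: an audit over `docker inspect` JSON that resolves each container's effective isolation. A container started without `--isolation` shares the host kernel on Windows Server but runs in a Hyper-V VM on Windows 10, so the same inventory gives different findings on the two hosts. The sample data and the `workload.trust` label are constructed assumptions.

```python
import json

# Constructed sample: trimmed `docker inspect` output. Names and the
# "workload.trust" label are hypothetical, not from the session.
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/web-frontend", "Config": {"Labels": {"workload.trust": "untrusted"}},
  "HostConfig": {"Isolation": "default"}},
 {"Name": "/tenant-b", "Config": {"Labels": {"workload.trust": "untrusted"}},
  "HostConfig": {"Isolation": "hyperv"}},
 {"Name": "/batch-import", "Config": {"Labels": {"workload.trust": "untrusted"}},
  "HostConfig": {"Isolation": "process"}},
 {"Name": "/build-agent", "Config": {"Labels": null},
  "HostConfig": {"Isolation": ""}}
]""")

MODES = {"process", "hyperv"}

def effective_isolation(container, daemon_default):
    """Resolve 'default' or an empty value to the daemon's default isolation."""
    host_config = container.get("HostConfig") or {}
    requested = (host_config.get("Isolation") or "default").lower()
    if requested == "default":
        return daemon_default
    if requested not in MODES:
        raise ValueError(f"unknown isolation mode: {requested!r}")
    return requested

def audit(containers, daemon_default, label="workload.trust", value="untrusted"):
    """Return (name, mode) for labelled workloads that share the host kernel."""
    if daemon_default not in MODES:
        raise ValueError(f"unknown daemon default: {daemon_default!r}")
    findings = []
    for c in containers:
        labels = (c.get("Config") or {}).get("Labels") or {}
        mode = effective_isolation(c, daemon_default)
        if labels.get(label) == value and mode != "hyperv":
            findings.append((c.get("Name", "").lstrip("/"), mode))
    return findings

if __name__ == "__main__":
    # Same containers on two hosts: Windows Server (daemon default "process")
    # and Windows 10 (daemon default "hyperv"), as described in the notes.
    for host_default in ("process", "hyperv"):
        print(host_default, audit(SAMPLE_INSPECT, host_default))
```

The daemon default passed to `audit` is the value `docker info` reports as "Default Isolation" on a Windows host.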