The Internals Behind Bringing Docker and Containers to Windows
Find Session: http://sched.co/70OD
- Docker ON Windows, Not "Docker for Windows"
- Docker engine on Windows, more like a port, not a fork.
- Same API, same tools (compose, swarm, etc.)
- Built on new native container technology in Windows.
- Does not run Linux, runs Windows Server containers on Windows hosts.
- New system level container capabilities
- Namespaces, Resource Controls, Union file systems
- Adapt Docker to Windows
- Sounds kinda scary...
- Adapted Windows to Docker
- Not the Microsoft way. "Our way isn't right." Good Job!
- New public interface for Windows
- Replaces containerd (Linux interface for Docker)
- Docker services show in task manager, along with the container that is running it.
- Container contents delivered via DLL, not syscalls
- Lots of interdependencies
- Highly dependent on Windows Services running
- RPC calls hidden in Win32 API
- Automatically starts ends
- init equivalent
- No "FROM scratch image"
Base images from Microsoft
- Distributed by Microsoft, not Docker repository
- Two options
- windowsservercore: large, highly compatible (9GB)
- nanoserver: small, fast, smaller API surface (600mb)
- Removed GUI, fax server (LOL)
docker pull microsoft/windowsservercore
docker pull microsoft/nanoserver
- Silo: extension to Windows Job object
- Set of Processes
- Resource controls
- New: set of namespaces
- New namespace virtualization
- Process IDs, sessions
- Object namespace
- File system
- network compartments
Windows has a root? Yes, a \ like / on Linux.
- C:\Windows maps to \DosDevices\C:\Windows
- Accessible using
- nanoserver strips most of these \ entries (down to 20 from ~120)
- Silo can "chroot" to a \ directory.
- Full NTFS file system per container.
- Hybrid virtual block device + NTFS
- Symlinks to layers on host FS to keep block devices small
- Basically a true file system
- Built a true Union FS
- Saves cloning a full set of registry hives per container
- Some workloads need more isolation, mostly used in VMs instead
- Hostile multi-tenancy
- Regulated workloads
- Solution: run each container in a VM
- docker run --isolation=hyperv
- Hyper-V containers are the default on Windows 10 (Not Windows Server)
- Because a Windows Server container cannot share a kernel with Windows 10
- Images are identical, the container has no idea
- Storage attached with SMB
- Clonable: freeze the VM state and fork it when Docker is used.
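Added example (not from the session): a small audit check for the point above, that hostile multi-tenant or regulated workloads should run under Hyper-V isolation. It assumes the real docker CLI on the Windows host; the sample inspect output below is constructed.

```sh
#!/bin/sh
# On the host, generate the input for the check with:
#   docker ps -q | xargs docker inspect --format '{{.Name}} {{.HostConfig.Isolation}}'
# HostConfig.Isolation is "hyperv", "process" or "default"; on Windows Server
# "default" resolves to process isolation (shared kernel), so it is flagged too.

# Reads "<name> <isolation>" lines from stdin, prints every container that is
# not Hyper-V isolated, and returns 1 if any such container was found.
flag_process_isolated() {
  found=0
  while read -r name isolation; do
    [ -n "$name" ] || continue
    case "$isolation" in
      hyperv) ;;
      *) printf '%s runs with isolation=%s (shares the host kernel)\n' \
           "$name" "${isolation:-default}"
         found=1 ;;
    esac
  done
  return $found
}

# Constructed sample of the inspect output above (not from a real host).
SAMPLE='/web hyperv
/db process
/legacy default'

# Usage: exit status 1 signals that at least one container needs --isolation=hyperv.
printf '%s\n' "$SAMPLE" | flag_process_isolated
```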