Windows Server Containers

John StarksPrincipal Software Engineering Lead, MicrosoftArnaud PorterieSenior Engineering Manager, Docker

Agenda

Porting DockerBy the numbersTechnical detailsMulti-arch images

Demo!TitleTitleTitle

Docker for Windows

What it isWhat it’s notTitle

System architecture

TitleTitleTitle

Docker for WindowsUnderstanding the basics

Docker for WindowsWhat it is

It’s Docker as you know itSame user experience

It’s Windows as you know itComplete environment inside the container

It’s native containersContained processes run on the host system

It’s available for testing

Docker for WindowsWhat it’s not

It’s not virtualizationDocker for Windows will not run Linux images

It’s not a different project / code baseThe existing Docker tree was ported

It’s not quite finishedRequired Windows Server 2016 (current TP4)

System architectureWindows Server Containers internals

System architectureNamespaces

Silo: extension of Windows Job objectSet of processesResource constraintsNew: set of namespaces

New namespace virtualizationRegistryProcess IDs, sessionsObject namespaceFile system

System architectureObject namespace

System-level namespace, hidden from usersC:\Windows maps to \DosDevices\C:\Windows

Contains all device entry points\DosDevices\C:\Registry\Device\Tcp

Added “chroot”, one namespace per container\Containers\foo\DosDevices\C:\Containers\bar\DosDevices\C:

System architectureFilesystem

Windows applications expect NTFS semanticsTransactions, file IDs, USN journal

Building a full union FS with NTFS semantics is hard

Hybrid modelVirtual block device + NTFS partition per containerSymlinks to layers on host FS to keep block devices small

System architectureBase image

Public Windows API delivered via DLLs, not syscalls

Highly dependent on RPC to system services

FROM scratch

Windows images must derive from Windows base imagewindowsservercore – large, nearly full Win32 compatibilitynanoserver – small, fast to boot, software may need porting

Base images are delivered separately from Docker

System architectureHyper-V containers

New in Windows Server 2016 TP4

Docker runs on host

Launches silo in a stateless, lightweight Hyper-V VM

VM invisible to userAppears like a process-based containerdocker run --isolation=hyperv

Use SMB over VMBus to provide layers, volumes

Porting DockerTwo worlds collide

Porting DockerMicrosoft contributions in numbers

319 pull requests(+) 182,315 (-) 12,113

#4 contributor in terms of pull requests#5 contributor in terms of lines of code

Porting DockerTechnical details

Go build tagsIn source: // +build windowsIn the filename: daemon/containers_windows.go

Go interfacesGraph driver (~ image storage)Execution driver

Porting DockerFuture: multi-architecture images

Example: docker pull redisWhat’s my executing OS?Not just Windows, but also ARM, …

Proposal docker/distribution#1068A new image manifest format to support multi-arch

DemoYay!

DemoA hybrid Swarm cluster

DemoA hybrid Swarm cluster

All components speak the Docker APIDocker daemon on Linux hostDocker daemon on Windows hostSwarm master (hosted on the same Linux host)

Deploying to either is just a scheduling decisionUsing Swarm constraints mechanism

Thank you!John Starks

john.starks@microsoft.com

Arnaud Porterie@icecrime

arnaud@docker.com