Windows Server Containers

John StarksPrincipal Software Engineering Lead, Microsoft

Arnaud PorterieSenior Engineering Manager, Docker

Docker for WindowsSystem architecturePorting DockerDemos!

Agenda

Docker for WindowsUnderstanding the basics

Docker for Windows

4

What it is

It’s Docker as you know itSame user experience

It’s Windows as you know itComplete environment inside the container

It’s native containers Contained processes run on the host system

It’s available for testing

Docker for Windows

5

What it’s not

It’s not virtualizationDocker for Windows will not run Linux images

It’s not a different project / code base The existing Docker tree was ported

It’s not quite finishedRequired Windows Server 2016 (currently TP3)

System architectureWindows Server Containers internals

System architecture

7

Basics

Abstraction layer between Docker and kernel execdriver -> hcsshim -> vmcompute -> ???Internals generally not exposed

Shared kernelResource controls Namespaces

System architecture

8

Namespaces

Silo: extension of Windows Job object Set of processes Resource constraints New: set of namespaces

New namespace virtualizationRegistryProcess IDs, sessionsObject namespaceFile system

System architecture

9

Object namespace

System-level namespace, hidden from users C:\Windows maps to \Global??\C:\Windows

Contains all device entry points\Global??\C: \Registry \Device\Tcp

Added “chroot”, one namespace per container \Containers\foo\Global??\C: \Containers\bar\Global??\C:

System architecture

10

Filesystem

Windows applications expect NTFS semantics Transactions, file IDs, USN journal

Building a full union FS with NTFS semantics is hard

Hybrid model Virtual block device + NTFS partition per containerSymlinks to layers on host FS to keep block devices small

System architecture

11

Base image

Public Windows API delivered via DLLs, not syscalls

Highly dependent on RPC to system services

FROM scratch

Windows images must derive from Windows base image windowsservercore – large, nearly full Win32 compatibilitynanoserver – small, fast to boot, software may need porting

Base images are delivered separately from Docker

System architecture

12

Hyper-V containers

New in Windows Server 2016 TP4

Docker runs on host

Launches silo in a stateless, lightweight Hyper-V VM

VM invisible to userAppears like a process-based containerdocker run --isolation=hyperv

Use SMB over VMBus to provide layers, volumes

Porting DockerTwo worlds collide

Porting Docker

14

Microsoft contributions in numbers

319 pull requests(+) 182,315 (-) 12,113

#4 contributor in terms of pull requests #5 contributor in terms of lines of code

Porting Docker

15

Technical details

Go build tagsIn source: // +build windows In the filename: daemon/containers_windows.go

Go interfaces Graph driver (~ image storage) Execution driver

Porting Docker

16

Future: multi-architecture images

Example: docker pull redis What’s my executing OS?Not just Windows, but also ARM, …

Proposal: docker/distribution#1068A new image manifest format to support multi-arch

Demo 1Yay!

Demo 2A hybrid Swarm cluster

Demo

19

A hybrid Swarm cluster

Demo

20

A hybrid Swarm cluster

All components speak the Docker API Docker daemon on Linux hostDocker daemon on Windows hostSwarm master (hosted on the same Linux host)

Deploying to either is just a scheduling decisionUsing Swarm constraints mechanism

Thank you!John Starksjohn.starks@microsoft.com

Arnaud Porterie@icecrime

arnaud@docker.com