Managing Windows Containers with DockerELS PUTZEYS

Containers - Introduction▪ Computing is based on a set of physical resources• Processor

• Memory

• Disk

• Network

▪ Physical resources became more and more powerful• Applications will use only a fraction of resources from physical machine

▪ Virtual resources• Simulate underlying physical hardware

• Allow multiple applications to run concurrently

Containers - Introduction▪ Virtualization• Virtual machines

• Virtual memory

• Containers

▪ Containers• Perception of fully isolated and independent OS

• Local disk

▪ Clean copy of OS files

• Memory

▪ Appears to hold only files and data from fresh OS

Containers versus Virtual Machines▪ Virtual Machines• For complete isolation, every VM has its own copies of

▪ OS files

▪ Libraries

▪ Application code

• Full in-memory instance of OS

• Limits number of application instances (VMs) that can run on host

Containers versus Virtual Machines▪ Containers• Share host OS

▪ Kernel – libraries

• No need to boot OS, load libraries, use memory for OS files

• Only need memory and disk space for application to run

▪ Feels like dedicated OS

▪ App starts in seconds

▪ Many more instances can run on same host

Container Benefits▪ Namespace isolation• Host assigns virtualized namespace to container

▪ Restricted view

▪ Container can only access files in namespace

▪ Container cannot see or interact with apps not part of the container

▪ OS files, directories, running services• Shared between containers

▪ Efficiency

• Distinct copies are made

▪ When container makes change to a file or service

Container Benefits▪ Resource governance• Control how much of host resources container can use

▪ CPU

▪ RAM

▪ Network bandwidth

• Container gets resources it expects

• Container cannot impact performance of other containers

Container Benefits▪ Instant startup• OS virtualization

▪ Reliable execution• Namespace isolation

• Resource governance

▪ Usage scenarios• Application development and testing

▪ Containerized apps will work the same on any system

• Cloud scenarios

▪ Instant-start

▪ Small footprint

▪ More applications on 1 machine compared to VMs

Container Types▪ Windows Server Containers

▪ Hyper-V Containers

Windows Server Containers▪ Share OS with the host and each other• May not provide enough isolation

▪ Dependency on host OS version and patch level

▪ OS must trust applications hosted on it

▪ All applications must trust each other

Hyper-V Containers▪ Have their own copy of Windows kernel

▪ Have memory assigned directly to them

▪ Hyper-V is used for CPU, memory and IO isolation• Same level of isolation as for VMs

▪ Can be deployed with same packages as Windows containers

▪ Uses Windows containers running inside a VM• Kernel isolation

• Separation of host patch/version level

• Slower startup times

▪ Great for multi-tenancy scenarios

Windows versus Hyper-V Containers▪ Application is containerized using Windows containers

▪ At deployment time, you pick the level of isolation by choosing a • Windows container

• Hyper-V container

Container Fundamentals▪ Container Host• Physical or virtual computer configured with Windows Container feature

• Can run one or more Windows containers

▪ Container OS Image• Containers are deployed from images

• OS image is first layer in potentially many image layers that make up a container

• Provides the OS environment

• Is immutable

▪ Sandbox• All write actions to a container are captured in a ‘sandbox’ layer

▪ File system modifications

▪ Registry modifications

▪ Software installations

Container Fundamentals▪ Container Image• Capture the container state

• Convert the sandbox into a new container image

• Layer on top of container OS image

• New containers can be created based on this image

▪ Container Repository• Local repository on container host that stores all images and their dependencies

▪ Container Management Technology• Docker

• PowerShell

▪ New module that can be used as alternative to the docker cmd-line interface

▪ In development

Container Fundamentals

Windows Container OS Images▪ Windows Server 2016 has 2 container OS Images• Windows Server Core

• Nano Server

Deploy Container Host▪ Install Windows Server 2016

▪ Configure nested virtualization• Enable nested virtualization

▪ Set-VMProcessor -VMName ContainerHost -ExposeVirtualizationExtensions $true

• Host must have at least 4 GB RAM and disable dynamic memory

▪ Set-VMMemory -VMName ContainerHost -DynamicMemoryEnabled $false -StartupBytes 4GB

• Configure MAC address spoofing

▪ Get-VMNetworkAdapter -VMName CHost | Set-VMNetworkAdapter -MacAddressSpoofing On

▪ Enable Hyper-V role• Install-WindowsFeature Hyper-V

• Restart-Computer

Deploy Container Host▪ Install Docker • Docker Daemon and CLI do not ship with Windows

• Must be installed separately

▪ Install Docker with OneGet PowerShell module• Installs containers feature

• Installs docker

• Creates virtual switch (NAT mode)

• Starts docker service

Install Docker▪ PowerShell• Install-Module –Name DockerMsftProvider –Repository PSGallery –Force

• Install-Package –Name docker –ProviderName DockerMsftProvider

• Restart-Computer –Force

Container Images▪ Install container OS images• Search for images in Docker hub

▪ docker search

▪ docker search microsoft

• Download and install a container image

▪ docker pull Microsoft/windowsservercore

▪ docker pull Microsoft/nanoserver

• Verify that images were installed

▪ docker images

Create and Start a Container▪ Download IIS image from docker hub• docker pull microsoft/iis

▪ Create and start container based on Server Core image in interactive mode – start cmd• docker run --name iisbase -it microsoft/windowsservercore cmd

▪ Create and start container based on IIS image in the background – map port 80 – keep the container running• docker run -d -p 80:80 microsoft/iis ping -t localhost

▪ Get list of running containers• docker ps

Stop or Remove a Container▪ Docker• Stop a container / stop all running containers

▪ docker stop iisbase

▪ docker stop (docker ps –q)

• Remove a container / remove all containers

▪ docker rm iisbase

▪ docker rm (docker ps –a –q)

Hyper-V Container▪ Create Hyper-V container• Docker

▪ docker run -it --isolation=hyperv nanoserver cmd

Container Images▪ Used to deploy containers

▪ Can include• Operating system

• Applications

• All application dependencies

▪ Can be stored in container registry for later use

▪ Can be deployed on any Windows container host

▪ Can be used as base for new images

Container Images▪ Docker• List Images

▪ docker images

• Install base OS Images

▪ docker search

▪ docker pull microsoft/nanoserver

• Create new image

▪ docker commit <containername> <imagename>

▪ docker build –t user/dockerfile c:\Build

• Remove image

▪ docker rmi <imagename>

Container Images▪ Docker Hub• Registry that contains pre-built images that can be downloaded to a container host

• List of images available from Docker Hub

▪ docker search *

• Download image from Docker Hub

▪ docker pull microsoft/aspnet

Container Networking▪ Each container has a virtual network adapter• Connected to a virtual switch

• Forwards inbound and outbound traffic for container

▪Types of network configuration• Network Address Translation (NAT) Mode

• Transparent Mode

• L2 Bridge Mode

• L2 Tunnel Mode

NAT Networking Mode▪ Network address translation• Internal network switch with type of NAT

• Container host has external IP address

• All containers get internal IP address

• External port of host must be mapped to internal port of container

NAT Networking Mode▪ Host configuration• NAT network is automatically created by Docker daemon

• List networks

▪ docker network ls

• Create NAT network

▪ docker network create -d nat mynatnet [--subnet=<string[]>] [--gateway=<string[]>]

▪ Container configuration• Create container connected to NAT switch

▪ docker run -it --net=mynatnet windowsservercore cmd

NAT Networking Mode▪ Port mapping• Mapping between port 80 of the host and port 80 of the container with IP address

172.16.0.2

▪ docker run -it --name=DemoNat -p 80:80 windowsservercore cmd

▪ Container application is accessible through IP address of container host and external port

Transparent Networking Mode▪ Transparent Networking• External network switch

• Each container receives IP address from DHCP server

• Each container is accessible

• No port mapping table required

Transparent Networking Mode▪ Host configuration• Create virtual switch connected to physical or virtual network adapter

▪ docker network create -d transparent mytransparentnet

• Enable MAC address spoofing (if container host is VM)

▪ Get-VMNetworkAdapter -VMName DemoVM | Set-VMNetworkAdapter -MacAddressSpoofing On

▪ Container configuration• Create container connected to external switch

▪ docker run -it --net=mytransparentnet windowsservercore cmd

Thanks to our event sponsors

Silver

Gold