Windows Server and Docker: The Internals Behind Bringing Docker and Containers to Windows
John Starks & Taylor Brown, Principal Leads in Windows
Agenda
• Basics
• Architecture
• Porting Docker
• Shallow dive
  • Namespaces
  • File system
  • Base images
• Hyper-V Containers
  • Two great things
  • Better together
Back to basics
Docker on Windows
• Not “Docker for Windows”
  • Integration coming
• Port of Docker Engine (not a fork)
  • Same remote API, same tools work on top (Compose, Swarm, etc.)
• Built on new native container technology in Windows
  • Runs on Windows Server 2016 and on the latest Windows 10
• Runs Windows Server containers on Windows hosts
  • Doesn't run Linux containers
• Available to try now
  • http://aka.ms/containers
Demo!
How?
• New system-level container capabilities in Windows
  • Namespaces
  • Resource controls
  • Union file system
• Adapted Docker to Windows
• Adapted Windows to Docker
Architecture in Linux (diagram)
• Clients: Docker Client, Docker Registry, Docker Compose, Docker Swarm
• Docker Engine: REST interface; libcontainerd, graph, libnetwork, plugins
• containerd + runc
• Operating system
  • Control groups: cgroups
  • Namespaces: pid, net, ipc, mnt, uts
  • Layer capabilities: union filesystems (AUFS, btrfs, vfs, zfs*, DeviceMapper)
  • Other OS functionality
Architecture in Windows (diagram)
• Clients: Docker Client, Docker Registry, Docker Compose, Docker Swarm
• Docker Engine: REST interface; libcontainerd, graph, libnetwork, plugins
• Compute Service
• Operating system
  • Control groups: job objects
  • Namespaces: object namespace, process table, networking
  • Layer capabilities: registry, union-like filesystem extensions
  • Other OS functionality
Compute Service
• Public interface to containers
• Replaces containerd on Windows
• Manages running containers
• Abstracts low-level capabilities
• Language bindings available
  • C#: https://github.com/Microsoft/dotnet-computevirtualization
  • Go: https://github.com/Microsoft/hcsshim
Architecture: Windows Server Containers
Windows Server Containers architecture (diagram)
• Windows Kernel, shared by the host and every container
• Host user mode
  • Container management: Docker Engine, Compute Services
  • System processes: Session Manager, Local Security Authority, Event Manager, etc.
• Each Windows Server Container: its own system processes and application processes, bounded by a job object, with its own net interface, storage and registry
Container contents
• Public Windows API delivered via DLLs, not syscalls
• Lots of interdependencies
  • Highly dependent on system services running
  • RPC calls hidden in Win32 APIs
• Automatically starts smss
  • init equivalent
  • Launches a variety of system services
• No “FROM scratch”
Base images
• Distributed by Microsoft
• Two options
  • windowsservercore: large (huge?), highly compatible
  • nanoserver: small, fast, smaller API surface
• docker pull coming soon!
  • microsoft/windowsservercore
  • microsoft/nanoserver
Demo!
Namespaces
• Silo: extension to the Windows Job object
  • Set of processes
  • Resource controls
  • New: set of namespaces
• New namespace virtualization
  • Registry
  • Process IDs, sessions
  • Object namespace
  • File system
  • Network compartments
Object namespace
• System-level namespace, hidden from users
  • C:\Windows maps to \DosDevices\C:\Windows
• Contains all device entry points
  • \DosDevices\C:
  • \Registry
  • \Device\Tcp
• Silo can "chroot" to a different object root
  • \Silos\foo\DosDevices\C:
  • \Silos\bar\DosDevices\C:
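The slide's re-rooting of the object namespace, as an added model that is not code from the talk or from Windows: it maps a drive-letter path to the NT object path it resolves to under the global root or under a silo's `\Silos\<name>` root, and includes a check that a resolved path stays under the silo it belongs to. The `\Silos\{name}` layout and the path-normalization step are assumptions taken from the slide, not a description of the kernel's actual lookup.

```python
import ntpath
import re
from typing import Optional

# Per-silo object root, following the slide's \Silos\foo and \Silos\bar examples.
SILO_ROOT = "\\Silos\\{name}"
DRIVE_RE = re.compile(r"^([A-Za-z]):(.*)$")
SILO_RE = re.compile(r"^\\Silos\\([^\\]+)(?:\\|$)")


def win32_to_object_path(win32_path: str, silo: str = "") -> str:
    """Map a drive-letter path to the NT object path it resolves to.

    On the host, C:\\Windows becomes \\DosDevices\\C:\\Windows; inside silo
    'foo' the same path becomes \\Silos\\foo\\DosDevices\\C:\\Windows, so two
    silos can see different volumes behind the same drive letter.
    """
    m = DRIVE_RE.match(win32_path)
    if not m:
        raise ValueError(f"expected a drive-letter path, got {win32_path!r}")
    drive, rest = m.group(1).upper(), m.group(2).replace("/", "\\")
    # Collapse '.' and '..' before forming the NT path (as the Win32 layer does),
    # so '..' cannot climb above the drive root and out of the silo's DosDevices.
    normalized = ntpath.normpath("\\" + rest.lstrip("\\"))
    if normalized == "\\":          # a bare 'C:' maps to the drive object itself
        normalized = ""
    root = SILO_ROOT.format(name=silo) if silo else ""
    return f"{root}\\DosDevices\\{drive}:{normalized}"


def silo_of(object_path: str) -> Optional[str]:
    """Return the silo whose object root a resolved path lies under, or None for the global root."""
    m = SILO_RE.match(object_path)
    return m.group(1) if m else None


def is_confined(object_path: str, silo: str) -> bool:
    """Defender's check: does a path resolved by a container stay under that container's silo root?"""
    return silo_of(object_path) == silo


if __name__ == "__main__":
    for name in ("foo", "bar"):
        print(name, win32_to_object_path(r"C:\Windows\System32", name))
```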
Demo!
File system
• Windows applications expect NTFS semantics
  • Transactions, file IDs, USN journal
• Building a full union FS with NTFS semantics is hard
• Hybrid model
  • Virtual block device + NTFS partition per container
  • Symlinks to layers on the host FS to keep block devices small
Registry (the Windows Registry)
• Basically a simple file system
• Built a true union FS
• Saves cloning a full set of registry hives per container
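A toy model of what "a true union FS over the registry" has to do, added here and not Microsoft's implementation: shared read-only image layers sit under a private writable layer per container, lookups resolve top-down, whiteouts hide keys deleted in an upper layer, and subkey enumeration merges across layers. The hive contents and key names are constructed sample data.

```python
from typing import Dict, List, Optional

WHITEOUT = object()        # tombstone: the key was deleted in this layer
Hive = Dict[str, object]   # key path -> dict of values, or WHITEOUT


class UnionRegistry:
    """Registry view for one container: read-only image layers plus a private top layer."""

    def __init__(self, image_layers: List[Hive]):
        # Image layers are shared by every container (bottom-most first);
        # only the appended top layer is private, so no hive is cloned per container.
        self.layers: List[Hive] = list(image_layers) + [{}]

    def get_key(self, path: str) -> Optional[Dict[str, str]]:
        """Resolve top-down: the highest layer with an entry wins; a whiteout hides lower copies."""
        for layer in reversed(self.layers):
            if path in layer:
                entry = layer[path]
                return None if entry is WHITEOUT else dict(entry)
        return None

    def set_value(self, path: str, name: str, data: str) -> None:
        """Copy-on-write: merge the visible key into the top layer and modify it there."""
        merged = self.get_key(path) or {}
        merged[name] = data
        self.layers[-1][path] = merged

    def delete_key(self, path: str) -> None:
        self.layers[-1][path] = WHITEOUT

    def subkeys(self, parent: str) -> List[str]:
        """Merge direct child names across layers, bottom-up so upper whiteouts remove lower names."""
        prefix = parent.rstrip("\\") + "\\"
        names = set()
        for layer in self.layers:
            for path, entry in layer.items():
                child = path[len(prefix):]
                if path.startswith(prefix) and "\\" not in child:
                    (names.discard if entry is WHITEOUT else names.add)(child)
        return sorted(names)


# Constructed sample hives: a base image layer and an application image layer on top of it.
BASE_HIVE: Hive = {
    r"HKLM\SOFTWARE\Contoso": {"Version": "1.0"},
    r"HKLM\SOFTWARE\Fabrikam": {"Installed": "1"},
}
APP_HIVE: Hive = {
    r"HKLM\SOFTWARE\Contoso": {"Version": "2.0"},   # overrides the base layer's value
    r"HKLM\SOFTWARE\Fabrikam": WHITEOUT,             # the app layer removed this key
}
```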
Architecture: Hyper-V Containers
Hyper-V Containers
• Some workloads need more isolation
  • Hostile multi-tenancy
  • Regulated workloads
• Solution: transparently run each container in a VM!
  • (Mostly) invisible to both Docker and the user
  • docker run --isolation=hyperv
  • Hyper-V Containers are the default on Windows 10
• Images are the same
(This slide repeats the Windows Server Containers architecture diagram shown earlier.)
Hyper-V Containers architecture (diagram)
• Host: Windows Kernel; host user mode with container management (Docker Engine, Compute Services) and system processes (Session Manager, Local Security Authority, Event Manager, etc.)
• Hyper-V Hypervisor
• Hyper-V Container: a virtual machine specifically optimized to run a container, with its own Windows Kernel, Guest Compute Service and basic system processes, hosting a Windows Server Container (system processes, application processes, job object, net interface, storage, registry)
Making it work
• Small, stateless “utility VM”
  • Smallest Windows yet?
  • Writes not persisted
• Storage attached via SMB
  • VMBus transport
  • File cache sharing
• Networking attached via virtual NIC
Cloning
• Launching the utility VM takes time and memory
• Do it once, freeze the result
• Fork the VM for each new instance
  • Eliminates startup time
  • Shares memory
Demo!
Thank you!