Windows Server 2016 to Contain the Commercial Docker Engine

In a widely anticipated announcement Monday, Microsoft Executive Vice President Scott Guthrie told a packed keynote session at the company’s Ignite conference in Atlanta that all copies of Windows Server 2016 — made available for general evaluation Monday, and for general release before the end of October — will include a commercially supported Docker Engine as a no-cost option.
“This makes it incredibly easy for developers and IT administrators to leverage container-based deployments using Windows Server 2016,” said Guthrie. And he followed up with a statement that makes the server operating system’s new place in Microsoft’s cloud-centric universe quite clear: “We think of Windows Server 2016 in many ways as the edge of our Azure cloud. One of the things we recommend you think about is Azure as the edge of all your on-premises servers.”
Azure is becoming Microsoft’s infrastructure layer. Windows Server becomes a tool of Azure, for executing Windows workloads. There will be Linux workloads as well, and last November’s partnership agreement with Red Hat places Red Hat Enterprise Linux (RHEL) in the forefront as Azure’s Linux of choice. In an agreement announced Monday, in a similar vein to the Red Hat deal last November, Docker, Inc. is enabling Microsoft to become the customer point of contact for supporting Docker Engine in Windows Server.
That’s an extraordinary step forward, whose importance cannot be overstated. Historically, enterprises’ principal objection to open source software has been that it lacks the same level and caliber of support as commercial software. Red Hat’s partnership with Microsoft is paying extraordinary dividends, having been expanded yet again last month to enable government customers to merge their Red Hat and Microsoft subscriptions. Perhaps a similar partnership will bring similar benefits to Docker, Inc.
Major customers tend to look very favorably upon partnerships whose benefits extend directly to them — most notably, in terms of support. Up to now, Windows data centers have had little reason or incentive to begin experimenting with Windows containers. Now they not only have a good excuse, but a safety net.
One of Two Whales in This Ocean
During a general session Monday, Docker CEO Ben Golub took the stage briefly to confirm his company had also been working in direct collaboration with Microsoft on polishing Docker Datacenter for use with Windows.
“Docker offers a management tool which is also being used now by thousands of large and small organizations alike,” said Golub. “That makes it possible to take this notion of container and apply it to the software supply chain, so that you’re able to manage the entire process, from building code, to it being tested, it being scanned, put into production, upgraded, moving from one host to another, etc. We’ve collaborated on that as well, and you can try it in Azure and you can try it on-prem, it doesn’t matter.”
Monday’s joint announcement from the two companies attests to their pledge to work together to promote Docker Datacenter in this context, which Docker, Inc. Chief Operating Officer Scott Johnston confirmed in a company blog post. That promotion avoids phrases like “preferred” or “default,” and it shows Microsoft continuing its existing promotion with Mesosphere, which gives DC/OS a prime location in the Azure Marketplace. Indeed, during a handful of demos at Ignite Monday, DC/OS still appeared in that location, and product managers remained happy to mention it.
Nevertheless, today’s agreement gives Docker a kind of advantage it could never have attained in the open source arena of Linux: access to Windows data centers, providing a path for operations to move from the WS2016 upgrade to Docker Engine to Docker Datacenter. Besides DC/OS, there’s no real competition yet in the emerging Windows container orchestration space, and Microsoft has thus far refrained from claiming that space for itself.
Microsoft Corporate Vice President Jason Zander (pictured at top, left), who introduced Golub onstage, re-familiarized attendees with the purpose of containerization and Docker’s role in that market. It has already been a year and a half since last year’s Ignite, when Microsoft’s Azure Chief Technology Officer Mark Russinovich introduced the concepts of Docker containers to a reception of awe and astonishment. This year’s attendees greeted the news with applause, though this time they sounded more eager to simply get on with the launch.
Extending VM Shielding to Containers
This time, Zander centered on the key architectural difference between the two modes of containers that Windows Server will support, both driven by the same Docker tooling: Windows Server containers, which share the host kernel the way a standard Docker container does, and Hyper-V containers, which wrap each container in a lightweight virtual machine on Microsoft’s Hyper-V hypervisor. There are actually several nuanced differences, but genuine efforts to summarize them often result in unintended slumber. Zander found the one that counts.
“Whereas regular containers can have a shared kernel, if you’re doing multi-hosted tenanting where [you’ve] got multiple customers, they really shouldn’t be doing that,” said Zander. “That’s potentially a security risk. So Hyper-V containers allow me to take that same container technology, but I can deploy them with the isolation of a VM. We actually use this type of technology for things like Azure Machine Learning and Azure Automation, where once again, we’re executing lots of jobs for multiple tenants, but we want that security and we want that isolation.”
Ever since Docker first built containerization on top of the cgroups and namespace model in Linux, security engineers and software developers alike have pointed out the danger of collateral attack: every container on a host shares one kernel, so a kernel flaw reachable from inside one container is a flaw reachable from all of them, whatever the tenant boundary is supposed to be. That theoretical potential looked even more exploitable from the standpoint of Windows, an environment where an attacker’s foothold has long tended to become leverage over everything else on the machine.
Microsoft has been working to cut off such exploits before they begin, by rooting trust in hardware modules so that the keys needed to encrypt and decrypt a Hyper-V virtual machine are released only to hosts that can prove their integrity. This Shielded VM technology, as Microsoft calls it, is being extended to Hyper-V containers. The architectural tradeoff is that each Hyper-V container has to carry its own copy of the kernel, booted from a base image (in this case, Nano Server), rather than borrowing the host’s; that costs memory and start-up time, but it removes the shared kernel as an attack surface. Each Hyper-V container is thus a Windows container bundled with a non-shared kernel.
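The following is an added example, not code from the article or from Microsoft or Docker, showing the distinction Zander draws in practice on a Windows Server 2016 host: the same image is started once as a Windows Server container and once as a Hyper-V container, and the host is checked to confirm which isolation mode each container actually received. It assumes the Containers and Hyper-V roles are installed and Docker Engine is running; the image name `microsoft/nanoserver` is the 2016-era base image and is an assumption here. The Shielded VM and Host Guardian Service setup described above is separate and is not shown.

```powershell
# Added example (not the article's or Microsoft's/Docker's code). Assumes a
# Windows Server 2016 host with the Containers and Hyper-V roles installed,
# Docker Engine running, and the 2016-era base image 'microsoft/nanoserver'
# (an assumption) already pulled.

$ErrorActionPreference = 'Stop'
$image = 'microsoft/nanoserver'

# Each Hyper-V container is backed by a utility VM, and each utility VM runs
# under its own Hyper-V worker process (vmwp.exe). Count them before we start.
$vmwpBefore = @(Get-Process -Name vmwp -ErrorAction SilentlyContinue).Count

# 1. Windows Server container: shares the host kernel (the Server 2016 default).
$shared = docker run -d --isolation=process $image ping -t 127.0.0.1

# 2. Hyper-V container: same image, same CLI, but the container runs on its own
#    kernel inside a lightweight VM. This is the mode Zander recommends when
#    several tenants' workloads land on one host.
$isolated = docker run -d --isolation=hyperv $image ping -t 127.0.0.1

# Docker records the mode that was actually applied in HostConfig.Isolation.
foreach ($id in @($shared, $isolated)) {
    $mode = docker inspect --format '{{.HostConfig.Isolation}}' $id
    '{0}  isolation={1}' -f $id.Substring(0, 12), $mode
}

# A Hyper-V container appears on the host as one more vmwp.exe; a process
# container does not, because it is nothing more than a set of host processes
# in a job object with a private view of the host kernel's namespaces.
$vmwpAfter = @(Get-Process -Name vmwp -ErrorAction SilentlyContinue).Count
"vmwp.exe processes: before=$vmwpBefore after=$vmwpAfter (expect +1 for the Hyper-V container)"

# Audit check for a host that is meant to carry untrusted tenants: flag every
# running container that is still sharing the host kernel. A value of
# 'default' counts as shared, because on Server 2016 the default is process
# isolation.
$unisolated = docker ps -q | ForEach-Object {
    $mode = docker inspect --format '{{.HostConfig.Isolation}}' $_
    if ($mode -ne 'hyperv') { $_ }
}
if ($unisolated) {
    Write-Warning "Containers sharing the host kernel: $($unisolated -join ', ')"
}

# Clean up the two demo containers.
docker rm -f $shared $isolated | Out-Null
```

The audit loop at the end is the part worth keeping: a multi-tenant host policy that says "Hyper-V isolation only" is cheap to enforce by inspecting `HostConfig.Isolation` on every running container, and the `vmwp.exe` count is an independent, host-side confirmation that the isolation really did produce a separate kernel instead of just a flag in the container's metadata.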
This morning’s keynotes and general sessions surprisingly provided no demos of Docker container technology in action, although breakout sessions later in the week promise hands-on analysis. Azure Stack, Microsoft’s Windows-based alternative to OpenStack based on its Azure infrastructure, had been anticipated for general release Monday as well, though Enterprise Cloud Group Technical Fellow Jeffrey Snover explained to attendees that Technical Preview 2 of Azure Stack is being released Monday instead. General availability of Azure Stack is still expected before the end of the year.
Docker and Red Hat are sponsors of The New Stack.