Microsoft Secures the Windows Docker Container
Microsoft continues its work on creating a home for Docker on Windows. Thursday’s release of Windows Server 2016 release candidate 4 (RC 4) introduces a new kind of Docker Windows container, secured within the company’s virtualization technology, Hyper-V.
Hyper-V containers use the same image format as the Docker containers that run on Windows — which the company introduced in preview form earlier this year — but they offer the greater isolation provided by a virtual machine.
Although Microsoft first announced the idea of Hyper-V Containers a year ago, “This is the first time the world gets to play with them,” said Taylor Brown, principal programming management lead at Microsoft.
Hyper-V Containers can be controlled using many of the same commands used for regular Windows Containers. You use the same Docker command to spin up a Hyper-V container as you would for a regular Microsoft Docker container, adding only an isolation flag.
Currently, all Docker Compose commands work equally across both platforms, and a prototype of Swarm for Windows is being tested as well, noted Patrick Chanezon, Docker technical staff member.
What about performance? After all, one big advantage that containers enjoy over traditional virtual machines is that they can be created much more quickly, as they share the server’s kernel, rather than boot their own.
Indeed, Hyper-V Containers do take a few seconds longer to create, Brown admitted. And he added that Hyper-V Containers take up more room in memory, compared to their un-virtualized counterparts, so fewer of them can be packed onto a single server.
But this is the cost of greater security. By design, Hyper-V containers offer a much smaller attack surface. If a vulnerability is found in the Windows kernel, for instance, a malicious user couldn’t break out of the Hyper-V container to exploit that flaw on the host server.
“The worst they could do would be to crash that virtual machine. They couldn’t get out of that container boundary,” Brown said.
No libc for Windows
The effort to cross-compile the Linux-based Docker, written in Go, to Windows was a collaborative effort, involving Microsoft, Docker and third-party contributors, Brown said.
In fact, over the past year, Microsoft has become one of the largest contributors to Docker. Of the 319 pull requests in the past year, Microsoft was the fifth largest contributor, in terms of lines of code, according to Docker.
Keep in mind that Windows Docker containers offer Windows system calls, not Linux system calls. Like the Linux Docker container, the Windows container shares the host OS kernel, except the kernel is Windows, not Linux.
“When you are in a Windows container, it feels like a Windows environment. It is a Windows environment,” said Docker engineer Arnaud Porterie, during a talk on Windows Containers at the Dockercon EU conference, held this week in Barcelona.
Despite the shared Docker codebase, there are a number of architectural differences between Windows-based Docker and Linux-based Docker containers, noted Microsoft engineer John Starks, who also presented at the Dockercon EU Windows container talk.
For one, while a Linux-based Docker container spawns only a single process on the host system, a Microsoft Container will spawn several.
This isn’t true for the Hyper-V Containers, however, because they have their own lightweight kernel in the hypervisor, rather than share the host’s kernel. As a result, “It looks like a container from a Docker point of view, but you won’t see its processes on the host,” Starks said.
Also, on Linux, calls into the system go through a handful of shared libraries such as libc. In contrast, Windows relies on a broader set of DLLs (Dynamic-Link Libraries), many of which are intertwined to provide services. As a result, each Windows container actually runs several processes on the host OS, rather than just one.
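The isolation flag mentioned above and the process-visibility difference described here can be checked from the host itself. The following PowerShell script is an added example, not code from the article or from Microsoft or Docker; it assumes Docker is installed on a Windows Server host and that `$Image` is replaced with a Windows base image already present locally (a placeholder here). It starts the same image once with process isolation and once with Hyper-V isolation, reads back the isolation mode Docker recorded, and reports whether the container’s ping process shows up in the host’s own process table.

```powershell
# Added example (not from the article): compare what the host can see of a
# process-isolated Windows container versus a Hyper-V-isolated one.
# Assumes: Docker on Windows Server; $Image is a locally available Windows
# base image (placeholder value, substitute your own).
$Image = 'windowsservercore'   # placeholder image name

function Test-ContainerVisibility {
    param(
        [ValidateSet('process', 'hyperv')]
        [string]$Isolation
    )

    $name = "vis-test-$Isolation"

    # Count any ping processes already running on the host so a coincidental
    # one does not skew the result.
    $before = @(Get-Process -Name ping -ErrorAction SilentlyContinue).Count

    # "ping -t" keeps a recognisable PING.EXE alive inside the container.
    docker run -d --name $name --isolation=$Isolation $Image ping -t 127.0.0.1 | Out-Null
    Start-Sleep -Seconds 5

    # Docker records the isolation mode it actually applied to the container.
    $mode = docker inspect --format '{{.HostConfig.Isolation}}' $name

    # With process isolation the container shares the host kernel, so its
    # ping appears here; with Hyper-V isolation it runs under a separate
    # kernel inside the utility VM and the host process table does not list it.
    $after = @(Get-Process -Name ping -ErrorAction SilentlyContinue).Count

    docker rm -f $name | Out-Null

    [pscustomobject]@{
        Isolation         = $mode
        PingVisibleOnHost = ($after -gt $before)
    }
}

Test-ContainerVisibility -Isolation process
Test-ContainerVisibility -Isolation hyperv
```

Run it from an elevated PowerShell session on the container host; the two result rows side by side show the boundary the article describes.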
Hostile multitenancy for the win
So Linux-based Docker containers won’t be able to run natively on Windows machines, or vice versa. But both will be able to be controlled by the same Docker management software, allowing developers to mix the best components from Windows and Linux into a single application, Brown said.
And a fully isolated container could appeal to a number of enterprise users who have held back from using the technology for various security and industry compliance concerns.
Microsoft Azure itself will use the secured containers to more efficiently offer multi-tenant hosted services, such as the Azure Machine Learning (ML) Service.
“We can completely isolate the customers’ scripts from each other at a much higher density than we could do if we spun up a full VM for each of them,” Brown said.
The fully production-ready Hyper-V Container technology will arrive with the full commercial release of Windows Server 2016, presumably out sometime next year. Both the full Windows Server 2016 and the slimmed-down Nano version will run the containers.
Hyper-V Containers will also be supported on Microsoft’s Azure container service, once Microsoft updates its hypervisor.
Docker is a sponsor of The New Stack.
Feature Image: Docker Technical Staff Patrick Chanezon, flanked by Microsoft Azure Architect John Gossman (Left) and Microsoft principal programming manager Taylor Brown, at Dockercon EU 2015.