The Windows Server 2016 Containers feature enables Windows Server 2016 to run applications in “containers”. Let’s take a look at what this feature is.
There are plenty of guides on the Internet for how to set up containers on Windows. The purpose here is not so much to provide the instructions, as to see and understand how the new Containers feature is implemented.
Step 1: Build a standard Windows server. It can be a physical or virtual server.
Step 2: Install the Containers feature.
This creates a new service: the Hyper-V Host Compute Service. Note that several Hyper-V components are already installed by default in the server OS, without adding the Hyper-V role explicitly. The Containers feature extends the default Hyper-V services.
The Hyper-V Host Compute Service is the one that partitions access to the Windows kernel between different containers.
Next, install the PowerShell module for Docker. There are two steps to obtain the module:
- Add the Microsoft NuGet module
- Add the PowerShell Docker module.
NuGet is the Microsoft package manager for open source .NET packages:
Install-PackageProvider -Name NuGet -Force
Then the PowerShell module for Docker:
Install-Module -Name DockerMsftProvider -Repository PSGallery -Force
Next, we need to add the Docker components. Docker is a third-party application that manages containers, on Linux and now on Windows. Microsoft provides the API (in the Hyper-V Host Compute Service) and Docker provides the application that uses the API to run containers. The documentation for Docker comes from Docker, not from Microsoft. The command to install the Docker package is:
Install-Package -Name docker -ProviderName DockerMsftProvider
I have broken these out as separate steps for clarity. If you install the PowerShell Docker module you will be prompted first for NuGet. The Docker package (last step above) will also add the Containers feature, if you have not already done it.
Docker is installed as a service (daemon) and a client to operate the service.
The Docker installation has these two executables.
The file dockerd.exe is the Docker service.
The file docker.exe is the client. Like a lot of open source tools, Docker is managed at the command line. You can run the docker client executable in the Command Prompt.
The Containers feature also creates an internal network where the containers will run by default. This consists of:
- A Hyper-V virtual switch
- A subnet used for the virtual network (always 172.17.nnn.0/20)
- A virtual NIC on the host server that is presented to the virtual switch
- Two new rules in the Windows firewall.
By default the Containers feature sets up a NAT switch. A Windows component, WinNAT, maps ports on the host to IP addresses and ports on the container network.
Here is the virtual switch:
And the NAT component:
The host NIC on this virtual switch:
The Hyper-V Virtual Ethernet Adapter shown in the normal Network and Sharing Centre:
You can create other types of virtual switches later.
The installation also creates two default firewall rules:
The Inter-Container Communication (ICC) default rule allows anything from the virtual container network:
and RDP:
It is not obvious why the Containers feature creates a firewall rule for RDP. It does not enable RDP on the host. And the containers do not support RDP.
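To review the services, NAT network, host NIC and firewall rules described above on your own host, the following PowerShell audit can be run after installation. It is an added example, not part of the original post; it assumes the container subnet can be read from `Get-NetNat`, and it finds the firewall rules by remote address and by local port 3389 rather than by rule name.

```powershell
# Added audit example, not from the original post. Run in an elevated PowerShell session.
# vmcompute and hns are the service names of the Hyper-V Host Compute Service and the
# Host Network Service; "docker" is the service registered for dockerd.exe.
Get-Service -Name vmcompute, hns, docker -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status, StartType

# WinNAT objects and the internal prefix each one translates for.
$nats = @(Get-NetNat -ErrorAction SilentlyContinue)
$nats | Select-Object Name, InternalIPInterfaceAddressPrefix, Active

# Network-address part of each NAT prefix (the text before the "/").
$natNetworks = @($nats | ForEach-Object { ($_.InternalIPInterfaceAddressPrefix -split '/')[0] })

# Host-side virtual NICs presented to the virtual switch, with their IPv4 addresses.
Get-NetAdapter |
    Where-Object { $_.InterfaceDescription -like 'Hyper-V Virtual Ethernet Adapter*' } |
    ForEach-Object {
        $ip = Get-NetIPAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Adapter = $_.Name
            Status  = $_.Status
            IPv4    = ($ip | ForEach-Object { "$($_.IPAddress)/$($_.PrefixLength)" }) -join ', '
        }
    }

# Enabled inbound allow rules that admit the container subnet or open local port 3389.
# Assumption: rules are matched by address and port, since the page gives no rule names.
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
$report = foreach ($rule in $rules) {
    $addr = $rule | Get-NetFirewallAddressFilter
    $port = $rule | Get-NetFirewallPortFilter
    $fromContainerNet = $false
    foreach ($net in $natNetworks) {
        if (@($addr.RemoteAddress) -like "$net/*") { $fromContainerNet = $true }
    }
    $isRdp = @($port.LocalPort) -contains '3389'
    if ($fromContainerNet -or $isRdp) {
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Profile       = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = @($port.LocalPort) -join ','
            RemoteAddress = @($addr.RemoteAddress) -join ','
            Reason        = if ($fromContainerNet) { 'container subnet' } else { 'RDP port' }
        }
    }
}
$report | Sort-Object Reason, Rule | Format-Table -AutoSize
```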
In summary:
- The Windows Containers feature is enabled as an extension of the default Hyper-V services.
- The Hyper-V Host Compute Service allows containers to run processes on the Windows kernel. The Hyper-V Host Network Service creates the internal logical networks for the containers.
- There is no need to install the Hyper-V role itself, unless you want to run containers in a VM (called Hyper-V Isolation Mode).
- Docker is a third-party application that uses the Windows Containers feature to create and run containers.
- The Docker package installs the Docker components on top of the Windows Containers feature.
- The Docker package installation also creates a virtual network for containers. This has a Hyper-V virtual switch with NAT networking, and a Hyper-V virtual NIC on the host attached to the switch.
So far, we have installed the Containers feature and the Docker components. We still can’t do anything until we obtain an image to create containers from.