Process Isolation for containers in Windows 10


For a few months we have known that Docker for Windows would get support for process isolation under Windows 10. Arend-Jan Kauffmann explained how to use nightly builds from Docker to get the feature early and test it. I of course jumped on this and have been running a nightly build of Docker since December 6th.

A few days ago the feature was released in the edge release of Docker Desktop.

No updates?

I tried to check for updates, but this didn't reveal any new release. I replaced the docker executables with the original files and tried again - still no updates.

I checked the edge release notes: https://docs.docker.com/docker-for-windows/edge-release-notes/ - no updates.

I did some investigation and found that this was probably caused by Docker for Windows being renamed to Docker Desktop, which also changed the version numbering scheme, so the old installer no longer saw the new release as an update.

This worked for me!

I decided to uninstall docker and install the edge release from here: https://hub.docker.com/editions/community/docker-ce-desktop-windows

Unfortunately this also didn't go as smoothly as expected. I ran into this issue: https://success.docker.com/article/dockerforwin-install-fails-on-installationmanifestjson - but fortunately, I could resolve this by following the resolution in this blog post.

After installing, the About Docker dialog shows that I am running engine 18.09.1, which is the first release supporting process isolation.

NavContainerHelper support (as of today)

NavContainerHelper 0.4.3.0 or newer will default the isolation mode to process when running Windows 10 1809 and Docker 18.09.1 (or a daily build with support for process isolation), and will display the chosen isolation mode in its output.

Proof

Inspecting the processes on the host and inside the container reveals that you are indeed running process isolation: the container shares the host kernel, so the processes running inside the container also show up in the host's process list.
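As an added example (my own PowerShell, not code from the post or from NavContainerHelper), the following script covers both the NavContainerHelper default described above and the proof in this section: it applies the build/engine rule for picking the isolation mode, then checks whether a running container's processes are visible on the host. It assumes a container named bconprem2019 and the Windows column layout of `docker top` (Name, PID, CPU, Private Working Set).

```powershell
# Added example, not code from the original post or from NavContainerHelper.
# Get-DefaultIsolation applies the rule the post describes (process only on host
# build 17763/1809 or later with engine 18.09.1 or later); Test-ProcessIsolation
# is the "proof": a process-isolated container shares the host kernel, so its PIDs
# exist in the host process table, which is not the case under Hyper-V isolation.
# The container name 'bconprem2019' is an assumed placeholder.

function Get-DefaultIsolation {
    $build = [System.Environment]::OSVersion.Version.Build
    $engine = docker version --format '{{.Server.Version}}'
    if ($LASTEXITCODE -ne 0) { throw 'Docker engine not reachable' }
    # Engine versions look like "18.09.1" or "18.09.1-ce"; keep the numeric part.
    $engineVersion = [version](($engine -split '-')[0])
    if ($build -ge 17763 -and $engineVersion -ge [version]'18.9.1') { 'process' } else { 'hyperv' }
}

function Test-ProcessIsolation {
    param([string]$ContainerName = 'bconprem2019')
    # 1. What the daemon recorded for this container: process, hyperv or default.
    $isolation = docker inspect --format '{{.HostConfig.Isolation}}' $ContainerName
    if ($LASTEXITCODE -ne 0) { throw "docker inspect failed for '$ContainerName'" }

    # 2. Processes inside the container. On Windows `docker top` prints columns
    #    "Name PID CPU Private Working Set"; skip the header, split on whitespace.
    $inContainer = docker top $ContainerName | Select-Object -Skip 1 | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f.Count -ge 2 -and $f[1] -match '^\d+$') {
            [pscustomobject]@{ Name = $f[0]; Id = [int]$f[1] }
        }
    }

    # 3. Same kernel => same PIDs. Look each one up on the host and require the
    #    image name to match as well, so a coincidental PID reuse is not counted.
    $onHost = foreach ($p in $inContainer) {
        $h = Get-Process -Id $p.Id -ErrorAction SilentlyContinue
        if ($h -and $p.Name -like "$($h.ProcessName).*") { $p }
    }

    [pscustomobject]@{
        Container          = $ContainerName
        Isolation          = $isolation
        ContainerProcesses = @($inContainer).Count
        VisibleOnHost      = @($onHost).Count
        SharesHostKernel   = (@($inContainer).Count -gt 0 -and @($onHost).Count -eq @($inContainer).Count)
    }
}

Get-DefaultIsolation
Test-ProcessIsolation -ContainerName 'bconprem2019' | Format-List
```

Under Hyper-V isolation the PIDs reported by docker top belong to the utility VM, so VisibleOnHost stays at (or near) zero and SharesHostKernel is false.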

Recommendation

If you are running Windows 10, I recommend you to update to 1809 and update Docker to the 18.09.1 release.

Running NAV/BC containers in process isolation is a HUGE win over Hyper-V isolation.


Enjoy

Freddy Kristiansen
Technical Evangelist

Comments (10)
  1. Pallea says:

    If you don’t want to use the Desktop version then you can also install it as a service.

    I followed this guide

    https://docs.microsoft.com/en-us/virtualization/windowscontainers/quick-start/quick-start-windows-server

    I got an error when I tried to do the update and had to install it this way instead:

    Install-Module -Name DockerMsftProvider -Repository PSGallery -Force
    Install-Package -Name docker -ProviderName DockerMsftProvider
    Restart-Computer

    Then do the update to get 18.09.1
    Install-Package -Name Docker -ProviderName DockerMsftProvider -Update
    (Notice the error message and the folder name that goes wrong with the hash check).

    cd C:\Users\Administrator\AppData\Local\Temp\3\DockerMsftProvider
    (you have to take a look and test if it is temp\1-2-or-3)
    Start-BitsTransfer -Source https://dockermsft.blob.core.windows.net/dockercontainer/docker-18-09-1.zip -Destination docker-18-09-1.zip
    Get-FileHash -Path docker-18-09-1.zip -Algorithm SHA256
    Install-Package -Name docker -ProviderName DockerMsftProvider -Verbose
    Restart-Computer

    And then it works 🙂

    1. FreddyDK says:

      Thanks.
      I expected that there were different ways around this, which is why I decided to write: This worked for me! 🙂

      /Freddy

  2. Staedter says:

    Thanks for the info.

    Just FYI for me it worked just to go into the Docker settings and clicking on “You are running a stable version. You can switch to another version” on the bottom of the screen and there choosing the edge channel. After that the new build installed without a problem and I am now testing process isolation on my machine.

    So thanks again 🙂

  3. larswestman says:

    I got an automatic update of Docker today to version 2.0.0.2 (30215). After an update of nav-containerhelper and recreation of my containers I’m finally in process isolation! 🙂

    The Docker journey has been very long…. First everything was really sweet, then a Windows update later and things got really bad, then struggling with a VM as a workaround, and now a couple of months later it finally seems as if it works as it should in Win10. I really hope it stays this way…. I love the concept of Docker but my feelings have been rather the opposite for quite some time now.

    Thanks for your dedication and hard work Freddy!

    1. FreddyDK says:

      Thanks, yeah the journey on Windows 10 hasn’t been the easiest.
      On Windows Server 2016 things have been stable all along.
      I will have to monitor closely what happens when the bi-annual releases for Windows 10 come out.

  4. KristofKlein says:

    Hi Freddy!

    I managed to get my machine updated to 1809 and after a small fight with HyperV and Code flow guard (CFG) I managed to get Docker up and running again. So first try of loading the Image with Process Isolation went ….. not so well :/ Well actually I don’t know if or if not. The console shows all fine until it hits the line: Create container xxx from image and a GUID is shown and that’s it. It stayed like this for now almost 1 hour. spinning up with docker run and just the image works fine and is done below 1 minute….
    NavContainerHelper is version 0.4.3.2
    Host is Microsoft Windows 10 Enterprise – ltsc2019
    Docker Client Version is 18.09.1
    Docker Server Version is 18.09.1
    Using image mcr.microsoft.com/businesscentral/onprem:ltsc2019
    Removing C:\ProgramData\NavContainerHelper\Extensions\BConPREM2019
    Creating Nav container BConPREM2019
    Version: 13.3.27233.0-W1
    Platform: 13.0.27183.0
    Generic Tag: 0.0.9.0
    Container OS Version: 10.0.17763.194 (ltsc2019)
    Host OS Version: 10.0.17763.292 (ltsc2019)

    any Idea what is causing this?

    Kind regards
    Kristof

    1. FreddyDK says:

      You should file issues with NavContainerHelper here: https://github.com/Microsoft/navcontainerhelper/issues – sometimes it can take time before I see comments on blog posts…
      Please open an issue there and include the remainder of the output.
      You can also do docker logs bconprem2019 in another cmd prompt and include that output.

      Thanks

      1. Looks like I ran into the same issue as Tobias: https://github.com/moby/moby/issues/38306 so never mind 🙂 Looks like my journey with docker lasts a bit longer before calling it successful 😉

  5. Great post. So the container executes using the same version of the kernel, if security patches are applied to the host, does the executing container (running against the same kernel) also benefit from the security patches? Or do the containers need to be re-built with the security updates?

    1. FreddyDK says:

      Containers benefit from security updates on the host, but will also need updates themselves sometimes.
      We try to rebuild images for this every 3 months or so.

Comments are closed.
