Process Isolation for containers in Windows 10

For a few months we have known that Docker for Windows would get support for process isolation under Windows 10. Arend-Jan Kauffmann explained how to use nightly builds from Docker to get the feature early and test it. I of course jumped on this and have been running a nightly build of Docker since December 6th.

A few days ago the feature was released in the edge release of Docker Desktop.

No updates?

I tried to check for updates, but this didn't reveal any new release. I replaced the docker executables with the original files and tried again - still no updates.

I checked the edge release notes: https://docs.docker.com/docker-for-windows/edge-release-notes/ - no updates.

I did some investigation and found that this was probably caused by Docker for Windows being renamed to Docker Desktop and the version numbering schema having changed.

This worked for me!

I decided to uninstall docker and install the edge release from here: https://hub.docker.com/editions/community/docker-ce-desktop-windows

Unfortunately, this also didn't go as smoothly as expected. I ran into this issue: https://success.docker.com/article/dockerforwin-install-fails-on-installationmanifestjson - but fortunately, I could resolve this by following the resolution in this blog post.

After installing, the About Docker dialog shows that I am running engine 18.09.1, which is the first version supporting process isolation.

NavContainerHelper support (as of today)

NavContainerHelper 0.4.3.0 or newer will default the isolation mode to process when running Windows 10 1809 and Docker 18.09.1 (or a daily build with support for process isolation) and will display this in the output.

Proof

Inspecting the processes on the host and in the container reveals that you are indeed running process isolation.
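
One way to run that check yourself, as an added example that is not part of the original post: the PowerShell script below reads the isolation mode Docker reports for a container and then tests whether the container's processes appear in the host's process table. The container name `mycontainer` is a placeholder, and the parsing assumes the usual Windows `docker top` column layout (Name, PID, CPU, Private Working Set).

```powershell
param(
    # Placeholder name (assumption); pass the name of a running Windows container.
    [string]$ContainerName = 'mycontainer'
)

# Isolation recorded for this container: "process", "hyperv" or "default".
$isolation = docker inspect --format '{{.HostConfig.Isolation}}' $ContainerName
if ($LASTEXITCODE -ne 0) { throw "docker inspect failed for '$ContainerName'" }

# "default" means the daemon's default applies, so ask the daemon what that is.
if ($isolation -eq 'default') {
    $isolation = docker info --format '{{.Isolation}}'
}
Write-Host "Configured isolation: $isolation"

# Skip the header row of docker top and keep the Name and PID columns.
$containerProcs = @(docker top $ContainerName | Select-Object -Skip 1 | ForEach-Object {
    $cols = $_.Trim() -split '\s+'
    if ($cols.Count -ge 2 -and $cols[1] -match '^\d+$') {
        [pscustomobject]@{ Name = $cols[0]; Id = [int]$cols[1] }
    }
})

# With process isolation the container shares the host kernel, so every
# container PID is also a host PID. With hyperv isolation the processes run
# inside a utility VM and do not appear in the host's process table.
$onHost = @(foreach ($p in $containerProcs) {
    $h = Get-Process -Id $p.Id -ErrorAction SilentlyContinue
    # Compare names too, so an unrelated host process with the same PID is not counted.
    $expected = [IO.Path]::GetFileNameWithoutExtension($p.Name)
    if ($h -and $h.ProcessName -eq $expected) { $p }
})

Write-Host "Container processes visible on host: $($onHost.Count) of $($containerProcs.Count)"

if ($containerProcs.Count -gt 0 -and $onHost.Count -eq $containerProcs.Count) {
    Write-Host 'Observed: process isolation (container shares the host kernel).'
} elseif ($onHost.Count -eq 0) {
    Write-Host 'Observed: no container PIDs on the host (consistent with hyperv isolation).'
} else {
    Write-Host 'Observed: partial match; a process may have exited between the two calls.'
}
```

Because a process-isolated container shares the host kernel, its isolation boundary is weaker than the Hyper-V one, which is worth knowing before running untrusted images this way.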

Recommendation

If you are running Windows 10, I recommend that you update to 1809 and update Docker to the 18.09.1 release.

Running NAV/BC containers in process isolation is a HUGE win over hyperv isolation.

Enjoy

Freddy Kristiansen
Technical Evangelist

Comments

  • Anonymous
    January 13, 2019
    The comment has been removed
    • Anonymous
      January 16, 2019
      Thanks. I expected that there were different ways around this, which is why I decided to write: This worked for me! :-) /Freddy
  • Anonymous
    January 14, 2019
    Thanks for the info. Just FYI, for me it worked just to go into the Docker settings and click on "You are running a stable version. You can switch to another version" at the bottom of the screen and choose the edge channel there. After that the new build installed without a problem and I am now testing process isolation on my machine. So thanks again :)
  • Anonymous
    January 15, 2019
    I got an automatic update of Docker today to version 2.0.0.2 (30215). After an update of nav-containerhelper and recreation of my containers I'm finally in process isolation! :-) The Docker journey has been very long.... First everything was really sweet, then a Windows update later and things got really bad, then struggling with a VM as workaround and now a couple of months later it finally seems as if it works as it should in Win10. I really hope it stays this way.... I love the concept of Docker but my feelings have been rather the opposite for quite some time now. Thanks for your dedication and hard work Freddy!
    • Anonymous
      January 16, 2019
      Thanks, yeah the journey on Windows 10 hasn't been the easiest. On Windows Server 2016 things have been stable all along. I will have to monitor closely what happens when the bi-annual releases for Windows 10 come out.
  • Anonymous
    January 30, 2019
    The comment has been removed
    • Anonymous
      January 31, 2019
      You should file issues with NavContainerHelper here: https://github.com/Microsoft/navcontainerhelper/issues - sometimes it can take time before I see comments on blog posts... Please open an issue there and include the remainder of the display. You can also do docker logs bconprem2019 in another cmd prompt and include that output. Thanks
      • Anonymous
        February 15, 2019
        Looks like I ran into the same issue as Tobias: https://github.com/moby/moby/issues/38306 so never mind :) Looks like my journey with docker lasts a bit longer before calling it successful ;)
  • Anonymous
    February 28, 2019
    Great post. So the container executes using the same version of the kernel, if security patches are applied to the host, does the executing container (running against the same kernel) also benefit from the security patches? Or do the containers need to be re-built with the security updates?
    • Anonymous
      March 01, 2019
      Containers benefit from security updates on the host, but will also need updates themselves sometimes. We try to rebuild images for this every 3 months or so.