Sponsored: Introduction to Docker Images on Windows Server
Docker Images are the transportable component of containers and provide a template that describes what each container looks like. There are two base Docker images provided by Microsoft, Windows Server 2016 Core and Nano, which can be used as a starting point for your containers.
Windows Server Docker images are larger than their Linux counterparts because, unlike Linux, which can start with a single process, Windows is a highly-integrated system that has dependencies even for performing basic tasks. For example, running just one service will require other services to be started because of OS dependencies.
Docker and Union Filesystem
Docker images are based on read-only layers that either add or replace the layers below, and do not change or have “state.” The layers in an image are stacked to form what will be the container’s root file system. The base layer might contain barebones Windows Nano Server, and then an additional layer could comprise the files required for the IIS server role, and then another layer contains files for a web application, and so on. Only when the container is run does Docker add a read-write layer to the image.
An additional read-only layer is added to the image if changes made while the container is running are committed. Otherwise, all changes are lost when the container is stopped. Docker manages layers using a union filesystem, which combines file system branches to form a coherent image that containers can use.
NTFS + Union Filesystem
To enable Docker support in Windows Server, Microsoft needed a solution that retained all the features of NTFS expected by Win32 apps while adding union file system support. To solve this problem, each container in Windows uses a virtual disk that has full NTFS file system support, but the files on the disk are just symbolic links (reparse points) that reference back to the host OS file system. As files are added or modified, they are written — or “persisted” — on the virtual disk. The Windows Registry, not to be confused with the Docker Registry, is, in fact, a simple file system, so Microsoft built a true union file system.
When a layer is committed, a new image is created based on the changes made to the image in the running container. As layers are committed, metadata can be added, such as author and commit message, to provide information about what the layer contains and who made the changes. Layers can be committed from running containers using [docker commit], or images built using Dockerfiles and the [docker build] command, which is essentially a set of instructions for building a Docker image.
Data doesn’t persist in containers, so volumes can be added that read/write directly to a partition on the host OS, bypassing the union filesystem. Data volumes are useful for persistent or shared data and persist even when containers are deleted.
If you’d like to learn more about deploying containers in Windows, try out Microsoft’s free, hands-on lab Build your first container using Docker on Hyper‑V, where you’ll be guided through the process of installing Windows Containers, Hyper-V, and Docker on Windows Server, and how to deploy and isolate containers.