Sponsored: Introduction to Docker Images on Windows Server
Docker Images are the transportable component of containers and provide a template that describes what each container looks like. There are two base Docker images provided by Microsoft, Windows Server 2016 Core and Nano, which can be used as a starting point for your containers.
Windows Server Docker images are larger than their Linux counterparts because, unlike Linux, which can start with a single process, Windows is a highly integrated system that has dependencies even for performing basic tasks. For example, running just one service requires other services to be started because of OS dependencies.
Docker and Union Filesystem
Docker images are based on read-only layers that either add or replace the layers below, and do not change or have “state.” The layers in an image are stacked to form what will be the container’s root file system. The base layer might contain barebones Windows Nano Server, and then an additional layer could comprise the files required for the IIS server role, and then another layer contains files for a web application, and so on. Only when the container is run does Docker add a read-write layer to the image.
An additional read-only layer is added to the image if changes made while the container is running are committed. Otherwise, all changes are lost when the container is stopped. Docker manages layers using a union filesystem, which combines file system branches to form a coherent image that containers can use.
NTFS + Union Filesystem
To enable Docker support in Windows Server, Microsoft needed a solution that retained all the features of NTFS expected by Win32 apps while adding union file system support. To solve this problem, each container in Windows uses a virtual disk that has full NTFS file system support, but the files on the disk are just symbolic links (reparse points) that reference back to the host OS file system. As files are added or modified, they are written — or “persisted” — on the virtual disk. The Windows Registry, not to be confused with the Docker Registry, is in effect a simple file system, so for the registry Microsoft built a true union file system.
When a layer is committed, a new image is created based on the changes made to the image in the running container. As layers are committed, metadata such as author and commit message can be added to provide information about what the layer contains and who made the changes. Layers can be committed from running containers using docker commit, or images can be built with the docker build command from a Dockerfile, which is essentially a set of instructions for building a Docker image.
Data doesn’t persist in containers, so volumes can be added that read/write directly to a partition on the host OS, bypassing the union filesystem. Data volumes are useful for persistent or shared data and persist even when containers are deleted.
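The layer, commit and volume behavior described above can be checked from a PowerShell prompt on a container host. This walkthrough is an added example, not part of the original article; it assumes Docker is installed on Windows Server and that the base image tag shown is available, and the container name, image name, author and paths are constructed for illustration.

```powershell
# Added example. Assumptions: Docker on a Windows Server container host and the
# base image tag below; layer-demo, demo/note:v1 and C:\demo-data are constructed.
$base = 'mcr.microsoft.com/windows/servercore:ltsc2016'   # assumed base image tag
docker pull $base

# 1. Write a file into a container's read-write layer, then remove the container.
docker run --name layer-demo $base cmd /c "echo hello> C:\note.txt"
docker rm layer-demo

# A fresh container from the same image starts from the read-only layers only,
# so the uncommitted change is gone.
docker run --rm $base cmd /c "if exist C:\note.txt (echo present) else (echo missing)"

# 2. Make the same change again, then commit it as a new read-only layer and
#    record author and commit message as metadata. The container has exited
#    by the time it is committed.
docker run --name layer-demo $base cmd /c "echo hello> C:\note.txt"
docker commit --author "Jane Admin <jane@example.test>" --message "Add C:\note.txt" layer-demo demo/note:v1
docker rm layer-demo

# 3. Review what was added and by whom before trusting or shipping the image.
docker history demo/note:v1          # newest layer first, with its commit message
docker image inspect --format '{{.Author}} | {{.Comment}}' demo/note:v1
docker run --rm demo/note:v1 cmd /c "type C:\note.txt"

# 4. Data volume: the host directory is mounted into the container, so writes
#    bypass the image layers and remain on the host after the container is removed.
New-Item -ItemType Directory -Force -Path C:\demo-data | Out-Null
docker run --rm -v C:\demo-data:C:\data $base cmd /c "echo kept> C:\data\out.txt"
Get-Content C:\demo-data\out.txt

# Clean up the demo image.
docker rmi demo/note:v1
```

Because a commit captures everything written to the read-write layer, reviewing docker history and the image metadata before pushing an image helps confirm that only the intended files ended up in the new layer.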
If you’d like to learn more about deploying containers in Windows, try out Microsoft’s free, hands-on lab Build your first container using Docker on Hyper‑V, where you’ll be guided through the process of installing Windows Containers, Hyper-V, and Docker on Windows Server, and how to deploy and isolate containers.