
Sponsored: Securing Windows Containers with Hyper-V


In Understanding Windows Containers on the Petri IT Knowledgebase, I introduced you to containers and Docker images, and how as a lightweight virtualization solution, containers share a kernel with the host OS and other containers. Using namespace isolation, resource control, and process isolation technologies, Windows restricts the files, network ports, and running processes each container can access, providing isolation between containers and the host OS.

But because every container shares the host's kernel, even with process isolation technologies in place, a malicious user could break out of a container if they uncovered a design fault in the container implementation or an unpatched OS vulnerability.

Hyper-V Containers

If all the code running on a host is trusted, then the isolation provided by Windows Containers is likely to be adequate. But if we don’t trust the code, then Hyper-V Containers provide the same level of isolation as virtual machines (VMs), but with many of the benefits of standard containers.


Windows Server 2016 solves these security challenges by providing the option to place containers into Hyper-V partitions. Simply put, Hyper-V Containers are Windows Containers running in a VM, providing the kernel isolation and host separation that’s missing with standard container technology. The process for managing Hyper-V Containers, and associated images, is the same as with Windows Containers, but with the option to add the extra isolation provided by Hyper-V at deployment time.

Not only does this extra isolation provide better security, but also completely abstracts the container from the underlying host OS, so you don’t have to worry about patches or updates to the host breaking apps running in containers. Hyper-V Containers boot quickly like Windows Containers, but have more overhead because of the additional isolation provided.

And because Hyper-V Containers are Windows Containers running in a hypervisor child partition, the same images and management toolset can be used to manage both types of containers. There’s no need to convert Windows Container images for use with Hyper-V Containers, or vice versa. Windows Server 2016 supports nested virtualization, so even if the host OS is a Hyper-V VM, you can still deploy Hyper-V Containers.
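Because the choice of isolation is made per container at deployment time, it is worth verifying what the daemon actually applied rather than trusting the flag you passed. The following PowerShell is an added example, not from the article or from Microsoft; it assumes Docker on a Windows Server 2016 host with the Containers and Hyper-V roles installed, and the image name is a placeholder for whatever Windows base image you have pulled.

```powershell
# Added example (not from the article): deploy the same image with process or
# Hyper-V isolation and confirm the isolation mode the daemon recorded.
# Assumptions: Docker on Windows Server 2016 with the Containers and Hyper-V
# roles installed; $Image is a placeholder for a pulled Windows base image.
function Test-ContainerIsolation {
    param(
        [string]$Image = 'microsoft/nanoserver',   # assumed image name; replace
        [ValidateSet('process', 'hyperv')]
        [string]$Isolation = 'hyperv'
    )

    $ErrorActionPreference = 'Stop'

    # The daemon default on Windows Server is process isolation; Hyper-V
    # isolation has to be requested explicitly with --isolation=hyperv.
    $defaultLine = docker info | Select-String 'Default Isolation'
    Write-Host "Daemon default: $defaultLine"

    $name = "iso-check-$([guid]::NewGuid().ToString('N').Substring(0, 8))"

    # Same image, same command; only the isolation flag differs at deployment.
    # ping -t keeps the container alive so we can inspect it.
    docker run -d --name $name --isolation=$Isolation $Image cmd /c 'ping -t 127.0.0.1' | Out-Null

    try {
        # Read back what the daemon applied rather than trusting the flag we passed.
        $applied = (docker inspect --format '{{.HostConfig.Isolation}}' $name).Trim()
        if ($applied -ne $Isolation) {
            throw "Requested '$Isolation' isolation but container '$name' runs with '$applied'"
        }
        Write-Host "Container '$name' is running with $applied isolation"
        return $applied
    }
    finally {
        # Always remove the throwaway container, even if the check failed.
        docker rm -f $name | Out-Null
    }
}

# Request the Hyper-V partition for this deployment and fail loudly if it
# was not applied (for example, if the Hyper-V role is missing on the host).
Test-ContainerIsolation -Isolation hyperv
```

Running it again with `-Isolation process` deploys the identical image as a standard Windows Container, which is the point of the shared image format and toolset described above.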

If you’d like to learn more about deploying Windows and Hyper-V Containers in Windows Server 2016, try out Microsoft’s free hands-on lab Build your first container using Docker on Hyper-V, where you’ll be guided through the process of installing Windows Containers, Hyper-V, and Docker on Windows Server, and how to deploy and isolate containers.


IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
