
So you want to run Windows containers

Are you a Windows user thinking about running containers? 

Windows containers provide many of the same benefits as Linux containers, enabling users to run workloads portably, securely, and efficiently. Now is a great time for Windows users to start taking advantage of containers, but it’s not always clear how to get started. 

In this post, we’ll give you a tour of the Windows container landscape and clear up some common questions, including:

  • What’s the difference between Windows containers and Linux containers?

  • What tools are available to help me run and work with containers on Windows?

  • Which tools should I use?

What’s the difference between Windows containers and Linux containers?

To answer this one, we need to take a step back and consider the architecture of a container.

When you run a workload on a virtual machine, you simulate an entire machine-within-a-machine—from the operating system kernel on up to the application, and everything in between. Containers achieve a smaller footprint in part by sharing the host machine’s OS kernel (and creating a sandbox with namespaces to provide an isolated view of the world, similar to a ‘normal’ machine). 

What this means in practice is that while containers are highly portable, they still need to be built with a target kernel (and architecture) in mind. Windows containers run on Windows hosts and Linux containers run on Linux hosts and never the twain shall meet.

(Okay, nothing’s ever really that simple. You can run Linux containers on Windows using Windows Subsystem for Linux, but it usually isn’t the smoothest experience and we don’t recommend it for running production workloads—this is mostly useful for development. And Windows containers can be isolated via Hyper-V, where the kernel is not shared—but this is not the default on Windows Server.)

What tools are available to help me run and work with containers on Windows?

There are four major tools you will want to consider for running and working with containers on Windows.

Mirantis Container Runtime 

Formerly known as Docker Engine - Enterprise, Mirantis Container Runtime is an enterprise-grade downstream implementation of the open source Moby project with a particular emphasis on security. (You’ll notice a theme among the options here—three of these four options sit downstream of Moby.) 

Available in a free trial, MCR is notable for providing an easy way to build and run containers and delivering the benefits of Moby with FIPS-140-2 validation, container-signing, and enterprise support.

Docker Desktop

A developer-centric solution, Docker Inc.’s GUI-driven Docker Desktop can run and build Windows containers on Windows 10 and 11. Docker Desktop can switch between so-called LCOW and WCOW (Linux Containers on Windows, and Windows Containers on Windows) and supports a broad set of features including extensions.

However, it is important to note that Docker Desktop is really only appropriate for developer machines and non-automated workflows. Docker Desktop requires a GUI for many interactions, and is not available for Windows Server.

Docker CE

Docker CE is likely what most people think of when they think of “Docker”—it’s a distribution of Moby built by Docker Inc. and distributed with a selection of additional tools and components.

However, it’s worth noting that Docker CE is currently challenging to use on Windows. While Microsoft offers a script to install “Docker CE,” it actually installs (outdated) nightly binaries from the Moby project (skipping some components normally present in Docker CE, and without codesigning). Likewise, Docker CE for Windows is currently provided as a simple zip file missing additional components like Compose, and without automation of much of the setup work, like registering services and installing firewall rules required to have a useful install.

If you must go this route, a superior community-provided solution exists in Stevedore, an open source project that simplifies installation of an up-to-date version of Docker CE along with useful components not currently present in the official Windows distribution, such as Docker Compose. It’s a simple installer wrapping official binaries from Docker Inc., and since it’s open source, you can build it yourself to help secure your supply chain further.
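The codesigning gap described above can be checked on an existing install. The following PowerShell is an added example, not code from Mirantis, Microsoft, Docker Inc. or Stevedore; the default install directory is an assumption, so pass the directory your installer actually used.

```powershell
# Added example: audit Authenticode signatures of container engine binaries.
# $InstallDir is an assumed location; point it at wherever the binaries were placed.
param(
    [string]$InstallDir = (Join-Path $env:ProgramFiles 'docker')
)

function Get-BinarySignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File       = $_.FullName
                Status     = $sig.Status   # Valid, NotSigned, HashMismatch, ...
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
                # Recorded so unsigned files can be compared against a hash from a trusted source.
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if (-not (Test-Path $InstallDir)) {
    Write-Error "Install directory not found: $InstallDir"
    exit 2
}

$report = @(Get-BinarySignatureReport -Path $InstallDir)
$report | Format-Table File, Status, Signer -AutoSize

# Anything that is not 'Valid' has no publisher-backed integrity guarantee
# and needs another control, such as a hash comparison or a build from source.
$unverified = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($unverified.Count -gt 0) {
    Write-Warning "$($unverified.Count) binaries lack a valid Authenticode signature:"
    $unverified | Format-List File, Status, SHA256
    exit 1
}
```

The non-zero exit code lets the script act as a gate in provisioning or CI, so a host image is not published with engine binaries whose origin cannot be verified.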

containerd (+ nerdctl)

Microsoft has recently gravitated toward containerd as its focus area for running containers on Windows Server. containerd is a project started by Docker Inc. and donated to the Cloud Native Computing Foundation that split out the bits actually responsible for running a container from Moby, in order to make them more reusable for other use cases like Kubernetes.

In fact, containerd is the go-to runtime for most deployments of Kubernetes, and Microsoft is investing in it as they invest in the larger Kubernetes-on-Windows ecosystem. containerd provides a service that runs containers—but it doesn't include any tooling to use that service out of the box. Recently the nerdctl project has sprung up to fill that void, offering a mostly Docker-compatible command line interface to containerd.

nerdctl can be a useful solution for running some simple containers, but keep in mind that its support for Windows is still maturing and there are plenty of sharp edges. The particular sharp edge you are most likely to encounter is that containerd/nerdctl cannot yet build containers on Windows – they rely on a Moby component called BuildKit to perform builds, which doesn’t (yet!) work on Windows.

As such, if building containers and having a stable/feature-complete set of tools is important for you, you’re probably better off with a Moby-derivative such as one of the three above. 

(It is worth noting that the ctr command exists/is usable on Windows, but as the ctr command’s interface is considered unstable and only provides low-level control of containerd, it isn’t useful for most developers not working on containerd itself.)

Which tools should I use?

The right tool for you depends, of course, on your needs. So let’s consider a few common use-cases:

Individual development

Docker Desktop provides a smooth, GUI-based experience for building containers and using containers in development on Windows—and provides flexibility to build both Linux and Windows containers.

For users on Windows Server, Docker Desktop isn’t an option. Stevedore provides an easy way to install and leverage Docker CE—along with dev-friendly tools like Docker Compose.

If you’re developing in a larger organization, enterprises around the world take advantage of Mirantis Container Runtime specifically for development.

Running Windows container workloads at scale

For this use case, you’ll want to consider issues such as support and SLAs as well as security. Mirantis Container Runtime is a natural fit for running production workloads in Windows environments, whether those are standalone instances, a Swarm cluster, or Windows Server nodes in Kubernetes clusters when combined with Mirantis Kubernetes Engine. It is also the only current solution providing enterprise support for running Windows containers or doing so with validated cryptographic modules.

The other prominent option for Kubernetes on Windows is Azure Kubernetes Service (AKS), which uses containerd as the core runtime. AKS provides a solution when you want something fully managed and would rather pay the public cloud premium than manage your own infrastructure. However, it is worth noting that you’ll still need a mechanism to build images locally and in CI – Azure Pipelines will provide a build of Moby for you in CI, but you’ll still want to select a runtime capable of building images for your developer machines, or any CI machines that are not part of a managed service.

Conclusion

The Windows container ecosystem can be confusing as it’s still less developed than its Linux sibling, but it’s also full of diverse solutions, projects, and products that are improving every day. Today, the right answer for your Windows container needs largely depends on your use case. 

If you’d like to quickly get started with Mirantis Container Runtime on Windows Server, you can use our Mirantis-published "Windows Server 2019 Datacenter with Containers (Mirantis Container Runtime)" Azure Marketplace image. The cost of support is included in the cost of this image.

If you have more complex needs or are deploying machines outside of Azure, Mirantis Container Runtime is also available with more traditional, non-marketplace based licensing. You can get started with a free trial and work with our enterprise sales team to tailor a solution that is ideal for your environment.
