Welcome back to Docker Bootcamp. Up to this point, all the examples we’ve gone through have used Linux containers. In this post, we’ll switch to Windows containers. All the Docker commands you’ve learned will still work. But now we’ll have access to Windows, PowerShell, and Internet Information Services (IIS) to run .NET-based applications.
Examples
Switch to Windows Containers
- Enable optional Windows features
  - Open a PowerShell window as an admin user
  - Enable-WindowsOptionalFeature -Online -FeatureName $("Microsoft-Hyper-V", "Containers") -All
  - Restart computer
- Check current container settings
  - docker info
  - Notice the line OSType is currently set to Linux
- Use the dockercli to switch container engines
  - & 'c:\Program Files\Docker\Docker\dockercli.exe' -SwitchWindowsEngine
- Validate new container settings
  - docker info
  - Notice the line OSType is now set to windows
Run a Windows Container
- Pull an image from the docker registry
  - docker pull mcr.microsoft.com/windows/servercore/iis
- Create and start a detached container and map exposed port to a specific host port
  - docker run -d -p 8080:80 --name defaultsite mcr.microsoft.com/windows/servercore/iis
- View default site
  - Browse to localhost:8080
  - Notice the default IIS website loads
Connect a PowerShell Terminal
- Execute a command to start an interactive PowerShell terminal
  - docker exec -it defaultsite powershell.exe
You now have access to the full PowerShell terminal for navigating the file system and managing the container. You can also connect to a command prompt by executing cmd.exe instead of powershell.exe. As mentioned before, Docker does not support GUIs. You will get an error if you try to exec explorer.exe.
Attach a volume
- Create a folder on the host to serve as the wwwroot volume
  - <path_to_folder>\wwwroot
- Create an index.html file inside the host wwwroot folder
  - Edit the file and add basic hello world html
- Create and start a detached container, attach a volume, and map exposed port to a specified host port
  - docker run -d -v <path_to_folder>\wwwroot:c:\inetpub\wwwroot -p 8181:80 --name customsite mcr.microsoft.com/windows/servercore/iis
- View custom site
  - Browse to localhost:8181
  - Notice you get an access denied error
- Change permission on the host wwwroot folder
  - In File Explorer, right-click the wwwroot folder -> Properties
  - On the Security tab, click Edit to change permissions
  - Add the "Everyone" user
  - Give the Everyone user read permission
- View custom site
  - Browse to localhost:8181
  - View the basic hello world html you created
This example highlights one of the security issues with containers and bind mount volumes. The application inside the container runs as a different user than the one on the host machine, but the host's security settings still apply to the shared volume. Compare the username on your host machine with the one inside the container.
- View your username
  - whoami
  - You should see yourmachinename\yourusername
  - Mine is desktop-prft\eric.sanner
- Execute a command to start an interactive PowerShell terminal
  - docker exec -it customsite powershell.exe
- View the username inside the container
  - whoami
  - You should see the name of the container user
  - Mine is usermanager\containeradministrator
The user containeradministrator does not have access to the contents of the host folder. Adding the Everyone permission solved the problem quickly. In a production environment, it would be more secure to create a specific user inside the container and give that user permissions to the host folder.
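The File Explorer permission change above can be scripted and then checked, so that a broad principal such as Everyone ends up with read access only. This is an added example, not code from the original post: the helper name Get-BroadWriteGrant and the demo folder are assumptions, and the read-only `:ro` mount in the last comment is a hardening step this example adds.

```powershell
function Get-BroadWriteGrant {
    param([Parameter(Mandatory)][string]$Path)

    # Well-known SIDs for Everyone, Authenticated Users and BUILTIN\Users.
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

    # Rights that let a principal change the content or the ACL itself,
    # plus the raw GENERIC_ALL / GENERIC_WRITE bits that inherit-only ACEs can carry.
    $writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $mask = [int]$writeRights -bor 0x10000000 -bor 0x40000000

    $acl = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($broadSids -notcontains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $mask) -ne 0) {
            [pscustomobject]@{
                Sid       = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Constructed demo folder standing in for <path_to_folder>\wwwroot.
$demo = Join-Path $env:TEMP 'wwwroot-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'index.html') -Value '<h1>Hello World</h1>'

# Scripted form of the File Explorer steps: Everyone (S-1-1-0) gets read and execute only,
# inherited by files (OI) and subfolders (CI).
icacls $demo /grant '*S-1-1-0:(OI)(CI)RX' | Out-Null

# Any object returned here is a broad principal that can modify the mounted content.
$findings = @(Get-BroadWriteGrant -Path $demo)
if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize } else { 'No broad write grants found.' }

# Mounting the folder read-only (:ro) also stops the container from changing host files:
# docker run -d -v "${demo}:c:\inetpub\wwwroot:ro" -p 8181:80 --name customsite mcr.microsoft.com/windows/servercore/iis
```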
As you can see, everything we have learned up to this point using Linux containers applies to Windows containers. Feel free to apply previous topics such as environment variables, network types, user-defined networks, host names, and resource limits to your Windows containers.