70

If Docker community runs natively on Windows, then why does it need Hyper-V? I.e., doesn't native imply that Docker Engine can run instructions on Windows? It looks to me like it still starts up a Linux VM and runs within that.

To me, it seems that docker-toolbox uses an Oracle hypervisor running Linux, while Docker community uses Hyper-V running Linux. Is there another important difference that I'm overlooking?

Is this correct? Am I understanding the word "native" wrong, is Docker misusing the word, or is there some other aspect I'm missing?

The reason I'm asking is because I noticed that you don't use docker-machine with the community edition, and I'm wondering why that is. Is docker-machine the thing that runs natively on Windows, while Docker Engine doesn't? I think the word docker is overloaded and maybe leads to confusion in this case.

cafce25
TigerBear
  • Sometimes you need to unlock the virtualisation in your BIOS for Docker to work on Windows. But once it is unlocked (mine was unlocked by default), it should work. – Sylhare Jan 14 '18 at 16:36
  • Hi @Sylhare, I guess what I'm asking is "why do we need to unlock virtualization if it runs natively". – TigerBear Jan 14 '18 at 16:42

7 Answers

43

Docker support for Windows has several variants:

  1. Docker Toolbox which includes Docker Machine that will spin up a boot2docker image inside of VirtualBox. These are Linux containers running with a Linux kernel inside the VM. This was originally the only option for Windows users.

  2. Docker for Windows using Hyper-V to run the Moby VM, based on LinuxKit, to run Linux images. LinuxKit provides a container based Linux OS, and there's some integration to make it appear less like a VM to the end user, e.g. you can use 127.0.0.1 instead of the IP of the VirtualBox VM. If you have Hyper-V available and want to run Linux containers on Windows, this is the preferred option.

  3. Windows Server Containers which run Windows binaries on the same host OS, similar to how Linux containers on a Linux OS do not need a VM.

  4. Hyper-V Containers which run Windows binaries inside of a separate VM for additional isolation.

You can read more about the latter two options in Microsoft's docs.

What's important to note is that when you install Docker for Windows on a supported server, like 2016, you have options 2, 3, and 4, that you can toggle between. For Linux and Windows containers, there's a switch in the settings that affects all running containers and commands. And between Windows Server Containers and Hyper-V containers, there's an --isolation option on the docker run command line. So I believe you're required to have Hyper-V support to cover 2 and 4 even if you only want option 3.

Sabuncu
BMitch
  • Hi @BMitch, so far I’m thinking you’re right. Docker-machine was needed with docker-toolbox in order to connect a terminal window to the Docker-engine and run docker commands. Docker-machine is used to connect to foreign machines. Now, this isn’t needed. So here, the word „native“ seems to imply that Hyper-V has additional capabilities over VirtualBox that allow Windows to see it as a local machine instead of a foreign machine, thus not needing Docker-machine – TigerBear Jan 15 '18 at 08:08
  • @tigerbear toolbox is a packaging of several tools, including docker machine. Docker machine is used to manage VMs and remote instances of docker, but lacks in the user experience. Native to me means the binary format in the image matches the host OS, so you don't need a VM. – BMitch Jan 15 '18 at 10:20
  • "there's some integration to make it appear less like a VM to the end user, e.g. you can use 127.0.0.1 instead of the IP of the VirtualBox VM" - this is the main difference if I understand correctly. For me as an end-user, what other difference in convenience will there be if I install "native" Docker for Windows (Hyper-V) instead of Docker Toolbox (VBox)? Does `docker run` execute instantly with Hyper-V unlike docker-machine? Are mounted shared folders really shared etc? – Ruslan Stelmachenko Sep 09 '19 at 01:15
9

Support for Docker on Windows is not native; Docker was written to be run on Linux initially. So the requirements for running Docker CE on Windows are:

  1. Virtualization must be enabled since docker-ce creates a VM on Hyper-V. Since all hypervisors require hardware virtualization to be enabled, Hyper-V in this matter is not exceptional. The Docker for Windows installer will enable Hyper-V for you, if needed, and restart your machine.

  2. For older Windows systems that don’t support hardware virtualization, it’s recommended to use Docker Toolbox which uses Oracle Virtualbox to spin up VMs that will host docker containers instead of Hyper-V.

Lea Klein
  • This is correct for Linux containers on Windows, but I believe the OP is asking about Windows containers (running Windows binaries). – BMitch Jan 15 '18 at 15:29
9

Windows does support "Process Isolation" in addition to "Hyper-v Isolation".

Process isolation containers on Windows run without an additional layer of virtualization (similar to what you may be used to with docker on linux); I believe this is what the OP is looking for when referring to "native" containers.

Process isolation support is still fairly new but the latest versions of Windows Server 2019 and Windows 10 can indeed run Windows containers without the extra overhead of a Hyper-V virtual host. One thing to note is that your Windows container base image kernel version must match the kernel version on your host machine. So you probably won't be able to simply use the exact same containers you've been running on Hyper-V.

Here is a Windows container version compatibility table which highlights which host OSs support process or hyperv isolation.

Even though this^ page doesn't indicate it, Windows 10 Update 1809 is the first update to support Docker process isolation as noted in the Docker Engine Release Notes.

dk.
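The kernel-version rule from the answer above, combined with the `--isolation` option mentioned in an earlier answer, as an added example that is not part of any answer on this page. It reads the `Os` and `OsVersion` fields of `docker image inspect` output and picks an isolation mode; the image names and version strings are constructed samples, and comparing only major.minor.build (ignoring the revision) is an assumption of this sketch.

```python
import json

# Constructed sample: trimmed `docker image inspect` output for three images.
SAMPLE_INSPECT = json.dumps([
    {"RepoTags": ["example/app:1809"], "Os": "windows", "OsVersion": "10.0.17763.1"},
    {"RepoTags": ["example/app:1709"], "Os": "windows", "OsVersion": "10.0.16299.15"},
    {"RepoTags": ["example/web:latest"], "Os": "linux"},
])


def build_of(version):
    """Return (major, minor, build) from a string such as '10.0.17763.1'."""
    parts = version.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"not a Windows version string: {version!r}")
    return tuple(int(p) for p in parts[:3])


def choose_isolation(host_version, image):
    """Pick the `docker run --isolation` value for one inspected image."""
    if image.get("Os") != "windows":
        return None  # Linux image: runs in the Linux VM backend, flag not used
    if build_of(image["OsVersion"]) == build_of(host_version):
        return "process"  # same build: the container shares the host kernel
    # Build differs: the container needs its own kernel in a Hyper-V utility VM.
    # Whether a given host/image pair is supported is still decided by the
    # version compatibility table the answer links to.
    return "hyperv"


def plan(host_version, inspect_json):
    """Map each image's first tag to its isolation mode on this host."""
    return {
        image["RepoTags"][0]: choose_isolation(host_version, image)
        for image in json.loads(inspect_json)
    }


if __name__ == "__main__":
    # Constructed host version (a Windows 10 1809 / Server 2019 build).
    for tag, mode in plan("10.0.17763.5", SAMPLE_INSPECT).items():
        print(tag, "->", f"--isolation={mode}" if mode else "Linux VM backend")
```

Process isolation shares the host kernel, so a result of `process` is also the case where the container boundary is weakest; `hyperv` trades overhead for a separate kernel.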
8

Docker evolved on Linux. Much of the confusion arises with Docker trying to support containerization on Windows.

A container is considered “native”, if it can run directly on the host operating system.

Linux Container: A Linux application that runs in an isolated Linux environment.
This same container can be run on Windows using virtualization to emulate a Linux environment, but the container is still running on Linux. This virtualization can be

  • VirtualBox (Docker Toolbox)
  • Hyper-V backend (Docker Desktop)
  • WSL2 backend (Docker Desktop)

Windows (Server) Container: A Windows application that runs in an isolated Windows environment.

  • Process Isolation - This is the “traditional” isolation mode for containers. It is approximately the same as how Linux containers run on Linux
  • Hyper-V isolation - This isolation mode offers enhanced security and broader compatibility between host and container versions.

As you can see, Hyper-V can be used to run even native Windows containers, which is generally a source of confusion.

Further, docker-machine is a superseded product.

Machine was the only way to run Docker on Mac or Windows previous to Docker v1.12. Starting with the beta program and Docker v1.12, Docker Desktop for Mac and Docker Desktop for Windows are available as native apps and the better choice for this use case on newer desktops and laptops.

See Docker Container in Linux and Windows for a high level overview of much of the terminology, technology and references.

ap-osd
3

Windows Server Containers require Hyper-V isolation on Windows 10 in order to provide developers with the same kernel version and configuration that will be used in production. More about this can be found on the About Windows container page.

Neha
  • Do you have details (link or quote) explaining how "Windows Server Containers" require Hyper-V for a different kernel? From the article you included, I'm seeing: "Running a container on Windows with or without Hyper-V Isolation is a runtime decision. You may elect to create the container with Hyper-V isolation initially and later at runtime choose to run it instead as a Windows Server container." – BMitch Jan 15 '18 at 15:34
0

My understanding is that Hyper-V is windows' implementation of a virtual machine solution.

Docker running on windows 'natively' implies that it does not require a third party software such as virtualbox, vmware fusion or parallels installed in order to run, instead it uses the Hyper-V software which ships with windows 10.

Vice
  • But containers aren't VMs — they're just isolated portions of the host OS. Docker doesn't need any VM support to work on Linux. But if Docker is really specific to Linux, "Docker on Windows" might just mean running Docker containers in a Linux VM that's running on Windows. The details aren't clear and that's what the question is about. – Wyzard Jan 14 '18 at 18:04
0

I know I'm late to the party, but the same question has been itching my newbie mind recently so here are my 2 cents.

Short answer

Even if we say that we never ever are going to launch Linux containers on Windows, or use Hyper-V isolation mode, one thing still remains that Hypervisor is required for. I'm talking about vNIC. Windows container networking shows us that it's an integral part for Windows Server Containers.

Long answer

As far as I understand, here are two key components that made Native containers possible on Windows:

  1. Host Compute Service and Host Network Service were implemented as a layer of abstraction above the low level functionality. Services work together to create containers and attach endpoints to a network.
  2. Server Silo is a main feature that allows native containers to be 'isolated'. If I'm not mistaken, in different places the feature is also referred to as the Container User Mode or Namespace. A good overview is given in Windows Containers Internals.

As for Networking, each container has a virtual network adapter (vNIC) which is connected to a Hyper-V virtual switch (vSwitch), so my guess is that this is the main tech reason you still need Hyper-V stuff for.

Kiryl