Docker containerization on Windows

In 2014, when Microsoft announced support for Docker Engine in the incoming release of Windows Server 2016, the Docker container engine had already matured on Linux and was proven to be an industry standard for container management. This fact has driven design decisions for Docker and containerization support for Windows, which eventually received a similar architecture for running process-isolated Windows Server containers. The Windows kernel features that are used by Docker Engine roughly map to the following:

• Kernel namespaces: This functionality is provided by, among others, Object Namespaces and the Process Table in the Windows kernel.
• Control groups: Windows has its own concept of Job Objects, which allows a group of processes to be managed as a single unit. Essentially, this feature provides similar functionality to cgroups on Linux.
• Layer filesystem capabilities: The Windows Container Isolation File System is a filesystem driver that provides a virtual filesystem view for processes that are executed in Windows containers. This is analogous to UnionFS or other implementations of union mount for the Linux OS.

On top of these low-level functionalities, the services layer, which consists of a Host Compute Service (HCS) and a Host Network Service (HNS), abstracts a public interface for running and managing containers with language bindings available for C# and Go (hcsshim). For more information about the current container platform tools, please refer to the official documentation at: https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/containerd#hcs.

It is important to know that there are two types of Windows containers: process-isolated and Hyper-V-isolated. The difference between them will be explained in the next section – isolation is a runtime property of the containers and you can expect them to, in general, behave similarly and differ only from a security and compatibility perspective.

The following diagram summarizes the containerization architecture and Docker support for Windows:

For comparison with the high-level architecture of containerization on Linux, the following diagram presents the multi-container runtime architecture for Windows. At this point, we are only considering process-isolated Windows Server containers, which closely resemble containers on Linux, but in the next section, we will also cover the architecture of Hyper-V isolation for containers on Windows:

Next, let's look at the some differences between containers on Linux and Windows.