Process isolation

Process-isolated containers, also known as WSC, is the default isolation mode provided for containers on Windows Server. The architecture of process isolation is similar to what you have when running containers on the Linux OS:

• Containers use the same shared kernel.
• Isolation is provided at the kernel level using features such as process tables, object namespaces, and job objects. More information can be found in the Docker containerization on Windows section.

This is summarized in the following diagram:

Process isolation provides a lightweight runtime for containers (compared to Hyper-V isolation) and offers a greater density of deployment, better performance, and lower spin-up time. However, there are a few points you should consider when using this type of isolation:

• The Docker container base image has to match the version of the container host OS. For example, if you are running Windows 10, version 1903, you can only run containers that have used base image version 1903 of Windows 10 or Windows Server. This means you have to rebuild the image for each version of Windows that is being released (only major feature updates).
• This should be only for the execution of trusted code. In order to execute untrusted code, Hyper-V isolation is advised.

With Windows 10, version 1809 and later, it is possible to use process isolation for the container runtime, provided that you are running Docker Desktop for Windows 2.0.1.0 (Edge release channel) or later and Docker Engine 18.09.1+. For Windows 10, the default isolation level for containers is Hyper-V and in order to use process isolation, it has to be specified explicitly while creating a container using the --isolation=process argument:

docker run -d --isolation=process mcr.microsoft.com/windows/nanoserver:1903 cmd /c ping localhost -n 100

This option can be also specified as a parameter to the Docker daemon using the --exec-opt parameter. For more details, please see the official Docker documentation at the: https://docs.docker.com/engine/reference/commandline/run/#specify-isolation-technology-for-container---isolation.