Running process-isolated containers

On Windows 10, in order to run process-isolated containers, you have to explicitly specify the --isolation=process parameter while creating the container. As we mentioned previously, it is also necessary to specify the container image version that matches your OS. Let's get started:

1. Assuming you are running Windows 10, version 1903, let's execute the following command, which attempts to create a process-isolated container in detached (background) mode. Run a ping command stating the number of echo requests to be sent to your localhost machine, that is, 100:

docker run -d --rm --isolation=process mcr.microsoft.com/windows/nanoserver:1809 cmd /c ping localhost -n 100

The selected version of the mcr.microsoft.com/windows/nanoserver image is 1809, which does not match your OS version. Therefore, it will fail with an error informing you that the container's base image OS version does not match the host OS:

2. Now, let's execute a similar command but now specify the proper, matching version (1903) of the container base image:

docker run -d --rm --isolation=process mcr.microsoft.com/windows/nanoserver:1903 cmd /c ping localhost -n 100

In this case, the container has started successfully, which can be verified by using the docker ps command:

3. Now, let's check how process isolation differs in practice from Hyper-V isolation. We will compare the visibility of the container processes in the host OS between these two isolation types.

 

4. First, get the container ID of your newly created process-isolated container. This container should run for a few minutes as it performs 100 echo requests to localhost before it terminates and is removed automatically. In our example, the container ID is a627beadb1297f492ec1f73a3b74c95dbebef2cfaf8f9d6a03e326a1997ec2c1. Using the docker top <containerId> command, it is possible to list all the processes running inside the container, including their process IDs (PID):

docker top a627beadb1297f492ec1f73a3b74c95dbebef2cfaf8f9d6a03e326a1997ec2c1

The following screenshot shows the output of the preceding command:

In the preceding screenshot, the PID of the ping.exe process inside the container is 6420. In order to list ping.exe processes running in the context of the host OS, use the Get-Process cmdlet in Powershell:

Get-Process -Name ping

The following screenshot shows the output of the preceding command:

The preceding output reveals that the ping.exe process running inside the container is also visible from the host and has exactly the same PID: 6420.

For comparison, we will create a similar container, but this time specify the --isolation=hyperv parameter in order to enforce Hyper-V isolation. On Windows 10, when running a default Docker configuration, you can omit the --isolation parameter altogether since the default isolation level is Hyper-V. We can create the container (with a different base image OS version than the host) using the following command:

docker run -d --rm --isolation=hyperv mcr.microsoft.com/windows/nanoserver:1809 cmd /c ping localhost -n 100

The following screenshot shows the output of the preceding command:

The container has started successfully. In this case, the container ID is c62f82f54cbce3a7673f5722e29629c1ab3d8a4645af9c519c0e60675730b66f. Inspecting the processes running inside the container reveals that ping.exe has a PID of 1268:

When inspecting the processes running on the host, you will see that there is no ping.exe process with a PID of 1268 (and nor is there a cmd.exe process with a PID of 1216, which is the main process in the container):

The reason for this is that the processes running in the Hyper-V container are not sharing the kernel with host as they are executed in separate, lightweight Hyper-V VM with their own kernel matching the container base image OS version.

Now, it's time to run your first Linux container on Windows using LCOW!