Limitations and Recommendations

By: Paul Stanton

October 10, 2015

Containers have become a focus of innovation for software delivery and DevOps, with rapidly expanding industry support. Microsoft announced plans to incorporate Docker compatible container support, and recently released a Windows Server 2016 Technical Preview. Docker has joined with industry partners to drive a formal standard through the Open Container Initiative.

WinDocks is a port of Docker's open source project to Microsoft Windows Server 2012. Fortunately, WinDocks benefits from an open sourced Windows container project originally developed by Uhuru Software. This article looks at these Windows containers, their limitations, and provides recommendations for secure use of WinDocks.

The Windows container design utilized by WinDocks has benefited from a thorough review by Microsoft’s kernel team, has incorporated Microsoft’s feedback, and we believe delivers the best possible container support on Windows Server 2012. We also understand that Microsoft evaluated the effort involved to address the limitations outlined here, but concluded the scope of the work was so significant that their efforts were best focused on the next generation design.

In summary, WinDocks will provide excellent support for on-premise and Private Cloud deployments, where an enterprise has full control over the software hosted on WinDocks. For Public Clouds, WinDocks should be hosted on a dedicated bare metal server or virtual machine, and is not recommended for public multi-tenant use. These recommendations seem consistent with Microsoft’s recommendations for Windows Server 2016 containers.

Background on WinDocks Containers

WinDocks containers are designed to deliver process isolation, isolate containers from one another, prevent containers from modifying system level DLLs or resources, and support system resource management. The design employs Windows Job Objects to manage multiple processes as a unit, and allows for control of the number of processes, virtual private memory, CPU, and network usage.

Discretionary Access Control Lists (DACLs) provide support for privacy and integrity of server resources, including files, directories, semaphores, pipes, and shared memory, and are comparable to the controls provided by Linux file permissions. The Windows Integrity Mechanism provides a form of Mandatory Access Control which is useful for isolating containers.

A challenge in Windows management is the registry, which holds both configuration and permissions. A file system filter and registry filters are needed to support the namespace services that Docker compatible systems require. The Windows Filtering Platform is used for managing TCP/IP operations, and for implementing firewall rules.

WinDocks provides limited namespace support through the use of resource images. For example, with containerized SQL Server, developers can have identical database names without conflict, as databases are isolated in their respective containers.

Risks and Limitations of WinDocks Containers

WinDocks provides limited inter-process separation. There is no mechanism available to prevent a contained process from using shared memory and setting an ACL on an empty list, which processes in other containers can then read and write to.

Windows Server 2012 lacks namespace services to restrict a contained process from reading drive letters, network interfaces, or other running processes. Work is needed to provide registry or file filtering to provide this functionality.

Windows Server also lacks support for restricting the API calls available to sandboxed processes.

The command line console, or a call to the AllocConsole Win32 API, spawns conhost.exe, which is not contained in the Job Object. This provides a mechanism for a contained process to spawn code that runs outside of the container.
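As an added example (not WinDocks code), the following PowerShell check lets an operator verify on a WinDocks host whether any conhost.exe processes are running outside every Job Object, which is the gap described above. It assumes it is run on the Windows host with rights to open the processes; the function name Get-ProcessJobStatus is hypothetical.

```powershell
# Added example: report which processes of a given name are NOT inside any
# Job Object. Uses the documented kernel32 IsProcessInJob API; passing a NULL
# job handle asks "is this process in any job at all?"
$signature = @'
using System;
using System.Runtime.InteropServices;
public static class JobCheck {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool IsProcessInJob(IntPtr hProcess, IntPtr hJob, out bool result);
}
'@
Add-Type -TypeDefinition $signature

function Get-ProcessJobStatus {
    # Hypothetical helper: one record per process, with an InJob flag.
    param([string]$Name = 'conhost')

    Get-Process -Name $Name -ErrorAction SilentlyContinue | ForEach-Object {
        $inJob = $false
        try {
            # $_.Handle opens the process with query rights; this throws for
            # processes we are not allowed to open (e.g. elevated ones).
            $ok = [JobCheck]::IsProcessInJob($_.Handle, [IntPtr]::Zero, [ref]$inJob)
            [pscustomobject]@{
                Id     = $_.Id
                Name   = $_.ProcessName
                InJob  = if ($ok) { $inJob } else { $null }   # $null = query failed
            }
        } catch {
            [pscustomobject]@{ Id = $_.Id; Name = $Name; InJob = $null }
        }
    }
}

# Any conhost.exe with InJob = $false is running outside every Job Object and
# should be investigated on a host that is meant to contain all workloads.
Get-ProcessJobStatus -Name conhost | Where-Object { $_.InJob -eq $false } |
    Format-Table Id, Name, InJob -AutoSize
```

Run it as an administrator so that every process can be opened; records with InJob = $null mean the query itself failed rather than that the process was outside a job.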

Summary:

WinDocks will deliver the benefits of Docker to the .NET developer and DevOps community. WinDocks combined with Docker compatible systems for orchestration, monitoring, and logging, will provide a powerful option for on-premise, private, and hybrid cloud deployments, that combine the power of the Windows platform with Linux and open source services. Developers will enjoy the power of Docker Build, and agile team support provided by Docker tooling.

WinDocks will provide a path to getting started on Docker-based Windows development, and will provide a compatible upgrade path to future Microsoft products and services.

For Further Reading:

The WinDocks site: WinDocks.com

Windows Server 2016 Technical Preview

The Open Container Initiative

The Windows Isolation Project

Discussion on VMs and Container Security

Windows Job Objects
