Proposal: Add `--platform` parameter to support multiple OS platforms for build/run/pull/import

[PatrickLang]

As mentioned in #33850, we're building support to be able to run images from multiple platforms (Linux & Windows) managed by a single Moby engine. This would need some changes to the CLI & APIs to make sure that the user can choose between platforms on a per-container basis when there is a multiarch image available such as microsoft/dotnet

Running Containers

In this proposal docker run should support running multiple platforms on a single machine.

Both of these would work on a Windows node:

docker run -it alpine /bin/bash
docker run -it microsoft/nanoserver powershell.exe

Neither of these are multi-arch images, so the OS will be determined from the image metadata.

API

The HostConfig definition is used in /containers/create, and already includes the
isolation parameter. The proposal is to add a new property platform.

---

Building containers

In this proposal, docker build would use the same --platform parameter as docker run to override platform when needed.

API

/containers/build doesn't use HostConfig as /containers/create does, so platform needs to be added to the call.

---

Choosing the platform & multi-arch images

Multi-arch images bring an extra layer of complexity to the build and run actions. If
the image has a multi-arch manifest, then there's a chance the node could run multiple images.

Here's a decision tree for how the platform is determined for a build or run action:

1. Runtime parameter - docker build --platform=... or docker run --platform=...
2. Infer from Dockerfile & image metadata - FROM microsoft/windowsservercore or FROM alpine or other image
3. If single-arch, use Image.Os from image definition

• If not in daemon's PlatformCapability list, fail
• Note: You can also use a specific image:tag to force the platform this way

3. If multi-arch, then

• Use default container platform from daemon config DefaultPlatform
• If not configured, then DefaultPlatform = OSType from daemon

---

Example - Building a Windows container

In the simple case, the platform will be chosen based on the FROM image.

For this Dockerfile:

FROM microsoft/windowsservercore:10.0.14393.976
...

And this build command:

docker build .

• On a Windows host, the image runs as normal. Metadata matches host OS
• On a Linux host, the image platform != host platform. Pull of microsoft/windowsservercore fails

---

Example - Building a Linux container

FROM alpine:latest
...

docker build .

• On a Windows host, alpine is pulled and stored to disk
  • As the container is started, Hyper-V isolation uses the default Linux runtime to run the container
• On a Linux host, the image platform != host platform. Pull of microsoft/windowsservercore fails

---

Recommendations for build & dev tools

Many tools such as IDEs, CI/CD pipelines, and more need to be able to handle building either
type of container. Here's a few proposed best practices to make automation work well.

Dockerfile

• If a project will only ever target a single OS, use the most restrictive FROM statement
  • FROM alpine
  • FROM microsoft/dotnet:alpine
  • FROM microsoft/dotnet:nanoserver
• If it will be multiarch, use FROM a multiarch image

docker build/run

• Single arch - (optional) specify --platform=...
• Multi arch - use multiple build/run commands with different --platform=... parameters

---

Pulling & importing containers

The same api /images/create is used for both operations. The same order of precedence
as build and run should be followed to figure out which specific image to pull.
When pulling an image from a repo, the metadata includes the platform.

However, in the case of docker import this metadata is not known. The default should be
the platform of the host, but can be overridden with --platform.

Note: Windows doesn't support docker import today at all

Examples:

docker pull --platform linux microsoft/dotnet-runtime will force pulling the Linux
version of this multiarch image.

docker import --platform linux dotnet-runtime.tgz would force importing to use the
Linux platform image store.

---

[thaJeztah]

ping @stevvooe @tonistiigi @johnstep PTAL

[tonistiigi]

The HostConfig definition is used in /containers/create, and already includes the
isolation parameter. The proposal is to add a new property platform.

Image passed to /containers/create should already contain that information.

In this proposal, docker build would use the same --platform parameter as docker run to override platform when needed.

I agree that something like this is needed in case builder needs to pull multi-arch images. But latest PRs are taking this into the wrong direction. There was a platform Dockerfile directive merged as part of the "preparation work" that reviewers probably didn't notice. This is not correct and should be reverted in my opinion. Dockerfile is a multi-platform format. One file can work on multiple platforms or define different commands for different platforms. In the context of lcow you should be able to write a Dockerfile where some parts use linux subsystem and some use windows. Also, directives should only be hints to the parser. It should also work together with #32487 allowing Dockerfile to detect the subsystem that is preferable.

This also points to another problem with the current design(the prs that have been merged). If I'm not mistaken then the references are not cross-platform, meaning you can have duplicate instances of the same name if they are using different execution backend. This breaks your logic for detecting platform from FROM as pulling only happens when a local image can't be found and also breaks the possibility to use multiple backends in the same file. My suggestion is to have one reference store(keeps tags), one image store(keeps image configuration json) and multiple instances of layer store(one for win and one for linux). --platform would only apply when pulling multi-platform images.

[PatrickLang]

@jhowardmsft ^^ what do you think about the reference/image/layer store design? My intent was to be able to pull & run images for multiple platforms on the same machine. Is @tonistiigi 's feedback in line with what you were thinking for the stores?

[lowenna]

Several points, @tonistiigi

For the store separation, I agree with you. Unfortunately the current docker codebase is not as separable as it should be. They really are not quite as independent as they should be. This is something I've discussed with @crosbymichael, and your suggestion is where I'd like to end up. I fully intend to improve this by 17.09 which is the target, but it's orthogonal to this issue directly. Ideally this would be hidden behind some interface, but no-one has yet managed to come up with something workable. It is very high on my list of TODOs.

For the parser directive, this is one I do disagree with you though. Having the directive allows a dockerfile to be predictable without users having to remember to specify a platform flag to build, which is exactly what is required in a multi-OS/arch image world. It is intentionally explicit and I believe required. You are right, the references are NOT cross-platform. Without a parser directive (definitive) or a build parameter (optional), we default to the OS of the host OS where the daemon is running. A parser directive makes a dockerfile explicit without any user input needed.

Please do bear in mind, this is still being worked on and I know the current implementation is not perfect. Especially that the daemon cannot support both Windows and Linux containers simultaneously right now. It is my highest priority to get this a) working and b) as non-disruptive to the code base as possible. It's iterative and baby-steps are required.

However, I think we can all agree that --platform is required for build, run, import, otherwise it's impossible to support multi-arch. This removes many of the current TODO markers if the API can be updated, as well as allowing both Windows and Linux containers to run side-by-side. I do have an in-progress/not-at-all-complete branch you can look at to see the direction with the API change (for build) if you are interested (caveat it’s far from complete).

create I need to think a little more about. You may be right. I will look tomorrow.

[tonistiigi]

@jhowardmsft For the directive, the platform should be predictable from the image defining the base to the stage with FROM. If you agree with the store layout that means that every local reference will be connected to a single platform. If there is a case when the image needs to be pulled and it references a multi-arch manifest(and user doesn't specify platform) we should add a platform specifier to the FROM clause, not to the whole file. Although this seems a bit like a misuse of multi-arch manifest then as the point for using that image instead of the one already fixed to the system is that you want to let it be determined by the user's current defaults.

[PatrickLang]

Pinging @dnephin @johnstep @simonferquel - do you have any feedback on this? We want to do a staged approach where we enable this for local testing first, then in swarm next. We need feedback on how this would impact swarm and who the reviewers need to be. @jhowardmsft is planning to start this work soon

[stevvooe]

@PatrickLang What is the structure of the arguments to --platform? How does one specify an operating system or architecture? How would arm work?

[PatrickLang]

@stevvooe the proposal is to use --platform=[windows|linux] and keep it separate from CPU architecture. platform would equate to OS platform it's targeting - Windows or Linux today, maybe more later? Something else like --architecture could conceivably be added to reflect CPU architecture later. It's not required right now though for Linux containers on Windows.

[lowenna]

#34401

[simonferquel]

I am a bit worried about the term "platform" here. I think it would give a better opportunity to make this flag useful in other scenarios than LCOW if it was architecture qualified.
IE: if we have a linux x86-64 capable of running / building linux/arm64 payload through transparent emulation, it would be nice to be able to do docker pull --platform linux/arm64 ubuntu, or even docker pull --platform linux/* ubuntu to pull the multi-arch image in all linux flavors.

Also for a build perspective, I think we could introduce a platform tiered-support like:
Tier 1: capable of storing images (to be able just to pull, save, load images) - might be usefull in air-gaped environments, to use a particular engine just as an image store
Tier 2: capable of manipulating image content (enables docker cp, a subset of docker build - everything but RUN)
Tier 3: capable of running images (OK for build-time, but not supported for production workloads) - might raise a warning with docker run, would'nt accept swarm tasks for this platform
Tier 4: fully supported

Then, we could easily have Tier2 support for every platform both on Linux and Windows, and be able to make dockerfiles like this that would work on any daemon supporting linux/amd64 on tier3 (linux/amd64 and windows with lcow flavors) and all other platforms on tier2 :

FROM golang:1.8.3 AS builder
...
RUN GOOS=linux GOARCH=amd64 go build
RUN GOOS=windows GOARCH=amd64 go build
RUN GOOS=windows GOARCH=arm64 go build  // why not !
RUN GOOS=linux GOARCH=arm64 go build
RUN GOOS=linux GOARCH=s390x go build

FROM --platform=linux/amd64 scratch AS linux-amd64
COPY --from=builder ....
CMD ...

FROM --platform=linux/arm64 scratch AS linux-arm64
COPY --from=builder ....
CMD ...

FROM --platform=linux/s390x scratch AS linux-s390x
COPY --from=builder ....
CMD ...

FROM --platform=windows/amd64 microsoft/nanoserver AS windows-amd64
COPY --from=builder ....
CMD ...

FROM --platform=windows/arm64 microsoft/nanoserver AS windows-arm64
COPY --from=builder ....
CMD ...

and then do docker build --target myimage:linux/amd64=linux-amd64 --target myimage:linux/arm64=linux-arm64 --target myimage:windows/amd64=windows-amd64 ... . and even docker push --multi-arch myimage myimage:linux/amd64 myimage:linux/arm64 myimage:windows/amd64 ...