Windows: Experimental: ContainerD runtime

[lowenna]

Signed-off-by: John Howard jhoward@microsoft.com

Fixes #22874
Fixes #38719

See each of the commit messages for more detail on the changes.

TL;DR

Allows the use of containerd as an experimental runtime for containers on Windows (WCOW being both process and Hyper-V isolation, as well as LCOW).

Detail

• Splits libcontainerd so that both remote and local can be loaded rather than conditional compile
• Generate a consistent OCI spec that a remote (not-in-process) runtime can escape
• Fix a couple of bugs
• Adds ETW logging for Windows (requires bumping logrus to v1.3.0)
• Fixes a leak if the init proc fails to start
• Vendoring updates for Microsoft/hcsshim and Microsoft/go-winio

Note containerd and hcsshim for HCS v2 APIs do not yet support all the required
functionality needed for docker. gMSA and cloning/templating are two obvious omissions. The gaps will be resolved in time - this PR is a stepping stone in migrating Docker on Windows to containerd for those wishing to experiment, not a full switch-over.

How to use

You will need RS5 (goal is for RS1+ and although RS1 is currently enabled, there's some issues still being worked through, so it may be disabled prior to merge) and to start with something like the following:

Window 1:

• containerd --log-level debug

Window 2:

• $env:DOCKER_WINDOWS_CONTAINERD_RUNTIME=1
• dockerd --experimental -D --containerd \\.\pipe\containerd-containerd

Required Binaries

You will need the following binary from github.com/containerd/containerd in your path. You will need to make sure this is from master currently, not a 1.2.x branch.

• containerd.exe

(Do not use containerd-shim-runhcs-v1.exe from the containerd repo - if not already, it will be removed very soon. You should use the one from the https://github.com/Microsoft/hcsshim below)

You will need the following binaries from https://github.com/Microsoft/hcsshim in your path, again currently from 'master' due to the in-flux current status:

• containerd-shim-runhcs-v1.exe
• runhcs.exe (not required but potentially useful)

For LCOW, the following binaries are required:

• C:\Program Files\Linux Containers\initrd.img
• C:\Program Files\Linux Containers\kernel

This is no different to the current requirements. Linuxkit (https://github.com/linuxkit/lcow) is currently far behind https://github.com/Microsoft/opengcs master, so you may need to build your own initrd.img, as well as kernel. A 4.19 based kernel is preferred.

[ddebroy]

@andrey-ko PTAL

[lowenna]

@ddebroy @andrey-ko Waaaaaaay too early and much is in flux.

[codecov]

Codecov Report

Merging #38541 into master will increase coverage by 0.54%.
The diff coverage is 26.54%.

@@            Coverage Diff             @@
##           master   #38541      +/-   ##
==========================================
+ Coverage   36.47%   37.01%   +0.54%     
==========================================
  Files         613      610       -3     
  Lines       45814    45321     -493     
==========================================
+ Hits        16709    16775      +66     
+ Misses      26823    26260     -563     
- Partials     2282     2286       +4

[thaJeztah]

Ah, well, whatever information would be useful then (instead of runhcs) 😅

[andrewhsu]

@andrey-ko when you get a chance, can you have a look a verifying this PR with windows binaries according to the john howard instructions? cc @ddebroy

[andrewhsu]

@jhowardmsft in regards to getting PR jobs modified to test with containerd on windows in the future and getting nightly builds up with the new dependent binaries, we should proceed with that in parallel with this PR cc @dave-tucker

(could use msft help on this if you guys got canonical ways to build windows binaries from golang in an automated pipeline)

[StefanScherer]

The runhcs.exe is required, I otherwise got this I couldn't run or kill containers.

PS C:\Program Files\Docker> docker run mcr.microsoft.com/windows/nanoserver:1809 ipconfig
...
C:\Program Files\Docker\docker.exe: Error response from daemon: exec: "runhcs.exe": executable file not found in %!P(MISSING)ATH%!(NOVERB): unknown.

[lowenna]

Interesting. It shouldn’t be needed. I’ll fix it as a followup

[thaJeztah]

%!P(MISSING)ATH%!(NOVERB)

Looks like an incorrect format-string somewhere as well 🤔

[lowenna]

@StefanScherer doesn't repro here. Are you POSITIVE you are using the right shim binary?

[StefanScherer]

@jhowardmsft I tried a Dockerfile using double quotes.

# escape=`
ARG core=mcr.microsoft.com/windows/servercore:1809
ARG target=mcr.microsoft.com/windows/servercore:1809
FROM $core as download

SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]

ENV GPG_VERSION 2.3.4

RUN Invoke-WebRequest "https://files.gpg4win.org/gpg4win-vanilla-${env:GPG_VERSION}.exe" -OutFile "gpg4win.exe" -UseBasicParsing ; `
    Start-Process .\gpg4win.exe -ArgumentList '/S' -NoNewWindow -Wait

Single line RUN instructions seem to work 🎉 💯. What a relief.
But I have problems with this multi-line

RUN @( 
    "94AE36675C464D64BAFA68DD7434390BDBE9B9C5", 
    "FD3A5288F042B6850C66B31F09FE44734EB7990E", 
    "71DCFD284A79C3B38668286BC97EC7A07EDE3FC1", 
    "DD8F2338BAE7501E3DD5AC78C273792F7D83545D", 
    "C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8", 
    "B9AE9905FFD7803F25714661B63B535A4C206CA9", 
    "77984A986EBC2AA786BC0F66B01FBB92821C587A", 
    "8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600", 
    "4ED778F539E3634C779C87C6D7062848A1AB005C", 
    "A48C2BEE680E841632CD4E44F07496B3EB3C1762", 
    "B9E2F5981AA6E0CD28160D9FF13993A75599653C" 
    ) | foreach { 
      gpg --keyserver ha.pool.sks-keyservers.net --recv-keys $_ ; 
    }

Sure I can keep single quotes here, but wanted to try out where people might use it.

[lowenna]

Is that a regression (the multi-line)?

[StefanScherer]

@jhowardmsft oh the shim was my fault, I accidentally copied the wrong one :-(

FROM mcr.microsoft.com/windows/servercore:1809
ENV VERSION=1.2.3
RUN powershell -Command Write-Output "The version is $env:VERSION"
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
RUN Write-Output "The version is $env:VERSION"

Building this Dockerfile gives me

PS C:\node\quoteetst> docker build --no-cache -t test .
Sending build context to Docker daemon  2.048kB
Step 1/5 : FROM mcr.microsoft.com/windows/servercore:1809
 ---> 1206cbf9524c
Step 2/5 : ENV VERSION=1.2.3
 ---> Running in 1bd568e4ee34
Removing intermediate container 1bd568e4ee34
 ---> 0a74f370c77f
Step 3/5 : RUN powershell -Command Write-Output "The version is $env:VERSION"
 ---> Running in d6a007ab1b1e
The
version
is
1.2.3
Removing intermediate container d6a007ab1b1e
 ---> 0342b5e97e70
Step 4/5 : SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
 ---> Running in 37f64078846b
Removing intermediate container 37f64078846b
 ---> 256f3d5579da
Step 5/5 : RUN Write-Output "The version is $env:VERSION"
 ---> Running in 0b5f8071c718
The
version
is
1.2.3
Removing intermediate container 0b5f8071c718
 ---> a27d43c226db
Successfully built a27d43c226db
Successfully tagged test:latest

The output is multi-line so there were no quotes in the Write-Output command. My download from the previous Dockerfile fortunately worked without the quotes.

[andrey-ko]

I've access problems with container removal:

PS C:\Users\akolomentsev> docker run --rm -it mcr.microsoft.com/windows/nanoserver:1803
Microsoft Windows [Version 10.0.17134.648]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\>exit
ERRO[0005] Error waiting for container: container a2d618fa593f2f4992590a92ac49e2317497b088ba4fb6a383cee40491de1cb7: driver "windowsfilter" failed to remove root filesystem: failed to detach VHD: invalid argument: rename C:\ProgramData\Docker\windowsfilter\a2d618fa593f2f4992590a92ac49e2317497b088ba4fb6a383cee40491de1cb7 C:\ProgramData\Docker\windowsfilter\a2d618fa593f2f4992590a92ac49e2317497b088ba4fb6a383cee40491de1cb7-removing: Access is denied.

and looks like it stays forever in "removal in progress state"....

PS C:\Users\akolomentsev> docker container ls -a
CONTAINER ID        IMAGE                                       COMMAND                    CREATED              STATUS                PORTS               NAMES
a2d618fa593f        mcr.microsoft.com/windows/nanoserver:1803   "c:\\windows\\system32…"   About a minute ago   Removal In Progress                       sleepy_beaver
PS C:\Users\akolomentsev>

[lowenna]

Removal issue known and understood. Needs a fix to the shim which is in flight

[lowenna]

@StefanScherer I’m still trying to understand if this is a regression or not. Can you be more precise?

[StefanScherer]

@jhowardmsft I think I remembered something wrong. I kept in my mind that I sometime should test this PR to check an enhancement how we can use quotes in RUN instructions. As I finally had some time today to set everything up I tried it out in the hope that we can use double quotes, but it seems I remembered this wrong. So no regression, it just doesn't work as it would be nice to work. So forget about this false alarm. We should track this in another issue.

All other things with containerd work for me on a Server 2019, even docker run --rm.

[lowenna]

I’m going to merge this so we can move forward given there are three LGTMs and a slack-LGTM from Derek. @thaJeztah YOLO.

[lowenna]

( channeling @jessfraz 😱 😁)

[thaJeztah]

😂🥳🎉