In Understanding Windows Containers on the Petri IT Knowledgebase, I introduced you to containers and Docker images, and how as a lightweight virtualization solution, containers share a kernel with the host OS and other containers. Using namespace isolation, resource control, and process isolation technologies, Windows restricts the files, network ports, and running processes each container can access, providing isolation between containers and the host OS.
But because of the shared kernel in user mode, even with process isolation technologies in place, a malicious user could break out of a container if they uncovered a design fault in the implementation of containers or an unpatched OS vulnerability.
If all the code running on a host is trusted, then the isolation provided by Windows Containers is likely to be adequate. But if we don’t trust the code, then Hyper-V Containers provide the same level of isolation as virtual machines (VMs), but with many of the benefits of standard containers.
Windows Server 2016 solves these security challenges by providing the option to place containers into Hyper-V partitions. Simply put, Hyper-V Containers are Windows Containers running in a VM, providing the kernel isolation and host separation that’s missing with standard container technology. The process for managing Hyper-V Containers, and associated images, is the same as with Windows Containers, but with the option to add the extra isolation provided by Hyper-V at deployment time.
Not only does this extra isolation provide better security, but also completely abstracts the container from the underlying host OS, so you don’t have to worry about patches or updates to the host breaking apps running in containers. Hyper-V Containers boot quickly like Windows Containers, but have more overhead because of the additional isolation provided.
And because Hyper-V Containers are Windows Containers running in a hypervisor child partition, the same images and management toolset can be used to manage both types of containers. There’s no need to convert Windows Container images for use with Hyper-V Containers, or vice versa. Windows Server 2016 supports nested virtualization, so even if the host OS is a Hyper-V VM, you can still deploy Hyper-V Containers.
If you’d like to learn more about deploying Windows and Hyper-V Containers in Windows Server 2016, try out Microsoft’s free hands-on lab Build your first container using Docker on Hyper‑V, where you’ll be guided through the process of installing Windows Containers, Hyper-V, and Docker on Windows Server, and how to deploy and isolate containers.