-
Notifications
You must be signed in to change notification settings - Fork 2k
Connect to Windows Docker engine #2907
Comments
Due to the way the provisioner model currently works, it might not be too crazy to implement such functionality, although it would require re-thinking or papering over some pretty fundamental assumptions (e.g. the presence of SSH). I have a feeling that the way it will need to be implemented is by having some flags which specifically indicate that it's a Windows machine. e.g. |
I don't know much about Windows Server containers, however as Nathan said most of the work would be getting the SSH protocol on Windows either by waiting Microsoft to do it (it's happening) or providing a polyfill using WinRM maybe (I don't know how it works at all). I remember some discussion about this was happening internally too. cc: @jstarks as he is on the windows containers team. If you think you can prototype something, I would say go for it. |
Hi @StefanScherer, I'm a PM in the Hyper-V team and I'm actually looking into how we could make this possible. One of the things we're thinking about is maybe we could use this as the OS that Docker Machine could pull. If we use Nano, then it would stay as a small download. The repo for the Open SSH in Windows project is here. Any ideas are appreciated and if you're going to prototype something please let me know. I'll keep posting back here if I find out more about how to make this work. cc: @dgageot |
@enderb-ms Oh, a Nano image, that would be great as well. And OpenSSH is also an option. In the meantime other projects like Packer and Vagrant improved Windows support to use WinRM and get rid of SSH to have a more native communication. What I thought about as a first step is let docker-machine connect to a TP4 server, eg. with the generic driver. Haven't tried the azure driver yet I think of selecting a TP4 VM + docker engine template at Azure and docker-machine then knows to provision a Windows VM instead of a Linux VM. It only has to do some minimal steps to connect the local machine where docker-machine is running with that remote Docker Engine. These are the steps of a generic driver running against a Linux VM that already has Docker installed. I've added some ideas for Windows:
Phase 1:For the Azure/local TP4 with preinstalled docker engine scenario: Step 1.) it has to use WinRM (eg. have a look at packer's winrm communicator) instead of SSH. Step 2.) could check if everything is up and running and if the VM is a TP4. Otherwise abort if it's not possible to install everything eg without a reboot. It then has to do steps 9.) ... 14.) to stop docker, insert the TLS certs and restart docker. After that docker-machine has created the connection to an existing Azure VM / local or on-prem Windows VM and secured the docker port. Phase 2:Later on the step 2.) could be enhanced to allow "empty" 2016 servers to install Docker with step 6.) Phase 3:And then to have a "boot2docker.iso" with a Nano image in it to download locally. Just some first thoughts ;-) |
@dgageot are you planning to crank on this? If not, I think we should point the Microsoft folks in the right direction so that they can try and make progress |
@friism There's ongoing work with @enderb-ms already |
@dgageot great! Is there a place I can get more details? |
@dgageot I have a change that can spin up Windows server instances on Azure and setup Docker engine. Is there a repo, where @enderb-ms's work is available? I can submit mine here for review and possibly merge or unify with anything @enderb-ms is doing. Quick description of what I have done
|
@ppadala Amazing |
hawt |
Thanks @stefanfoulis @friism. The work is in https://github.com/containerx/machine, but that also includes some other changes unrelated to this PR. I am creating a new branch, cleanup code and will submit a pull request soon. |
I made the pull request, any comments and reviews are appreciated. There are still a couple of hard-coded items that need work, which I will be fixing in next few days. |
PR for reference: #3146 |
@ppadala really nice. I think @enderb-ms & docker-machine maintainers are currently trying to figure out if they should use WinRM or bootstrap OpenSSH on Windows. I'll let those folks to decide which work should go forward. As far as azure driver concerned, I'm afraid we can't take changes to |
@ppadala it's also important that this probably should not be just an |
I have actually considered the SSH option as well. I just didn't like the Windows OpenSSH server I tried, had trouble with connecting to the server from OS X. That said, I haven't tried all the possible SSH servers, you guys know better. Happy to jump in to the discussion, let me know where the discussion is happening.
No worries, the change I have done actually is not just to the azure driver, but also to rest of docker-machine to add an option for OS. I'll try out your code posted on #2742. Does the code already have support for spinning up Windows images on Azure? |
As I mentioned above, my change has both azure driver and rest of docker-machine changes. How shall we proceed from here? I can wait for your resource manager changes to be committed and then we can figure out adding windows-specific flags to docker-machine. |
@ahmetalpbalkan I checked the code you posted in #2742. As I understand, it's moving the driver to use ARM APIs and doesn't have Windows image support. Here's what I propose
I have done 2 and 3 with current driver and I can make similar changes based on your ARM based driver. Let me know your thoughts. |
@ppadala sounds good. if you try rebasing your code on top of my branch, you can get unblocked and get started doing some work. Functionality-wise the new driver is ready, but we're still addressing some issues in azure-sdk-for-go and these may still take some time (like a couple weeks) and I'll be sending the end result as a pull request. |
@ppadala this is awesome! Thank you for doing this. Unfortunately, I have not been able to get any developer time, so we have not starting working on our ideas. But this might help me get people onboard. |
I was setting up https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH as the SSH server. When I run ssh <server> <cmd> from Mac, it doesn't seem to work, though plain interactive ssh to the server works. If you include SSH server in Azure images, then that's definitely cleaner. docker-machine driver interface already seems to assume that SSH access is available. |
@ppadala I'm puzzled, too. I bet the API is trying to say you can't specify extensions on the VM create call. For instance when you deploy an ARM template with extensions and watch the deployment happening, ARM first creates the VM and then creates the Extension resource separately once the VM is created... There must be some methods to add extensions to the VMs in the |
Thanks @ahmetalpbalkan. I added VirtualMachineExtension after the VM creation and it worked. I had to wrestle a little bit to figure out the right way to setup WinRM HTTPS listeners, but I have the pull request #3329 ready. Let me know your comments. I also uploaded the binaries at https://www.dropbox.com/sh/kpc46xtc8su2sj7/AABtxVIVbGo8KLy7tu6HnWwza?dl=0 for easy testing. Usage: Three new parameters are added to Azure driver
Sample command
|
@ppadala @ahmetalpbalkan I don't know if you already incorporated this, but this article on securing the windows daemon may also be good: https://github.com/Microsoft/Virtualization-Documentation/tree/master/windows-server-container-tools/DockerTLS /cc @PatrickLang @swernli |
@ppadala Thanks, this is totally awesome. I've just tried the sample command to create a TP4 machine in Azure. And yeah, it worked with your prebuilt binaries right out of the box. (ok, you have to enter a more complex password to fit the windows password complexity requirements) A secured Docker Engine with such a simple docker-machine command. That's a great breakthrough!
|
@ppadala And what's even more fantastic is that a |
Thanks for the link @friism. Yes, the docker-engine is already secured with TLS similar to Linux. docker-machine create workflow generates the credentials (cert, key and ca) and I use WinRM to upload them to Windows Server. |
Thanks for trying @StefanScherer. The plaintext password is the only part I don't like here (I like your pass approach). We can switch to a cert based auth later. Unfortunately packer library doesn't support that yet. |
Credit goes to @ahmetalpbalkan for moving to Azure ARM and writing a clean "cleanup". |
@ppadala this is feakin' amazing. Great work! I guess the question now will be how to merge this to azure driver in the short and to other drivers (such as google/aws) in the long term. |
@ahmetalpbalkan the pull request #3329 is already synced with master and merged with azure driver, will be great if you can review and provide comments. Currently, only Azure has Windows server 2016 VMs, but the code is written in such a way that support for GCP, AWS, vSphere and others easily. |
|
@ppadala @ahmetalpbalkan Could the docker-machine 'azure' driver be used with AzureStack? |
@nilleb I'm afraid not yet. If you need it, please open a separate issue. |
I just downloaded the docker for windows that does have the 1.12 RC2 that has the 0.8.0-rc1 but when i try the "azure-os" "windows" option it does not seem to work. Please let me know where i could acquire a docker-machine version that can create TP5 Windows 2016 docker hosts on Azure. Thanks, |
@SharadGumaste what's the error when you say "it does not work"? have you tried specifying the image with |
@SharadGumaste I am guessing you were trying the released version. The patch for supporting Windows (azure-os windows option) is not merged yet. |
Pradeep, yes I did the update from the docker software. What is the best Thank you in advance for any assistance. On Thursday, June 23, 2016, Pradeep Padala notifications@github.com wrote:
completely foolproof is to underestimate the ingenuity of complete fools."
|
@SharadGumaste can you send a mail to pradeep@containerx.io? I have a separate repo for docker-machine for Windows, I can send you instructions on setting up. |
Are there any news regarding spinning up a Windows Docker host in a local VirtualBox? |
Does anyone have a prototype able to spin up Windows VMs on Azure? |
@djanosik I am working on trying to get docker-machine to spin up autoscaling Windows OpenStack and EC2 instances for my GitLab CI builds. I took @ppadala 's PR branch, got it rebased up to the latest master, and am studying it now. It's in https://github.com/davidarcher/machine/tree/azure_winrm . |
I followed @jen20's instructions to build a Windows AMI with SSH. It works with Docker Machine up to the point of provisioning, where it fails because there is no |
Has anybody started to add or think about a docker-machine driver and provisioner for Windows Docker engines?
So anybody can use docker-machine to secure and connect to a Windows Server 2016 TP4 as easy as we are used for a Linux Docker Engine?
Something like:
Using WinRM (HTTP/HTTPS) instead of SSH to access the remote Windows Server and put the TLS certs into it and reconfigures the Windows Docker service and other things.
I know that packer has communicators for SSH and WinRM built in Go for provisioning.
Just connecting the dots...
ping @ahmetalpbalkan 😄
The text was updated successfully, but these errors were encountered: