If Docker runs natively on Windows, then why does it need Hyper-V?

If Docker Community runs natively on Windows, then why does it need Hyper-V? I.e., doesn't native imply that Docker Engine can run instructions on Windows? It looks to me like it still starts up a Linux VM and runs within that.

To me, it seems that Docker Toolbox uses an Oracle hypervisor running Linux, while Docker Community uses Hyper-V running Linux. Is there another important difference that I'm overlooking?

Is this correct? Am I understanding the word "native" wrong, is Docker misusing the word, or is there some other aspect I'm missing?

The reason I'm asking is that I noticed you don't use Docker Machine with the Community edition, and I'm wondering why that is. Is Docker Machine the thing that runs natively on Windows, while Docker Engine doesn't? I think the word "Docker" is overloaded and maybe leads to confusion in this case :)

Thanks in advance!

Solution 1:

Docker support for Windows has several variants:

  1. Docker Toolbox which includes Docker Machine that will spin up a boot2docker image inside of VirtualBox. These are Linux containers running with a Linux kernel inside the VM. This was originally the only option for Windows users.

  2. Docker for Windows using Hyper-V to run the Moby VM, based on LinuxKit, to run Linux images. LinuxKit provides a container based Linux OS, and there's some integration to make it appear less like a VM to the end user, e.g. you can use 127.0.0.1 instead of the IP of the VirtualBox VM. If you have Hyper-V available and want to run Linux containers on Windows, this is the preferred option.

  3. Windows Server Containers which run Windows binaries on the same host OS, similar to how Linux containers on a Linux OS do not need a VM.

  4. Hyper-V Containers which run Windows binaries inside of a separate VM for additional isolation.

You can read more about the latter two options in Microsoft's docs.

What's important to note is that when you install Docker for Windows on a supported server, like 2016, you have options 2, 3, and 4, that you can toggle between. For Linux and Windows containers, there's a switch in the settings that affects all running containers and commands. And between Windows Server Containers and Hyper-V containers, there's an --isolation option on the docker run command line. So I believe you're required to have Hyper-V support to cover 2 and 4 even if you only want option 3.

Solution 2:

Support for Docker on Windows is not native; Docker was written to be run on Linux initially. So the requirements for running Docker CE on Windows are:

  1. Virtualization must be enabled, since docker-ce creates a VM on Hyper-V. Since all hypervisors require hardware virtualization to be enabled, Hyper-V in this matter is not exceptional. The Docker for Windows installer will enable Hyper-V for you, if needed, and restart your machine.

  2. For older Windows systems that don't support hardware virtualization, it's recommended to use Docker Toolbox, which uses Oracle VirtualBox instead of Hyper-V to spin up VMs that will host Docker containers.

Solution 3:

Windows does support "Process Isolation" in addition to "Hyper-V Isolation".

Process isolation containers on Windows run without an additional layer of virtualization (similar to what you may be used to with Docker on Linux); I believe this is what the OP is looking for when referring to "native" containers.

Process isolation support is still fairly new, but the latest versions of Windows Server 2019 and Windows 10 can indeed run Windows containers without the extra overhead of a Hyper-V virtual host. One thing to note is that your Windows container base image kernel version must match the kernel version on your host machine. So you probably won't be able to simply use the exact same containers you've been running on Hyper-V.

Here is a Windows container version compatibility table which highlights which host OSs support process or Hyper-V isolation.

Even though the page above doesn't indicate it, Windows 10 Update 1809 is the first update to support Docker process isolation, as noted in the Docker Engine Release Notes.
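As an added example (not code from any of the answers), the following PowerShell script ties together Solution 1's `--isolation` flag and Solution 3's build-matching rule: it compares the host build with the Windows base image's build, requests process isolation only when they match, and reads back which mode the daemon actually applied. The image name and container name are assumed placeholders; everything else uses documented `docker` flags and inspect fields.

```powershell
# Added example, not part of any answer above. Run on a Windows host whose Docker
# daemon is switched to Windows containers. $Image and $Name are assumed values.
param(
    [string]$Image = "mcr.microsoft.com/windows/servercore:ltsc2019",  # assumed image
    [string]$Name  = "isolation-demo"                                 # assumed name
)

# Host kernel build, e.g. 17763 for Windows Server 2019 / Windows 10 1809.
$hostBuild = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber

# The daemon's default isolation mode ("process" on Server, "hyperv" on Windows 10 by default).
$defaultIsolation = docker info --format '{{.Isolation}}'
Write-Host "Host build: $hostBuild  Daemon default isolation: $defaultIsolation"

# Build the image was compiled against, exposed as "10.0.<build>.<revision>".
docker image pull $Image | Out-Null
$imageOs    = docker image inspect --format '{{.OsVersion}}' $Image
$imageBuild = [int](($imageOs -split '\.')[2])

# Process isolation shares the host kernel (Solution 1's option 3, Solution 3), so the
# builds must match. Otherwise fall back to Hyper-V isolation (option 4), which boots a
# utility VM with its own kernel and therefore tolerates the mismatch.
if ($imageBuild -eq $hostBuild) {
    $isolation = "process"
} else {
    Write-Host "Image build $imageBuild != host build $hostBuild; using hyperv isolation"
    $isolation = "hyperv"
}

# Keep the container alive briefly so it can be inspected.
docker run -d --name $Name --isolation=$isolation $Image cmd /c "ping -t localhost" | Out-Null

# HostConfig.Isolation records what the daemon applied ("process" or "hyperv").
$applied = docker inspect --format '{{.HostConfig.Isolation}}' $Name
Write-Host "Requested isolation: $isolation  Applied isolation: $applied"

docker rm -f $Name | Out-Null
```

If the daemon is in Linux-containers mode, `docker info` reports no isolation mode and the Windows image pull fails, which is the quickest way to tell the two Docker Desktop modes from Solution 1 apart.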

Solution 4:

Docker evolved on Linux. Much of the confusion arises with Docker trying to support containerization on Windows.

A container is considered “native”, if it can run directly on the host operating system.

Linux Container: A Linux application that runs in an isolated Linux environment.
This same container can be run on Windows using virtualization to emulate a Linux environment, but the container is still running on Linux. This virtualization can be

  • VirtualBox (Docker Toolbox)
  • Hyper-V backend (Docker Desktop)
  • WSL2 backend (Docker Desktop)

Windows (Server) Container: A Windows application that runs in an isolated Windows environment.

  • Process Isolation - This is the “traditional” isolation mode for containers. It is approximately the same as how Linux containers run on Linux
  • Hyper-V isolation - This isolation mode offers enhanced security and broader compatibility between host and container versions.

As you can see, Hyper-V can be used to run even native Windows containers, which is generally a source of confusion.

Further, docker-machine is a superseded product.

Machine was the only way to run Docker on Mac or Windows previous to Docker v1.12. Starting with the beta program and Docker v1.12, Docker Desktop for Mac and Docker Desktop for Windows are available as native apps and the better choice for this use case on newer desktops and laptops.

See Docker Container in Linux and Windows for a high level overview of much of the terminology, technology and references.