You can improve the security of your application development infrastructure by reducing the size and scope of application and compute resources. One way to do this is to containerize workloads. Windows Server and Microsoft Hyper-V containers enable you to isolate workloads from each other and the OS. Even if a container is compromised by an attacker, it will be difficult for the attacker to access the host OS. Containers also provide a standardized environment for development, test and production teams.
Containers
Containers provide an isolated and portable operating environment for apps. From the app’s perspective, a container appears to be a complete, isolated Windows OS with its own file system, devices and configuration. Therefore, in many respects, containers are like VMs because they run an OS, they support a file system, and you can access them across a network similar to any other physical machine or VM.
Containers are virtual environments that share the kernel of the host OS but provide user space isolation, so they provides an ideal environment in which an app can run without affecting the rest of the user mode components of the OS and without the other user mode components affecting the app. Using containers, developers can create and test apps quickly in an isolated environment while using only a few OS resources. This means that containers do not need all of the processes and services that an OS on a VM might use.
Windows Server 2016 supports two types of containers:
- Windows Server containers. These containers provide app isolation through the process and namespace isolation technology. Windows Server containers share the OS kernel with the container host and with all other containers that run on the host.
- Hyper-V containers. These containers expand on the isolation that Windows Server containers provide by running each container in a highly optimized VM.
Using containers has multiple benefits. The reduced OS size means that you must maintain fewer operating-system components, which in turn results in fewer potential security risks. The reduced OS size also helps improves scalability.
Docker
To run an application workload in a container, you must use Docker. Docker is a collection of open-source tools and cloud-based services that provide a common model for packaging (containerizing) app code into a standardized unit for software development. This standardized unit, or Docker container, is software that is wrapped in a complete file system that includes everything it needs to run, including code, runtime, system tools, system libraries, and anything else you can install on a server. You must download Docker separately; it is not part of the Windows Server 2016 installation media.
Nano Server
Microsoft Nano Server is a fairly new installation option for Windows Server 2016. It is a lightweight operating system tailored for use with virtualized container instances. There is no UI; you must manage Nano Server remotely using PowerShell, but this PowerShell differs from the standard one. As of Windows Server version 1803, Nano Server is available only as a container-based OS image, and you must run it as a container in a container host, such as Docker. You can troubleshoot these new Nano containers using Docker and run them in IoT Core.
A Nano Server instance cannot function as an Active Directory domain controller. In particular, it does not support the following features:
- Group Policy
- Network interface card teaming
- Virtual host bus adapters
- Proxy server access to the internet
- System Center Configuration Manager
- System Center Data Protection Manager
Nano Server supports the following roles:
- File Services
- Hyper-V
- IIS
- DNS Server