
Containers for Windows: 10 years before Microsoft

In October 2014, Microsoft announced a partnership with Docker under which container virtualization would be implemented in a future version of Windows Server, expected in Q3 2015. To support containers, Microsoft will use its own technology, developed in the Drawbridge research project. Drawbridge virtualization resembles the approach taken by the Wine project, which runs Windows applications on UNIX-like operating systems: the key feature of both is that no hardware virtualization (processor, memory, I/O devices) is required, and only the Windows execution environment is emulated.
Parallels began developing containers for Windows long before Microsoft thought about it. Since the Microsoft announcement obviously makes the topic very relevant, in this post I will try to explain which technologies our Windows containers are built on, what functionality they have, and what their main use cases are. In the comments I am ready to answer all questions, including the most popular one: how many containers can be run on a single host.

Parallels Containers

Computing power continues to grow according to Moore's law, but how can these systems be used effectively with minimal overhead? One possible answer is containers, which control resources and isolate applications run by different users. Without false modesty, the pioneer and leader in container technology is Parallels, which, in addition to products for Linux-based operating systems, has offered its own implementation of Windows containers for almost 10 years. The Parallels approach is based on OS kernel virtualization: after modification, a single kernel is capable of running an arbitrary number of Windows user environments.

The user environment lives on a virtual disk that holds references to the Windows OS files and its own system registry. The Windows system files launched from that disk form the environment for users (including the administrator), with domain membership, application operation and networking through a virtual adapter. This is what we call a Parallels container for Windows.

And what's under the hood?

Parallels containers, both for Linux-based OS and for Windows, rely on kernel modifications. Where the Linux community accepted most of the Parallels changes into the mainline kernel, Microsoft was not so open. While working on the containers we sent Microsoft a large number of reports about limitations and plain bugs we found in Windows kernel components. Some were addressed in subsequent Windows versions, and for more than a dozen problems Microsoft released separate hotfixes. So it is fair to say that we also take part, albeit indirectly, in developing Windows kernel components. Unfortunately, Microsoft did not take up our proposals to expand the cooperation.

So how does this work if Microsoft does not accept the changes and does not provide access to the Windows kernel source? Two technologies are central to the development of Parallels containers: reverse engineering and patching program code at run time.


Reverse engineering is essentially a practical application, in computer science, of the scientific method known as systems analysis. The run-time code patching technology, on the other hand, is something we are genuinely proud of: we consider the Parallels implementation one of the best in the world and protect it with patents.

As noted above, the entire virtualization technology runs inside the OS kernel, which makes it possible to partition kernel objects between containers and thereby isolate them from one another. Each container has its own set of processes, sessions and drivers, as well as its own registry and kernel object tree.


Note the screenshots. First, the user's experience of the OS inside a container is no different from working with Windows itself; second, they show how isolation works. Containers know nothing about each other or about the host they run on, but from the host the containers are easily accessible, so the host administrator is effectively a super-administrator for all containers. Containers are integrated into Windows in such a way that standard OS tools such as Task Manager, Registry Editor and Mark Russinovich's Sysinternals toolkit can be used to manage and monitor them.

How many, exactly?

The most popular question from our users is how many Parallels containers can run on one host. In a Parallels lab experiment we were able to start about 600 containers that could still be logged into via RDP, although by then the user interface latency was already unacceptable. Further experiments confirmed that the overhead of OS kernel virtualization is relatively small, and noticeably lower than in hypervisor-based solutions, so the deciding factors are the applications you plan to run in the containers and the physical capacity of the host itself.

In real deployments the resources consumed by applications inside containers have to be bounded, so resource control is a key feature of Parallels containers. You can control a container's consumption of processor time, memory, storage space and network traffic.

Application Templates

How are applications deployed inside Parallels containers? You can do it the usual way by running the application installer, but with many containers you would have to press the "Install" button countless times. To automate the process, and to avoid spending container disk space on application files, we use Application Templates. Physically, a template is a file that records the original location of files, folders and registry keys. Templates are created with a dedicated tool, the Template Creation Wizard, which tracks every change the application installer makes to the file system and the registry and saves those changes into the application template. The resulting application template can be attached to any container, which is equivalent to installing the application there, and the application can be used in the container immediately. A user of Parallels containers can create a template from any application that can be installed inside a container.


Copy-on-write file system

Parallels containers share not only the kernel but also all files installed on the host from the Windows OS distribution, which saves space on the storage system. Data is deduplicated at the file level using templates and a specialized file system with copy-on-write support. For each supported version of Windows, including language localizations, Parallels releases an OS template. An OS template differs from an application template only in that the file contents are not stored in it. From inside the container, access to files from the OS template is completely transparent, giving a unified view of the Windows file structure made up of files that are shared and files that are private to the container. Copy-on-write support in the file system ensures that files from the OS template are never modified: the changes are saved only inside the container.
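As an added illustration of the two mechanisms described in the Application Templates and Copy-on-write sections, here is a small Python model. It is not Parallels code: the real implementation lives in a kernel-mode file system, whereas this is an in-memory sketch, and the paths, file contents and registry keys are constructed for the example. It shows a template captured as the diff of before/after snapshots of a scratch container, and containers that read through a stack of shared templates while their writes and deletions land only in a private copy-on-write layer. Representing a deleted shared file as a "whiteout" entry is an assumption of this model; the post does not say how the Parallels file system records deletions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

Files = Dict[str, Optional[bytes]]   # path -> content; None is a "whiteout" (file deleted)
Registry = Dict[str, Optional[str]]  # key -> value; None marks a deleted key


@dataclass
class Template:
    """A shared, read-only layer: an OS template or an application template."""
    name: str
    files: Files = field(default_factory=dict)
    registry: Registry = field(default_factory=dict)


def _merge(*layers: dict) -> dict:
    """Stack layers from lowest to highest and drop whiteouts."""
    merged: dict = {}
    for layer in layers:
        merged.update(layer)
    return {k: v for k, v in merged.items() if v is not None}


def _diff(before: dict, after: dict) -> dict:
    """Entries whose value changed between two snapshots; None records a removal."""
    return {k: after.get(k) for k in set(before) | set(after) if before.get(k) != after.get(k)}


class Container:
    """Templates stacked bottom-up, plus a private copy-on-write layer on top."""

    def __init__(self, name: str, os_template: Template) -> None:
        self.name = name
        self.layers = [os_template]             # shared; never written to
        self.private_files: Files = {}          # the container's own changes
        self.private_registry: Registry = {}
        self.copied_on_write: Set[str] = set()  # shared paths this container has shadowed

    def attach_template(self, template: Template) -> None:
        self.layers.append(template)            # "equivalent to installing the application"
    def list_files(self) -> Dict[str, bytes]:
        return _merge(*(l.files for l in self.layers), self.private_files)
    def registry_view(self) -> Dict[str, str]:
        return _merge(*(l.registry for l in self.layers), self.private_registry)

    def read_file(self, path: str) -> bytes:
        data = self.list_files().get(path)
        if data is None:
            raise FileNotFoundError(path)
        return data

    def write_file(self, path: str, data: bytes) -> None:
        # Copy-on-write: the template copy stays untouched; new content exists only here.
        if path not in self.private_files and any(path in l.files for l in self.layers):
            self.copied_on_write.add(path)
        self.private_files[path] = data

    def delete_file(self, path: str) -> None:
        self.private_files[path] = None         # whiteout hides the shared copy (assumption)
    def reg_get(self, key: str) -> Optional[str]:
        return self.registry_view().get(key)
    def reg_set(self, key: str, value: Optional[str]) -> None:
        self.private_registry[key] = value


def snapshot(c: Container) -> Template:
    return Template(f"{c.name}-snapshot", c.list_files(), c.registry_view())


def create_template(name: str, before: Template, after: Template) -> Template:
    """Like the Template Creation Wizard: keep only what the installer changed."""
    return Template(name, _diff(before.files, after.files), _diff(before.registry, after.registry))


# Constructed sample data; the paths and contents are not real Windows files.
INI = r"C:\Windows\win.ini"
APP_EXE = r"C:\Program Files\App\app.exe"
OS_TEMPLATE = Template(
    "win2003-en",
    {r"C:\Windows\System32\kernel32.dll": b"<shared kernel32>", INI: b"[fonts]\n"},
    {r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir": r"C:\Program Files"},
)


def demo() -> dict:
    # 1. Capture an application template by diffing a scratch container around an "install".
    scratch = Container("scratch", OS_TEMPLATE)
    before = snapshot(scratch)
    scratch.write_file(APP_EXE, b"<app binary>")
    scratch.write_file(INI, b"[fonts]\n[app]\nver=1\n")
    scratch.reg_set(r"HKLM\SOFTWARE\App\Version", "1.0")
    app_tpl = create_template("app-1.0", before, snapshot(scratch))

    # 2. Attach it to two containers; they then diverge only in their own COW layers.
    a, b = Container("ct101", OS_TEMPLATE), Container("ct102", OS_TEMPLATE)
    a.attach_template(app_tpl)
    b.attach_template(app_tpl)
    a.write_file(INI, b"[fonts]\n[app]\nver=1\ncolor=red\n")
    b.delete_file(APP_EXE)
    return {
        "template_files": sorted(app_tpl.files),
        "a_ini": a.read_file(INI),
        "b_ini": b.read_file(INI),
        "os_ini_untouched": OS_TEMPLATE.files[INI],
        "a_cow": sorted(a.copied_on_write),
        "b_sees_app": APP_EXE in b.list_files(),
        "a_version": a.reg_get(r"HKLM\SOFTWARE\App\Version"),
    }
```

The invariant worth checking in any layered design like this is the one `demo()` exposes: after both containers have written and deleted files, the bytes in `OS_TEMPLATE` and in the application template are unchanged, and each container's divergence is confined to its own private layer. That is also what makes the shared template a useful integrity anchor for the host administrator, who can compare any container's private layer against it.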


Who needs it?

From the very start of the project, Parallels offered its containers for hosting web applications, the most important of which is the Parallels Plesk automation platform. Hosting products based on Parallels containers are offered by leading providers worldwide, including AT&T, 1&1, GoDaddy, HostEurope and others.


Parallels containers for Windows are best suited, however, to deploying many identical environments that are managed and configured uniformly. Desktop virtualization is one such scenario. In partnership with the integrator IBS, Parallels has developed and since 2013 has offered the FSTEC-certified Parallels VDI solution, consisting of a connection broker and container-based virtualization. A large-scale project to automate the Federal Tax Service of the Russian Federation is currently being implemented on the basis of this solution, moving more than 10,000 workplaces to a cloud data center.

Project history

The Windows container project was launched in May 2002, after successful experiments with Parallels containers on the Linux kernel. In January 2003 a prototype was demonstrated on Windows 2000 Server that ran 50 isolated copies of Microsoft IIS and Microsoft SQL Server, and in June 2005 the first public release, Parallels Virtuozzo Containers for Windows 2003 Server version 3.0, took place.

To date the project has seen 7 public releases and nearly 300 updates, and its code base exceeds 1,300,000 SLOC. Recently the total number of containers created with Parallels technologies (including the one described here) passed 1,000,000!

Parallels containers have also earned high marks at Microsoft: in private conversations, the company's engineers described the project as the most technically complex one built on the Windows kernel.



Conclusion

Microsoft's entry into the container market will no doubt make this approach to virtualization far more popular, and Docker tooling will make wrapping applications into containers easy and convenient. Technically, the advantages of Microsoft containers are the low virtualization overhead and the ability to implement containers entirely in user mode. The drawbacks include the difficulty of ensuring application compatibility, since that requires emulating the entire Windows API, which today comprises thousands of calls.

Although Parallels and Microsoft take different approaches to implementing containers, the two technologies can complement each other well: Microsoft containers will probably be able to run inside Parallels containers. We therefore see Microsoft not as a competitor but as the creator of the Windows ecosystem, in which container virtualization occupies an important place.

It is encouraging that the container virtualization projects for Linux-based OS currently on the market are not competing with each other: teams from Parallels, Google, IBM, Canonical, Docker and others work together on most of them. And although the Windows ecosystem is, for obvious reasons, more closed, we look forward to further cooperation.

Learn more and try Parallels Containers for Windows here.
I will also try to answer all your questions in the comments.

Source: https://habr.com/ru/post/245533/