
Windows 2016 Containers

Containers are portable operating environments which typically utilise the same kernel whilst isolating applications. Software developers use containers to build, ship, and run applications. To the application the container gives the illusion of a totally isolated and independent operating system, in much the same way that a virtual machine doesn’t know it shares compute with other virtual machines; applications within containers are unaware they share a base operating system with other containers.

Using namespace isolation the host projects a virtualised namespace containing all the resources that an application can interact with, such as files, network ports, and running processes. Namespace isolation is extremely efficient since many of the underlying OS files, directories and running services are shared between containers. If and when an application makes changes to these resources then those changes are written to a distinct copy of that file or service using copy-on-write.

Containers house everything an application needs to run, which gives it greater portability and allows for exact copies between development and production environments. By using containers, software developers and IT professionals can also benefit from more efficient use of existing infrastructure, standardised environments, and simplified administration. This is evident from the Microsoft images below.

[Image: deploying applications using traditional virtual machines]

[Image: deploying applications using containers]

The use of containers isn’t new technology; it had been around for years in Linux before the toolset was properly utilised by Docker. Docker is a container technology which automates and simplifies the creation and deployment of containers to build, ship, and run distributed applications from any environment. Docker have partnered with Microsoft to develop a Docker engine for Windows 2016 and Windows 10, enabling users to take advantage of container functionality with Windows.

Windows containers run in two different formats: Windows Server containers, which isolate applications using namespace isolation technology, and Hyper-V containers, which run containers inside optimised virtual machines.

Hyper-V containers have identical functionality to their Windows Server counterparts; the only difference is the isolation of the kernel. Whereas Windows Server containers share the same kernel with other containers and the host, Hyper-V containers provide kernel-level isolation by provisioning an individually optimised virtual machine for each container. A use case for such isolation could be a secure environment such as PCI compliance. Hyper-V containers need nested virtualisation to be enabled and this is currently only compatible with Intel processors.

Windows containers require installation of the Containers feature, and installation of the Docker engine. Once these two components are installed you can go ahead and begin building Windows Server containers.
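With the Docker engine installed, the difference between the two formats can be checked on a running host. The following is an added example, not part of the original post: it lists each running container with its isolation mode and flags the ones that share the host kernel. The function name Get-ContainerIsolation is hypothetical; it assumes the docker CLI is on the PATH.

```powershell
# Added example: report which running containers share the host kernel.
# Get-ContainerIsolation is a hypothetical helper name, not a Docker or Microsoft cmdlet.
function Get-ContainerIsolation {
    # Daemon-wide default isolation, used when a container was started without --isolation
    $daemonDefault = docker info --format '{{.Isolation}}'
    if ($LASTEXITCODE -ne 0) {
        throw 'docker info failed: is the Docker engine installed and running?'
    }
    $daemonDefault = "$daemonDefault".Trim()

    foreach ($id in @(docker ps -q)) {
        $line = docker inspect --format '{{.Name}}|{{.HostConfig.Isolation}}' $id
        $name, $mode = "$line" -split '\|', 2

        # An empty or "default" value means the daemon default applies
        if ([string]::IsNullOrEmpty($mode) -or $mode -eq 'default') {
            $mode = $daemonDefault
        }

        [pscustomobject]@{
            Container        = $name.TrimStart('/')
            Isolation        = $mode                  # 'process' or 'hyperv'
            # Windows Server containers (process isolation) share the host kernel;
            # Hyper-V containers each get their own kernel in a utility VM.
            SharesHostKernel = ($mode -eq 'process')
        }
    }
}

# List every running container, shared-kernel ones first
Get-ContainerIsolation | Sort-Object SharesHostKernel -Descending | Format-Table -AutoSize
```

A workload that needs kernel-level isolation, such as the PCI case above, should show Isolation as hyperv, which is what `docker run --isolation=hyperv` requests.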


Microsoft Azure are offering a free trial with £125 credit. To deploy a Windows 2016 virtual machine and try containers out for yourself, see Azure Virtual Machine Deployment.

See also VMware Container Projects.

Updating WSUS Group Policy

If you need to update group policy to change an update schedule or make other alterations, you can do so even after patches have been approved on the WSUS server.

Open Group Policy Management and browse to the relevant GPO you want to update, then right-click and Edit the GPO. If you’re using Advanced Group Policy Management you’ll need to check out the policy before editing. Expand Computer Configuration > Policies > Administrative Components > Windows Components > Windows Update.


Double-click the setting you want to change and update as appropriate. For the purpose of this post I have updated the scheduled install day from ‘1 – Every Sunday’ to ‘4 – Every Wednesday’.


Click OK to save the change. If you’re using Advanced Group Policy Management you’ll need to right-click the GPO and check in, and then deploy the GPO.

Depending on your environment you may need to wait a short while for replication. You can force a group policy refresh on a server by running gpupdate /force from the command line. Furthermore, if you are running Windows 2012 or 2012 R2 you can right-click an OU in Group Policy Management and select Group Policy Update.


We can test if the group policy has updated by opening the registry on one of the servers and browsing to: COMPUTER\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU. Cross check the settings in the registry with those you changed on the group policy.


You’ll notice straight away that the data is a decimal or hexadecimal value; you may have noticed too that the options in the GPO editor had a corresponding number. In this case I changed the scheduled install day from ‘1 – Sunday’ to ‘4 – Wednesday’, and the value of the registry option ScheduledInstallDay has changed from 1 to 4, so I know the change has taken effect.

Another important thing to note is the UseWUServer option: this must be set to 1 to use a WSUS server, or none of the other options apply. You can go up a level to ‘Windows Update’ to check the configured Windows Update server.

Finally, here is a really useful list of registry values for Automatic Updates: https://technet.microsoft.com/en-us/library/dd939844%28v=ws.10%29.aspx.
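The registry check described above can be scripted rather than done by eye. The following is an added example, not part of the original post: it reads the policy values, decodes ScheduledInstallDay, and reports anything that does not match what the GPO should have set. The function name Get-WsusPolicyState is hypothetical, and the check for an https:// WSUS URL is an extra check that the post does not mention.

```powershell
# Added example: audit the Windows Update policy values that Group Policy wrote to the registry.
# Get-WsusPolicyState is a hypothetical helper name, not a built-in cmdlet.
function Get-WsusPolicyState {
    param(
        [int]$ExpectedInstallDay = 4   # 4 = Wednesday, the value set in this post
    )
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'
    # ScheduledInstallDay: 0 = every day, 1..7 = Sunday..Saturday (the numbers shown in the GPO editor)
    $dayNames = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'

    if (-not (Test-Path $auKey)) {
        throw "$auKey not found: no Windows Update policy has applied to this machine."
    }
    $wu  = Get-ItemProperty -Path $wuKey
    $au  = Get-ItemProperty -Path $auKey
    $day = $au.ScheduledInstallDay     # $null when the value is not configured

    $findings = @()
    if ($au.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1, so the WSUS server setting is not in use.'
    }
    if ($day -ne $ExpectedInstallDay) {
        $findings += "ScheduledInstallDay is '$day', expected $ExpectedInstallDay."
    }
    # Extra check (not from the post): update traffic to WSUS over plain HTTP is not protected in transit
    if ($wu.WUServer -and $wu.WUServer -notmatch '^https://') {
        $findings += "WUServer '$($wu.WUServer)' is not an https:// URL."
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        WUServer             = $wu.WUServer
        UseWUServer          = $au.UseWUServer
        ScheduledInstallDay  = $day
        InstallDayName       = if ($null -ne $day -and $day -in 0..7) { $dayNames[$day] } else { 'not set' }
        ScheduledInstallTime = $au.ScheduledInstallTime
        Findings             = $findings
    }
}

# An empty Findings list means the registry matches the GPO change
Get-WsusPolicyState -ExpectedInstallDay 4 | Format-List
```

To check several servers after a gpupdate, the same function can be passed to Invoke-Command with -ScriptBlock ${function:Get-WsusPolicyState}, since it keeps all of its state inside the function body.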