As a Developer I want to be able to build Windows Containers with BuildKit

[bplasmeijer]

The windows BuildKit is only supported on Linux

[jsturtevant]

It is possible to use buildx (which uses buildkit) if there are no RUN commands in the docker file:

docker buildx create --name img-builder --use
docker buildx build --no-cache --pull --push \
  --platform "windows/amd64" -t $imagetag -f $dockerfile .
docker buildx rm img-builder

ARG nanoserverTag="mcr.microsoft.com/windows/nanoserver:1809-amd64"
# othertags list: curl -L https://mcr.microsoft.com/v2/windows/nanoserver/tags/list

FROM ${nanoserverTag}
COPY some.exe "/Windows/System32/some.exe"

It would be interesting to see if could use some windows emulator connected to Binfmt_misc as QEMU is used for other architectures

[jorgearteiro]

There is an issue logged on BuildKit repo https://github.com/moby/buildkit/issues/616

[TBBle]

@jsturtevant If you wanted to go down that path, I believe Wine can be used with binfmt_misc, although I'm not sure how well that would work with namespaces since there's a WineServer and configuration directory to create, and you probably don't want that in the final image...

It would be easier to prototype that on a raw Linux box than via the Linux support in Docker on Windows, I think.

[ghost]

This issue has been open for 30 days with no updates. @immuzz, please provide an update or close this issue.

[TBBle]

Current status of my work on https://github.com/moby/buildkit/issues/616 is that it's stalled waiting on a pile of 4 containerd PRs to be reviewed and advanced. The top of the stack is https://github.com/containerd/containerd/pull/4419, but there's some outstanding design questions on the top two PRs regarding HCS behaviours, see https://github.com/microsoft/hcsshim/issues/853, but the bottom two are just pending containerd maintainer review to merge or rework as appropriate.

And after that, will come fixing path-related issues in the BuildKit LLB layer, for which I'd only scratched the surface of in https://github.com/moby/buildkit/pull/1621, exploring the solution space, and which needs to be reworked per maintainer feedback.

[ghost]

This issue has been open for 30 days with no updates. @immuzz, please provide an update or close this issue.

[TBBle]

Status unchanged, still waiting on merging or feedback on containerd support for Windows container creation/export/mount support, and then continuing the work on BuildKit itself, starting from https://github.com/moby/buildkit/pull/1621

[immuzz]

@kevpar Do you have any information on the containerd PRs mentioned above?

[ghost]

This issue has been open for 30 days with no updates. @immuzz, please provide an update or close this issue.

[ghost]

This issue has been open for 30 days with no updates. @immuzz, please provide an update or close this issue.

[TBBle]

Still working through containerd PRs per above. One of four has landed, and one needs to be rewritten or at least iterated upon further. I've also opened PR on hcsshim again to remove some duplication of code with the containerd PRs.

That said, Docker is looking at supporting containerd on Windows for 21.x (https://github.com/moby/moby/issues/41455), which might mean we get BuildKit on Docker+containerd even without that containerd PR stack, as the parts I was trying to implement in containerd (WCOW layer management) are provided by Docker when Docker uses containerd, as far as I know.

I haven't looked closely at how BuildKit integrates with Docker though, it's possible it'll still need fixes in containerd, and either way, BuildKit itself has higher-level issues to be resolved, e.g., https://github.com/moby/buildkit/pull/1621.

[ghost]

This issue has been open for 30 days with no updates. @immuzz, please provide an update or close this issue.

[TBBle]

Not much has changed since December. The containerd PRs are now in a reasonable state, two are ready-to-go and one (https://github.com/containerd/containerd/pull/4419) is functional but possibly needs some discussion about the test suite changes, and depends on a hcsshim feature PR (https://github.com/microsoft/hcsshim/pull/901).

Some recent testing suggests that that hcsshim PR might have issues with Windows 10 20H2 that don't appear on Windows Server LTSC2019, but I haven't definitely proved that as I have only tested the latter via CI pipelines so far. Edit: Still using CI pipelines, I confirmed that the PR works on RS5 on AppVeyor (VS 2019 image), but fails on my personal Windows 10 20H2 box, suggesting that some part of the reverse engineering used to build that PR was incorrect or incomplete.

[immuzz]

@weijuans-msft can you provide clarity here as part of your effort to provide containerd parity with Docker developer experience.

[ghost]

This issue has been open for 30 days with no updates. @weijuans-msft, please provide an update or close this issue.

[TBBle]

Compared to January, I've identified and have a fix for the issue that https://github.com/microsoft/hcsshim/pull/901 shows on Windows 10 20H2, but that PR is still pending merge, and then the fix will be up for PR.

The containerd PRs (https://github.com/containerd/containerd/pull/4399, https://github.com/containerd/containerd/pull/4415, and https://github.com/containerd/containerd/pull/4419) should all be in a reasonable state to flow through, although the latter depends on https://github.com/microsoft/hcsshim/pull/901, often triggers a now-known containerd issue (https://github.com/containerd/containerd/issues/4924) in its test suite, and also frequently triggers an unknown (hcsshim?) issue that I've yet been unable to replicate outside containerd.

It's possible that the Docker/containerd integration for Windows (https://github.com/moby/moby/issues/41455 is the best place to track that) will mean some or all of those PRs stop being critical-path for BuildKit on Windows, and then the BuildKit-local platform issues (i.e. filesystem handling and similar) can be addressed.

[weijuans-msft]

@TBBle great work here! I changed this to "In Progress" as I am seeing you and lots of others in the moby and containerd community working on this. Thank you.

[ghost]

This issue has been open for 30 days with no updates. @weijuans-msft, please provide an update or close this issue.

[ghost]

This issue has been open for 30 days with no updates. @weijuans-msft, please provide an update or close this issue.

[ghost]

This issue has been open for 30 days with no updates. @weijuans-msft, please provide an update or close this issue.

[grochoge]

Without this, is there any good way to handle build-time secrets for Windows containers?

[TBBle]

One kind-of heavy-weight option, used by ue4-docker, is running a service outside the container that exposes the secret, and have the container image build pull that secret over the network connection.

You can see ue4-docker's implementation of the external host and a Git Credential Helper to query it, including a generated token to provide the bare-minimum protection.

A significant cost to this approach is that the token ends up in the image as a build-arg, so layer caching is confounded; I don't know if the same thing happens when using BuildKit secret mounts, but I assume not.

In ue4-docker's case, the container builds are done under control of the script, so the credential endpoint is served by the script, rather than being left running all the time, which make this approach more feasible than it would be for just a Dockerfile being distributed for use with docker build.

[ghost]

This issue has been open for 30 days with no updates. @weijuans-msft, please provide an update or close this issue.

[meirgbinahai]

I'd love to assist, as I really need this feature to speed up the process of building Docker Windows images.

Is there any way to build stages in parallel in Windows without using BuildKit?

[ghost]

This issue has been open for 30 days with no updates. @weijuans-msft, please provide an update or close this issue.

[ghost]

This issue has been open for 30 days with no updates. @weijuans-msft, please provide an update or close this issue.

[viceice]

Can somebody please freeze this issue? 😕

[weijuans-msft]

I don't know if we can freeze issues. If anyone knows, let me know :).

I could use help to be enlightened on the benefit or the pain points this can address. I see these so far in this thread:

• containerd parity
• Run Linux and Windows container side by side
• Can use secrets

What else?

How does this help in your or your company's modernization effort? Is this really Developer centric or it can add value to your DevOps in production?

[timja]

We would like this so that eventually docker buildx bake support can be added so that we can define one hcl file with all our image builds declaratively configuring things like image tags and args, along with parallel builds out of the box. We use this on linux right now and it works really well.

[darkvertex]

What else?

Off the top of my head, I'd bring up:

• BuildKit automatically parallelizes multi-stage builds for you. It's probably my favorite feature. See: https://www.gasparevitta.com/posts/advanced-docker-multistage-parallel-build-buildkit/

• If you manage a container build farm or CI system with many workers, BuildKit makes it easy to share Docker build caches across several machines, which can speed up similar builds across them. See: https://link.medium.com/VYWZJPwnVkb

• Other projects exclusively dependant on BuildKit would finally support Windows, like the wonderful "Earthly", sort of Makefile Dockerfile hybrid built upon the BuildKit core APIs. See: https://earthly.dev (Only for Linux containers at this time due to the missing Windows BuildKit support.)

If I think of more I'll extend this list. 🤔

[FaustinCarter]

I'd like to add:

• passing secrets in as build args

[darkvertex]

I remembered another big useful feature: Buildkit has "build-time mounts" support.

Everyone knows about --mount=type=secret to access secret files without baking them in the image layers, but did you know Buildkit also offers:

• --mount=type=bind to bindmount non-sensitive stuff at build time temporarily that that is outside of your build context.
• --mount=type=cache to make a cache path survive between runs, speeding up your builds. You can use this to cache Go packages, pip build caches, Rust crate caches, apt-get caches and so on!
• Mounting secrets is one thing, but if you're just using them for SSH access don't do that and use --mount=type=ssh which lets you do SSH agent forwarding for a singular RUN statement, making SSH connections magically work at build time without having to bake in your keys or mount them via secret mounts.

[snorrk]

Not being able to pass secrets into the Windows container build is painful - for us it means copying down files to the container build host (since that requires a secret) and then having docker slowly discover the container build context and copy the files into the container during the container build (double I/O).

It would be much better to be able to just download the files inside the container as part of the container build.

[ghost]

This issue has been open for 30 days with no updates. @weijuans-msft, please provide an update or close this issue.

[ghost]

This issue has been open for 30 days with no updates. @weijuans-msft, please provide an update or close this issue.

[ghost]

This issue has been open for 30 days with no updates. @weijuans-msft, please provide an update or close this issue.

[ghost]

This issue has been open for 30 days with no updates. @weijuans-msft, please provide an update or close this issue.

[krokofant]

Thank you @msftbot for the monthly reminder that nothing has changed. 👀

[slonopotamus]

What do you expect from Microsoft here? You want them to write and submit patches that add Windows support to BuildKit? Why they would do it? Looking at how https://github.com/microsoft/hcsshim/pull/901 is stuck waiting for approval for around a year, it would be more effective to remove Microsoft from dependency chain of this feature.

[agowa]

What do you expect from Microsoft here? You want them to write and submit patches that add Windows support to BuildKit? Why they would do it?

@slonopotamus because of the huge differences in how windows containers and linux containers work. I dought that anyone else has enough knowledge about the internals to do it...

[cwilhit]

Hi all, in effort to reduce spam of the beloved msftbot asking for status ten times over, I am going to freeze conversation on this issue (hoping it pauses the bot spam in the process). Given this issue has over 80 emoji reactions, we hear you loud and clear this is something you as developers would like to see. If and when we have a concrete update to share on our investments in this area, we will reply here and unfreeze the issue.

[fady-azmy-msft]

FYI @muzz

[ghost]

This issue has been open for 30 days with no updates. @immuzz, please provide an update or close this issue.

[bplasmeijer]

Checking the latest status

[TBBle]

Current status on my end:

• https://github.com/microsoft/hcsshim/pull/901 has cleared its legal concerns, but needs some updating and the rest of its tests written. (Which hopefully will reproduce the issue I've seen in containerd with this code, so I can fix it)
• https://github.com/containerd/containerd/pull/4419 is the last containerd PR in the series of PRs that should fulfill BuildKit's requirements to function on WCOW. However, it still has a snapshotter test suite failure (on LTSC2019), and a bunch of stuff in there is somewhat hacky and needs to be unhacked.
• Then someone can come back to https://github.com/moby/buildkit/issues/616 and work through whatever's bitrotted in BuildKit since I got (hacky, incomplete, and rather faulty) WCOW support working years ago.

I do plan to continue trying to get this working, but I'm not going to be able to do much for the next month or two at least, due to personal-life things, e.g., moving home.

I don't know how BuildKit integrates into docker buildx, so it's possible that some of the above could be shortcut by the upcoming Docker 22.06 release's support for containerd on Windows. However I suspect that at the very least https://github.com/microsoft/hcsshim/pull/901 would need to be completed and integrated into Docker's storage system; possibly it'd also need https://github.com/containerd/containerd/pull/4419 since parts of that are directly compiled into BuildKit.

[bplasmeijer]

I dump again into the deep here. where are we with containerd and building windows containers with podman, nerdctl? cc: @jsturtevant

[jsturtevant]

nerdctl uses build kit. Buildkit support is still in progress, you can see the relevant PRs in https://github.com/microsoft/Windows-Containers/issues/34#issuecomment-1235634370.

I am not sure how podman builds containers.

[bplasmeijer]

@TBBle any update from your side? I am checking myself now.

[TBBle]

Nothing from me personally since September 3rd, I'm still on sabbatical. One or two other people have been pushing at the same and related PRs in my absence, but I can't report any measurable progress here.

[bplasmeijer]

Nothing from me personally since September 3rd, I'm still on sabbatical. One or two other people have been pushing at the same and related PRs in my absence, but I can't report any measurable progress here.

Thanks, keep enjoying your ooo.