Windows 11 Process Isolation of Windows Server 2022 (Preview) fails to expose/forward ports properly
Describe the bug
According to the docs, running Windows Server 2022 containers on a Windows Client 11 host using Process Isolation is supported and it's currently in Preview mode. When I attempt to run a simple IIS container exposing port 80, I'm unable to get a response when attempting to connect on the host side of port 80. Doing it within the container works fine, and switching to hyperv isolation works too, but we wanted this specifically to run with process isolation so we can mount high I/O volumes within the container, which are unusable when using hyperv isolation bind mounts.
To Reproduce
Steps to reproduce the behavior:
- Build a simple IIS container using the following Dockerfile (docker build -t test .):

    FROM mcr.microsoft.com/windows/servercore:ltsc2022
    RUN dism.exe /online /enable-feature /all /featurename:iis-webserver /NoRestart
    RUN echo "Hello World - Dockerfile" > c:\inetpub\wwwroot\index.html
    EXPOSE 80
    CMD powershell -command "\
        Start-Job { \
            while ($true) { \
                Invoke-WebRequest -UseBasicParsing localhost; \
                Sleep 1; \
                netsh http flush logbuffer; \
            } \
        };\
        Sleep 2; \
        Write-Host 'Waiting for logs...'; \
        Get-ChildItem C:\inetpub\logs\LogFiles\w3svc1\ | Get-Content -wait \
    "

- Run a container using process isolation from the built image, mapping the exposed port 80:

    docker run -it --isolation=process -p 80:80 test

- Attempt to access port 80 from the host:

    curl -v http://localhost
    curl -v http://127.0.0.1
    curl -v http://[::1]

  or any of the local IPs such as the nat interface created by docker.
Expected behavior
Should be able to connect and receive a response from IIS.
Configuration:
- Edition: Windows 11 22H2 OS Build 22621.2283
- Base Image being used: Windows Server Core 2022 (mcr.microsoft.com/windows/servercore:ltsc2022)
- Container engine: Docker
- Container Engine version: 24.0.6
Additional context
Doing the same on a Windows Server 2022 host works as expected with process isolation.
@robertoandrade, were there any errors returned by docker or the docker logs during the time of container creation? Also please share the output of the below commands. We can check if any other applications are already using port 80 and check the state of the port mapping policy on the endpoint.
- Reproduce the port connectivity failure
- Run netstat -ab on the container host
- Run Get-HNSEndpoint on the host
Closing issue because it's going stale.
I have the same issue. Please re-open. I can provide more info if needed.
I have an even simpler repro case:
docker run -it --isolation=process -p 8080:80 mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2022
When running this command on Windows 11 there are no visible errors. Just there is no IIS available under localhost:8080.
Running the same command on Windows Server 2022 works and the IIS is reachable.
Replacing --isolation=process with --isolation=hyperv also works on Windows 11.
I just tried to repro this with your command and was able to launch the website:
Please note the service on the IIS image has been stopped and started after a moment. The IIS image has an Entrypoint to the ServiceMonitor.exe, so it's not a good image to try using -it. Can you try the same with the -d option (running the command detached)?
Also, for reference, when using -it you might want to add powershell to the end of the command, so the shell enters a PS session:
docker run -it --isolation=process -p 8080:80 mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2022 powershell
Note: I'm running Windows 11 as the host.
I tried with -d instead of -it but the result was the same. As before it works for me with --isolation=hyperv but not with --isolation=process. I just added the -it before to see the output of starting and stopping the service and also be able to terminate the container with Ctrl-C for testing.
Let me know what else could be helpful to debug this.
This issue has been open for 30 days with no updates. @kestratt, @ntrappe-msft, please provide an update or close this issue.
@diekleinekuh
Were there any errors returned by docker or the docker logs during the time of container creation? Also please share the output of the below commands. We can check if any other applications are already using port 8080 and check the state of the port mapping policy on the endpoint.
- Reproduce the port connectivity failure
- Run netstat -ab on the container host
- Run Get-HNSEndpoint on the host
Closing issue because it's going stale.
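
The diagnostics requested by the maintainers in this thread (who is listening on the published port, and whether an HNS endpoint carries a port mapping policy for it), combined into one PowerShell script. This is an added example, not code from the issue or from Microsoft; the function name Get-PortMappingPolicy, the constructed sample endpoint, and the assumed shape of the Policies entries (Type, Protocol, InternalPort, ExternalPort) are illustrative assumptions.

```powershell
# Added example: check one published host port against HNS endpoint policies.
# Assumption: each endpoint object has Name, IPAddress and a Policies array whose
# NAT entries expose Type, Protocol, InternalPort and ExternalPort.
function Get-PortMappingPolicy {
    param(
        [object[]] $Endpoint,   # objects shaped like Get-HNSEndpoint output
        [int] $HostPort         # host side of "docker run -p HostPort:ContainerPort"
    )
    foreach ($ep in $Endpoint) {
        foreach ($p in @($ep.Policies)) {
            if ($p.Type -eq 'NAT' -and [int]$p.ExternalPort -eq $HostPort) {
                [pscustomobject]@{
                    Endpoint     = $ep.Name
                    ContainerIP  = $ep.IPAddress
                    Protocol     = $p.Protocol
                    ExternalPort = [int]$p.ExternalPort
                    InternalPort = [int]$p.InternalPort
                }
            }
        }
    }
}

# Constructed sample (not real output) so the function can be tried offline.
$sample = @'
[{"Name":"Ethernet","IPAddress":"172.25.112.10",
  "Policies":[{"Type":"NAT","Protocol":"TCP","InternalPort":80,"ExternalPort":8080}]}]
'@ | ConvertFrom-Json
Get-PortMappingPolicy -Endpoint $sample -HostPort 8080

# On the container host (elevated prompt), after reproducing the failure:
if (Get-Command Get-HNSEndpoint -ErrorAction SilentlyContinue) {
    $hostPort = 8080
    # Is another application already listening on the port? (the "netstat -ab" question)
    Get-NetTCPConnection -State Listen -LocalPort $hostPort -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess,
            @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }
    # Does any endpoint carry a NAT policy that publishes this port?
    $found = Get-PortMappingPolicy -Endpoint @(Get-HNSEndpoint) -HostPort $hostPort
    if ($found) { $found } else { Write-Warning "No NAT policy publishes host port $hostPort" }
}
```

A listener owned by an unrelated process, or a missing NAT policy for the published port, are the two conditions the requested netstat -ab and Get-HNSEndpoint output would be inspected for.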