Now I mentioned when you create your own Docker images, you're going to start with a base container image. In the Docker Hub, Microsoft regularly updates their Windows base OS container images, and you need to know these for your AZ-800 success. There is the Nano Server image. This is the lightest, thinnest version of Windows Server that can run as a container, and it's limited only to .NET Core apps, so it's basically for modern development, not supporting legacy applications. If you do want to containerize .NET Framework and legacy applications, there is a Server Core base image, and then there is even a Windows Server base image that includes almost all of the Windows Server features, including the desktop experience features. Now note, though, that just because that Windows Server image includes almost all of the underlying OS binaries, that does not mean you get a graphical interface. You don't. None of these containers convey a graphical user interface, and that's the point. We want our container images to be as small as possible and to contain only the bits that are needed to run the application. Why? Obviously for security purposes: the smaller the attack surface, the more secure the container is, right? Yeah. Another point is size. Nano Server is going to be the smallest image, the slimmest image. Server Core would be second place, and the Windows Server image is much bigger.

Now we haven't really discussed the notion of Linux versus Windows Server containers. We have dedicated courses in the Pluralsight library on that subject. I'll point you to some of them in the exercise files. I mentioned that Linux is really the home of Docker and containerization. Nowadays, you can do Linux containers on Windows; it's beyond our scope, though, because for the Windows Server hybrid administrator role, we are truly staying with Windows Server. One reason Microsoft formed such a deep partnership with Docker is because they wanted to engineer a way to support Windows Server in a container ecosystem. Hence, these three base images.

Another nice thing that you can do with Windows Server-based Docker containers running on Windows Server hosts is configure isolation modes, and this is the question: how much isolation do you need for your containers running on a Windows Server host? The process isolation type is the main default Docker isolation, where your containers are essentially processes on the same Docker host, and they're using various technologies under the hood in order to isolate those containers from each other. If that doesn't do it for your team from a security perspective and you're looking at Windows Server and not Linux containers, then you can opt for Hyper-V isolation. And what happens here is that you're running your Docker container, your Windows Server Docker container, in basically a slim, highly optimized virtual machine that has its own OS kernel. So Hyper-V isolation presents a way to combine the agility of containerization and the Docker ecosystem with the isolation and security of Hyper-V. Now let's do a demo, and let's light up these concepts.