I thought jobs were used for Windows Containers: "Windows containers utilize job objects to group and track processes associated with each container. Resource controls are implemented on the parent job object associated with the container."
Ah, you are right. I thought it mostly relied on Hyper-V isolation (a bit like core isolation) and the process grouping was mostly a bonus inside the Hyper-V context, but apparently this works without Hyper-V as well so it would make sense that you'd just use the Job API.
Maybe if there was some ProjFS-style text I/O for the Job API someone would have made an OCI-like container format, but I suppose even then it would be too different to be embraced like Docker was when it was released. You'd need to have it combined with WinFsp or a FUSE-alike adapter and it might even be possible to have layers and use a union/merge/overlay FS. Putting that side-by-side with containerd and cgroups2, it would still look rather Frankenstein-ish; not very Windows-y, and not Linux-ish either.
MSIX files are Microsoft's equivalent of OCI containers and do all those things. It's not well known but here's a brief rundown of the format and tech:
- They're zips (sorta, but you can't make them with any existing zip library)
- They can contain VFS overlays for system directories. Files placed inside the package under the VFS directory will appear at runtime as if they are installed to c:\Windows\System32 and other well known locations, but only for apps within that package. This is built using an equivalent of unionfs called bindflt.
- Apps run inside "app containers" which are at the lower levels composed of job objects and other kernel features. App containers are the basis of all sandboxing on Windows and are the closest equivalent of cgroups.
- Writes to the user's home directory are transparently redirected to a separate directory specific to that package. This allows data to be cleaned on uninstall.
- You can express various integration points in a declarative manifest file, install/uninstall/download them from the CLI, and individual packages have update feeds a bit like a Docker repository.
There are some differences:
- MSIX is designed for desktop apps, not servers.
- There's no concept of layering like Docker has.
- A Docker repository is a relatively heavy serverish thing. MSIX packages can have a stream of updates expressed, but it's done by just publishing an XML file to a web server.
- MSIX doesn't try to wrap an entire Windows userland in the same way that Docker images ship entire copies of Linux userland. It's all about overlay filesystems.
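As an added illustration (not from the thread or from Microsoft's documentation), here is a constructed package layout and a minimal AppxManifest.xml for a hypothetical classic Win32 app packaged as MSIX, showing where the VFS overlay and the declarative manifest from the list above live; all names, versions and paths are placeholders.

```xml
<!-- Constructed illustration: layout of a hypothetical MSIX package.
  ExampleApp.msix (zip-like container)
    AppxManifest.xml              declarative manifest, below
    ExampleApp.exe
    VFS/                          overlay root merged by bindflt over the real tree
      SystemX64/example.dll       seen by this package as C:\Windows\System32\example.dll
      ProgramFilesX64/Example/    seen by this package as C:\Program Files\Example\
  Only processes belonging to this package see the overlaid files.
  Writes the app makes under the user profile are redirected to
  %LOCALAPPDATA%\Packages\<PackageFamilyName>\LocalCache (placeholder
  family name), which is removed on uninstall. -->
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
         xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
         xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities">
  <!-- Identity: package name, signing publisher (must match the signing cert subject), version -->
  <Identity Name="Example.App" Publisher="CN=ExamplePublisher" Version="1.0.0.0" ProcessorArchitecture="x64"/>
  <Properties>
    <DisplayName>Example App</DisplayName>
    <PublisherDisplayName>Example Publisher</PublisherDisplayName>
    <Logo>Assets\Logo.png</Logo>
  </Properties>
  <Dependencies>
    <TargetDeviceFamily Name="Windows.Desktop" MinVersion="10.0.17763.0" MaxVersionTested="10.0.19041.0"/>
  </Dependencies>
  <Resources>
    <Resource Language="en-us"/>
  </Resources>
  <Applications>
    <!-- EntryPoint Windows.FullTrustApplication marks a packaged classic Win32 app -->
    <Application Id="ExampleApp" Executable="ExampleApp.exe" EntryPoint="Windows.FullTrustApplication">
      <uap:VisualElements DisplayName="Example App" Description="Example" BackgroundColor="transparent"
                          Square150x150Logo="Assets\Square150x150Logo.png" Square44x44Logo="Assets\Square44x44Logo.png"/>
    </Application>
  </Applications>
  <Capabilities>
    <!-- runFullTrust is a restricted capability; it is declared in plain text here,
         so anyone inspecting the package can see which packages request it. -->
    <rescap:Capability Name="runFullTrust"/>
  </Capabilities>
</Package>
```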
But that's the problem, isn't it? It tries to be too much of an 'enterprise solution' instead of a developer-centric ship-your-stuff method. It's not getting traction, and it's not compatible with anything.
It's technically a correct format, but that's not what you need to get a thriving ecosystem.
It is getting traction for everyone targeting the Windows Store, and long term, as discussed at Blue Hat IL 2023, Windows will be locked down by default.
This is just the first step of the roadmap that was discussed at the conference.
Developer certificates are also coming, just like on macOS.
All security knobs enabled by default, no longer opt-in.
So in essence it's getting no traction, it's just force-fed (which doesn't require traction) and only if you are targeting the Windows Store. This is the same pattern as they followed with all the other attempts Microsoft made over the years; I doubt the result will be any different.
So from a developer perspective (in the OCI ecosystem), it's perhaps 10% new GUI stuff, and then 10% of what Docker does, and Docker doesn't even do its own stuff all that well. Unless someone really wants that GUI stuff (as in, presenting the packaged application with a GUI, something OCI doesn't do well), this will never get picked unless forced, and if forced people will not use it because they enjoy it or because it has ecosystem traction, but because they were forced.
Again, it doesn't matter how correct it is, what features it does have or how it compares to all the other attempts from the past, what matters is that unless a developer is in the single scenario where they are forced to use it, they will probably ignore it.
Granted, before we got into the 'Microsoft container concepts suck' thread, this article was specifically about Win32 app isolation, so if we look at it from that perspective, this is a step up. But that's not where the mindshare or the money is.
If you had spent any time reading the related Blue Hat content, this is the first step, alongside developer certificates, to bring the UWP model across all Windows workloads.
You can then either switch to macOS or ChromeOS with similar models already, use one of the mobile OSes, which have used such restrictions for years, or maybe it is finally when the exodus to Linux Desktop takes place.
I'm not really interested in that dead-end avenue. Bulk usage is all browser based, most basic applications that do have a desktop-based client are essentially packaged chrome browsers, and high-performance apps are so custom and so tied to old APIs that they wouldn't work with any of the new container methods Microsoft attempted over the years.
Windows workloads are getting smaller, not bigger.
This attempt at yet another Microsoft iteration of things like flatpak/docker/dpkg/rpm/nix etc. is no more likely to be embraced than the previous ones. There is a reason default packaging of popular software is still SFX packages spewing files all over the place and not MSI or MSIX. The former is usually only included as an alternative (i.e. Chrome's "Enterprise" version) because tools like SCCM are not very useful without it.
I'm surprised after 14 replies you are still completely missing the point. This has nothing to do with 'windows bad' or 'app sandboxing bad' or 'haha desktop' or some nonsense like that (which is what you seem to be interpreting every time).
This has to do with Microsoft trying to re-invent the wheel time after time, and consistently failing (within their own ecosystem) because they build things that contradict the desired user experience, which prevents adoption. And by adoption, I mean the same kind of adoption that Docker (now OCI) has.
That is not a direct link between desktop-app sandboxing vs. microservice containers, but a comparison between doing things good enough for mass usage (Docker) vs. trying to do it 'the enterprise way' (every attempt beyond win32 so far, including COM, MSI and APPX). And it's not about their technology having bugs either (every tech does, not just MS-tech), plenty of the technical aspects are fine, but that alone is not going to drive adoption as the last few decades have shown.
https://learn.microsoft.com/en-us/virtualization/windowscont...