├── .github
│   └── workflows
│       └── build.yaml
├── .gitignore
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
├── New-HostProcessBaseImage.ps1
├── README.md
├── SECURITY.md
├── SUPPORT.md
├── cc0-legalcode.txt
└── cc0-license.txt


/.github/workflows/build.yaml:
--------------------------------------------------------------------------------
name: host-process-scratch-image

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  workflow_dispatch:

jobs:
  build:
    runs-on: windows-2022
    steps:
      - uses: actions/checkout@v2
      - name: build image
        run: |
          .\New-HostProcessBaseImage.ps1

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
/build

--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
# Microsoft Open Source Code of Conduct

This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).

Resources:

- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a
Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide
a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions
provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

## Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft
trademarks or logos is subject to and must follow
[Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general).
Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship.
Any use of third-party trademarks or logos are subject to those third-party's policies.

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) Microsoft Corporation.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE

--------------------------------------------------------------------------------
/New-HostProcessBaseImage.ps1:
--------------------------------------------------------------------------------
Remove-Item -Path "build" -Force -Recurse -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path "build" | Out-Null
New-Item -ItemType Directory -Path "build\layer" | Out-Null

# Create the files that ProcessBaseLayer on Windows validates when unpacking images.
# These files can be empty, they just need to exist at specific paths.
New-Item -ItemType Directory -Path "build\layer\Files\Windows\System32\config" -Force | Out-Null
foreach ($f in @('DEFAULT', 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM')) {
    New-Item -ItemType File -Name $f -Path "build\layer\Files\Windows\System32\config" | Out-Null
}

# Add CC0 license to image.
Copy-Item -Path "cc0-license.txt" -Destination "build\layer\Files\License.txt"
Copy-Item -Path "cc0-legalcode.txt" -Destination "build\layer\Files\cc0-legalcode.txt"

# Create layer.tar
Push-Location build\layer
if ($IsLinux) {
    tar -cf layer.tar Files
} else {
    tar.exe -cf layer.tar Files
}
Pop-Location

# Get hash of layer.tar
$layerHash = (Get-FileHash -Algorithm SHA256 "build\layer\layer.tar").Hash.ToLower()
Write-Output "layer.tar hash: $layerHash"

# Add json and VERSION files for layer
New-Item -ItemType Directory -Path "build\image\${layerHash}" | Out-Null
"1.0" | Out-File -FilePath "build\image\${layerHash}\VERSION" -Encoding ascii
Copy-Item -Path "build\layer\layer.tar" -Destination "build\image\${layerHash}\layer.tar"

$now = [DateTime]::UtcNow.ToString("o")
@"
{
    "id": "${layerHash}",
    "created": "${now}",
    "container_config": {
        "Hostname": "",
        "Domainname": "",
        "User": "",
        "AttachStdin": false,
        "AttachStdout": false,
        "AttachStderr": false,
        "Tty": false,
        "OpenStdin": false,
        "StdinOnce": false,
        "Env": null,
        "Cmd": null,
        "Image": "",
        "Volumes": null,
        "WorkingDir": "",
        "Entrypoint": null,
        "OnBuild": null,
        "Labels": null
    },
    "config": {
        "Hostname": "",
        "Domainname": "",
        "User": "ContainerUser",
        "AttachStdin": false,
        "AttachStdout": false,
        "AttachStderr": false,
        "Tty": false,
        "OpenStdin": false,
        "StdinOnce": false,
        "Env": null,
        "Cmd": [
            "c:\\windows\\system32\\cmd.exe"
        ],
        "Image": "",
        "Volumes": null,
        "WorkingDir": "",
        "Entrypoint": null,
        "OnBuild": null,
        "Labels": null
    },
    "architecture": "amd64",
    "os": "windows"
}
"@ | Out-File -FilePath "build\image\${layerHash}\json" -Encoding ascii


# Create the image config and manifest files
@"
{
    "architecture": "amd64",
    "config": {
        "Hostname": "",
        "Domainname": "",
        "User": "",
        "AttachStdin": false,
        "AttachStdout": false,
        "AttachStderr": false,
        "Tty": false,
        "OpenStdin": false,
        "StdinOnce": false,
        "Env": null,
        "Cmd": [
            "c:\\windows\\system32\\cmd.exe"
        ],
        "Image": "",
        "Volumes": null,
        "WorkingDir": "",
        "Entrypoint": null,
        "OnBuild": null,
        "Labels": null
    },
    "created": "${now}",
    "history": [
        {
            "created": "${now}"
        }
    ],
    "os": "windows",
    "rootfs": {
        "type": "layers",
        "diff_ids": [
            "sha256:${layerHash}"
        ]
    }
}
"@ | Out-File -FilePath "build\image\config.json" -Encoding ascii
$configHash = (Get-FileHash -Algorithm SHA256 "build\image\config.json").Hash.ToLower()
Move-Item -Path "build\image\config.json" -Destination "build\image\${configHash}.json"

@"
[
    {
        "Config": "${configHash}.json",
        "Layers": [
            "${layerHash}/layer.tar"
        ]
    }
]
"@ | Out-File -FilePath "build\image\manifest.json" -Encoding ascii

# Tar the image
if ($IsLinux) {
    tar -cf "build/windows-host-process-containers-base-image.tar" -C "build/image" .
}
else {
    tar.exe -cf "build\windows-host-process-containers-base-image.tar" -C "build\image" .
}

# Output a file with the image hash so we can import/push the image from CI
"${configHash}" | Out-File -FilePath "build\image-id.txt" -Encoding ascii -NoNewline

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# HostProcess container base image

## Overview

This project produces a minimal base image that can be used with [HostProcess containers](https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/).

This image *cannot* be used with any other type of Windows container (process isolated, Hyper-V isolated, etc.).

### Benefits

Using this image as a base for HostProcess containers has a few advantages over using other base images for Windows containers, including:

- Size - This image is a few KB. Even the smallest official base image (NanoServer) is still a few hundred MB in size.
- OS compatibility - HostProcess containers do not inherit the same [compatibility requirements](https://docs.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility) as Windows Server containers, so it does not make sense to include all of the runtime / system binaries that make up the different base layers. Using this image allows a single container image to be used on any Windows Server version, which can greatly simplify container build processes.

## Usage

Build your container from `mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0`.

### Dockerfile example

Create `hello-world.ps1` with the following content:

```powershell
Write-Output "Hello World!"
```

and `Dockerfile.windows` with the following content:

```Dockerfile
FROM mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0

ADD hello-world.ps1 .

ENV PATH="C:\Windows\system32;C:\Windows;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;"
ENTRYPOINT ["powershell.exe", "./hello-world.ps1"]
```

### Build with BuildKit

Containers based on this image cannot currently be built with Docker Desktop.
Instead use BuildKit or other tools.

Example:

#### Create a builder

One-time step:

```cmd
docker buildx create --name img-builder --use --platform windows/amd64
```

#### Build your image

Use the following command to build and push to a container repository:

```cmd
docker buildx build --platform windows/amd64 --output=type=registry -f {Dockerfile} -t {ImageTag} .
```

### Container Manifests

As mentioned in [Benefits](#benefits) above, HostProcess containers can run on any Windows Server version; however,
there is currently logic in containerd to only pull Windows container images if the `OSVersion` defined in the
container manifest matches the `OSVersion` of the node.

When building container images from this base image it is recommended to not include this image in a manifest-list
and also not include *any* platform information in the manifest for now.

Please see https://github.com/containerd/containerd/issues/7431 for more information.

## Licensing

Code in the repository is released under the `MIT` [license](/LICENSE).

The container images produced by this repository are distributed under the `CC0` license.

- [CC0 license](/cc0-license.txt)
- [CC0 legalcode](/cc0-legalcode.txt)

--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------


## Security

Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).

If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below.

## Reporting Security Issues

**Please do not report security vulnerabilities through public GitHub issues.**

Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report).

If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey).

You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc).

Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:

  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
  * Full paths of source file(s) related to the manifestation of the issue
  * The location of the affected source code (tag/branch/commit or direct URL)
  * Any special configuration required to reproduce the issue
  * Step-by-step instructions to reproduce the issue
  * Proof-of-concept or exploit code (if possible)
  * Impact of the issue, including how an attacker might exploit the issue

This information will help us triage your report more quickly.

If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs.

## Preferred Languages

We prefer all communications to be in English.

## Policy

Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd).

--------------------------------------------------------------------------------
/SUPPORT.md:
--------------------------------------------------------------------------------
# Support

## How to file issues and get help

This project uses GitHub Issues to track bugs and feature requests. Please search the existing
issues before filing new issues to avoid duplicates. For new issues, file your bug or
feature request as a new Issue.

For help and questions about using this project, please reach out to the Kubernetes SIG-Windows community.
More information can be found at https://github.com/kubernetes/community/tree/master/sig-windows#contact

## Microsoft Support Policy

Support for this project is limited to the resources listed above.

--------------------------------------------------------------------------------
/cc0-legalcode.txt:
--------------------------------------------------------------------------------
Creative Commons Legal Code

CC0 1.0 Universal

    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
    INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
    HEREUNDER.

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator
and subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for
the purpose of contributing to a commons of creative, cultural and
scientific works ("Commons") that the public can reliably and without fear
of later claims of infringement build upon, modify, incorporate in other
works, reuse and redistribute as freely as possible in any form whatsoever
and for any purposes, including without limitation commercial purposes.
These owners may contribute to the Commons to promote the ideal of a free
culture and the further production of creative, cultural and scientific
works, or to gain reputation or greater distribution for their Work in
part through the use and efforts of others.

For these and/or other purposes and motivations, and without any
expectation of additional consideration or compensation, the person
associating CC0 with a Work (the "Affirmer"), to the extent that he or she
is an owner of Copyright and Related Rights in the Work, voluntarily
elects to apply CC0 to the Work and publicly distribute the Work under its
terms, with knowledge of his or her Copyright and Related Rights in the
Work and the meaning and intended legal effect of CC0 on those rights.

1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not
limited to, the following:

  i. the right to reproduce, adapt, distribute, perform, display,
     communicate, and translate a Work;
 ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or
     likeness depicted in a Work;
 iv. rights protecting against unfair competition in regards to a Work,
     subject to the limitations in paragraph 4(a), below;
  v. rights protecting the extraction, dissemination, use and reuse of data
     in a Work;
 vi. database rights (such as those arising under Directive 96/9/EC of the
     European Parliament and of the Council of 11 March 1996 on the legal
     protection of databases, and under any national implementation
     thereof, including any amended or successor version of such
     directive); and
vii. other similar, equivalent or corresponding rights throughout the
     world based on applicable law or treaty, and any national
     implementations thereof.

2. Waiver. To the greatest extent permitted by, but not in contravention
of, applicable law, Affirmer hereby overtly, fully, permanently,
irrevocably and unconditionally waives, abandons, and surrenders all of
Affirmer's Copyright and Related Rights and associated claims and causes
of action, whether now known or unknown (including existing as well as
future claims and causes of action), in the Work (i) in all territories
worldwide, (ii) for the maximum duration provided by applicable law or
treaty (including future time extensions), (iii) in any current or future
medium and for any number of copies, and (iv) for any purpose whatsoever,
including without limitation commercial, advertising or promotional
purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
member of the public at large and to the detriment of Affirmer's heirs and
successors, fully intending that such Waiver shall not be subject to
revocation, rescission, cancellation, termination, or any other legal or
equitable action to disrupt the quiet enjoyment of the Work by the public
as contemplated by Affirmer's express Statement of Purpose.

3. Public License Fallback. Should any part of the Waiver for any reason
be judged legally invalid or ineffective under applicable law, then the
Waiver shall be preserved to the maximum extent permitted taking into
account Affirmer's express Statement of Purpose. In addition, to the
extent the Waiver is so judged Affirmer hereby grants to each affected
person a royalty-free, non transferable, non sublicensable, non exclusive,
irrevocable and unconditional license to exercise Affirmer's Copyright and
Related Rights in the Work (i) in all territories worldwide, (ii) for the
maximum duration provided by applicable law or treaty (including future
time extensions), (iii) in any current or future medium and for any number
of copies, and (iv) for any purpose whatsoever, including without
limitation commercial, advertising or promotional purposes (the
"License"). The License shall be deemed effective as of the date CC0 was
applied by Affirmer to the Work. Should any part of the License for any
reason be judged legally invalid or ineffective under applicable law, such
partial invalidity or ineffectiveness shall not invalidate the remainder
of the License, and in such case Affirmer hereby affirms that he or she
will not (i) exercise any of his or her remaining Copyright and Related
Rights in the Work or (ii) assert any associated claims and causes of
action with respect to the Work, in either case contrary to Affirmer's
express Statement of Purpose.

4. Limitations and Disclaimers.

 a. No trademark or patent rights held by Affirmer are waived, abandoned,
    surrendered, licensed or otherwise affected by this document.
 b. Affirmer offers the Work as-is and makes no representations or
    warranties of any kind concerning the Work, express, implied,
    statutory or otherwise, including without limitation warranties of
    title, merchantability, fitness for a particular purpose, non
    infringement, or the absence of latent or other defects, accuracy, or
    the present or absence of errors, whether or not discoverable, all to
    the greatest extent permissible under applicable law.
 c. Affirmer disclaims responsibility for clearing rights of other persons
    that may apply to the Work or any use thereof, including without
    limitation any person's Copyright and Related Rights in the Work.
    Further, Affirmer disclaims responsibility for obtaining any necessary
    consents, permissions or other rights required for any use of the
    Work.
 d. Affirmer understands and acknowledges that Creative Commons is not a
    party to this document and has no duty or obligation with respect to
    this CC0 or use of the Work.

--------------------------------------------------------------------------------
/cc0-license.txt:
--------------------------------------------------------------------------------
Windows-host-process-containers-base-image by Microsoft Corporation.

To the extent possible under law, the persons who associated CC0 with
Windows-host-process-containers-base-image has waived all copyright
and related or neighboring rights to this work.

You should have received a copy of the CC0 legalcode along with this
work. If not, see .

--------------------------------------------------------------------------------
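
An added example, not part of this repository: a Python check of the tarball that `New-HostProcessBaseImage.ps1` writes, confirming that the config file is named by its SHA-256, that `diff_ids` and the layer directory match the hash of `layer.tar`, and that the layer holds only the five empty hive placeholders and the two license files. The function names and the in-memory sample image are constructed for illustration.

```python
import hashlib
import io
import json
import tarfile

# Layer contents that New-HostProcessBaseImage.ps1 is expected to produce.
HIVES = {"Files/Windows/System32/config/" + h
         for h in ("DEFAULT", "SAM", "SECURITY", "SOFTWARE", "SYSTEM")}
LICENSES = {"Files/License.txt", "Files/cc0-legalcode.txt"}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def read_tar(blob):
    """Map path -> bytes for regular files, path -> None for links/devices."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
        for m in tar:
            if not m.isdir():
                name = m.name[2:] if m.name.startswith("./") else m.name
                out[name] = tar.extractfile(m).read() if m.isfile() else None
    return out

def check_layer(layer_tar):
    """Allowlist: five empty hive placeholders plus the two license files."""
    files, findings = read_tar(layer_tar), []
    for name, data in sorted(files.items()):
        if data is None:
            findings.append("link or device entry in layer: " + name)
        elif name in HIVES and data:
            findings.append("hive placeholder is not empty: " + name)
        elif name not in HIVES | LICENSES:
            findings.append("unexpected file in layer: " + name)
    return findings + ["expected file missing: " + n
                       for n in sorted((HIVES | LICENSES) - set(files))]

def verify_image(image_tar):
    """Return a list of findings; an empty list means every check passed."""
    files = read_tar(image_tar)
    manifest = json.loads(files.get("manifest.json") or b"[]")
    findings = [] if manifest else ["manifest.json missing or empty"]
    for entry in manifest:
        cfg = files.get(entry["Config"])
        if cfg is None or entry["Config"] != sha256(cfg) + ".json":
            findings.append("config missing or not named by its SHA-256")
            continue
        diff_ids = json.loads(cfg)["rootfs"]["diff_ids"]
        for path, diff_id in zip(entry["Layers"], diff_ids):
            digest = sha256(files.get(path) or b"")
            if diff_id != "sha256:" + digest or path != digest + "/layer.tar":
                findings.append("layer missing or digest mismatch: " + path)
                continue
            findings += check_layer(files[path])
    return findings

def make_tar(entries):
    """Pack {path: bytes} into a tar; used only to construct sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(entries):
            info = tarfile.TarInfo(name)
            info.size = len(entries[name])
            tar.addfile(info, io.BytesIO(entries[name]))
    return buf.getvalue()

def build_sample(extra=None):
    """Constructed image in the layout the script emits; `extra` adds layer files."""
    layer = make_tar({**dict.fromkeys(HIVES, b""),
                      **dict.fromkeys(LICENSES, b"constructed text"), **(extra or {})})
    config = json.dumps({"os": "windows", "rootfs": {
        "type": "layers", "diff_ids": ["sha256:" + sha256(layer)]}}).encode()
    manifest = json.dumps([{"Config": sha256(config) + ".json",
                            "Layers": [sha256(layer) + "/layer.tar"]}]).encode()
    return make_tar({"./manifest.json": manifest, f"./{sha256(config)}.json": config,
                     f"./{sha256(layer)}/layer.tar": layer})
```

To check a real build, pass the bytes of `build/windows-host-process-containers-base-image.tar` to `verify_image`. An image whose digests are self-consistent can still carry an extra file, which is why the allowlist runs in addition to the hash checks.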