You might encounter issues when using Windows Server containers with the February 11, 2020 security update release

Gäller för: Windows Server 2016Windows Server 2019, all editionsWindows Server version 1803

Last updated March 10, 2020 10:00am PST

Symptoms


You might encounter issues using Windows Server containers if the container host or container image has the February 11, 2020 security update, unless both the Windows container host and Windows Server container images are matched with the February 11, 2020 security update. 

Symptoms when running or building a container might include: 

  1. When you run the command "docker run" or “docker build” you might not receive output and it might become non-responsive.

  2. Your Windows Server Container in Kubernetes does not reach the "running" state.

  3. You receive the error, “docker: Error response from daemon: container <id>  encountered an error during Start: failure in a Windows system call: The wait operation timed out. (0x102).” 

  4. Your 32-bit application or processes running inside the container might silently fail.

Cause


This issue was the result of a security change which required an interface change between user mode and kernel mode. Since process isolated containers share the kernel mode with the container host and the container images, user mode component without the update were both incompatible and unsecured with the new secured kernel interface.

Resolution and workaround


We have added new update guidance on the Windows Container Docs site in the Windows container version compatibility and Update Windows Server containers sections.  This also includes details on update compatibility and matrix.  For information on the specific issues listed in this article, please see the resolution and mitigation below.

 

Resolution for "not running" and "32-bit applications silently failing" issues (symptom 1, 2, 3, 4):

On February 18, 2020, updated container images were released to address the issues with symptoms (1,2,3,4) in this article.  If you are encountering these issues, we recommend you update your container host to the February 11, 2020 security update release and the container images released on February 18, 2020.  Note The February 18, 2020 release is for container images only.  February 11, 2020 security updates are still the latest for the container host. 

To resolve the issue in your environment, re-run the pull command to update Windows Server base OS images or your applicable container image, such as IIS or .NET and re-run your automation pipeline to rebuild your containers using the container images with the February 18, 2020 container image. 

Important If you changed your pull tags or automation as a workaround for the issues in this article, you should revert your changes to your previous pull tags.  You should no longer need to use a specific version. 

Mitigation for "32-bit applications silently failing" issue (symptom 4):

We strongly recommend you update the container host to the February 11, 2020 security update, as described above. If you are unable to update the container host to the February 11, 2020 security updates, you will need to match the build and revision version of the container image with the build and revision version of your container host operating system.  For instructions on how to check the version of your container host, see this article. Once you have the version from your container host, you can pull the container image version using the following command (you will need to adjust the  Windows Server base OS image and version as applies in your environment). For example, if you are using Windows Server Core container:

docker pull mcr.microsoft.com/windows/servercore:<version your container host, such as 10.0.17763.1040>

After your container host and container image versions match, you should be able to resume your container commands such as run or build.

Note We only recommend changing your pull tags or automation if you are encountering silently failing apps.

References


The list below shows the Windows Server versions for which we support container images, along with the version numbers for the security updates released on January 14, 2020 and February 11, 2020 and the container image only release on February 18, 2020.  The container images released on February 18, 2020 listed below will be pulled automatically if you don’t specify version in your floating tags. 

Version of Windows Server (floating tag) Update version for January 14, 2020 release Update version for February 11, 2020 Update version for February 18, 2020

Windows Server 2016 (ltsc2016)

10.0.14393.3443 10.0.14393.3504 10.0.14393.3506
Windows Server, version 1803 (1803) 10.0.17134.1246 10.0.17134.1304 10.0.17134.1305

Windows Server 2019 (ltsc2019)
Windows Server, version 1809 (1809)

10.0.17763.973 10.0.17763.1039 10.0.17763.1040
Windows Server, version 1903 (1903) 10.0.18362.592 10.0.18362.657  10.0.18362.658
Windows Server, version 1909 (1909) 10.0.18363.592 10.0.18363.657 10.0.18363.658

 

If you are using Azure Marketplace Virtual Machine images with containers, the February 2020 images are available now. You should not encounter the issues or symptoms above using these images.  For more information, see KB4540981.

For a complete list of Windows container image, please refer to the Docker Hub page here.

For more detailed information on Windows Server containers, please see https://aka.ms/containers.