Last updated March 10, 2020 10:00am PST
Symptoms
You might encounter issues using Windows Server containers if the container host or container image has the February 11, 2020 security update, unless both the Windows container host and Windows Server container images are matched with the February 11, 2020 security update.
Symptoms when running or building a container might include:
-
When you run the command "docker run" or “docker build” you might not receive output and it might become non-responsive.
-
Your Windows Server Container in Kubernetes does not reach the "running" state.
-
You receive the error, “docker: Error response from daemon: container <id> encountered an error during Start: failure in a Windows system call: The wait operation timed out. (0x102).”
-
Your 32-bit application or processes running inside the container might silently fail.
Cause
This issue was the result of a security change which required an interface change between user mode and kernel mode. Since process isolated containers share the kernel mode with the container host and the container images, user mode component without the update were both incompatible and unsecured with the new secured kernel interface.
Resolution and workaround
We have added new update guidance on the Windows Container Docs site in the Windows container version compatibility and Update Windows Server containers sections. This also includes details on update compatibility and matrix. For information on the specific issues listed in this article, please see the resolution and mitigation below.
Resolution for "not running" and "32-bit applications silently failing" issues (symptom 1, 2, 3, 4):
On February 18, 2020, updated container images were released to address the issues with symptoms (1,2,3,4) in this article. If you are encountering these issues, we recommend you update your container host to the February 11, 2020 security update release and the container images released on February 18, 2020. Note The February 18, 2020 release is for container images only. February 11, 2020 security updates are still the latest for the container host.
To resolve the issue in your environment, re-run the pull command to update Windows Server base OS images or your applicable container image, such as IIS or .NET and re-run your automation pipeline to rebuild your containers using the container images with the February 18, 2020 container image.
Important If you changed your pull tags or automation as a workaround for the issues in this article, you should revert your changes to your previous pull tags. You should no longer need to use a specific version.
Mitigation for "32-bit applications silently failing" issue (symptom 4):
We strongly recommend you update the container host to the February 11, 2020 security update, as described above. If you are unable to update the container host to the February 11, 2020 security updates, you will need to match the build and revision version of the container image with the build and revision version of your container host operating system. For instructions on how to check the version of your container host, see this article. Once you have the version from your container host, you can pull the container image version using the following command (you will need to adjust the Windows Server base OS image and version as applies in your environment). For example, if you are using Windows Server Core container:
docker pull mcr.microsoft.com/windows/servercore:<version your container host, such as 10.0.17763.1040>
After your container host and container image versions match, you should be able to resume your container commands such as run or build.
Note We only recommend changing your pull tags or automation if you are encountering silently failing apps.
References
The list below shows the Windows Server versions for which we support container images, along with the version numbers for the security updates released on January 14, 2020 and February 11, 2020 and the container image only release on February 18, 2020. The container images released on February 18, 2020 listed below will be pulled automatically if you don’t specify version in your floating tags.
Version of Windows Server (floating tag) |
Update version for January 14, 2020 release |
Update version for February 11, 2020 |
Update version for February 18, 2020 |
Windows Server 2016 (ltsc2016) |
10.0.14393.3443 |
10.0.14393.3504 |
10.0.14393.3506 |
Windows Server, version 1803 (1803) |
10.0.17134.1246 |
10.0.17134.1304 |
10.0.17134.1305 |
Windows Server 2019 (ltsc2019) Windows Server, version 1809 (1809) |
10.0.17763.973 |
10.0.17763.1039 |
10.0.17763.1040 |
Windows Server, version 1903 (1903) |
10.0.18362.592 |
10.0.18362.657 |
10.0.18362.658 |
Windows Server, version 1909 (1909) |
10.0.18363.592 |
10.0.18363.657 |
10.0.18363.658 |
If you are using Azure Marketplace Virtual Machine images with containers, the February 2020 images are available now. You should not encounter the issues or symptoms above using these images. For more information, see KB4540981.
For a complete list of Windows container image, please refer to the Docker Hub page here.
For more detailed information on Windows Server containers, please see https://aka.ms/containers.