Install Docker Engine - Enterprise on Windows Servers

Docker Engine - Enterprise enables native Docker containers on Windows Server. Windows Server 2019 and later versions are supported. The Docker Engine - Enterprise installation package includes everything you need to run Docker on Windows Server. This topic describes pre-install considerations, and how to download and install Docker Engine - Enterprise.

System requirements

The Windows OS requirements for CPU and RAM must be met, as specified in the Windows Server Requirements.

Install Docker Engine - Enterprise with an Internet connection

These steps are for an online-only default installation, so you must have an internet connection. For instructions to install offline, see the Install Docker Engine - Enterprise offline section below. The easiest way to install Docker Engine - Enterprise on a Windows Server machine is to run the helper script we provide. The script uses default values for everything, so it can run without specifying any values. Script parameters and environment variables can be used to override the default values.

Parameter values take precedence over env variables. Both take precedence over inbuilt default values.

The script needs to be executed from an elevated command prompt. If you want to change the default daemon values, you should have the alternative configurations and the related collateral in place before executing the script. For example, if you want to enable TLS, store the certificates and write the daemon configuration file before invoking the script.

  1. Download the install.ps1 file.

    Invoke-WebRequest -Uri https://get.mirantis.com/install.ps1 -o install.ps1
    
  2. (Optional): Allow downloaded script files to run in the current session

    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope Process;
    
  3. Run the install script.

    .\install.ps1
    

    If the installer requires a reboot it will prompt you.

  4. Test your Docker Engine - Enterprise installation by running the hello-world container.

    docker run hello-world:nanoserver
    

    The container starts, prints the hello message, and then exits.

    Unable to find image 'hello-world:nanoserver' locally
    nanoserver: Pulling from library/hello-world
    bce2fbc256ea: Pull complete
    3ac17e2e6106: Pull complete
    8cac44e17f16: Pull complete
    5e160e4d8db3: Pull complete
    Digest: sha256:25eac12ba40f7591969085ab3fb9772e8a4307553c14ea72d0e6f98b2c8ced9d
    Status: Downloaded newer image for hello-world:nanoserver
    
    Hello from Docker!
    This message shows that your installation appears to be working correctly.
    

FIPS 140-2 cryptographic module support

Federal Information Processing Standards (FIPS) Publication 140-2 is a United States Federal security requirement for cryptographic modules.

Docker Engine - Enterprise provides FIPS 140-2 support in Windows Server. This includes a FIPS supported cryptographic module. If the Windows implementation already has FIPS support enabled, FIPS is automatically enabled in the Docker engine.

Note

FIPS 140-2 is only supported in the Docker Engine - Enterprise engine. UCP and DTR currently do not have support for FIPS 140-2.

To enable FIPS 140-2 compliance on a system that is not in FIPS 140-2 mode, execute the following command in PowerShell:

    [System.Environment]::SetEnvironmentVariable("DOCKER_FIPS", "1", "Machine")

FIPS 140-2 mode may also be enabled via the Windows Registry. To update the pertinent registry key, execute the following PowerShell command as an Administrator:

    Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\" -Name "Enabled" -Value "1"

Restart the Docker service by running the following command.

    Stop-Service docker
    Start-Service docker

To confirm Docker is running with FIPS-140-2 enabled, run the docker info command and look for the following label in its output:

    Labels:
     com.docker.security.fips=enabled

Note

If the system has the FIPS-140-2 cryptographic module installed on the operating system, it is possible to disable FIPS-140-2 compliance. To disable FIPS-140-2 in Docker but not the operating system, set the value "DOCKER_FIPS","0" in the [System.Environment].
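
A check that reads back the three FIPS signals described in this section: the DOCKER_FIPS machine variable, the FipsAlgorithmPolicy registry value, and the docker info label. This is an added example, not part of the original documentation or of install.ps1; the function name Get-DockerFipsState and the precedence logic are assumptions drawn from the text above.

```powershell
# Added example: compares the FIPS settings described above with what the engine reports.
# Get-DockerFipsState is a hypothetical helper name, not part of install.ps1.
function Get-DockerFipsState {
    [CmdletBinding()]
    param(
        # Lines of `docker info` output; pass them in to exercise the parsing offline.
        [string[]]$DockerInfo
    )
    if (-not $DockerInfo) { $DockerInfo = & docker info 2>$null }

    # Machine-scoped override: "1" enables FIPS in Docker, "0" disables it.
    $envValue = [System.Environment]::GetEnvironmentVariable('DOCKER_FIPS', 'Machine')

    # Operating-system FIPS policy (a missing value is treated as not enabled).
    $regPath  = 'HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $regValue = (Get-ItemProperty -Path $regPath -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled

    # Label printed by the running daemon, e.g. com.docker.security.fips=enabled
    $label = 'not reported'
    foreach ($line in $DockerInfo) {
        if ($line -match 'com\.docker\.security\.fips=(\S+)') { $label = $Matches[1]; break }
    }

    # Assumed precedence, read from this page: DOCKER_FIPS=0 wins,
    # otherwise either DOCKER_FIPS=1 or the OS policy enables FIPS.
    $expected = ($envValue -ne '0') -and ($envValue -eq '1' -or $regValue -eq 1)

    [pscustomobject]@{
        DockerFipsEnv = $envValue
        OsFipsPolicy  = $regValue
        EngineLabel   = $label
        Expected      = $expected
        # False can mean the Docker service has not been restarted since the change.
        Consistent    = ($expected -eq ($label -eq 'enabled'))
    }
}

# Constructed sample of the relevant `docker info` lines, so the function runs without a daemon.
Get-DockerFipsState -DockerInfo @('Labels:', ' com.docker.security.fips=enabled')
```

Called with no arguments, the function queries the local daemon instead of the constructed sample.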

Install Docker Engine - Enterprise offline

If your hardware is air-gapped, you can still install Docker Engine - Enterprise. You will need to download the installer and then copy the files to the air-gapped machine. The default installation assumes that the zipped files and script are in the same location.

  1. On any Internet-connected PowerShell terminal, download the install.ps1 file and then run it to download the installer .zip files.

    Invoke-WebRequest -Uri https://get.mirantis.com/install.ps1 -o install.ps1
    
  2. (Optional): Allow the downloaded script files to run in the current session.

    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope Process;
    
  3. Run install.ps1 with the DownloadOnly parameter. This doesn’t install anything; it only downloads the zip file.

    .\install.ps1 -DownloadOnly
    
  4. Copy the install.ps1 file and the installation zip file over to the air-gapped machine and run the install with the -Offline parameter.

    .\install.ps1 -Offline
    

If the installer requires a reboot it will prompt you.
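
One way to confirm that install.ps1 and the downloaded .zip files reach the air-gapped machine unchanged is to record SHA-256 hashes after the -DownloadOnly step and verify them before the -Offline step. This is an added example, not part of the original documentation or of install.ps1; the function names and the manifest file name install-manifest.csv are hypothetical, and it assumes the packages sit in the current directory (pass the -OfflinePackagesPath folder as -Path otherwise).

```powershell
# Added example: hash manifest for the files carried to the air-gapped machine.
# New-TransferManifest, Test-TransferManifest and install-manifest.csv are hypothetical names.
function New-TransferManifest {
    param([string]$Path = '.', [string]$Manifest = 'install-manifest.csv')
    Get-ChildItem -Path $Path -File |
        Where-Object { $_.Name -eq 'install.ps1' -or $_.Extension -eq '.zip' } |
        ForEach-Object {
            [pscustomobject]@{
                Name = $_.Name
                Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv -Path (Join-Path $Path $Manifest) -NoTypeInformation
}

function Test-TransferManifest {
    param([string]$Path = '.', [string]$Manifest = 'install-manifest.csv')
    $entries = @(Import-Csv -Path (Join-Path $Path $Manifest))
    $ok = $entries.Count -gt 0          # an empty manifest verifies nothing
    foreach ($entry in $entries) {
        $file = Join-Path $Path $entry.Name
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            Write-Warning "Missing: $($entry.Name)"; $ok = $false; continue
        }
        if ((Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash -ne $entry.Hash) {
            Write-Warning "Hash mismatch: $($entry.Name)"; $ok = $false
        }
    }
    # A .zip that is not in the manifest did not come from the recorded download.
    foreach ($zip in Get-ChildItem -Path $Path -File -Filter '*.zip') {
        if ($entries.Name -notcontains $zip.Name) {
            Write-Warning "Unlisted: $($zip.Name)"; $ok = $false
        }
    }
    return $ok
}

# Connected machine, after  .\install.ps1 -DownloadOnly :  New-TransferManifest
# Air-gapped machine, before .\install.ps1 -Offline     :  Test-TransferManifest
```

Carry the manifest, or its own hash, to the air-gapped machine by a path separate from the media holding the packages; a manifest that travels with the files only detects accidental corruption.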

Install a specific version

To install a specific version, you can use three parameters separately or together. They are:

    .\install.ps1 -Channel
    .\install.ps1 -ContainerdVersion
    .\install.ps1 -DockerVersion

For example, .\install.ps1 without any of these parameters will always use the latest available GA.

The “Install script usage” section below contains descriptions of these and other parameters.

Update Docker Engine - Enterprise

To update Docker Engine - Enterprise to the most recent release, download the latest copy of the install.ps1 script and rerun the installation steps.

  1. Download the install.ps1 file.

    Invoke-WebRequest -Uri https://get.mirantis.com/install.ps1 -o install.ps1
    
  2. (Optional): Allow downloaded script files to run in the current session

    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope Process
    
  3. Run the install script.

    .\install.ps1

Install script usage

The installation script uses the following parameters.

Parameter

Description

.PARAMETER DownloadUrl

[Alternately specified by $Env:DOWNLOAD_URL] Specify an alternative repository to download container runtime packages. Consult the documentation for air-gapped installs to learn more about setting up a repository mirror.

.PARAMETER Channel

[Alternately specified by $Env:CHANNEL] Specifies the channel to be used for picking the binaries. Examples of channels are: stable, test etc. Stable is used as the default channel.

.PARAMETER DockerVersion

[Alternately specified by $Env:DOCKER_VERSION] Specifies the version number for the DockerEE binaries to install. Latest is used as the default version.

.PARAMETER ContainerdVersion

[Alternately specified by $Env:CONTAINERD_VERSION] Specifies the version number for the containerd binaries to install. Latest is used as the default version.

.PARAMETER DryRun

If specified, list different steps that would be used without actually invoking them.

.PARAMETER Uninstall

If specified, uninstalls all packages. This entails unregistering the corresponding services and removing paths for the package from the registry. All other script parameters (except DryRun and DestPath) are ignored if this switch is specified. Common parameters such as -Verbose are still honored.

.PARAMETER Ver

Print version info for the script and exit.

.PARAMETER NoServiceStarts

If specified, services are not started on successful install. By default, all services installed by the script are left in a running state before exit.

.PARAMETER DestPath

Path to the directory under which binaries will be installed. By default, this path is %PROGRAMDATA%

.PARAMETER OfflinePackagesPath

The folder for airgap/offline scenarios. For use when the offline or DownloadOnly parameters are specified. Used to either save the downloaded packages for later offline use or for pointing to previously downloaded packages for offline install.

.PARAMETER Offline

Install packages in offline/airgap mode. By default the current directory will be used to look for previously downloaded packages. That can be overridden by using the OfflinePackagesPath parameter.

.PARAMETER DownloadOnly

Download and save packages for later offline/airgap install.

.PARAMETER EngineOnly

Skip all steps except those related to Docker EE engine.

Install script notes

  1. In scenarios where you have existing installed software that has its own copies of OpenSSL libraries, you may run into the following error:

    OpenSSL error: error:0F06D065:common libcrypto
    routines:FIPS_mode_set:fips mode not supported
    

    This is often hit if you have ming/mingw64 as a part of your PATH env variable. To work around this, ensure that the offending software is not on the PATH and run the script again.

  2. The script supports airgap functionality by providing access to download packages while online as well as to install those selfsame packages while offline.

    For downloads, please ensure that the script has access to the internet. Use the -DownloadOnly parameter. By default the script will use the current directory to store the packages after download. This can be changed by specifying the path explicitly with the -OfflinePackagesPath parameter.

    For offline/airgap install, please use the -Offline parameter. By default the script will look for packages in the current directory. This can be changed by specifying the -OfflinePackagesPath parameter.

    While downloading using -DownloadOnly parameter, make sure that the download path is accessible to the script, especially if you run the script without administrative rights.

The following is required so that the script can be invoked with named parameters (e.g. -ContainerdVersion 1.3.4…). If a parameter is used, its type is checked by PowerShell. We give a higher precedence to the parameters specified this way vs. the same value specified by env vars.

Parameters gotten at invocation time. Some of these values are “merged” with values specified by env vars - see reconcileParams. Others are used as-is.

Uninstall Docker Engine - Enterprise

Use the following commands to remove the Docker Engine - Enterprise from a Windows Server.

  1. Leave any active Docker Swarms.

    docker swarm leave --force
    
  2. Prune container data.

    docker system prune --all
    
  3. Run the install.ps1 script using the uninstall flag to remove Docker Engine - Enterprise from your system.