Install MCR on Windows Servers
Mirantis Container Runtime (MCR) enables native Docker containers on Windows Server. The Mirantis Container Runtime installation package includes everything you need to run Docker on Windows Server. This topic describes pre-install considerations, and how to download and install Mirantis Container Runtime.
Note
Refer to the MCR 23.0 Compatibility Matrix for information on which Windows Server versions are supported.
System requirements
Windows OS CPU and RAM requirements that must be met are specified in the Windows Server Requirements.
Install MCR with an Internet connection
Mirantis provides an installation script to ease MCR installation on a Windows Server machine. The script uses default values, thus allowing it to be run without configuration. You can, however, override the default values with script parameters and env variables. Parameter values take precedence over env variables. Both take precedence over inbuilt default values.
The installation script must be executed from an elevated command prompt. If you want to change the default daemon values, ensure that you have the alternative configurations and the related collateral in place prior to executing the script. For example, if you want to enable TLS, store the certificates and write the daemon configuration file before invoking the script.
Obtain the installation script for MCR for Windows Server at https://get.mirantis.com/install.ps1.
(Optional): Allow downloaded script files to run in the current session.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope Process;
Run the installation script.
The installer will issue a prompt, should it require a reboot.
Note
The installation script installs a numerically higher version by default. The latest tag, however, explicitly denotes the binary that was last pushed, which may not be a numerically higher version.
Test your MCR installation by running the hello-world container.
docker run hello-world:nanoserver
The container starts, prints the Hello from Docker! message, and then exits.
Unable to find image 'hello-world:nanoserver' locally
nanoserver: Pulling from library/hello-world
bce2fbc256ea: Pull complete
3ac17e2e6106: Pull complete
8cac44e17f16: Pull complete
5e160e4d8db3: Pull complete
Digest: sha256:25eac12ba40f7591969085ab3fb9772e8a4307553c14ea72d0e6f98b2c8ced9d
Status: Downloaded newer image for hello-world:nanoserver
Hello from Docker!
This message shows that your installation appears to be working correctly.
FIPS 140-2 cryptographic module support
Federal Information Processing Standards (FIPS) Publication 140-2 is a United States Federal security requirement for cryptographic modules.
MCR provides FIPS 140-2 support in Windows Server, which includes a FIPS supported cryptographic module. If the Windows implementation already has FIPS support enabled, FIPS is automatically enabled in MCR.
Note
FIPS 140-2 is only supported in MCR. MKE and MSR currently do not support FIPS 140-2.
To enable FIPS 140-2 compliance on a system that is not in FIPS 140-2 mode, run the following command in PowerShell:
[System.Environment]::SetEnvironmentVariable("DOCKER_FIPS", "1", "Machine")
You can also enable FIPS 140-2 mode using the Windows Registry. To update the pertinent registry key, execute the following PowerShell command as an Administrator:
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\" -Name "Enabled" -Value "1"
Restart the Docker service.
Stop-Service docker
Start-Service docker
To confirm that Docker is running with FIPS-140-2 enabled, run the docker info command and check the Labels section of the output:
Labels:
com.docker.security.fips=enabled
Note
FIPS-140-2 compliance can be disabled if the FIPS-140-2 cryptographic module is installed on the operating system. To disable FIPS-140-2 in Docker but not the operating system, set the value "DOCKER_FIPS","0" in [System.Environment].
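The following PowerShell function is an added example, not part of the Mirantis documentation or install script. It compares the FIPS inputs described in this section (the DOCKER_FIPS machine variable and the FipsAlgorithmPolicy registry value) with the label the running daemon reports. The name Get-McrFipsState and the precedence it applies (an explicit DOCKER_FIPS value first, then the operating-system policy) are assumptions drawn from the text above.

```powershell
# Added example, not Mirantis code. Get-McrFipsState is a hypothetical helper name.
function Get-McrFipsState {
    # Machine-scope override described in this section ("1" = on, "0" = off).
    $envValue = [System.Environment]::GetEnvironmentVariable("DOCKER_FIPS", "Machine")

    # Operating-system FIPS policy from the registry key shown above.
    $regPath = "HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy"
    $policy  = Get-ItemProperty -Path $regPath -Name "Enabled" -ErrorAction SilentlyContinue
    $osFips  = ($null -ne $policy) -and ($policy.Enabled -eq 1)

    # Assumed precedence: an explicit DOCKER_FIPS value wins, otherwise the
    # daemon follows the operating-system setting.
    if     ($envValue -eq "1") { $expected = $true }
    elseif ($envValue -eq "0") { $expected = $false }
    else                       { $expected = $osFips }

    # Label reported by the running daemon (stays $false if docker is unreachable).
    $reported = $false
    if (Get-Command docker -ErrorAction SilentlyContinue) {
        $info = & docker info 2>$null
        $reported = @($info | Where-Object {
            $_ -like "*com.docker.security.fips=enabled*" }).Count -gt 0
    }

    [pscustomobject]@{
        DockerFipsEnv = $envValue
        OsFipsPolicy  = $osFips
        ExpectedFips  = $expected
        DaemonReports = $reported
        # A mismatch can mean the Docker service has not been restarted since
        # the change, or that the daemon is not running.
        Consistent    = ($expected -eq $reported)
    }
}

Get-McrFipsState | Format-List
```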
Install MCR offline
If your hardware is air-gapped you can still install MCR. To do so, download the installer and copy the files to the air-gapped machine (the default installation assumes that the zipped files and script are in the same location).
On any Internet connected system, go to https://get.mirantis.com/install.ps1 to obtain the MCR for Windows Server installation script.
(Optional): Allow the downloaded script files to run in the current session.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope Process;
Run the installation script with the -DownloadOnly parameter. As per the parameter name, this action only downloads the zip file (no installation is performed).
.\<installation-script> -DownloadOnly
Copy the installation script and the installation zip file over to the air-gapped machine and run the install with the -Offline parameter.
.\<installation-script> -Offline
If prompted, reboot the installer.
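The two functions below are an added example, not Mirantis code. They record SHA-256 hashes of the install script and downloaded zip files on the connected system and check them on the air-gapped machine before the -Offline step, so that files altered or swapped in transit are caught before they run elevated. The function names and the manifest file name are hypothetical.

```powershell
# Added example, not Mirantis code. The manifest file name is hypothetical.
$ManifestName = "mcr-transfer.sha256.csv"
$Extensions   = @(".ps1", ".zip")   # install script and downloaded packages

# Run on the Internet-connected system after the -DownloadOnly step.
function New-TransferManifest {
    param([string]$Path = ".")
    Get-ChildItem -Path $Path -File |
        Where-Object { $Extensions -contains $_.Extension } |
        Get-FileHash -Algorithm SHA256 |
        Select-Object @{ Name = "Name"; Expression = { Split-Path $_.Path -Leaf } }, Hash |
        Export-Csv -Path (Join-Path $Path $ManifestName) -NoTypeInformation
}

# Run on the air-gapped machine before the -Offline step. Returns $true only
# if every listed file is present and unchanged and no unlisted script or
# package has appeared in the folder.
function Test-TransferManifest {
    param([string]$Path = ".")
    $manifest = Join-Path $Path $ManifestName
    if (-not (Test-Path -LiteralPath $manifest)) {
        Write-Warning "Manifest not found: $manifest"
        return $false
    }
    $ok = $true
    $entries = @(Import-Csv -Path $manifest)
    foreach ($entry in $entries) {
        $file = Join-Path $Path $entry.Name
        if (-not (Test-Path -LiteralPath $file)) {
            Write-Warning "Missing: $($entry.Name)"; $ok = $false; continue
        }
        $actual = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        if ($actual -ne $entry.Hash) {
            Write-Warning "Hash mismatch: $($entry.Name)"; $ok = $false
        }
    }
    $listed = @($entries | ForEach-Object { $_.Name })
    $extra  = @(Get-ChildItem -Path $Path -File | Where-Object {
        ($Extensions -contains $_.Extension) -and ($listed -notcontains $_.Name) })
    foreach ($f in $extra) {
        Write-Warning "Not in manifest: $($f.Name)"; $ok = $false
    }
    return $ok
}
```

Carry the manifest, or its own hash, by a separate path from the packages so that a single altered medium cannot change both.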
Install a specific version
Use the following three parameters separately or in tandem to install a specific version of MCR for Windows Server.
Caution
MCR does not support using earlier versions of containerd than the version with which it is released. For supported containerd versions, refer to the Major component versions section of the required MCR version in Release Notes.
.\install.ps1 -Channel
.\install.ps1 -ContainerdVersion
.\install.ps1 -DockerVersion
For example, the installation script will always use the latest GA.
For parameter descriptions, refer to Install script usage.
Update MCR
To update MCR to the most recent release, download the latest copy of the installation script and rerun the installation steps.
Obtain the installation script for MCR for Windows Server at https://get.mirantis.com/install.ps1.
(Optional): Allow downloaded script files to run in the current session.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope Process
Run the installation script.
Install script usage
The installation script uses the parameters detailed below.
| Parameter | Description |
|---|---|
| .PARAMETER DownloadUrl | [Alternately specified by $Env:DOWNLOAD_URL] Specifies an alternative repository in which to download container runtime packages. |
| .PARAMETER Channel | [Alternately specified by $Env:CHANNEL] Specifies which channel to use for picking the binaries (examples include |
| .PARAMETER DockerVersion | [Alternately specified by $Env:DOCKER_VERSION] Specifies the version number for the DockerEE binaries to install. The latest version is the default. |
| .PARAMETER ContainerdVersion | [Alternately specified by $Env:CONTAINERD_VERSION] Specifies the version number for the containerd binaries to install. The latest version is the default. |
| .PARAMETER DryRun | If specified, list different steps to use without actually invoking those steps. |
| .PARAMETER Uninstall | If specified, uninstalls all packages. This includes unregistering the corresponding services and removing paths for the package from the registry. All other script parameters (except |
| .PARAMETER Ver | Print version info for the script and exit. |
| .PARAMETER NoServiceStarts | If specified, services are not started on successful install. By default, all services installed by the script are left in a running state before exit. |
| .PARAMETER DestPath | Path to the directory under which binaries will be installed. Default: %PROGRAMDATA% |
| .PARAMETER OfflinePackagesPath | The folder for airgap/offline scenarios. For use when the offline or |
| .PARAMETER Offline | Install packages in offline/airgap mode. By default the current directory is used to locate previously downloaded packages, a setting that can be overridden by using the |
| .PARAMETER DownloadOnly | Download and save packages for later offline/airgap install. |
| .PARAMETER EngineOnly | Skip all steps except those related to MCR. |
Install script notes
In scenarios where you have existing software installed that has its own copies of OpenSSL libraries, you may encounter the following error:
OpenSSL error: error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported
This often arises if you have ming/mingw64 as a part of your PATH env variable. As a workaround, ensure that the offending software is not on the PATH and run the script again.
The script supports airgap functionality by providing access to download packages while online, as well as to install those selfsame packages while offline.
For downloads, please ensure that the script has access to the internet. Use the -DownloadOnly parameter. By default the script will use the current directory to store the packages after download, a setting that can be changed by specifying the path explicitly with the -OfflinePackagesPath parameter.
For offline/airgap install, please use the -Offline parameter. By default the script searches for packages in the current directory, a setting that can be changed by specifying the -OfflinePackagesPath parameter.
While downloading using the -DownloadOnly parameter, confirm that the download path is accessible to the script, especially if you run the script without administrative rights.
The following is required so that the script can be invoked with named parameters (for example, -ContainerdVersion 1.3.4...). If a parameter is used, its type is checked by PowerShell. Parameters specified in this manner are given a higher precedence than the same value specified by env vars.
Parameters received at invocation time. Some of these values are merged with values specified by env vars - see reconcileParams. Others are used as-is.
Disable MCR Telemetry
By default, MCR automatically records and transmits data to Mirantis for monitoring and analysis purposes. The data collected provides the Mirantis Customer Success Organization with information that helps Mirantis to better understand the operational use of MCR by our customers. It also provides key feedback in the form of product usage statistics, which enables our product teams to enhance Mirantis products and services.
To disable the telemetry function, set features.telemetry to false in the daemon.json file, which is located in C:\ProgramData\docker\config\.
{"features":{"telemetry": false}}
You can change the setting back to true to re-enable telemetry.
Caution
To send the telemetry, verify that dockerd can resolve api.segment.io and create a TCP (HTTPS) connection on port 443.
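A daemon.json that already holds other settings, such as the TLS configuration mentioned in the install section, would lose them if it were overwritten with the one-line file above. The function below is an added example, not Mirantis code; it merges the telemetry flag into the existing file instead. The function name Set-McrTelemetry and the .bak backup name are hypothetical.

```powershell
# Added example, not Mirantis code. Set-McrTelemetry is a hypothetical helper name.
function Set-McrTelemetry {
    param(
        [bool]$Enabled = $false,
        [string]$ConfigPath = "C:\ProgramData\docker\config\daemon.json"
    )
    $ErrorActionPreference = "Stop"   # abort before writing if anything fails

    $config = [pscustomobject]@{}
    if (Test-Path -LiteralPath $ConfigPath) {
        $raw = Get-Content -LiteralPath $ConfigPath -Raw
        if (-not [string]::IsNullOrWhiteSpace($raw)) {
            # Malformed JSON throws here, leaving the file untouched.
            $config = $raw | ConvertFrom-Json
        }
        # Keep a copy of the previous configuration (backup name is an assumption).
        Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force
    }

    # Create the "features" object only if it is missing, keeping other flags.
    if (-not $config.PSObject.Properties["features"]) {
        $config | Add-Member -NotePropertyName "features" -NotePropertyValue ([pscustomobject]@{})
    }
    $config.features | Add-Member -NotePropertyName "telemetry" -NotePropertyValue $Enabled -Force

    # Write UTF-8 without a byte-order mark.
    $json = $config | ConvertTo-Json -Depth 10
    $utf8 = New-Object System.Text.UTF8Encoding($false)
    [System.IO.File]::WriteAllText($ConfigPath, $json, $utf8)
    return $config.features.telemetry
}

# Disable telemetry while preserving every other daemon setting.
Set-McrTelemetry -Enabled $false
```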
Uninstall MCR
Use the following commands to remove MCR from a Windows Server.
Leave any active Docker Swarms.
docker swarm leave --force
Prune container data.
docker system prune --all
Run the installation script using the uninstall flag to remove MCR from the system.