Install MCR on Windows Servers

Mirantis Container Runtime (MCR) enables native Docker containers on Windows Server. The Mirantis Container Runtime installation package includes everything you need to run Docker on Windows Server. This topic describes pre-install considerations, and how to download and install Mirantis Container Runtime.

Note

Refer to the MCR 23.0 Compatibility Matrix for information on which Windows Server versions are supported.

System requirements

Windows OS CPU and RAM requirements that must be met are specified in the Windows Server Requirements.

Install MCR with an Internet connection

Mirantis provides an installation script to ease MCR installation on a Windows Server machine. The script uses default values, thus allowing it to be run without configuration. You can, however, override the default values with script parameters and env variables. Parameter values take precedence over env variables. Both take precedence over inbuilt default values.

The installation script must be executed from an elevated command prompt. If you want to change the default daemon values, ensure that you have the alternative cofigurations and the related collateral in place prior to executing the script. For example, if you want to enable TLS, store the certificates and write the daemon configuration file before invoking the script.

  1. Obtain the installation script for MCR for Windows Server at https://get.mirantis.com/install.ps1.

  2. (Optional): Allow downloaded script files to run in the current session

    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope Process;
    
  3. Run the installation script.

    The installer will issue a prompt, should it require a reboot.

    Note

    The installation script installs a numerically higher version by default. The latest tag, however, explicitly denotes the binary that was last pushed, which may not be a numerically higher version.

  4. Test your MCR installation by running the hello-world container.

    docker run hello-world:nanoserver
    

    The container starts, prints the Hello from Docker! message, and then exits.

    Unable to find image 'hello-world:nanoserver' locally
    nanoserver: Pulling from library/hello-world
    bce2fbc256ea: Pull complete
    3ac17e2e6106: Pull complete
    8cac44e17f16: Pull complete
    5e160e4d8db3: Pull complete
    Digest: sha256:25eac12ba40f7591969085ab3fb9772e8a4307553c14ea72d0e6f98b2c8ced9d
    Status: Downloaded newer image for hello-world:nanoserver
    
    Hello from Docker!
    This message shows that your installation appears to be working correctly.
    

FIPS 140-2 cryptographic module support

Federal Information Processing Standards (FIPS) Publication 140-2 is a United States Federal security requirement for cryptographic modules.

MCR provides FIPS 140-2 support in Windows Server, which includes a FIPS supported cryptographic module. If the Windows implementation already has FIPS support enabled, FIPS is automatically enabled in MCR.

Note

FIPS 140-2 is only supported in MCR. MKE and MSR currently do not support FIPS 140-2.

To enable FIPS 140-2 compliance on a system that is not in FIPS 140-2 mode, run the following command in PowerShell:

[System.Environment]::SetEnvironmentVariable("DOCKER_FIPS", "1", "Machine")

You can also enable FIPS 140-2 mode using the Windows Registry. To update the pertinent registry key, execute the following PowerShell command as an Administrator:

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\" -Name "Enabled" -Value "1"

Restart the Docker service.

Stop-Service docker
Start-Service docker

To confirm Docker is running with FIPS-140-2 enabled, run the docker info.

Labels:
 com.docker.security.fips=enabled

Note

FIPS-140-2 compliance can be disabled if the FIPS-140-2 cryptographic module is installed on the operating system. To disable FIPS-140-2 in Docker but not the operating system, set the value "DOCKER_FIPS","0" in [System.Environment].\

Install MCR offline

If your hardware is air-gapped you can still install MCR. To do so, download the installer and copy the files to the air-gapped machine (the default installation assumes that the zipped files and script are in the same location).

  1. On any Internet connected system, go to https://get.mirantis.com/install.ps1 to obtain the MCR for Windows Server installation script.

  2. (Optional): Allow the downloaded script files to run in the current session.

    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope Process;
    
  3. Run the installation script with the -DownloadOnly parameter. As per the parameter name, this action only downloads the zip file (no installation is performed).

    .\<installation-script> -DownloadOnly
    
  4. Copy the installation script and the installation zip file over to the air-gapped machine and run the install with the -Offline parameter.

    .\<installation-script> -Offline
    
  5. If prompted, reboot the installer.

Install a specific version

Use the following three parameters separately or in tandem to install a specific version of MCR for Windows Server.

Caution

MCR does not support using earlier versions of containerd than the version with which it is released. For supported containerd versions, refer to the Major component versions section of the required MCR version in Release Notes.

.\install.ps1 -Channel
.\install.ps1 -ContainerdVersion
.\install.ps1 -DockerVersion

For example, the installation script will always use the latest GA.

For parameter descriptions, refer to Install script usage.

Update MCR

To update MCR to the most recent release, download the latest copy of the installation script and rerun the installation steps.

  1. Obtain the installation script for MCR for Windows Server at https://get.mirantis.com/install.ps1.

  2. (Optional): Allow downloaded script files to run in the current session.

    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force -Scope Process
    
  3. Run the installation script.

Install script usage

The installation script uses the parameters detailed below.

Parameter

Description

.PARAMETER DownloadUrl

[Alternately specified by $Env:DOWNLOAD_URL] Specifies an alternative repository in which to download container runtime packages.

.PARAMETER Channel

[Alternately specified by $Env:CHANNEL] Specifies which channel to use for picking the binaries (examples include stable and test). Default: stable.

.PARAMETER DockerVersion

[Alternately specified by $Env:DOCKER_VERSION] Specifies the version number for the DockerEE binaries to install. The latest version is the default.

.PARAMETER ContainerdVersion

[Alternately specified by $Env:CONTAINERD_VERSION] Specifies the version number for the containerd binaries to install The latest version is the default.

.PARAMETER DryRun

If specified, list different steps to use without actually invoking those steps.

.PARAMETER Uninstall

If specified, uninstalls all packages. This includes unregistering the corresponding services and removing paths for the package from the registry. All other script parameters (except DryRun and DestPath) are ignored if this switch is specified. Common parameters such as -Verbose are still honored.

.PARAMETER Ver

Print version info for the script and exit.

.PARAMETER NoServiceStarts

If specified, services are not started on successful install. By default, all services installed by the script are left in a running state before exit.

.PARAMETER DestPath

Path to the directory under which binaries will be installed. Default: %PROGRAMDATA%

.PARAMETER OfflinePackagesPath

The folder for airgap/offline scenarios. For use when the offline or DownloadOnly parameters are specified. Used to either save the downloaded packages for later offline use or for pointing to previously downloaded packages for offline install.

.PARAMETER Offline

Install packages in offline/airgap mode. By default the current directory is used to locate previously downloaded packages, a setting that can be overridden by using the OfflinePackagesPath parameter.

.PARAMETER DownloadOnly

Download and save packages for later offline/airgap install.

.PARAMETER EngineOnly

Skip all steps except those related to MCR.

Install script notes

  1. In scenarios where you have existing software installed that has its own copies of OpenSSL libraries, you may encounter the following error:

    OpenSSL error: error:0F06D065:common libcrypto
    routines:FIPS_mode_set:fips mode not supported
    

    This is often arises if you have ming/mingw64 as a part of your PATH env variable. As a workaround, ensure that the offending software is not on the PATH and run the script again.

  2. The script supports airgap functionality by providing access to download packages while online, as well as to install those selfsame packages while offline.

    For downloads, please ensure that the script has access to the internet. Use the -DownloadOnly parameter. By default the script will use the current directory to store the packages after download, a setting that can be changed by specifying the path explicitly with the -OfflinePackagesPath parameter.

    For offline/airgap install, please use the -Offline parameter. By default the script searches for pacakages in the current directory, a setting that can be changed by specifying the -OfflinePackagesPath parameter.

    While downloading using -DownloadOnly parameter, confirm that the download path is accessible to the script, especially if you run the script without administrative rights.

The following is required so that the script can be invoked with named parameters (for example, -ContainerdVersion 1.3.4...). If a parameter is used, its type is checked by powershell - we give a higher precedence to the parameters specified in this manner versus the same value specified by env vars.

Parameters received at invocation time. Some of these values are merged with values specified by env vars - see reconcileParams. Others are used as-is.

Disable MCR Telemetry

By default, MCR automatically records and transmits data to Mirantis for monitoring and analysis purposes. The data collected provides the Mirantis Customer Success Organization with information that helps Mirantis to better understand the operational use of MCR by our customers. It also provides key feedback in the form of product usage statistics, which enables our product teams to enhance Mirantis products and services.

To disable the telemetry function, set features.telemetry to false in the daemon.json file, which is located in C:\ProgramData\docker\config\.

{"features":{"telemetry": false}}

You can change the setting back to true to re-enable telemetry

Caution

To send the telemetry, verify that dockerd can resolve api.segment.io and create a TCP (HTTPS) connection on port 443.

Uninstall MCR

Use the following commands to remove MCR from a Windows Server.

  1. Leave any active Docker Swarms.

    docker swarm leave --force
    
  2. Prune container data.

    docker system prune -all
    
  3. Run the installation script using the uninstall flag to remove MCR from the system.