Support Kubernetes Go binaries in Nanoserver Images

[jeremyje]

Go is a statically linked language but for OS specific logic there's the need to occasionally use CGO. Kubernetes binaries tends to have a dependency on netapi32.dll specifically for lookup_windows.go in os.User function. There's logic to query Active Directory user information. For more context see golang/go#21867. It appears that the DLL was removed in Windows Server 1709.

It'd be nice if Windows Nanoserver images had the necessary support to run most Kubernetes binaries without doing the netapi32.dll copy trick. There are probably other dependencies that Kubernetes for Windows needs but this appears to be the most significant.

I think it would also be useful to understand what is and is not included in Windows Nanoserver images. Some of this information used to be documented at https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/mt588480(v=vs.85).

A nondisruptive option might be to introduce a Nanoserver variant that includes the DLLs necessary to run Go binaries with http://golang.org/x/sys/windows linked in and offer it here, https://hub.docker.com/publishers/microsoftowner.

[jeremyje]

CC: @craiglpeters @pjh

[jsturtevant]

@weijuans-msft for what is/isn't included in nano

[ghost]

This issue has been open for 30 days with no updates.
@weijuans-msft, please provide an update or close this issue.

[ghost]

This issue has been open for 30 days with no updates.
@weijuans-msft, please provide an update or close this issue.

[ghost]

This issue has been open for 30 days with no updates.
@weijuans-msft, please provide an update or close this issue.

[jeremyje]

https://techcommunity.microsoft.com/t5/containers/what-s-new-for-windows-containers-on-windows-server-2022/ba-p/2167036 came out. Is netapi32.dll going to be a part of that?

[weijuans-msft]

@jeremyje No, we didn't make any changes in the Nanoserver for Windows Server 2022 release.

What are you use cases? If you are comfortable to share publicly, please email us at [email protected]. It'll be helpful to understand the use case so we can prioritize.

Is this the file all you need to be added to Nanoserver container to enable the scenario here?

/Windows/System32/netapi32.dll

[weijuans-msft]

For Microsoft folks, internally I have created this scenario in Azure DevOps to track: 32512068.

[weijuans-msft]

And this Microsoft internal tracking deliverable in ADO #32788516.

[johnSchnake]

FWIW I just ran into this as well; Sonobuoy is working on supporting Windows nodes in K8s and I initially tried nanoserver and ran into the same missing DLL. That's the only one I know causes a problem but I haven't messed with trying to add that DLL back into the image or anything. Easiest fix for us is just to use servercore instead, not sure if you have another recommendation.

[ghost]

This issue has been open for 30 days with no updates.
@weijuans-msft, please provide an update or close this issue.

[ghost]

This issue has been open for 30 days with no updates.
@weijuans-msft, please provide an update or close this issue.

[weijuans-msft]

We have it in our internal backlog and will evaluate with other similar related asks and prioritize.

[ghost]

This issue has been open for 30 days with no updates.
@weijuans-msft, please provide an update or close this issue.

[ghost]

This issue has been open for 30 days with no updates.
@weijuans-msft, please provide an update or close this issue.

[ghost]

This issue has been open for 30 days with no updates.
@msjingli, please provide an update or close this issue.

[mloskot]

@weijuans-msft

If there is data on (...) use cases/scenarios, please do share.

There is quite a lot of GUI-less software servers that require the Network Management API, for example licencing servers like Gemalto's, and it would be very helpful if such serves run on nanoserver. Those run on servercore containers fine, but it is hard to justify the extra 1 GB of container size.
The nanoserver offers all features necessary and just the handful of DLLs is missing.

[m-deepakraja]

Any update on this issue?

[weijuans-msft]

Our engineer is getting close to finish the code change. Next need to test, and also figure out a shipping vehicle. Curious what OS are folks using? Windows Server 2019? Windows Server 2022? Our current engineering process is we will first make the change in the active branch which is Windows Server vNext (general Insider builds are out; we are working on getting the container Insider builds out too). Will folks to be interested in testing with Windows Server vNext? @jterry75 @mloskot @jeremyje

[mloskot]

Curious what OS are folks using? Windows Server 2019? Windows Server 2022?

2019, but if Windows Server 2022 release delivers NanoServer improvements, then switching to 2022 is not a problem at all.

Will folks to be interested in testing with Windows Server vNext?

Yes, I am interested to test any new container images of NanoServer to see if they can run my software, if I can switch over from ServerCore.

[TBBle]

From the ABI stability support announced with Server 2022, as I recall, for process isolation a Server vNext container image will need a Server vNext host, but a Server 2022 container image will work on both 2022 and vNext hosts (and Windows 11). Is that accurate?

[weijuans-msft]

@mloskot Windows Server 2022 GA'ed last Sept hence any changes to that will be released with the shipping vehicle of the monthly patches (usually the 2nd Tue of the month). In another word, currently there is no major improvement in Nano server of the Server 2022 release. But we are and will be doing more on Windows Server vNext, and if those work out, we'll back port to Server 2022. Yeah, that takes a bit time. If I had a magic wand, I would love to make it faster.

Great to see the interest in Windows Server vNext Insider builds. Curious how you usually use it? Basically I could use more adoption data of the Insider builds to convince my team to prioritize this :).

@TBBle Good observation! You are right, Windows Server 2022 container images will be the first that can be run on a host OS at the same version or higher version as a process isolated container. That is the host will need to be Server 2022 or higher.

[jterry75]

@weijuans-msft - We are also on WS2019 and WS2022 for prod (no vNext), but we could certainly test on vNext to support the changes and provide feedback.

[ghost]

This issue has been open for 30 days with no updates.
@msjingli, please provide an update or close this issue.

[ghost]

This issue has been open for 30 days with no updates.
@msjingli, please provide an update or close this issue.

[mloskot]

(Don't close this yet.)

[ghost]

This issue has been open for 30 days with no updates.
@akarshm, please provide an update or close this issue.

[ghost]

This issue has been open for 30 days with no updates.
@akarshm, please provide an update or close this issue.

[mloskot]

/cc @fady-azmy-msft @akarshm

[ghost]

This issue has been open for 30 days with no updates.
@akarshm, please provide an update or close this issue.

[mloskot]

Bump

[microsoft-github-policy-service]

This issue has been open for 30 days with no updates.
@akarshm, please provide an update or close this issue.

[microsoft-github-policy-service]

This issue has been open for 30 days with no updates.
@akarshm, please provide an update or close this issue.

[mloskot]

Please, don't close and instead, please, make NanoServer go for Go!

[akarshm]

This is in our backlog and will be considered a feature item for the next major release for Windows Server Containers. Unfortunately, I don't have a timeline to share at this time.

[TBBle]

Is it reasonable to equate "next major release for Windows Server Containers" with "next Windows Server LTSC"? I recognise that this isn't committed for that next major release, just wondering if there's a distinct release cadence for Windows Server Containers vs Windows Server.

[akarshm]

You're right. Windows Server Container releases are aligned to the Windows Server release cadence.