Introduce windows images #362
A couple of things we'll need to think about:
|
This would also involve updating their SHA256-sums which are used instead of GPG signature checking. |
I keep the Windows Dockerfiles up to date with this update.sh |
We could switch over to GPG signature checking for Windows as well. But I only found https://www.gpg4win.org/package-integrity.html which buries the gpg.exe into an exe installer and eventually not working in Nanoserver. It is complex to get rid of the temporary exe installer again I guess. But once we have PR moby/moby#31257 in official Docker engine we could run the gpg installer in windowsservercore, then download and check GPG signature and extract the ZIPs and finally draft small windowsservercore and nanoserver images with multiple FROM instructions. In my dockerfiles repo I could switch to this approach as I'm using AppVeyor and can switch to master builds of dockerd.exe very easily. |
That would be a way to do it. See a proof-of-concept at
which does the gpg installation, adding the gpg keys, downloading SHA256SUMS.txt.asc checking the signature and grepping the checksum for the zip file and the final sha256 check itself. |
@StefanScherer could you include updates to the files @chorrell mentions? You can look at the python repo for examples of |
2dab140 to 3d6a793
@SimenB I've updated the |
@nodejs/docker any reason not to merge this? If not, how do we handle CI? @tianon does this look correct to you? Is using multi-stage builds ok? |
@StefanScherer could you paste the output from running Edit: oops, wrong tag. Fat thumbs! |
Maybe I should add Yarn as well? |
Definitely! |
@SimenB This is the output of
|
I had a look at Yarn how to install it on Windows. I can't take the similar way as on Linux, there is no *.asc file and there is only an MSI package. But they provide a Chocolatey package that does the download + checksum check here. |
Oh, a Should we ask the Yarn team to provide a GPG signature for the MSI package? |
@yhwang Don't worry. Adding AppVeyor CI would help testing further pull requests for the Windows images. I have added an Think of AppVeyor = Travis, but for Windows :-) |
Do we need to use the msi? Why not just download the JS file (that's what the other images do, right?)? /Cc @Daniel15 as he has done lots of work on yarn packaging (and uses Windows!) |
I thought about |
Why can't we do the same for windows? AFAIK there are no native dependencies, it should be pure JS |
@SimenB Good idea. Yes, even the .tar.gz has the
|
Still not so easy, I need 7-Zip to extract the .tar.gz 😂 |
I know this issue has been floating around for a while, but we're really excited to see something like this land :) Anything we can do to help? |
docker-library/official-images#5929 has landed, so we should be able to use multi-staged builds now. @StefanScherer wanna refresh this? |
Thanks @SimenB for the heads-up. That is very good news. A lot of things changed since then, a lot of base images for different Windows OS versions are available, nanoserver:sac2016 and 1709 are already deprecated. Do you know if this repo also has access to multiple Windows Server versions? The golang repo uses e.g. |
I don't know, maybe @tianon could chime in? 🙂 |
If any other official images can, I believe that we also can, just need help from official image team. Maybe we can resolve some of the conflicts first? |
The main obstacle at the time was that we were unable to install a GPG tool to validate the download on nanoserver. |
I would recommend just ditching PGP verification for Windows -- IMO the added overhead of installing a tool isn't worth the benefit (a SHA256 or similar should be sufficient). What I'd recommend for getting Nano Server accepted here is to structure this with Windows Server Core variants that Nano Server uses via See docker-library/openjdk@e4f01b5 for an example of this approach I've just played with over on OpenJDK (although that one will ultimately likely not end up getting published due to https://bugs.openjdk.java.net/browse/JDK-8218486 / https://bugs.openjdk.java.net/browse/JDK-8225425 which still plagues even OpenJDK 13 -- Nano Server really just doesn't seem to be actually supported by OpenJDK, and I'd caution only going forward with Nano Server here if the Node.js community is going to support Nano Server officially). |
Do you even need PGP verification on Windows, if you're using Authenticode verification? |
I have a version with MSI and Authenticode in #827, but that won't work on nanoserver |
@nodejs/build is this something you can chime in on? Regardless of ^, we could start with |
I've not seen any discussion of nanoserver on the Node side and there are no instances in our CI. @joaocgreis is this in your plans at all? |
It might be possible to add Nano Server to CI, we are looking into this. cc @MichelLopez |
Well, for nanoserver you only need a Windows Server 2016/2019 with Docker engine, then you can run nanoserver containers. There is no nanoserver OS anymore, only as a lightweight container image. |
What's the latest status with this PR? Doesn't appear to have been any activity for quite a while. I ask because I am looking for exactly this image (node + windowsservercore) for one of our projects. |
hi dont any update about it?? |
Hello @StefanScherer, This issue is somewhat blocking the release of a product here at Microsoft (it creates a sub-par experience where we have to embed nodejs in our image instead of using an official image). I'm willing to spend some engineering time needed to make this happen. What was the reasoning behind closing this PR, except the fact it was open quite a long time ago? What is needed to get a Windows-based NodeJS image? Thanks in advance for your answer! |
@tianon @yosifkit any new thoughts on this, or is #362 (comment) still the current state of affairs? Any versions you recommend (or not)? |
My suggestion would be to start with a Windows Server Core version and only doing checksum validation (which can be done in raw PowerShell -- I can provide examples if necessary). I'm willing to work on an initial version from what Stefan's built here too, if you want. |
@tianon let me know if you need anything from me (pair programming, testing on different Windows VMs, ...). |
Here's a first pass: (verbose on the

```dockerfile
FROM mcr.microsoft.com/windows/servercore:1809

SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]

# PATH isn't actually set in the Docker image, so we have to set it from within the container
RUN $newPath = ('C:\nodejs;{0}\Yarn\bin;{1}' -f $env:LOCALAPPDATA, $env:PATH); \
    Write-Host ('Updating PATH: {0}' -f $newPath); \
    [Environment]::SetEnvironmentVariable('PATH', $newPath, [EnvironmentVariableTarget]::Machine)
# doing this first to share cache across versions more aggressively

ENV NODE_VERSION 17.6.0
ENV NODE_SHA256 eb9ff1dde916436716fe9054e6b5fd310e7f6bac3599bbd0cb335d4ac8b0cc96

RUN $url = ('https://nodejs.org/dist/v{0}/node-v{0}-win-x64.zip' -f $env:NODE_VERSION); \
    Write-Host ('Downloading {0} ...' -f $url); \
    Invoke-WebRequest -Uri $url -OutFile 'node.zip'; \
    \
    Write-Host ('Verifying sha256 ({0}) ...' -f $env:NODE_SHA256); \
    if ((Get-FileHash node.zip -Algorithm sha256).Hash -ne $env:NODE_SHA256) { throw 'SHA256 mismatch' }; \
    \
    Write-Host 'Expanding ...'; \
    Expand-Archive node.zip -DestinationPath C:\; \
    \
    Write-Host 'Renaming ...'; \
    Rename-Item -Path ('C:\node-v{0}-win-x64' -f $env:NODE_VERSION) -NewName 'C:\nodejs'; \
    \
    Write-Host 'Removing ...'; \
    Remove-Item node.zip -Force; \
    \
    Write-Host 'Verifying ("node --version") ...'; \
    node --version; \
    Write-Host 'Verifying ("npm --version") ...'; \
    npm --version; \
    \
    Write-Host 'Complete.'

ENV YARN_VERSION 1.22.17

# "It is recommended to install Yarn through the npm package manager" (https://classic.yarnpkg.com/en/docs/install)
RUN Write-Host 'Installing "yarn" ...'; \
    npm install --global ('yarn@{0}' -f $env:YARN_VERSION); \
    \
    Write-Host 'Verifying ("yarn --version") ...'; \
    yarn --version; \
    \
    Write-Host 'Complete.'

CMD [ "node" ]
```

One fun quirk here (that's a quirk of Windows containers in general) is that you can |
@tianon Thanks a lot, your Dockerfile works gr8 🎉 I only encountered one problem when using parcel-bundler, because vc_redist is missing. So one should also add something like this to the Dockerfile:

```dockerfile
RUN $url = 'https://aka.ms/vs/17/release/vc_redist.x64.exe'; \
    Write-Host ('Downloading {0} ...' -f $url); \
    Invoke-WebRequest -Uri $url -OutFile vcredist_x64.exe; \
    \
    Write-Host ('Installing vcredist_x64.exe ...'); \
    Start-Process -filepath "vcredist_x64.exe" -ArgumentList "/install", "/passive", \
    "/norestart", "'/log c:/temp/a.txt'" -PassThru | wait-process; \
    \
    Write-Host 'Removing vcredist_x64.exe ...'; \
    Remove-Item vcredist_x64.exe -Force; \
    \
    Write-Host 'Complete.'
```

I put it before the node installation for caching reasons |
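The thread weighs SHA256 pinning, PGP and Authenticode for verifying downloads, and the vc_redist step above runs an installer fetched from an aka.ms link with no integrity check. As an added example (not code from this PR or from any commenter), the fragment below checks the installer's Authenticode signature before executing it, which also covers the case where a pinned SHA256 is impractical because the link's target changes between releases. Assumptions: the expected publisher string in `VCREDIST_SIGNER`, the `/quiet` switch, and treating exit code 3010 (reboot required) as success.

```dockerfile
FROM mcr.microsoft.com/windows/servercore:1809

SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]

# Assumption: organization name expected in the signing certificate's subject.
# Confirm it against the certificate of a known-good copy before relying on it.
ENV VCREDIST_SIGNER="Microsoft Corporation"

RUN $url = 'https://aka.ms/vs/17/release/vc_redist.x64.exe'; \
    Write-Host ('Downloading {0} ...' -f $url); \
    Invoke-WebRequest -Uri $url -OutFile 'vc_redist.x64.exe'; \
    \
    Write-Host 'Verifying Authenticode signature ...'; \
    $sig = Get-AuthenticodeSignature -FilePath 'vc_redist.x64.exe'; \
    # 'Valid' means the file hash matches the signature and the chain ends in a trusted root
    if ($sig.Status -ne 'Valid') { throw ('Authenticode status {0}: {1}' -f $sig.Status, $sig.StatusMessage) }; \
    # A valid signature from an unexpected publisher must also fail the build
    $subject = $sig.SignerCertificate.Subject; \
    if ($subject -notlike ('*O={0},*' -f $env:VCREDIST_SIGNER)) { throw ('Unexpected signer: {0}' -f $subject) }; \
    Write-Host ('Signed by: {0}' -f $subject); \
    \
    Write-Host 'Installing ...'; \
    $p = Start-Process -FilePath '.\vc_redist.x64.exe' -ArgumentList '/install', '/quiet', '/norestart' -Wait -PassThru; \
    # Fail the layer if the installer reports an error instead of continuing silently
    if ($p.ExitCode -notin 0, 3010) { throw ('Installer exit code {0}' -f $p.ExitCode) }; \
    \
    Write-Host 'Removing ...'; \
    Remove-Item 'vc_redist.x64.exe' -Force; \
    \
    Write-Host 'Complete.'
```

The subject match is a substring check on the organization field, so it is weaker than pinning the signing certificate's thumbprint; it still rejects unsigned or tampered files and files signed by a different publisher.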
What's the status on this? Will node never host images compatible for docker-windows? |
This PR introduces Dockerfiles for both Windows base OS images `windowsservercore` and `nanoserver`.

You can use AppVeyor for test builds like the Travis builds for Linux. The `appveyor.yml` is provided with this PR. It runs `test-build.ps1` which builds and tests the images like the `test-build.sh` script.

See https://ci.appveyor.com/project/StefanScherer/docker-node for an example.

Supersedes #222 and #223