Docker Community Forums

Share and learn in the Docker community.

Can't run windows container (encrypted / compressed issue) although container lies on unencrypted, uncompressed location

Docker Version: 2.5.0.1
Windows Version: 10.0.18363

I have a bitlocker encrypted notebook (can’t change that because of company policy). I installed docker for windows and tried to run a windows subsystem. I get an error

docker run mcr.microsoft.com/windows/nanoserver:10.0.18363.1198
docker: Error response from daemon: hcsshim::CreateComputeSystem 9dfc8685de20c73908ef9d2a1c4de6d92083346f74ab8b3b8ee5b079689fa83d: Der angeforderte Vorgang konnte aufgrund einer Beschränkung für das virtuelle Datenträgersystem nicht abgeschlossen werden. Die Dateien virtueller Festplatten müssen unkomprimiert und unverschlüsselt sein und dürfen nicht als platzsparend festgelegt werden.
(extra info: {“SystemType”:“Container”,“Name”:“9dfc8685de20c73908ef9d2a1c4de6d92083346f74ab8b3b8ee5b079689fa83d”,“Owner”:“docker”,“IgnoreFlushesDuringBoot”:true,“LayerFolderPath”:“E:\Docker\windowsfilter\9dfc8685de20c73908ef9d2a1c4de6d92083346f74ab8b3b8ee5b079689fa83d”,“Layers”:[{“ID”:“ab5b0dab-7662-566f-bd10-95813160350b”,“Path”:“E:\Docker\windowsfilter\5186d91a1d1fb92f91816ebe503e00f37f512d4b4b9f4218c5b3fe2a01c58f69”}],“HostName”:“9dfc8685de20”,“HvPartition”:true,“EndpointList”:[“F97F9575-8791-4D60-B013-2E1FF003C167”],“HvRuntime”:{“ImagePath”:“E:\Docker\windowsfilter\5186d91a1d1fb92f91816ebe503e00f37f512d4b4b9f4218c5b3fe2a01c58f69\UtilityVM”},“AllowUnqualifiedDNSQuery”:true}).

I changed the data root in

C:\ProgramData\Docker\config\daemon.json

to E:\Docker. This is an unencrypted an uncompressed partition. Why am I getting this error, when the container lies in E:\Docker\windowsfilter ?

The error in english:

The requested operation could not be completed due to a limitation on the virtual disk system. Virtual hard disk files must be uncompressed and unencrypted and must not be designated as space-saving.

EDIT:
I decompressed my whole system now. The message ist still the same. This means to me: Docker with Windows Containers is not possible with bitlocker. Right?

EDIT2:
As an experiment, I created a Win10 Hyper-V machine and moved it over all partitions. It started everywhere without any problems. So it seems to be a docker bug or misconfiguration. But I have no clue where to start.

So no idea? Nobody? Sorry, but if Docker didn’t run with bitlocker it shold be told before the installation…

Hmm very silent forum… So from a fresh Windows I did these steps:

  • Activate Bitlocker
  • Enable Compression
  • Install Docker for Win
  • Notive that Windows Container don’t work
  • Disable compression on all drives

Hyper-V works on all drives. So dear docker… whats the problem? Or should I move to another container technology?

@AnyDockerSupportMember: what about thinking and helping?

Updated to Docker 3.0. No change. Frustrating piece of software…

Just out of curriousity: only windows containers are affected?

I have seen many colleagues of mine see using Docker Desktop for Windows on our corparate notebooks with bitlocker (not sure if they use compression though). I can imagine some sort of security hardending rolled out by group polices or antivirus settings might be the reason. If your company’s policies do not specificy forbid to run Docker, I would suggest to raise a support ticket in your companies IT deparment and make it their problem.

I personaly still use my own vagrant ubuntu boxes and run docker where it belongs: on a linux system where it is treated as a first class citizen.

First of all: thank you for the first answer since weeks… I felt a little bit lost here…

Ok. That ist good news I think. That means bitlocker is not a blocker for running containers.

Sadly I don’t think they will help me. Other colleagues are using docker too (but I don’t know if they only use windows containers). So it’s a configuration problem with my windows installation I think. A hint for that is, that Hyper-V runs on my system.

Yes. Linux containers wor for me, too (testet with the hellow world container). I want to check wether my companys (windows) software runs inside a windows docker container.

So Linux is not the question at this time.

As you see in my Error Messsage the container runs on E: what is unencrypted und uncompressed. I don’t think the message points to the real problem.

I have seen your questions and feelt it would be better if someone actualy using it DDfW would respond. Since no one did, I at least wanted to share what I have seen.

Escallate :slight_smile: Be unconfortable to them. Maybe your Windows installation is bugged? Or the other users using it are using a less constraining profile in the antivirus programm? After all, your company is the one beeing responsible to provide needs-based work equipment, aren’t they :wink:

If you drop me a specific docker run command using a publicly available image, I can ask one of my collegues to run it and get back with the result to you.

Update: I have missed that you did in your first post: docker run mcr.microsoft.com/windows/nanoserver:10.0.18363.1198. We might be on a more recent kernel with our windows hosts… I will ask somone to execute it anyway.

So I asked a collegue and he points out with Windows 1909 (check version with: Win+R winver) Linux containers are run with WSL2, which does not use hyperv. From what I remember WSL2 needs to enabled explicitly.

Windows container always need hyperv, though he indicated that the it department is able to apply group policies to prevent execution of hyperv (or just the vms?!).

So if you Linux containers do use WSL2, this might be an explaination.

I’m able to run hyper-v (using hyper-v-manager). I tried every partition and it worked on all…
Thx for your help!