How do I create image using dockerfile which requires reboot?

artisticcheese · May 3, 2017, 12:52am

I’m confused about using dockerfile for situation where certain RUN actions require reboot of OS to complete. Example is below is trying to uninstall Windows-Defender-Features which never works as a result of it.

Docker file

from microsoft/iis
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'Continue'; $verbosePreference='Continue';"]
RUN Remove-WindowsFeature -Name Windows-Defender-Features -Confirm:$false

Result

PS C:\gd\test> docker exec a0 powershell -c get-windowsfeature windows-defender-features

Display Name                                            Name
------------                                            ----
[X] Windows Defender Features                           Windows-Defender-Fea...

friism · May 3, 2017, 1:49am

Why do you need to remove windows-defender features from the container image?

artisticcheese · May 3, 2017, 11:43am

I don’t need it to be running since we are running our inhouse AV on host or may be our company want to use different AV product. Also I don’t think it’s really important which specific feature requires reboot since question how to do this in general is important to know

alefesta · May 8, 2017, 9:58am

Pretty easy:
inside dockerfile use

RUN powershell -Command “Uninstall-WindowsFeature -Name Windows-Defender-Features -Restart:$true”

When you’ll run a new container it will act as a restart so the feature will be marked as removed.

artisticcheese · May 8, 2017, 12:05pm

@alefesta Did you verify that it works? I assume since during docker build container is not restarted that feature will still be available.

alefesta · May 8, 2017, 12:55pm

Yes when you create the first container the feature show as correctly uninstalled.
I did not yet tested if the same behavior occupare using the original command in the thread.
I assume that since the command is marked as removed in the build when you start the container for the first time it will interpreted as a restart.

artisticcheese · May 8, 2017, 1:47pm

This worked. Concern is that system seems to be left in “PendingReboot” state. “Get-WindowsFeature” returns some errors. Windows Defender service is still present but in stopped “State”. I really hope docker and Microsoft will have some discussion how to handle situations like this where reboot is required as part of dockerfile build.

phila1 · May 9, 2017, 7:53am

When I came across this I had to stop and restart the container to reolve the reboot state. I’m still not sure how to do this a better way.

goffinf · May 15, 2017, 6:17am

Use a multi-stage build

artisticcheese · May 15, 2017, 11:35am

How do I do that? System upon boot thinks of itself as “pending reboot” and this condition persists accross reboots since it’s never actually completes tasks Windows planned to perform upon reboot.

phila1 · May 16, 2017, 8:47am

My colleague says this problem was even mentioned at Dockercon2017.

artisticcheese · May 18, 2017, 2:33am

Do add insult to injury Defender actually takes 370 MB of drive space.

PS C:\Programdata\Microsoft\Windows Defender> C:\Chocolatey\bin\du64.bat -l 2

DU v1.6 - Directory disk usage reporter
Copyright (C) 2005-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

           0  C:\Programdata\Microsoft\Windows Defender\Clean Store
           0  C:\Programdata\Microsoft\Windows Defender\Definition Updates\Backup
     125,924  C:\Programdata\Microsoft\Windows Defender\Definition Updates\Default
           0  C:\Programdata\Microsoft\Windows Defender\Definition Updates\NisBackup
           0  C:\Programdata\Microsoft\Windows Defender\Definition Updates\Updates
     125,924  C:\Programdata\Microsoft\Windows Defender\Definition Updates
           0  C:\Programdata\Microsoft\Windows Defender\Features
           0  C:\Programdata\Microsoft\Windows Defender\LocalCopy
           1  C:\Programdata\Microsoft\Windows Defender\Network Inspection System\Support
           1  C:\Programdata\Microsoft\Windows Defender\Network Inspection System
           0  C:\Programdata\Microsoft\Windows Defender\Quarantine
           0  C:\Programdata\Microsoft\Windows Defender\Scans\CleanFileTelemetry
           0  C:\Programdata\Microsoft\Windows Defender\Scans\CleanStore
           1  C:\Programdata\Microsoft\Windows Defender\Scans\History
           0  C:\Programdata\Microsoft\Windows Defender\Scans\MetaStore
           0  C:\Programdata\Microsoft\Windows Defender\Scans\RtSigs
     234,487  C:\Programdata\Microsoft\Windows Defender\Scans
          44  C:\Programdata\Microsoft\Windows Defender\Support
Files:        48
Directories:  46
Size:         369,107,944 bytes
Size on disk: 380,928 bytes