Hello. I have built a multi-architecture image that looks like:

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
  "manifests": [
    {
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "size": 742,
      "digest": "sha256:9ea3ea0478769884c5be0caf15c70c97ef47ae894fddeb48779dc3fd404fd67a",
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      }
    },
    {
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "size": 3459,
      "digest": "sha256:bcaed176b5f2c5ea1092249252f42db5ae8814dd3f5536b94313cdc976ef5b37",
      "platform": {
        "architecture": "amd64",
        "os": "windows",
        "os.version": "10.0.17763.5458"
      }
    },
    {
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "size": 3459,
      "digest": "sha256:0f8a9f04e95afe0db02b867644f0b62bae7bd57c73c47dd4be06edd36fbceb4e",
      "platform": {
        "architecture": "amd64",
        "os": "windows",
        "os.version": "10.0.20348.2322"
      }
    }
  ]
}

When I run docker info locally I see:

 Operating System: Microsoft Windows Version 23H2 (OS Build 22631.3296)

When I run a docker pull on my image I see the following in the event log after enabling debugging:

debug: will prefer Windows entries with version 10.0.22631
debug: ignoring linux/amd64  with media type application/vnd.docker.distribution.manifest.v2+json, digest sha256:9ea3ea0478769884c5be0caf15c70c97ef47ae894fddeb48779dc3fd404fd67a
debug: found match windows/amd64 10.0.17763.5458 with media type application/vnd.docker.distribution.manifest.v2+json, digest sha256:bcaed176b5f2c5ea1092249252f42db5ae8814dd3f5536b94313cdc976ef5b37
debug: found match windows/amd64 10.0.20348.2322 with media type application/vnd.docker.distribution.manifest.v2+json, digest sha256:0f8a9f04e95afe0db02b867644f0b62bae7bd57c73c47dd4be06edd36fbceb4e

But when I inspect the image on my local machine I see the oldest OsVersion. So docker pull elected to pull the oldest image in the multi architecture image that matched my machine’s architecture.

"Architecture": "amd64",
"Os": "windows",
"OsVersion": "10.0.17763.5458"

So my local OS Version is 10.0.22631, and the multi-arch image contains OS Versions 10.0.17763.5458 and 10.0.20348.2322. Why is docker pull grabbing 10.0.17763 and is there a way I can request 10.0.20348?

Kind regards,
Jason.

What do you see exactly when you do docker inspect? I’m not sure how you could pull a version whch doesn’t even exist remotely. What I know is that Windows containers can work in process isolation mode and HyperV isolation mode. In process isolation mode you need to use the same Windows version while in HyperV isolation mode the containers vill be virtualized.

You could try setting --isolation=hyperv when pulling the image. Assuming it is supported by the pull subcommand on Windows, since it is not mentioned in the documentation, only for docker run

I also recommend reading this:

https://learn.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-2022%2Cwindows-11#matching-container-host-version-with-container-image-versions

Continuing the discussion from Windows Pulling Olders OsVersion in Multi Architecture Image:

Thank you for your reply! This is what I see in docker inspect for the image after a pull on my Windows 11 machine:

[
    {
        "Id": "sha256:63f9b6297abc9e95e4f49731877edd30b47fedff60866eb1479199b90bb1fd33",
        "RepoTags": [
            "myimage:latest"
        ],
        "RepoDigests": [
            "myimage@sha256:cf12b9e19b66988122d745b20f0317432d76c357c133d138817ede5f4868a3cc"
        ],
        "Parent": "",
        "Comment": "",
        "Created": "2024-03-16T05:36:26.3589864Z",
        "Container": "c13b7757a8b61a386abba1754b71fc0b23b62dd7e4db3ceb74bed0fb89cec34f",
        "ContainerConfig": {
            "Hostname": "c13b7757a8b6",
            "Domainname": "",
            "User": "ContainerUser",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": null,
            "Image": "sha256:e1f06d732e476ca5af9ee207b031257c3344a94d6fb375345c705350ed55181c",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Shell": [
                "pwsh",
                "-Command"
            ]
        },
        "DockerVersion": "24.0.7",
        "Author": "",
        "Config": {
            "Hostname": "",
            "Domainname": "",
            "User": "ContainerUser",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": null,
            "Cmd": [
                "c:\\windows\\system32\\cmd.exe"
            ],
            "Image": "sha256:e1f06d732e476ca5af9ee207b031257c3344a94d6fb375345c705350ed55181c",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Shell": [
                "pwsh",
                "-Command"
            ]
        },
        "Architecture": "amd64",
        "Os": "windows",
        "OsVersion": "10.0.17763.5458",
        "Size": 5070369050,
        "GraphDriver": {
            "Data": {
                "dir": "C:\\ProgramData\\Docker\\windowsfilter\\e9a81addca75e6912765c85bc5e222233ea69a7994ba6fd3c29e27bd962eddd3"
            },
            "Name": "windowsfilter"
        },
        "RootFS": {
            "Type": "layers",
            "Layers": [
                "sha256:da2d874340bd0ca5f710fcb2bb9abc7423e71287e9f2b87694767375272e797d",
                "sha256:08e291647280028dbd8f912d8852d16eeb2f24abbd9d4b1093c4b89e51b81bcc",
                "sha256:8d6a529aacc03723095a1637f6292126bcd8f09f4d87ca0566d43e7594125726",
                "sha256:536e90c00aa1436217888a59be43a856dbbccde397d8043d14cd9466903f29a3",
                "sha256:15e6ed54178fbd187ebc784d6ec5172af4f152bab9a5758c7e9776e503fccd55",
                "sha256:bb8a222828be9f3c559b463f71fe2fdc470c4c6297c06435f3eeff54f187225e",
                "sha256:4d6e894415a31953e4e0eda80f09b8eb27d074ffacc5f315ea4a380538a04c09",
                "sha256:8eca60cbd2fc99c94c1d85475fab897024a8dac203d14e25228b4b788762a481",
                "sha256:a294a5196fef474f1eb1b5ba1957d918a7a2ea3c8a7b63c55cdc61752ec6f8d2",
                "sha256:84c13435e4181f5e80b1874d7f5b19590636b3ac4a982fa3dc4871c393e31dc5",
                "sha256:5e14d7585ee375514ffa03f24d97318872dac23aca87c4f6bb096efa3a20aec1",
                "sha256:8c1484656218550179c3095c91a472b93f086a9432dd2c96eadae45193c81e94",
                "sha256:2d490c1646b128a8d23b90b7e7b621ece69519703c3ba6e8af47d46a00a7eac5",
                "sha256:c47bf9abd3901e552abb83433bf5a0cb5d083ecae306f0fcdb96187143c8e085",
                "sha256:6ddbb9dcb68edfe7cd2ad6884ae04a86bfdf9b0e7876a3b84d544f5826b108ce"
            ]
        },
        "Metadata": {
            "LastTagTime": "0001-01-01T00:00:00Z"
        }
    }
]

In the article you linked it describes how the Windows docker matches images for process isolation. Given Major.Minor.Build.Revision the Build must match between host and image for process isolation. The exception is Windows 11 (e.g. 10.0.22631.3296) which can run Windows Server 2022 images (e.g. 10.0.22631.3296).

So I have created a multi-architecture manifest list which contains an image for Windows 10.0.20348.2322 (Windows Server 2019) and an image for Windows 10.0.17763.5458 (Windows Server 2022). I’m running Windows 10.0.22631.3296 (Windows 11) which supports running images for 10.0.20348.2322 with process isolation (not Hyper-V) (as documented in your link). When I docker pull my manifest list, docker pulls the 10.0.17763.5458 image which can’t be run on my 10.0.22631.3296 Windows 11 machine without Hyper-V. I would’ve expected docker to pull the 10.0.20348 image instead.

My question is: 1) Why is docker pulling an Os.Version which isn’t supported by my host’s process isolation. Given the two images I would’ve expected it to pull the one which most closely matches my OS version. 2) Is there a way I can run a docker pull on my manifest list to pull the 10.0.20348 image? I’ve had a play with the --platform argument but can’t seem to specify an Os.Version.

This is the exact same topic? Why did you inserted the link? Was it automatically inserted somehow?

According to the documentation, it is a preview feature:

Process isolation on Windows client is available in preview for Windows 11 with Windows Server 2022 images - with build number mismatch.

I didn’t know that they already had a preview as I don’t follow Windows container news and I don’t have experience that would help you here. While you are waiting here for more users to answer, maybe you could ask this question on a Microsoft forum as well.

Apologies, yes that ‘continuing the discussion from’ was automatically inserted unintentionally.

Good pick up on the fact that process isolation with build mismatch is a preview feature.

Is there a way for me to docker pull from a manifest list and request a specific Os.Version?

Even if you could pull a specific version when you run the container, it could be overwritten, but you could try using the digest from the manifest json. For example:

docker pull imagename@sha256:bcaed176b5f2c5ea1092249252f42db5ae8814dd3f5536b94313cdc976ef5b37

Just make sure you use the correct image name and choose the digest that belongs to the OS version you want.

Then when you start the container, use the same tag with the digest that you used to pull the image. You don’t need to pull before running, but if you pull before it, you can inspect it and confirm that is the right version. When you use it in a Dockerfile, you could use the digest in the FROM instruction. If it doesn’t help, I’m out of ideas. You can read about the digest here:

https://docs.docker.com/reference/cli/docker/image/pull/