Windows Container download issues

As mentioned in my previous blog post my first attempt installing and configuring Windows Containers was not very successful. I experienced download issues of various Windows Container components and received messages like “Unable to download the list of available providers” or “Bits Transfers failed”. This blog post will explain more about the root cause and how to solve these issue so you can start using Windows Containers.

My first experience with Windows Container

After enabling the feature a package provider needs to be installed. When running the command “Install-PackageProvider ContainerImage -Force” the following message can be displayed.

So as mentioned I checked my internet connection and I could ping bing.com without any problem.

check-your-internet-connection

After some searching on the internet I found the following Stack Overflow article. With the following lines I was able to run the Install-PackageProvider command.

Following the guide “Find-ContainerImage” is up next but also this command is not running as expected. The following message is displayed.

Now what is not captured in this message is the download attempt of the txt file and with a screenshot I was able get the URL which is the SearchContainerImages.txt.

I decided to download the required wim file and installed it by using “Install-ContainerOSImage -WimPath [path]”.

One of the last steps to get Docker up and running is to install the Docker client. Now Microsoft delivers a script but again this was not working so by manually downloading the script and pointing all the download references to a local copy of the binaries fixed it. By doing this I was able to verify the version by using the command “docker version”. A image should be installed and this can be verified by the command “docker images”.

Now Docker is running you should be able to run the container by the following command.

I received the following return message from Docker.

This message is related to the images which is not marked as latest. Because it is not tagged as latest Docker will reach the internet to pull the latest version of this image. In order to resolve this you should tag you image as latest with the following command.

After this you should be able to run a container.

The root cause of these downloading issues

When experiencing these downloading issues you can eventually get it up and running but it is a real hassle. When paying attention to the code part of Stack Overflow and the message “x509: certificate signed by unknown authority.” it should trigger you there is something wrong with the certificates. Files can contain a certificate, this is common when shipping products and all the binaries contain a signature of the company. This also applies to secure websites. When downloading this from the internet it will automatically verify these certificates. If the certificate cannot be verified you will experience these kind of errors. I can happen a policy named “Turn off Automatic Root Certificates Update” is configured which is not updating these root certificated. This will result the certificates cannot be verified.

Conclusion

All these errors and messages are cause by certificates and you have to make sure the user is are allowed to verify these certificates. Check the applied group policies and specifically the “Turn off Automatic Root Certificates Update”.

I hope this blog post is helpful and if you have a question please feel free to contact me.