
Docker CE on Windows User Guide

Product: Docker CE on Windows

Overview

This guide provides comprehensive instructions for deploying and using the cloudimg Docker Community Edition on Windows AMI on Amazon Web Services. The AMI delivers a fully preconfigured Windows Server instance with Docker CE installed and running as a Windows service, enabling you to build, ship, and run containerized applications immediately after launch.

Docker Community Edition is the free, open-source container runtime that allows you to package applications and their dependencies into lightweight, portable containers. Running Docker on Windows Server enables you to containerize Windows-based applications, run Windows containers natively, and leverage the Docker ecosystem of tools and registries for your deployment workflows.

This AMI is ideal for developers building and testing Windows container images, DevOps teams that need a Windows-based CI/CD build environment, or organizations migrating traditional Windows applications into containers. By running Docker on an AWS instance, you gain access to scalable compute resources and seamless integration with AWS container services such as Amazon ECR for image storage.

For any issues encountered while following this guide, please contact support@cloudimg.co.uk.


Prerequisites

Before launching the Docker CE on Windows AMI, ensure you have the following in place.

AWS Account: You need an active AWS account with permissions to launch EC2 instances, manage security groups, and access the AWS Marketplace.

EC2 Key Pair: Create or identify an existing EC2 key pair in the region where you plan to launch the instance. This key pair is required to decrypt the Windows Administrator password after launch.

Security Group: Prepare a security group that allows inbound RDP access. Additional ports may be required depending on the containers you run.

Protocol  Type  Port  Description
RDP       TCP   3389  Remote Desktop Access

If your containers expose services (for example, a web server on port 80 or 443), add the corresponding inbound rules to the security group as needed. It is strongly recommended to restrict the source IP range for RDP access to your known IP addresses or corporate CIDR blocks.

Remote Desktop Client: Install a Remote Desktop Protocol client on your local machine. Options include Microsoft Remote Desktop (available for Windows and macOS), Remmina (Linux), or any other RDP-compatible client.

Minimum Instance Requirements

Minimum CPU  Minimum RAM  Required Disk Space
1 vCPU       1 GB         30 GB

While the minimum requirements above will allow the instance to run, a t3.medium or larger instance type is strongly recommended for running Docker containers. Container workloads require additional CPU and memory above what the base operating system uses. For production container workloads, consider a t3.large or larger.


Step-by-Step Setup

Follow the steps below to launch and connect to your Docker CE on Windows instance.

Step 1: Launch the Instance

  1. Log in to your AWS account and navigate to the AWS Marketplace.
  2. Search for the cloudimg Docker CE on Windows AMI.
  3. Select your desired instance type (t3.medium or larger is recommended).
  4. Choose your preferred region and VPC configuration.
  5. Select the EC2 key pair you created in the prerequisites.
  6. Assign the security group with RDP access on port 3389 and any additional ports for your container services.
  7. Configure storage (30 GB minimum on the root volume; consider 50 GB or more for storing container images).
  8. Launch the instance.

Step 2: Wait for Status Checks

After launching the instance, navigate to the EC2 console and wait for the instance to show 2/2 status checks passing. This ensures the instance has fully booted and Windows has completed its initial setup. This process typically takes between 3 and 10 minutes.

Step 3: Retrieve the Administrator Password

  1. Open the EC2 console in the AWS region where you launched the instance.
  2. Select Instances from the left navigation panel.
  3. Locate and select your newly launched instance.
  4. Click Actions at the top of the page.
  5. Navigate to Security and then select Get Windows password.
  6. Click Browse and upload the private key file (.pem) from the key pair you selected during launch.
  7. Click Decrypt password.
  8. Copy the decrypted password and store it securely. This is your Administrator password.

Step 4: Connect via Remote Desktop

  1. Open your Remote Desktop client application.
  2. Create a new connection using the public IP address of your EC2 instance (or the private IP if connecting through a VPN or from within the same VPC).
  3. Enter the following credentials when prompted:
       • Username: Administrator
       • Password: The decrypted value from Step 3
  4. If a certificate warning appears, click Continue to proceed. This is expected for new connections.
  5. You will be connected to the Windows Server desktop.

Step 5: Verify Docker Is Running

Open the Command Prompt from the Start menu and run the following command to verify Docker is installed and running:

docker --help

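This displays the available Docker commands, confirming that the Docker client is installed. To confirm that the Docker service is responding as well, check the Docker version and make sure both the client and server components are reported: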

docker version

Server Components

The following software components are preinstalled on this AMI.

Component                 Version
Docker Community Edition  Latest

The AMI is built on Windows Server and includes Docker CE preconfigured as a Windows service. The Docker Engine runs natively and supports Windows containers out of the box.


Filesystem Layout

The instance uses a single volume configuration.

Drive  Purpose                           Minimum Size
C:\    Operating system and application  30 GB

Key directory locations on the instance:

Path                                      Description
C:\Program Files\Docker\                  Docker installation directory
C:\ProgramData\Docker\                    Docker daemon configuration and data
C:\ProgramData\Docker\config\daemon.json  Docker daemon configuration file
C:\ProgramData\Docker\windowsfilter\      Container filesystem layers and images
C:\Users\Administrator\                   User home directory for Dockerfiles

Container images and layers are stored under C:\ProgramData\Docker\ and can consume significant disk space. If you plan to work with many container images, attach an additional EBS volume and configure Docker to use it as the data root directory.


Managing Services

The Docker Engine is configured to start automatically when the instance boots. You can manage the Docker service using the Windows Services panel or the command line.

Using the Windows Services Panel

  1. Open the Start menu and search for Services.
  2. Click Services to open the Services management console.
  3. Locate Docker Engine in the services list.
  4. Double-click Docker Engine to view its properties.
  5. From the properties dialog, you can start, stop, pause, or restart the service.
  6. The Startup type is set to Automatic by default, meaning Docker starts when the instance boots.

Using the Command Line

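You can also manage the Docker service from an elevated Command Prompt or PowerShell window. The commands below call sc.exe by its full name because in Windows PowerShell sc is an alias for Set-Content; sc.exe behaves the same way in both shells.

To check the status of the Docker service:

sc.exe query docker

To stop the Docker service:

sc.exe stop docker

To start the Docker service:

sc.exe start docker

To restart the Docker service, stop it and then start it. net stop waits for the service to finish stopping before it returns, so the start that follows does not fail on a service that is still shutting down:

net stop docker
net start docker

To change the startup type to manual (Docker will not start on boot). Keep the space after start=, which older versions of sc.exe require:

sc.exe config docker start= demand

To change the startup type back to automatic:

sc.exe config docker start= auto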

Scripts and Logs

Docker Daemon Logs

Docker daemon logs on Windows are integrated with the Windows Event Log system. To view Docker logs:

  1. Open the Start menu and search for Event Viewer.
  2. Navigate to Applications and Services Logs then Docker Engine (if available), or check the Application log under Windows Logs for Docker related entries.

Alternatively, use PowerShell to retrieve Docker events:

Get-EventLog -LogName Application -Source Docker -Newest 50

Docker Container Logs

To view logs from a running or stopped container:

docker logs <container_name_or_id>

To follow logs in real time:

docker logs -f <container_name_or_id>

Docker Daemon Configuration

The Docker daemon configuration file is located at:

C:\ProgramData\Docker\config\daemon.json

You can edit this file to configure daemon settings such as storage drivers, logging options, registry mirrors, and network settings. After modifying the configuration, restart the Docker service for changes to take effect.
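
As an added example (not part of the original guide or of cloudimg's own tooling), the PowerShell function below sets the data-root setting mentioned in this guide while preserving any other keys already in daemon.json, then restarts the service. It assumes the additional EBS volume is already formatted and mounted as D:, and D:\docker-data is a hypothetical directory name.

```powershell
# Added example. Assumptions: the extra EBS volume is mounted as D: and
# D:\docker-data is a hypothetical directory name. Run from elevated PowerShell.
$ErrorActionPreference = 'Stop'

function Set-DockerDataRoot {
    param(
        [Parameter(Mandatory)] [string] $DataRoot,
        [string] $ConfigPath = 'C:\ProgramData\Docker\config\daemon.json'
    )

    # Load the existing settings so that other keys are preserved.
    $config = [pscustomobject]@{}
    if (Test-Path -LiteralPath $ConfigPath) {
        $raw = Get-Content -LiteralPath $ConfigPath -Raw
        if (-not [string]::IsNullOrWhiteSpace($raw)) {
            $config = $raw | ConvertFrom-Json   # stops here if the file is not valid JSON
        }
        # Keep a timestamped backup for rollback.
        $stamp = Get-Date -Format yyyyMMddHHmmss
        Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.$stamp.bak"
    }

    # Make sure the config directory and the new data root both exist.
    New-Item -ItemType Directory -Path (Split-Path -Parent $ConfigPath) -Force | Out-Null
    New-Item -ItemType Directory -Path $DataRoot -Force | Out-Null

    # Add or overwrite the data-root key.
    $config | Add-Member -NotePropertyName 'data-root' -NotePropertyValue $DataRoot -Force

    # Write UTF-8 without a byte order mark.
    $json = $config | ConvertTo-Json -Depth 10
    [System.IO.File]::WriteAllText($ConfigPath, $json, (New-Object System.Text.UTF8Encoding($false)))
    return $json
}

Set-DockerDataRoot -DataRoot 'D:\docker-data'
Restart-Service -Name docker

# Confirm that the daemon picked up the new location.
docker info --format '{{.DockerRootDir}}'
```

Images and containers stored under the previous data root are not moved to the new location, so pull the images again after the change.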

Windows Event Logs

For system-level diagnostics, use the Windows Event Viewer. Press the Windows key, search for Event Viewer, and open it to review application and system logs.


Troubleshooting

Cannot connect via RDP

  • Verify that the instance has passed 2/2 status checks in the EC2 console.
  • Confirm that your security group allows inbound TCP traffic on port 3389 from your IP address.
  • Ensure you are using the correct public IP address. If the instance was stopped and started, the public IP may have changed unless you are using an Elastic IP.
  • Check that your local firewall or corporate network is not blocking outbound RDP connections.

Password decryption fails

  • Ensure you are uploading the correct .pem file that matches the key pair selected during instance launch.
  • The password may take up to 15 minutes to become available after the first launch. Wait and try again if the option is greyed out.

Docker service is not running

  • Open the Services panel and check if the Docker Engine service is in a Running state.
  • If the service is stopped, try starting it manually. If it fails to start, check the Windows Event Viewer for error messages.
  • Ensure the instance has sufficient disk space. Docker may fail to start if the system drive is full.

Docker commands return errors

  • Verify you are running the Command Prompt as Administrator. Some Docker operations require elevated privileges.
  • Run docker version to check that both the Docker client and server components are responding.
  • If you see a "cannot connect to the Docker daemon" error, the Docker service may not be running. Start it using the methods described in the Managing Services section.

Container cannot access the network

  • Check that the security group allows outbound traffic on the ports your container needs.
  • Verify the Windows Firewall is not blocking container network traffic.
  • Use docker network ls to list available Docker networks and ensure your container is attached to the correct one.

Cannot pull images from Docker Hub

  • Ensure the instance has outbound internet access on port 443 (HTTPS).
  • If the instance is in a private subnet, configure a NAT gateway to allow outbound traffic.
  • Verify that DNS resolution is working by running nslookup hub.docker.com from the Command Prompt.

Insufficient disk space for container images

  • Docker images and container layers are stored on the C: drive by default. Monitor disk usage regularly.
  • Remove unused images with docker image prune and stopped containers with docker container prune.
  • For a more thorough cleanup, run docker system prune to remove all unused images, containers, networks, and build cache.
  • Attach an additional EBS volume and configure Docker to use it as the data root directory by editing the daemon.json file and adding a data-root setting.

Container performance is poor

  • Consider upgrading to a larger instance type with more CPU and RAM.
  • Monitor resource usage with docker stats to identify containers consuming excessive resources.
  • Use resource limits when starting containers with --memory and --cpus flags.

RDP session disconnects frequently

  • Check your network connection stability.
  • Adjust the RDP client settings to reduce bandwidth requirements by lowering the display quality or disabling visual effects.
  • Ensure the instance is not running out of memory due to container workloads.

Security Recommendations

Change the Administrator Password

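After your first login, change the default Administrator password to a strong, unique password. Open the Windows command prompt or PowerShell and run the following command, which prompts for the new password so that it does not appear on screen or in the command history:

net user Administrator *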

Note that once you change the password, the original decrypted password from the AWS console will no longer be valid.

Restrict RDP Access

Limit the security group rule for port 3389 to only your specific IP addresses or a trusted CIDR range. Avoid using 0.0.0.0/0, which would expose the instance to RDP brute-force attacks from the entire internet.
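
One way to check for the rule this section warns against, as an added example that is not part of the original guide: the PowerShell function below reads security group JSON in the shape returned by aws ec2 describe-security-groups and reports every rule that opens port 3389 to 0.0.0.0/0 or ::/0, including port ranges that cover 3389. The sample data, group IDs and the function name Find-OpenRdpRule are constructed for illustration.

```powershell
# Added example. Constructed sample in the shape of `aws ec2 describe-security-groups`
# output; group IDs are placeholders and 203.0.113.0/24 is a documentation range.
$sampleJson = @'
{"SecurityGroups":[
 {"GroupId":"sg-EXAMPLE1","IpPermissions":[{"IpProtocol":"tcp","FromPort":3389,"ToPort":3389,
   "IpRanges":[{"CidrIp":"0.0.0.0/0"}],"Ipv6Ranges":[]}]},
 {"GroupId":"sg-EXAMPLE2","IpPermissions":[{"IpProtocol":"tcp","FromPort":3389,"ToPort":3389,
   "IpRanges":[{"CidrIp":"203.0.113.0/24"}],"Ipv6Ranges":[]}]},
 {"GroupId":"sg-EXAMPLE3","IpPermissions":[{"IpProtocol":"tcp","FromPort":3000,"ToPort":4000,
   "IpRanges":[],"Ipv6Ranges":[{"CidrIpv6":"::/0"}]}]}
]}
'@

function Find-OpenRdpRule {
    param([Parameter(Mandatory)] [string] $Json, [int] $Port = 3389)
    foreach ($group in ($Json | ConvertFrom-Json).SecurityGroups) {
        foreach ($perm in $group.IpPermissions) {
            # "-1" means every protocol and port; otherwise test the TCP port range.
            $coversPort = ($perm.IpProtocol -eq '-1') -or
                ($perm.IpProtocol -eq 'tcp' -and $perm.FromPort -le $Port -and $perm.ToPort -ge $Port)
            if (-not $coversPort) { continue }

            # Collect IPv4 and IPv6 sources and keep only the "anywhere" ranges.
            $sources = @($perm.IpRanges.CidrIp) + @($perm.Ipv6Ranges.CidrIpv6)
            foreach ($cidr in ($sources | Where-Object { $_ -in '0.0.0.0/0', '::/0' })) {
                [pscustomobject]@{
                    GroupId  = $group.GroupId
                    Protocol = $perm.IpProtocol
                    FromPort = $perm.FromPort
                    ToPort   = $perm.ToPort
                    Source   = $cidr
                }
            }
        }
    }
}

# Offline run against the constructed sample.
Find-OpenRdpRule -Json $sampleJson | Format-Table -AutoSize

# Against a live account (requires the AWS CLI and ec2:DescribeSecurityGroups):
# Find-OpenRdpRule -Json (aws ec2 describe-security-groups --output json | Out-String)
```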

Use Trusted Container Images

Only pull container images from trusted sources. Use official images from Docker Hub or your own private registry. Scan images for vulnerabilities before deploying them to production.

Use Amazon ECR for Private Images

Store your custom container images in Amazon Elastic Container Registry (ECR) instead of public registries. ECR provides encryption at rest, IAM-based access control, and integrates seamlessly with AWS services.

Limit Container Privileges

Avoid running containers with elevated privileges unless absolutely necessary. Use the --user flag to run containers as a non-root user when possible.

Restrict Container Network Access

Configure Docker network settings to isolate containers from each other and from the host network. Use Docker networks to control which containers can communicate with each other.

Keep Software Updated

Regularly update Docker CE and Windows Server to ensure you have the latest security patches and bug fixes. Check for Docker updates using docker version and compare against the latest release.

Enable Windows Firewall Rules

Review and configure the Windows Firewall to restrict inbound and outbound traffic to only what is necessary for your container workloads.

Use an Elastic IP

Assign an Elastic IP to your instance to maintain a consistent IP address across stop and start cycles. This is especially important if your containers expose services that need a stable endpoint.

Enable CloudWatch Monitoring

Configure Amazon CloudWatch to monitor your instance metrics such as CPU utilization, memory usage, and disk space. Set up alarms to notify you if resources are running low, which is critical for Docker workloads that can consume resources rapidly.

Rotate Credentials Regularly

If you authenticate to Docker Hub or Amazon ECR from this instance, ensure credentials are rotated regularly. Use IAM roles for ECR authentication to avoid storing long-term credentials on the instance.


Support

If you encounter any issues not covered in this guide, the cloudimg support team is available to help.

  • Email: support@cloudimg.co.uk
  • Phone: (+44) 02045382725
  • Website: www.cloudimg.co.uk
  • Address: 3rd Floor, 86-90 Paul Street, London, EC2A 4NE

Support is available for any issues related to the AMI, including connectivity problems, Docker service configuration, and general guidance on using the preconfigured environment.

When contacting support, please include your EC2 instance ID, the AWS region, the output of docker version and docker info, and a description of the issue along with any relevant error messages or screenshots.