Announcing Windows Container Base Image Redistribution Rights Change
Published Oct 12 2022 09:00 AM 8,682 Views

Today I am pleased to announce that we are making a change to Windows Container base image redistribution rights. In the past, customers could distribute Windows Container base images within their own organization, but they were not allowed to redistribute outside their own organization. With the change we are announcing today and the updated End User License Agreement (EULA), customers can now distribute the Windows Container base image as part of a consolidated container image comprising their application or framework.  


What is the Change? 

The updated EULA can be found here End User License Agreement (EULA). You will find the updated section under User Rights. This can also be viewed in all the base images released from September 2022 onwards. As a reminder the file is labeled license.txt. 


Why the Change? 

This change enables Windows Server customers to increasingly leverage containers in their modernization journey. We are implementing this based on feedback from our customers that needed the ability to distribute a complete containerized application directly to their customers. By allowing customers to directly ship their consolidated images with the base image it will enable customers across air-gapped environments to benefit from Windows Containers in their modernization journey. 


What is a Foreign Layer and How does it work? 

In the actual implementation, it was implemented as a “Foreign Layer.” 

All containers are created from container images. A container image is a bundle of files organized into a stack of layers that reside on the user’s local machine or in a remote container registry. The architectural design of Windows containers requires that the first layer of Windows container images must be a layer of Windows container base image. Any framework or application can then build new images based upon that base layer.   

Windows container base images were prohibited from being redistributed by customers. In other words, customers could not freely package the base images into their own solutions and distribute them freely to their end users.  

To achieve the user experience parity with Linux while honoring Window’s unique redistribution restriction, we partnered with the Docker community to design an approach, often referred as “foreign layer”. When using Docker’s image building tooling, customers’ Windows container images will not carry the actual payload of the Windows container base Images. Instead, they only carry a foreign layer link that directs to the base layer on Microsoft Container Registry (MCR) where the Windows container base images are serviced. These base images are exclusively downloaded from MCR when the images are executed at runtime. 


Air-Gapped Environments  

While the "Foreign layer" approach addressed the unique distribution requirements of Windows containers, it alone would not work for many of our customers that operate in air-gapped environments or those without internet connectivity. Customers can accomplish this by configuring the –allow-nondistributable-artifacts settings for the docker daemon (See here). When this flag is enabled, images pushed to the specified registries also push their non-distributable or “foreign” layers. Previously this was only permitted within the same origination, with the updated license this flag will enable customers to leverage the same experience to distribute the base image to customers. 


Prior to change: For example, this will allow customers (Customer A) to distribute Windows container base images internally within their organization but prevents customers (Customer A) from redistributing the base images to their end users (Customer B). The end users (Customer B) will be downloading the base images directly from MCR vs. from Customer A. By using MCR they will know the base images are coming from Microsoft and are properly maintained and secure as well as you will not need to store copies of the images.  

After change: Utilizing the –allow-nondistributable-artifacts configuration (Customer A) can distribute the windows base image within their own organization while also redistributing the base image to their end user (Customer B). The end users (Customer B) will be able to download the base images directly from Customer A’s repository, which may or may not be publicly assessable. 


For end-users: The official license term is included as a “license.txt” file in all supported Windows Container base images. We have updated all the supported images with the updated license term. There are no action items on end-users, however, we encourage you to review the updated license.


In Closing 

We encourage you to reach out with any questions. With this change to Windows Container's license, we are pursuing engineering efforts to enable better developer experience while using foreign layers. We will have a follow-up blog to address the engineering implementation and will engage the community to find the best solution.  

Thank you. 

Version history
Last update:
‎Oct 12 2022 05:24 PM
Updated by: