Azure Local Cluster on‑site working in tandem with Azure Cloud, running Dockerized AI workloads at the edge — is not just viable. It’s exactly the direction modern distributed AI systems are heading.

Let me unpack how these pieces fit together and why the architecture is so compelling.

Azure Local Baseline reference Architecture

A powerful hybrid model for real‑world AI

Think of this setup as a two‑layer AI fabric:

• Layer 1: On‑site Azure Local Cluster
  Handles real‑time inference, local decision‑making, and data preprocessing.
  This is where Docker containers shine: predictable, isolated, versioned workloads running close to the data source.
• Layer 2: Azure Cloud
  Handles heavy lifting: model training, analytics, fleet management, OTA updates, and long‑term storage.

Together, they create a system that is fast, resilient, secure, and scalable

Why this architecture works so well

1. Ultra‑low latency inference

Your on‑site Azure Local Cluster can run Dockerized AI models directly on edge hardware (Jetson, x86, ARM).
This eliminates cloud round‑trips for:

• object detection
• anomaly detection
• robotics control
• industrial automation

Azure Local provides the core platform for hosting and managing virtualized and containerized workloads on-premises or at the edge.

2. Seamless model lifecycle management

Azure Cloud can:

• train new models
• validate them
• push them as Docker images
• orchestrate rollouts to thousands of edge nodes

Your local cluster simply pulls the new container and swaps it in.
This is exactly the “atomic update” pattern from the blogpost.

3. Strong separation of concerns

Local cluster = deterministic, real‑time execution
Cloud = dynamic, scalable intelligence

This separation avoids the classic problem of trying to run everything everywhere.

4. Enterprise‑grade security

Azure Arc, IoT Edge, and Container Registry gives you:

• signed images
• policy‑based deployments
• identity‑bound devices
• encrypted communication

This is critical when edge devices live in factories, stores, or public spaces.

5. Cloud‑assisted intelligence

Even though inference happens locally, the cloud can still:

• aggregate telemetry
• retrain models
• detect drift
• optimize pipelines
• coordinate multi‑site deployments

This is how AI systems improve over time. 

How Docker fits into this hybrid world

Docker becomes the unit of deployment across both environments for DevOps and developers.

On the edge:

• lightweight images
• Hardened images
• GPU‑enabled containers
• read‑only root filesystems
• offline‑capable workloads

In the cloud:

• CI/CD pipelines
• model registries
• automated scanning
• versioned releases

The same container image runs in both places — but with different responsibilities.

My take: This is one of the strongest architectures for real‑world AI

If your goal is:

• real‑time AI
• high reliability
• centralized control
• scalable deployments
• secure operations
• hybrid cloud + edge synergy

…then Azure Local Cluster + Azure Cloud + Docker AI Edge is a near‑ideal solution.

It gives you the best of both worlds:
cloud intelligence + edge autonomy.

Here you find more about Microsoft Azure Local 

Here you find more blogposts about Docker, Windows Server 2025, and Azure Cloud Services :

Windows Server 2025 Core and Docker – A Modern Container Host Architecture

Docker Desktop Container Images and Azure Cloud App Services

The Rise of Free Hardened Docker Images: A New Security Baseline for Developers and DevOps

Containerization has become the backbone of modern software delivery. But as adoption has exploded, so has the attack surface. Vulnerable base images, outdated dependencies, and misconfigured runtimes have quietly become some of the most common entry points for supply‑chain attacks.

The industry has been asking for a better baseline—something secure by default, continuously maintained, and frictionless for teams to adopt. And now we’re finally seeing it: free hardened Docker images becoming widely available from major vendors and open‑source security communities.

This shift isn’t just a convenience upgrade. It’s a fundamental change in how we think about container security.

Why Hardened Images Matter More Than Ever

A “hardened” image isn’t just a slimmer version of a base OS. It’s a container that has been:

• Stripped of unnecessary packages
  Fewer binaries = fewer vulnerabilities.
• Built with secure defaults
  Non‑root users, locked‑down permissions, and minimized attack surface.
• Continuously scanned and patched
  Automated pipelines ensure CVEs are fixed quickly.
• Cryptographically signed
  So you can verify provenance and integrity before deployment.
• Aligned with compliance frameworks
  CIS Benchmarks, NIST 800‑190, and other standards are increasingly baked in.

For developers, this means fewer surprises during security reviews. For DevOps teams, it means fewer late‑night patch cycles and fewer emergency rebuilds.

What’s New About the Latest Generation of Free Hardened Images

The newest wave of hardened images goes far beyond the “minimal OS” approach of the past. Here’s what’s changing:

1. Hardened Language Runtimes

We’re seeing secure-by-default images for:

• Python
• Node.js
• Go
• Java
• .NET
• Rust

These images often include:

• Preconfigured non‑root users
• Read‑only root filesystems
• Mandatory access control profiles
• Reduced dependency trees

2. Automated SBOMs (Software Bills of Materials)

Every image now ships with a machine‑readable SBOM.
This gives you:

• Full visibility into dependencies
• Faster vulnerability triage
• Easier compliance reporting

SBOMs are no longer optional—they’re becoming a standard part of secure supply chains.

3. Built‑in Image Signing and Verification

Tools like Sigstore Cosign, Notary v2, and Docker Content Trust are now integrated directly into image pipelines.

This means you can enforce:

• “Only signed images may run” policies
• Zero‑trust container admission
• Immutable deployment guarantees

4. Continuous Hardening Pipelines

Instead of waiting for monthly rebuilds, hardened images are now updated:

• Daily
• Automatically
• With CVE‑aware rebuild triggers

This dramatically reduces the window of exposure for newly discovered vulnerabilities.

Read the complete blogpost about a Safer Container Ecosystem with Docker: Free Docker Hardened Images here

Docker Desktop and Azure App Cloud Services

Expanded Architecture: Docker developer environment with Azure Cloud Services.

Development Environment

• Docker Desktop + Tools: Visual Studio Code, Azure CLI, Docker Scout, AI, MCP
• Docker Scout CLI: Compares image versions, detects CVEs, integrates with pipelines

Container Host (Windows Server 2025 Core)

• Hyper-V Isolated Containers: For enhanced security
• Workloads: Microservices, legacy apps, AI containers
• GitOps Operator: Automated deployment via Git repositories
• Azure Arc Agent: Connects on-prem host to Azure Control Plane

Here you find more information about Docker on Windows Server 2025 Core

Your Windows 11 Laptop with Docker Desktop

• Hyper-V / WSL2: for your containers development
• Azure Arc Agent: for your Azure Cloud Services and security
• Docker Desktop for Windows installed

Azure Cloud Integrations

Component	Function
Azure App Service (Docker)	Hosts web apps as Docker containers with autoscaling and Key Vault integration
Azure DevOps + Pipelines	CI/CD for image build, scan, push, and deployment
Azure Copilot Security	AI-driven security recommendations and policy analysis
Azure Container Registry (ACR)	Secure storage and distribution of container images
Azure Key Vault	Secrets management: API keys, passwords, certificates
Microsoft Defender for Cloud	Runtime protection, image scanning, threat detection
Azure Policy & RBAC	Governance and access control
Azure Monitor + Sentinel	Logging, metrics, threat detection
Azure Update Manager	Hotpatching of Windows and container images without reboot

More information on Strengthening Container Security with Docker Hardened Images and Azure Container Registry

DevSecOps Workflow

1. Build & Harden Image → Dockerfile + SBOM
2. Scan with Docker Scout → CLI or pipeline
3. Push to ACR → With signing and RBAC
4. Deploy via Azure DevOps Pipelines → App Service or Arc-enabled host
5. Inject Secrets via Key Vault → Automatically at runtime
6. Monitor & Patch → Azure Monitor + Update Manager
7. Audit & Alerting → Azure Sentinel + Defender
8. Security Guidance → Copilot Security analyzes policies and offers recommendations

Example of Deploying a custom container to Azure App Service with Azure Pipelines

Microsoft Azure App Service is really scalable for Docker App Solutions:

Azure App Service is designed to scale effortlessly with your application’s needs. Whether you’re hosting a simple web app or a complex containerized microservice, it offers both vertical scaling (upgrading resources like CPU and memory) and horizontal scaling (adding more instances). With built-in autoscaling, you can respond dynamically to traffic spikes, scheduled workloads, or performance thresholds—without manual intervention or downtime.

From small startups to enterprise-grade deployments, App Service adapts to demand with precision, making it a reliable platform for modern, cloud-native applications.

Scale Up Features and Capacities Learn how to increase CPU, memory, and disk space by changing the pricing tier

Enable Automatic Scaling (Scale Out) Configure autoscaling based on traffic, schedules, or resource metrics

Per-App Scaling for High-Density Hosting Scale individual apps independently within the same App Service Plan

Conclusion

For modern developers, the combination of Azure App Services and Docker Desktop offers a powerful, flexible, and scalable foundation for building, testing, and deploying cloud-native applications.

• Developers can build locally with Docker, ensuring consistency and portability.
• Then deploy seamlessly to Azure App Services, leveraging its cloud scalability and integration.
• This workflow reduces configuration drift, accelerates testing cycles, and improves team collaboration.

As businesses race toward cloud-native infrastructure and microservices, Windows Server 2025 Core emerges as a lean, powerful platform for hosting Docker containers. With its minimal footprint and robust security posture, Server Core paired with Docker offers a compelling solution for modern application deployment.

Architecture Design: Windows Server Core + Docker

Windows Server 2025 Core is a headless, GUI-less version of Windows Server designed for performance and security. When used as a Docker container host, it provides:

• Lightweight OS footprint: Reduces attack surface and resource consumption.
• Hyper-V isolation: Enables secure container execution with kernel-level separation.
• Support for Nano Server and Server Core images: Ideal for running Windows-based microservices.
• Integration with Azure Kubernetes Service (AKS): Seamless orchestration in hybrid environments.

Key Components

Component	Role in Architecture
Windows Server 2025 Core	Host OS with minimal services
Docker Engine	Container runtime for managing containers
Hyper-V	Optional isolation layer for enhanced security
PowerShell / CLI Tools	Management and automation
Windows Admin Center	GUI-based remote management

Installation Guide

Setting up Docker on Windows Server 2025 Core is straightforward but requires precision. Here’s a simplified walkthrough:

Windows Server 2025 Datacenter Core running

1. Install Required Features

Use PowerShell to install Hyper-V and Containers features:

Install-WindowsFeature -Name Hyper-V, Containers -IncludeManagementTools -Restart

2. Install Docker

Download and install Docker from the official source or use the PowerShell script provided by Microsoft:

Invoke-WebRequest “https://download.docker.com/win/static/stable/x86_64/docker-28.4.0.zip” -OutFile “docker.zip”

Unzip and configure Docker as a service:

at Docker directory to your path

Add the Docker config directory

Set the daemon

Create the Docker Service

net start docker

docker version

Docker Host on Windows Server 2025 Core is Installed

3. Configure Networking

Ensure proper NAT or transparent networking for container communication.

4. Pull Base Images

Use Docker CLI to pull Windows container images:

docker pull mcr.microsoft.com/windows/servercore:ltsc2025

5. Test Deployment

Run a sample Windows Server 2025 core container:

docker run -it mcr.microsoft.com/windows/servercore:ltsc2025

Inside the Windows Server 2025 Core Container on the Docker host.

Best Practices

To maximize reliability, security, and scalability:

• Use Hyper-V isolation for sensitive workloads.
• Automate deployments with PowerShell scripts or CI/CD pipelines.
• Keep base images updated to patch vulnerabilities.
• Monitor containers using Azure Arc monitoring or Windows Admin Center.
• Limit container privileges and avoid running as Administrator.
• Use volume mounts for persistent data storage.

Conclusion: Why It Matters

For developers, Windows Server 2025 Core with Docker offers:

• Fast iteration cycles with isolated environments.
• Consistent dev-to-prod workflows using container images.
• Improved security with minimal OS footprint and Hyper-V isolation.

For businesses, the benefits are even broader:

• Reduced infrastructure costs via efficient resource usage.
• Simplified legacy modernization by containerizing Windows apps.
• Hybrid cloud readiness with Azure integration and Kubernetes support.
• Scalable architecture for microservices and distributed systems.

Windows Server 2025 Core isn’t just a server OS—it’s a launchpad for modern, secure, and scalable containerized applications. Whether you’re a developer building the next big thing or a business optimizing legacy systems, this combo is worth the investment.

Integrating Azure Arc into the Windows Server 2025 Core + Docker Architecture for Adaptive Cloud

Overview

Microsoft Azure Arc extends Azure’s control plane to your on-premises Windows Server 2025 Core container hosts. By onboarding your Server Core machines as Azure Arc–enabled servers, you gain unified policy enforcement, monitoring, update management, and GitOps-driven configurations—all while keeping workloads close to the data and users.

Architecture Extension

• Azure Connected Machine Agent
  Installs on Windows Server 2025 Core as a Feature on Demand, creating an Azure resource that represents your physical or virtual machine in the Azure portal.
• Control Plane Integration
  Onboarded servers appear in Azure Resource Manager (ARM), letting you apply Azure Policy, role-based access control (RBAC), and tag-based cost tracking.
• Hybrid Monitoring & Telemetry
  Azure Monitor collects logs and metrics from Docker Engine, container workloads, and host-level performance counters—streamlined into your existing Log Analytics workspaces.
• Update Management & Hotpatching
  Leverage Azure Update Manager to schedule Windows and container image patches. Critical fixes can even be applied via hotpatching on Arc-enabled machines without a reboot.
• GitOps & Configuration as Code
  Use Azure Arc–enabled Kubernetes to deploy container workloads via Git repositories, or apply Desired State Configuration (DSC) policies to Server Core itself.

Adaptive Cloud Features Enabled

• Centralized Compliance
  Apply Azure Policies to enforce security baselines across every Docker host, ensuring drift-free configurations.
• Dynamic Scaling
  Trigger Azure Automation runbooks or Logic Apps when performance thresholds are breached, auto-provisioning new container hosts.
• Unified Security Posture
  Feed security alerts from Microsoft Defender for Cloud into Azure Sentinel, correlating threats across on-prem and cloud.
• Hybrid Kubernetes Orchestration
  Extend AKS clusters to run on Arc-connected servers, enabling consistent deployment pipelines whether containers live on Azure or in your datacenter.

More information about Innovate on an Adaptive Cloud here

Integration Walkthrough

1. Prepare your Server Core host (ensure Hyper-V, Containers, and Azure Arc Feature on Demand are installed).
2. Install Azure Arc agent via Azure PowerShell
3. In the Azure portal, navigate to Azure Arc > Servers, and verify your machine is onboarded.
4. Enable Azure Policy assignments, connect to a Log Analytics workspace, and turn on Update Management.
5. (Optional) Deploy the Azure Arc GitOps operator for containerized workloads across hybrid clusters.

Visualizing Azure Arc in Your Diagram

Above your existing isometric architecture, add a floating “Azure Cloud Control Plane” layer that includes:

• ARM with Policy assignments
• Azure Monitor / Log Analytics
• Update Manager + Hotpatch service
• GitOps repo integrations

Draw data and policy-enforcement arrows from this Azure layer down to your Windows Server Core “building,” Docker cube, container workloads, and Hyper-V racks—demonstrating end-to-end adaptive management.

Why It Matters

Integrating Azure Arc transforms your static container host into an adaptive cloud-ready node. You’ll achieve:

• Consistent governance across on-prem and cloud
• Automated maintenance with zero-downtime patching
• Policy-driven security at scale
• Simplified hybrid Kubernetes and container lifecycle management

With Azure Arc, your Windows Server 2025 Core and Docker container hosts become full citizens of the Azure ecosystem—securing, monitoring, and scaling your workloads wherever they run.

Better Together

 

Docker Scout version 1.18.2

There’s a quiet moment after every deploy where you ask yourself: what actually changed? Not just the feature—you know that—but the stuff beneath it. Packages. Base images. Vulnerabilities that slipped in while you were busy shipping. Docker Scout’s CLI gives you the flashlight for that dark room. No dashboards. No detours. Just commands, signal, and the truth.

In July 2025 I wrote a blogpost about Docker Scout for Vulnerability management of Containers and remediation

Docker Scout Compare is quite significant for container security, especially in modern DevSecOps workflows. Here’s why it matters:

What Docker Scout Compare Does

• Image Comparison: It analyzes two Docker images—typically a new build vs. a production version—and highlights differences in vulnerabilities, packages, and policies.
• Security Insights: It identifies newly introduced CVEs (Common Vulnerabilities and Exposures), changes in package versions, and policy violations between image versions.
• SBOM Integration: It uses Software Bill of Materials (SBOMs) to trace dependencies and match them against vulnerability databases.

Why It’s Important for Security

• Proactive Risk Management: By comparing images before deployment, teams can catch regressions or newly introduced vulnerabilities early.
• Supply Chain Transparency: Helps track changes across the container supply chain, which is crucial for preventing issues like Log4Shell.
• CI/CD Integration: Fits seamlessly into automated pipelines, ensuring every image update is vetted for security before release.

Key Features That Boost Its Value

Feature	Benefit
Continuous vulnerability scanning	Keeps your images secure over time, not just at build time
Filtering options	Focus on critical or fixable CVEs, ignore unchanged packages, etc.
Markdown/Text reports	Easy to integrate into documentation or dashboards
Multi-stage build analysis	Understand security across complex Dockerfiles

Bottom Line

If you’re serious about container security, Docker Scout Compare isn’t just helpful—it’s becoming essential. It gives developers and security teams a clear view of what’s changing and whether those changes introduce risk.

The heart of change: compare old vs new, precisely

You built a new image. What did you add? What did you remove? What got better—or worse?
Here are some Docker scout compare CLI commands:

# Compare prod vs new build

docker scout compare –to myapp:prod myapp:sha-123

# Focus on meaningful risk changes (ignore base image CVEs)

docker scout compare –to myapp:prod myapp:sha-123 –ignore-base

# Show only high/critical that are fixable

docker scout compare –to myapp:prod myapp:sha-123 –only-severity high,critical –only-fixed

# Fail when security gets worse (perfect for CI)

docker scout compare –to myapp:prod myapp:sha-123 –exit-on vulnerability

Here you find more about Docker Scout Compare

In my case I will do a Docker Scout compare between these two images:

docker scout compare –to azure-cli-patched:latest mcr.microsoft.com/azure-cli:azurelinux3.0

Compare results between the two images.

Compare results between the two images, here you see the Fixed vulnerability differences.

Conclusion

Final Thoughts: Docker Scout Compare CLI & Security

In today’s fast-paced development landscape, security can’t be an afterthought—it must be woven into every stage of the software lifecycle. Docker Scout Compare CLI empowers teams to do just that by offering a clear, actionable view of how container images evolve and what risks they may introduce. Its ability to pinpoint new vulnerabilities, track dependency changes, and integrate seamlessly into CI/CD pipelines makes it a vital tool for modern DevSecOps.

By embracing Docker Scout Compare, organizations move from reactive patching to proactive prevention—turning container security from a bottleneck into a strategic advantage.

Dear Community Members, Friends, and Colleagues,

As I mark my 15th anniversary in the Microsoft MVP program, I’m filled with immense gratitude, humility, and pride. What began as a passion for sharing knowledge and building connections has blossomed into a deeply rewarding journey—one shaped by innovation, collaboration, and the extraordinary people who make this community thrive.

Over these 15 years, I’ve had the privilege to learn from brilliant minds, contribute to inspiring projects, and witness the transformative power of technology firsthand. Whether through speaking engagements, blog posts, mentoring, or hands-on technical work, being part of the MVP program has continually deepened my commitment to empowering others and fostering open, inclusive collaboration.

To the community: thank you for challenging, supporting, and celebrating with me. Your curiosity, creativity, and kindness are what keep this ecosystem alive and forward-looking.

To Microsoft: thank you for the honor and trust. The MVP program is a unique platform that amplifies voices, nurtures growth, and builds bridges—not just between developers and users, but between ideas and action.

While this milestone is a moment to reflect, it’s also a reminder that there’s always more to explore, create, and share. I look forward to continuing this journey together—with the same spark, but even greater purpose.

With heartfelt appreciation,
James

Here are some photos with Awesome people that I have met during these years:

Here you see Vijay Tewari in the middle who nominated me for the first time
Damian Flynn on the left and me on the right are Microsoft MVPs for Virtual Machine Manager (VMM)
at that time in 2011.

Here you see Tina Stenderup-Larsen in the middle, she is amazing! A Great Microsoft Community Program Manager
supporting all the MVPs in the Nordics & Benelux doing an Awesome Job!
On the right is Robert Smit a Great Dutch MVP and friend.

Mister OMS alias Scripting Guy Ed Wilson.

When there is a Microsoft Windows Server event, there is Jeff Woolsey 
“The three Musketeers”

Meeting Brad Anderson, he had great lunch breaks interviews in his car
with Awesome people.

The Azure Stack Guys on the 25th MVP Global Summit

Mister PowerShell Jeffrey Snover at the MVP Summit having fun

Scott Guthrie meeting him at the Red Shirt Tour in Amsterdam.

Great to meet Yuri Diogenes in 2018 with his book Azure Security Center.
I know him from the early days with Microsoft Security, like ISA Server

Mister Azure, CTO Mark Russinovich meeting at the MVP Global Summit in Redmond.
a Great Technical Fellow with Awesome Azure Adaptive Cloud Solution Talks!

Mister DevOps himself Donovan Brown in Amsterdam for DevOps Days

My friend Rick Claus Mister MS Ignite.

Mister Azure Corey Sanders at the MVP Summit.

Mister Channel 9, MSIgnite, AI Specialist Seth Juarez
He is a funny guy.

Meeting Scott Hanselman in the Netherlands together with MVP Andre van den Berg.
Scott is Awesome in developer innovations and technologies.
Following Azure Friday from the beginning.

Windows Insider friends for ever meeting Scott Hanselman.
With on the left MVP Erik Moreau.

Windows Insiders for Ever
Here together with Dona Sarkar here in the Netherlands

Windows Insider Friends having fun with Ugly Sweater meeting.
On the right my friend Maison da Silva and on the upper right Erik Moreau and Andre van den Berg.
Friends for Life

Microsoft Global MVP 15 Years Award disc is in the House
on Monday the 14th of July 2025.

Thank you All

In today’s cloud-native landscape, container security is paramount. IT professionals must strike a balance between agility and security, ensuring that applications run smoothly without exposing vulnerabilities. One way to achieve this is through Docker hardened images, which enhance security by reducing attack surfaces, enforcing best practices, and integrating with Microsoft Azure Container Registry (ACR) for seamless deployment.

Why Hardened Docker Images?

A hardened Docker image is optimized for security, containing only the necessary components to run an application while removing unnecessary libraries, binaries, and configurations. This approach reduces the risk of known exploits and ensures compliance with security standards. Key benefits include:

• Reduced Attack Surface: Eliminating unnecessary components minimizes entry points for attackers.
• Improved Compliance: Meets security benchmarks like CIS, NIST, and DISA STIG.
• Enhanced Stability: Smaller images mean fewer dependencies, reducing vulnerabilities.
• Better Performance: Optimized images lead to faster deployments and lower resource consumption.

Leveraging Azure Container Registry for Secure Image Management

Microsoft Azure Container Registry (ACR) plays a critical role in securely storing, managing, and distributing hardened images. IT professionals benefit from features such as:

• Automated Image Scanning: Built-in vulnerability assessment tools like Microsoft Defender for Cloud detect security risks.
• Content Trust & Signing: Ensures only authorized images are deployed.
• Geo-replication: Enables efficient global distribution of container images.
• Private Registry Access: Provides secure authentication via Azure Active Directory.

Microsoft Azure Container Registry

Hardened Images in Azure Container Solutions

By deploying hardened images through Azure Kubernetes Service (AKS), Azure Container Apps, and Azure Functions, organizations strengthen security in cloud-native applications while leveraging Azure’s scalability and flexibility. This translates to:

• Improved Security Posture: Reducing exposure to common container-based threats.
• Streamlined Operations: Consistent, automated deployment pipelines.
• Efficient Cost Management: Optimized images lower compute and storage costs.

Strengthening Security with Docker Scout

Docker Scout is a powerful security tool designed to detect vulnerabilities in container images. It integrates seamlessly with Docker CLI, allowing IT professionals to:

• Scan Images for CVEs (Common Vulnerabilities and Exposures): Identify security risks before deployment.
• Receive Actionable Insights: Prioritized remediation recommendations based on severity.
• Automate Security Checks: Continuous monitoring ensures compliance with security standards.
• Integrate with Azure Container Registry (ACR): Scan images stored in ACR for proactive security management.

How It Works with Azure Container Solutions

By incorporating Docker Scout with Azure Container Registry (ACR), IT teams can establish a robust security workflow:

1. Build & Harden Docker Images – Optimize base images to minimize attack surfaces.
2. Scan with Docker Scout – Detect vulnerabilities in both public and private repositories.
3. Push Secure Images to ACR – Ensure only validated, hardened images are stored.
4. Deploy on Azure Container Solutions – Use AKS, Azure App Service, or Azure Functions with improved security confidence.
5. Monitor & Automate Security Updates – Continuous scanning helps maintain container integrity.

Best Practices for IT Professionals

To maximize security, IT teams should adopt the following best practices:

1. Use Minimal Base Images (Alpine, Distroless) to reduce attack surfaces.
2. Regularly Update & Scan Images to patch vulnerabilities.
3. Implement Role-Based Access Controls (RBAC) for container registries.
4. Adopt Infrastructure as Code (IaC) to enforce secure configurations.
5. Monitor & Audit Logs for anomalous activity detection.
6. Automate Docker Scout scans in CI/CD pipelines.
7. Enforce image signing & verification using Azure Key Vault.
8. Regularly update base images & dependencies to mitigate risks.
9. Apply role-based access controls (RBAC) within Azure Container Registry

Conclusion

Secure containerization starts with hardened Docker images and robust registry management. Azure Container Registry offers IT professionals the tools to maintain security while leveraging cloud efficiencies. By integrating these strategies within Azure’s ecosystem, organizations can build resilient and scalable solutions for modern workloads.
Docker Scout combined with Azure Container Registry provides IT professionals a strong security foundation for cloud-native applications. By integrating proactive vulnerability scanning into the development workflow, organizations can minimize risks while maintaining agility in container deployments.
When you work with artificial intelligence (AI) and Containers working with Model Context Protocol (MCP)
Security by Design comes first before you begin.
Here you find more information about MCP protocol via Docker documentation

 

 

50 years of Microsoft

A Legacy of Innovation and Transformation

Half a century ago, on April 4th, 1975, two young visionaries, Bill Gates and Paul Allen, co-founded Microsoft with a bold ambition: to make computing accessible and essential for everyone. What began as a small software company has grown into a global technology leader, continuously transforming industries and empowering billions of lives. As we celebrate Microsoft’s 50-year journey, let’s explore its milestones, innovations, and impact, including its contributions to datacenters, Windows Server, Hyper-V, Azure, and the leadership of its CEOs.

The Early Years: Coding the Future

Microsoft’s first big breakthrough came with the creation of an operating system for the fledgling personal computer market. In 1980, the company introduced MS-DOS, laying the groundwork for the revolutionary Windows operating system, launched in 1985. This graphical interface transformed computing, making it accessible to both businesses and individuals.

Guiding Microsoft Through Its Evolution: The CEOs Who Shaped the Company

Microsoft’s trajectory has been shaped by its visionary leadership. From the founders to the present, each CEO has left an indelible mark:

1. Bill Gates (1975–2000): As co-founder and first CEO, Gates spearheaded the company’s initial growth, launching pivotal products like MS-DOS, Windows, and Office. His focus on innovation and accessibility built the foundation of Microsoft’s success.
2. Steve Ballmer (2000–2014): During his tenure, Ballmer led Microsoft through massive expansion, particularly in enterprise solutions and cloud computing. He introduced Windows Server and laid the groundwork for services like Azure. Ballmer’s energy and passion defined his leadership style and kept Microsoft competitive in a rapidly changing market.
3. Satya Nadella (2014–Present): Nadella ushered in a cloud-first, AI-driven era, transforming Microsoft’s culture and business model. His emphasis on inclusivity, empathy, and sustainability revitalized the company. Under his leadership, Azure became one of the world’s leading cloud platforms, and Microsoft made transformative acquisitions like LinkedIn, GitHub, and Activision Blizzard.

Lake Bill on Redmond Campus

Redefining Enterprise Technology: Datacenters, Windows Server, and Virtualization

As businesses increasingly relied on technology, Microsoft expanded its offerings to support enterprise needs. Windows Server, introduced in 1993, became a cornerstone for server management and networking. It evolved over the decades, incorporating features such as Active Directory, high availability, and security enhancements.

Microsoft played a pivotal role in virtualization with Hyper-V, launched in 2008. Hyper-V allowed organizations to maximize resource efficiency and reduce costs by running multiple virtual machines on a single physical server. Modern datacenters powered by Microsoft’s hardware and software solutions now form the backbone of its cloud services.

Embracing the Cloud: The Azure Revolution

Microsoft’s Azure cloud platform, launched in 2010, redefined computing. It enabled organizations to access scalable infrastructure, deploy applications globally, and harness artificial intelligence with ease. Azure spans over 60 regions worldwide, making it one of the most comprehensive cloud platforms. Its ecosystem includes hybrid cloud solutions, advanced analytics, and IoT technologies.

Gaming, Devices, and Consumer Innovation

Microsoft entered the gaming industry with the Xbox in 2001, creating a thriving gaming ecosystem. Beyond gaming, the company innovated with devices like the Surface lineup, combining sleek design with productivity. Its integration of hardware and software demonstrated Microsoft’s versatility.

Shaping the Future: AI, Sustainability, and Datacenters

Microsoft continues to lead in artificial intelligence with tools like Microsoft Copilot. Its pledge to be carbon-negative by 2030 highlights environmental responsibility, with sustainable datacenter operations playing a central role.

Conclusion: A Legacy Built to Inspire

Microsoft’s 50-year journey is a testament to the power of innovation and visionary leadership. From Bill Gates to Steve Ballmer to Satya Nadella, each CEO has steered the company to new heights. With contributions ranging from datacenters and Windows Server to Hyper-V and Azure, Microsoft’s impact has been profound. As the company looks ahead, it remains dedicated to empowering people and organizations to achieve more, ensuring the next 50 years are as groundbreaking as the last.

Here’s to Microsoft—a company built to inspire and shape the future.

at Building 92 of the Microsoft Campus in Redmond.

 

Docker Desktop for Windows update 4.39.0

Introduction
Docker Desktop 4.39.0 is here, bringing a host of new features designed to enhance developer productivity, streamline workflows, and improve security. This release continues Docker’s commitment to providing efficient, secure, and reliable tools for building, sharing, and running applications.

Key Features in Docker Desktop 4.39.0

1. Docker AI Agent with Model Context Protocol (MCP) and Kubernetes Support
   • The Docker AI Agent, introduced in previous versions, has been upgraded to support MCP and Kubernetes. MCP enables AI-powered applications to access external data sources, perform operations with third-party services, and interact with local filesystems. Kubernetes support allows the AI Agent to manage namespaces, deploy services, and analyze pod logs.
2. General Availability of Docker Desktop CLI
   • The Docker Desktop CLI is now officially available, offering developers a powerful command-line interface for managing containers, images, and volumes. The new docker desktop logs command simplifies log management.
3. Platform Flag for Multi-Platform Image Management
   • Docker Desktop now supports the –platform flag on docker load and docker save commands, enabling seamless import and export of multi-platform images.
4. Enhanced Containerization Across Programming Languages
   • The Docker AI Agent can now containerize applications written in JavaScript, Python, Go, C#, and more. It analyzes projects to identify services, programming languages, and package managers, making containerization effortless.
5. Security Improvements
   • Docker Desktop 4.39.0 addresses critical vulnerabilities, such as CVE-2025-1696, ensuring proxy authentication credentials are no longer exposed in plaintext.

Docker Scout Security

Why These Features Matter

• Developer Productivity: The upgraded Docker AI Agent simplifies container management and troubleshooting, saving developers time and effort.
• Multi-Platform Flexibility: The –platform flag ensures compatibility across diverse environments, making Docker Desktop a versatile tool for modern development.
• Enhanced Security: By addressing vulnerabilities, Docker Desktop 4.39.0 reinforces its position as a secure platform for application development.

Conclusion
Docker Desktop 4.39.0 is a significant step forward, offering smarter tools, improved security, and greater flexibility for developers. Whether you’re managing Kubernetes clusters or containerizing applications, this release has something for everyone.

For more details, you can explore the official Docker blog or the release notes

 

In the dynamic world of cloud computing, Microsoft continues to innovate with solutions that empower organizations to manage hybrid and multi-cloud environments effectively. One such groundbreaking solution is Azure Container Storage enabled by Azure Arc. This technology is designed to simplify and enhance the management of persistent storage for Kubernetes clusters, providing a unified and adaptive approach to cloud storage.

What is Azure Container Storage Enabled by Azure Arc?

Azure Container Storage enabled by Azure Arc is a first-party storage system designed for Arc-connected Kubernetes clusters. It serves as a native persistent storage solution, offering high availability, fault tolerance, and seamless data synchronization to Azure Blob Storage. This system is crucial for making Kubernetes clusters stateful, especially for Azure IoT Operations and other Arc services.

Key Features and Benefits

1. High Availability and Fault Tolerance: When configured as a 3-node cluster, Azure Container Storage enabled by Azure Arc replicates data between nodes (triplication) to ensure high availability and tolerance to single node failures.
2. Data Synchronization to Azure: Data written to volumes is automatically tiered to Azure Blob Storage, including block blob, ADLSgen-2, or OneLake. This ensures that data is securely stored and easily accessible in the cloud.
3. Low Latency Operations: Arc services, such as Azure IoT Operations, can expect low latency for read and write operations, making it ideal for real-time applications.
4. Simple Connection: Customers can easily connect to an Azure Container Storage enabled by Azure Arc volume using a CSI driver to start making Persistent Volume Claims against their storage.
5. Flexibility in Deployment: Azure Container Storage enabled by Azure Arc can be deployed as part of Azure IoT Operations or as a standalone solution, providing flexibility to meet various deployment needs.
6. Platform Neutrality: This storage system can run on any Arc Kubernetes supported platform, including Ubuntu + CNCF K3s/K8s, Windows IoT + AKS-EE, and Azure Stack HCI + AKS-HCI and Azure Local.

Microsoft Azure Local solution

 

Azure Container Storage Offerings

Azure Container Storage enabled by Azure Arc offers two main storage options:

1. Cache Volumes: The original offering, providing a reliable and fault-tolerant file system for Arc-connected Kubernetes clusters.
2. Edge Volumes: The newest offering, which includes Local Shared Edge Volumes and Cloud Ingest Edge Volumes. Local Shared Edge Volumes provide highly available, failover-capable storage local to your Kubernetes cluster, while Cloud Ingest Edge Volumes facilitate limitless data ingestion from edge to Blob storage.

Use Cases and Applications

Azure Container Storage enabled by Azure Arc is particularly beneficial for organizations with hybrid and multi-cloud environments. It supports various use cases, including:

• IoT Applications: Ensuring data integrity and synchronization in disconnected environments, making it ideal for IoT operations.
• Edge Computing: Providing local storage for scratch space, temporary storage, and locally persistent data unsuitable for cloud destinations.
• Data Ingestion: Facilitating seamless data transfer from edge to cloud, optimizing local resource utilization and reducing storage requirements.

Conclusion

Azure Container Storage enabled by Azure Arc represents the future of hybrid cloud storage, offering seamless onboarding, unified management, and adaptive capabilities. By leveraging this technology, organizations can overcome the challenges of hybrid and multi-cloud environments, streamline operations, and drive innovation.

Whether you’re just starting your cloud journey or looking to optimize your existing infrastructure, Azure Container Storage enabled by Azure Arc provides the tools and guidance you need to succeed. Embrace the power of this transformative solution and unlock new possibilities for your organization.

Jumpstart Drops is a good begin in your test environment, before you begin in production. Here you find a Jump start drop about “Create an Azure Container Storage enabled by Azure Arc Edge Volumes with CloudSync” by Anthony Joint.

More information:

Introducing Azure Local by Cosmos Darwin

Microsoft Adaptive Cloud

Announcement! Edge Storage Accelerator YouTube video. 

What is Microsoft Azure Arc Services?

Docker Desktop main screen

In the ever-evolving world of software development, Docker Desktop for Windows has emerged as an indispensable tool for developers. This powerful platform simplifies the process of building, sharing, and running applications within containers, offering a host of features and benefits that streamline workflows and enhance productivity. Let’s dive into what makes Docker Desktop for Windows a must-have for developers.

Easy Installation and Setup

One of the standout features of Docker Desktop for Windows is its straightforward installation process. With just a few clicks, developers can have Docker up and running on their Windows machines. The intuitive setup ensures that even those new to Docker can get started without a hitch.

Integrated GUI

Docker Desktop comes with a user-friendly Graphical User Interface (GUI) that makes managing containers, images, and settings a breeze. The GUI provides a visual representation of your Docker environment, allowing you to easily monitor and control your containers without needing to rely solely on command-line instructions.

Seamless Integration with WSL 2

For developers working with both Windows and Linux containers, Docker Desktop offers seamless integration with Windows Subsystem for Linux 2 (WSL 2). This integration allows you to switch between Linux and Windows containers effortlessly, leveraging the best of both worlds. WSL 2 provides a lightweight Linux kernel that runs alongside your Windows OS, ensuring optimal performance and compatibility.

Resource Management

Docker Desktop includes robust resource management features, enabling developers to allocate CPU, memory, and disk resources to their containers. This ensures that your development environment remains responsive and efficient, even when running multiple containers simultaneously.

Automatic Updates

Docker Desktop Automatically check for updates.

Keeping your Docker environment up-to-date is crucial for security and performance. Docker Desktop simplifies this process with automatic updates, ensuring that you always have the latest features and security patches without manual intervention.

Docker Compose Integration

Docker Compose is a powerful tool for defining and running multi-container Docker applications. Docker Desktop integrates seamlessly with Docker Compose, allowing developers to easily manage complex applications with multiple services. This integration simplifies the orchestration of containers, making it easier to develop, test, and deploy applications.

Kubernetes Support

For developers looking to dive into the world of Kubernetes, Docker Desktop offers built-in support for Kubernetes. This feature allows you to run a single-node Kubernetes cluster on your local machine, providing a convenient environment for learning and experimentation. With Kubernetes support, you can develop and test containerized applications before deploying them to a production cluster.

Volume Management

Docker Desktop Volumes management

Managing data within containers is made simple with Docker Desktop’s volume management capabilities. You can easily create, manage, and share volumes between containers, ensuring that your data persists across container restarts and updates.

Benefits for Developers

Enhanced Productivity

Docker Desktop Dev Environments

Docker Desktop streamlines the development process by providing a consistent environment across different stages of development. This consistency reduces the “it works on my machine” problem, ensuring that applications run smoothly from development to production.

Simplified Collaboration

With Docker Desktop, sharing your development environment with team members is as simple as sharing a Docker image. This ensures that everyone on your team is working with the same setup, reducing discrepancies and improving collaboration.

Flexibility and Portability

Docker containers are inherently portable, allowing you to run your applications on any system that supports Docker. This flexibility is particularly beneficial for developers working in diverse environments or deploying applications across different platforms.

Improved Security

Docker Desktop Scout

Docker Desktop provides a secure environment for running containers, isolating applications from the host system and each other. This isolation reduces the risk of security vulnerabilities and ensures that your development environment remains protected.

Conclusion

Docker Desktop for Windows is a game-changer for developers, offering a comprehensive suite of features that enhance productivity, simplify collaboration, and improve security. Whether you’re a seasoned developer or just starting with containerization, Docker Desktop provides the tools you need to build, share, and run applications with ease. Embrace the power of Docker Desktop and take your development workflow to the next level.

Here you find more information about Docker Desktop:

The Website of Docker Desktop

Docker Desktop Documentation

Skill up with Docker

Whalecome to the Docker Community

Docker in VSCode

Happy coding!

Once upon a time, in a world where technology and holiday cheer intertwined, there was a bustling community of developers eagerly awaiting the latest updates from the Microsoft Windows 11 and Windows Server Insider programs. As the festive season approached, the air was filled with excitement and anticipation.

In the heart of this community were the Microsoft MVPs (Most Valuable Professionals) and Docker Captains, who were known for their expertise and passion for technology. They decided to come together to create something truly magical for developers around the world.

One snowy evening, as the MVPs and Docker Captains gathered around a virtual fireplace, they began to brainstorm ideas. “What if we could combine the power of Windows 11, Windows Server, and Docker Containers to create a seamless development experience?” suggested one MVP, their eyes twinkling with excitement.

The idea quickly gained momentum, and soon, the group was hard at work. They envisioned a world where developers could effortlessly build, test, and deploy applications using the latest features of Windows 11 and Windows Server, all within the flexible and scalable environment of Docker Containers.

With the help of the Insider programs, they gained early access to cutting-edge features and updates. The MVPs and Docker Captains worked tirelessly, sharing their knowledge and expertise to create a series of tutorials, guides, and sample projects. These resources were designed to help developers harness the full potential of Windows 11, Windows Server, and Docker Containers.

As the holiday season progressed, the community began to see the fruits of their labor. Developers from all corners of the globe started to adopt the new tools and techniques, marveling at the ease and efficiency they brought to their workflows. The combination of Windows 11’s sleek interface, Windows Server’s robust capabilities, and Docker Containers’ flexibility created a harmonious symphony of technology.

To celebrate their success, the MVPs and Docker Captains organized a virtual holiday party. Developers joined from far and wide, sharing stories of their experiences and the innovative projects they had created. The virtual room was filled with laughter, camaraderie, and a shared sense of accomplishment.

As the night drew to a close, one of the Docker Captains raised a toast. “Here’s to the power of collaboration, the spirit of innovation, and the joy of the holiday season. May we continue to push the boundaries of technology and inspire developers everywhere.”

And so, the story of the Microsoft Windows 11 and Windows Server Insider Christmas, made possible by the dedication and expertise of the MVPs and Docker Captains, became a cherished tale in the developer community. It was a reminder that, with passion and teamwork, even the most ambitious dreams could come true.

Happy holidays, and may your coding adventures be merry and bright!

Mark Russinovich and Scott Hanselman on Stage talking about Copilot, ChatGPT and AI

Scott and Mark learn responsible AI

Always check the output of AI

Microsoft Azure Local 

NEW Microsoft Introducing disconnected Operations (Preview)

Azure Local with disconnected Operations
Awesome!

NSG with Azure Local

Security in Azure Local video

 

Defender for Cloud

Get Started Today

Azure Linux 3.0 on AKS kubernetes in Preview

QuickStart

AKS Automatic
Dynamic System Node pool in Preview

More Buit-in policies for AKS

Auto-Instrumentation with Application Insights
Preview in January 2025

Enhanced Risk & Attack Path Analysis for Containers

Microsoft Azure Container Registry – Image Auto Patching in Private Preview
Security on Vulnerabilities

Network Isolated Cluster in Public Preview
Here you find Best practices for cluster isolation in Azure Kubernetes Service (AKS)

Microsoft Container Vulnerabilities Management

Container Vulnerabilities Assessment throughout the software development lifecycle.

Defender for Cloud Container Security
Continuously reduce risks.

Attack path and remediation on your AKS Kubernetes Cluster Inside overview

Container Security posture from Code to runtime is important!

Microsoft Azure Kubernetes Fleet Manager Auto-Upgrade

Microsoft AKS Static Egress Gateway for Pod-level Access Control.

Block pod access to the Azure Instance Metadata Service (IMDS) endpoint (preview)

Trusted launch for Azure Kubernetes Service (AKS)

Seccomp Default Public Preview

Node Auto Provisioning GA January 2025

Comprehensive Security Controls overview

Experience Security Copilot Today

My Conclusion

Always start small with New innovative features like Azure Copilot or making your Adaptive Cloud first in a test environment.
Do your own experiences, testing and make your Secure architecture designs for your production. Keep it simple because it can be quick complex with a lot of dependencies. Microsoft works hard to make your life more easy in this changing IT landscape
I like to thank all the people who supported the Microsoft Ignite 2024 event, it was Awesome with a lot of Great News.

Here you find the Microsoft Ignite 2024 Book of News.

 

Microsoft Azure Adaptive Cloud approach enabled by Azure Arc.

Adaptive Cloud approach Key Services and Products.

Operate everywhere with AI-enhanced management and security

AI-enhanced Central Management & Security

Get Started with Azure Arc Jumpstart here

Welcome to the heart of our mission at Azure Arc Jumpstart, where we strive to transform your learning experience into a smooth and empowering journey. Our commitment is rooted in the principles that drive us forward:

1. Enabling immediate engagement: Arc Jumpstart is designed to offer a seamless “zero to hero” experience. We understand the value of your time, and our goal is to enable you to dive right into Azure Arc, eliminating barriers and complexities.

2. Comprehensive guidance: We provide more than just guides; we offer comprehensive, step-by-step instructions tailored for various independent Azure Arc scenarios. Our content is meticulously detailed, incorporating extensive automation, vivid screenshots, and insightful code samples. This ensures that your learning journey is not just informative but also visually enriching and deeply engaging.

3. Unparalleled user experience: Our dedication lies in delivering a rich and immersive experience. We go beyond the basics, curating a user-centric environment that resonates with both beginners and seasoned professionals. Whether you’re setting up your environment on-premises or in the cloud, our guides empower you to focus on Azure Arc’s core values without being bogged down by technical intricacies.

4. Embracing platform flexibility: We recognize the diversity of your infrastructure, and our mission is to provide a platform-agnostic approach. Arc Jumpstart accommodates your infrastructure, whether it resides on-premises or in the cloud. Our focus is to ensure that regardless of your setup, you can harness the true potential of the Azure Arc platform effortlessly.

Investments to further the Adaptive Cloud Approach

Introducing Microsoft Azure Local enabled by Azure Arc

Scott Hanselman about Visual Studio and Copilot

More AI development in Visual Studio or VSCode

Microsoft Windows 365 Link

This is Awesome, my next question is:
How fast will this solution be on Mobile?

Windows Hotpatch will be Available Spring 2025
for Windows 11 and Windows 365.

Windows Resilient Security Platform

Quick Machine Recovery in Insider program early 2025.

Microsoft working together with Cybersecurity & Infrastructure Security Agency

Smart App Control only Verified apps are allowed.

Windows Hello for Business Update with support for passkey.

Administrator Protection.

Personal Data Encryption to Windows Enterprise
Only decrypted via Windows Hello

Microsoft 365 in File Explorer

Windows Search is Cool
Coming in 2025

My Conclusion

Make your own test environment and become a Windows Insider to be one of the first to test these Awesome New features!
You can make this of course in Microsoft Azure Cloud or in your own Azure Local environment
There are so much possibilities, to keep yourself up-to-date with this changing IT landscape.

 

 

Mark Russinovich Microsoft Azure CTO Starting and Running 10.000 Containers in Azure in just 90 seconds!
That is unbelievable

Here you find my screenshots and links of the Microsoft Ignite 2024 session with Mark Russinovich.
First a quick introduction about Microsoft Azure Boost in this video.

Microsoft Azure Boost more IOPS and Throughput

Before and After Azure Boost Local Storage improvements.

Can you believe it, these are no typo’s 6.6 M IOPS !

Azure Boost Networking

Network driver Update in Azure Boost.

Software Defined Networking (SDN) Today

SDN Accelerating offloads with DPU

 

Secure 1.6 Tbps+ to storage over WAN
Can you believe it

Microsoft announcing Azure Container Instances NGroups (Preview)

Cloud Native Apps are more than just Kubernetes

Radius in the Cloud

New Azure Container Solutions

Security Trusted Execution Environments (TEE)

When you missed Mark Russinovich at Ignite 2024 session, you can watch it on-demand here

My Conclusion

Not only with Microsoft Copilot, Azure AI or Open-AI is the IT landscape changing, but the Adaptive Cloud is evolving very quick and hardware, Software Defined is getting faster and faster but also scaling in Datacenters.

This Jeremy Winter Talking about Power-efficient Datacenter Infrastructure.

Power-efficient datacenter infrastructure is very important for Microsoft, and what I see is More Software solutions with less hardware.
Software defined and AI solutions are changing the IT Cloud Landscape also in a Hybrid way with On-premises Datacenters.
10 years ago IT workloads was 80% on-premises datacenters and 20% in the Cloud, Today this is Changed to maybe 30% on-premises and 70% in the Cloud of companies IT solutions.  Here you can Learn more at Microsoft Learn Ignite 2024

Photo of the Day Rick Claus at the Microsoft MVP – RD Wall at MS Ignite 2024

Keynote by CEO Satya Nadella

Love this Windows 365 Link Device (Preview)

The world’s Computer

Microsoft Azure Local announcement

Microsoft Azure Integrated HSM

for Security first

Microsoft Azure Boost DPU Chip

Microsoft adopts NVIDIA Blackwell to power the next frontier of AI supercomputing

Security is a Team Effort

Microsoft Security Exposure Management

Scott Guthrie on Stage with the Most Developer Tools

Microsoft Azure AI Foundry Announcement 

Microsoft SQL Server 2025 Preview Announcement by Scott

Microsoft SQL Overview Slide with Fabric

Jeremy Winter about Azure and staying ahead of evolving threats at every layer

Microsoft Windows Server 2025 Hyper-V

This was my first day impression of Microsoft Ignite 2024 Event, It was Awesome to see and hear all the News!

Here you find the Microsoft Ignite 2024 Book of News

Let’s go for Day 2 of Microsoft Ignite 2024

 

Docker Scout Command Line Reference

Docker Scout is a tool designed to enhance the security of your software supply chain by analyzing your container images. It creates a detailed inventory of the components within your images, known as a Software Bill of Materials (SBOM). This SBOM is then checked against a continuously updated vulnerability database to identify any security weaknesses.

Docker Scout is versatile and can be used with Docker Desktop, Docker Hub, the Docker CLI, and the Docker Scout Dashboard. It also integrates with third-party systems like container registries and CI platforms. Essentially, it helps you proactively manage and mitigate vulnerabilities in your container images, ensuring your applications are more secure before they hit production.

Container Images in the Cloud

When you pulled the Image into Docker, you want to know is it secure before using it.
Here is Docker Scout Security in place.

With Docker Scout we will analyze the Container Image.

Scan vulnerabilities results is 0 and can be used

SBOM with 135 packages and no vulnerabilities found.

Now I can run my Kali Linux Container after Security vulnerability check with Docker Scout.

But there are also images available which have vulnerabilities in the SBOM in some of the packages because they are not up-to-date and behind patching for example. This is why Docker Scout is a very handy security tool to keep your images secure and warn you if security remediation is needed. So don’t pull and run container images fast because you are in a hurry, first check your container image with Docker Scout!

This Container is also pulled from the Cloud and has vulnerabilities because software packages are not up-to-date in the Container image.

Important vulnerabilities found by Docker Scout analyzer!
Click on View Packages and CVEs

The vulnerabilities in this Container image.
You can go deeper into the CVEs.

Here you see the links to the CVEs

Here you see the Fix version of the vulnerability

Click on the CVE-2024-5535 link for more info.

Remediation with Docker Scout is currently in Beta at the moment when I’m writing this blogpost. Here you find more information on docker docs

 

Conclusion

I always say Security by Design. Docker Scout supports you to keep your Container images as secure as possible before your containers are in a running state.
Keep your images in your Cloud registries up-to-date and clean from vulnerabilities in your packages (SBOM). I really like how docker is improving the product in a secure way with Docker Scout and make it easy to understand for DevOps, developers and security people to keep compliance in place and why it’s important not to run public images right away from the Cloud because of the risks.  Here you find more information about Docker Scout:

Docker Scout documentation

Docker Scout integration with other Systems or Container repositories

Get started with Policy Evaluation in Docker Scout

Docker Scout Demo and Q&A

 

 

CBL-Mariner Linux is a lightweight operating system, containing only the packages needed for a cloud environment. CBL-Mariner can be customized through custom packages and tools, to fit the requirements of your application. CBL-Mariner undergoes Azure validation tests, is compatible with Azure agents, and is built and tested by the Azure Edge & Platform to power various use cases, ranging from Azure services to powering IoT infrastructure. CBL-Mariner is the internally recommended Linux distribution for use with Microsoft cloud services and related products.

In the following steps we are going to install CBL-Mariner 2.0 on Hyper-V as a virtual Docker Container Host.
First you have to download CBL-Mariner 2.0 (Azure Linux) ISO here

Enable Secure Boot Template: Microsoft UEFI Certificate Authority

When you have made your Virtual Machine on Microsoft Hyper-V, you have to change the Security Boot Template from Microsoft Windows to Microsoft UEFI Certificate Authority and then you can boot from the ISO.

Select the Installation Experience
I used the Graphical Installer,
Select Next.

Default is the installation type: CBL-Mariner Core

I selected Installation type: CBL-Mariner Full

Read and Accept the CBL-Mariner Eula.

Here you can Partition your Storage.

 

Enter the Computer hostname and Create a User account.

Install Now.

Installing CBL-Mariner 2.0 on the VM.

And yes It’s fast

Login with your new created user account.

It’s a habbit of my to update always the OS before doing other installations, so in the next steps we are going to upgrade to the latest updates since the ISO is released. Then we are going to install Azure-CLI and Docker Host for Containers.

Type the Command: Sudo dnf upgrade

The OS is now asking a couple of times if it’s OK to install.

Installing of Packages to update the System.

Upgrade of CBL-Mariner 2.0 is Completed.

Installing Microsoft Azure-CLI on CBL-Mariner 2.0

The Azure Command-Line Interface (CLI) is a cross-platform command-line tool to connect to Azure and execute administrative commands on Azure resources. It allows the execution of commands through a terminal using interactive command-line prompts or a script. Here you can find more about Microsoft Azure-CLI

 

First, we install the ca-certificates
then
we install Microsoft Azure-CLI 

       type Y if this is OK.

Azure-CLI is installed.

The Latest Microsoft Azure-CLI is running on your up-to-date CBL-Mariner VM.

Type command: cat /etc/os-release
and you can see the exact version of CBL-Mariner 2.0

Installing Docker Container host on CBL-Mariner 2.0

Docker provides the ability to package and run an application in a loosely isolated environment called a container. The isolation and security lets you run many containers simultaneously on a given host. Containers are lightweight and contain everything needed to run the application, so you don’t need to rely on what’s installed on the host. You can share containers while you work, and be sure that everyone you share with gets the same container that works in the same way.

Docker provides tooling and a platform to manage the lifecycle of your containers:

• Develop your application and its supporting components using containers.
• The container becomes the unit for distributing and testing your application.
• When you’re ready, deploy your application into your production environment, as a container or an orchestrated service. This works the same whether your production environment is a local data center, a cloud provider, or a hybrid of the two.

Now we are going to install the Docker Container host software on Microsoft CBL-Mariner 2.0 (Azure Linux):

Type Command: sudo tdnf install moby-engine moby-cli ca-certificates -y

Type command: sudo systemctl enable docker.service

Type command: sudo systemctl start docker.service
and then
type command: sudo systemctl status docker.service

Now you can pull or create your containers from here for example:
Type Command: docker run -it -d –name my_container ubuntu bash

Here I’m inside the Ubuntu Linux Container running on CBL-Mariner 2.0 with Docker Container Host.

Docker Container Ubuntu image.

More information about Microsoft CBL-Mariner 2.0 you can find here:

Microsoft CBL-Mariner 2.0 (Azure Linux) on Github

Microsoft CBL-Mariner 2.0 (Azure Linux) Security

Microsoft CBL-Mariner 2.0 (Azure Linux) Toolkit docs

Conclusion

Running Microsoft CBL-Mariner 2.0 (Azure Linux) on Azure Stack HCI Hyper-V Cluster or in Microsoft Azure Cloud can be very powerfull as a lightweight Linux operating system at the Edge. Now we did running Docker Container Host on CBL-Mariner 2.0 (AzureLinux) but you can also install Microsoft Azure Arc agent to use this Operating System in a Adaptive Cloud way for Azure Hybrid Management and security. Try it yourself first in your test lab and when you have build a great security by design solution, use it in production for your business.

Join Containers in the Cloud LinkedIn Community Group for Free

What a Year 2022!!

I like to thank you Community for Supporting, Sharing and Reading New Microsoft technologies on my Blog, Twitter, Facebook and
LinkedIn Community Groups I wish you all happy Holidays, Merry Christmas and a Healthy New Year 2023 may the Best Wishes comes true !

I’m very proud and Honored  on the Microsoft Global MVP Awards 2022-2023 !

• MVP Award for Cloud and Datacenter Management
• MVP Award for Windows Insiders
• MVP Award for Azure Hybrid

Thank you Microsoft Product Groups, MVP Award Program, Windows Insider Team, Azure Hybrid Team, Windows Server and Azure Stack HCI Team for all your support, NDA PGI sessions, and for the Awesome software, Features, solutions you are building
Wish you all Happy Holidays, Merry Christmas and a Healthy New Year 2023 may the Best Wishes comes true !

Here are some Great links for Reading and Sharing :

JOIN these LinkedIn Community Groups for free and Share New Microsoft Technologies Together:

Windows Admin Center Community Group

Containers in the Cloud Community Group

Microsoft Azure Monitor & Security for Hybrid IT Community Group

Azure Hybrid Community Group

Azure DevOps Community Group

What I really love is the Microsoft Tech Community platform

---

For Microsoft Azure Hybrid:

Azure Arc Jumpstart site

Azure Hybrid and Multi Cloud documentation

Microsoft Azure Arc Community monthly Meetup (GitHub)

Follow on Twitter for Azure Hybrid:

Microsoft Windows Insiders Blog

Windows Insider Team on YouTube

The Windows Insider Program Team is really active on Twitter:
@WindowsInsider

@JenMsft

@NorthFaceHiker

@brandonleblanc

@amanda_lango

---

Get started with the Windows Server Insider program

What’s New in Windows Server 2022

Overview of Windows Admin Center

What’s New in SQL Server 2022

---