Microsoft has yet to come up with something even half as useful and popular. So far their best effort has been WSL2, and it's working well because it's linux, not because it's windows containers (which is something else).
This is pretty frustrating because they have plenty of money and smart people to throw at it, yet at every turn we get something that just doesn't match what people want and need, instead we get something that might look good on a keynote slide.
NT also had multiple personalities or subsystems before KVM or QEMU were even thought of, yet here we are, a useless feature with no traction and no ecosystem.
The point isn't the features that a thing like cgroups provides, it's the adoption, and that is something you cannot enterprise your way into like you can with desktop software like office.
If you reverse the statement: why is the Job API not used with OCI, Windows Containers or WSL, and was a replacement created (twice no less, WSL1 and WSL2 are very different) and a virtual machine with linux the only real adopted method for containers.
(answer: because everything else that was attempted just failed one way or another, regardless of de academic or enterprise-ish correctness of those attempts)
https://learn.microsoft.com/en-us/virtualization/windowscont...
Maybe if there was some ProjFS-style text I/O for the Job API someone would have made a OCI-like container format, but I suppose even then it would be too different to be embraced like Docker was when it was released. You'd need to have it combined with WinFsp or a FUSE-alike adapter and it might even be possible to have layers and use a union/merge/overlay FS. Putting that side-by-side with containerd and cgroups2, it would still look rather Frankenstein-ish; not very windows-y, and not linux-ish either.
- They're zips (sorta, but you can't make them with any existing zip library)
- They can contain VFS overlays for system directories. Files placed inside the package under the VFS directory will appear at runtime as if they are installed to c:\Windows\System32 and other well known locations, but only for apps within that package. This is built using an equivalent of unionfs called bindflt.
- Apps run inside "app containers" which are at the lower levels composed of job objects and other kernel features. App containers are the basis of all sandboxing on Windows and are the closest equivalent of cgroups.
- Writes to the user's home directory are transparently redirected to a separate directory specific to that package. This allows data to be cleaned on uninstall.
- You can express various integration points in a declarative manifest file, install/uninstall/download them from the CLI, and individual packages have update feeds a bit like a Docker repository.
There are some differences:
- MSIX is designed for desktop apps, not servers.
- There's no concept of layering like Docker has.
- A Docker repository is a relatively heavy serverish thing. MSIX packages can have a stream of updates expressed, but it's done by just publishing an XML file to a web server.
- MSIX doesn't try to wrap an entire Windows userland in the same way that Docker images ship entire copies of Linux userland. It's all about overlay filesystems.
It's technically a correct format, but that's not what you need to get a thriving ecosystem.
Again, it doesn't matter how correct it is, what features it does have or how it compares to all the other attempts from the past, what matters is that unless a developer is in the single scenario where they are forced to use it, they will probably ignore it.
Granted, before we got into the 'microsoft container concepts suck' threat, this article was specifically about win32 app isolation, so if we look at it from that perspective, this is a step up. But that's not where the mindshare or the money is.
You can then either switch to macOS or ChromeOS with similar models already, use one of the mobile OSes, which have used such restrictions for years, or maybe it is finally when the exodus to Linux Desktop takes place.