When you generate artifacts for Windows workloads, the artifacts are zipped and copied into a Cloud Storage bucket as an intermediate location that you can download. This zip file contains a Dockerfile and several directories and files that are extracted from the source that you then use to build the Windows container.
Before you begin
Before building the Windows container, you should have first:
Determining the URI of the migration artifacts zip file
The migration artifacts are contained in a single zip file named
that you must download as part of building the container image. This step describes
how to determine the URI of the
When the migration completes, you should see a message such as the following when you request status:
migctl migration status my-migration NAME CURRENT-OPERATION PROGRESS STEP STATUS AGE my-migration GenerateArtifacts [1/1] ExtractImage Completed 14m23s
migctl migration get-artifacts my-migration Artifacts are accessible through `gsutil cp gs://PATH/artifacts.zip ./`
gsutilcommand in the next section to download
Building the container image
Using the migration artifacts in the zip file, build a container image that you can then deploy to your GKE cluster.
You must run
docker build on a Windows version that is the same as the version
used by the target container.
Create a Windows Server instance on Compute Engine. For example, use the following command to create an instance:
gcloud beta compute instances create win-builder-1 \ --project=project-name --zone=gcp-zone \ --machine-type=n1-standard-4 --subnet=default --scopes=cloud-platform \ --image=windows-server-1909-dc-core-for-containers-v20200310 --image-project=windows-cloud \ --boot-disk-size=32GB --boot-disk-type=pd-ssd
To account for very long paths during zip operations, set the following registry key and restart the machine:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem Value: LongPathsEnabled Data: 1
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem -Name LongPathsEnabled -Value 1 -Type DWord Restart-Computer
For more, see Enable Long Paths in Windows 10, Version 1607, and Later
Use gsutil to download the
artifacts.zipfile using the URI you determined above in Determining the URI of the migration artifacts zip file:
gsutil cp gs://<var>PATH</var>/artifacts.zip ./
Using PowerShell, expand
artifacts.zipfile with a command such as the following:
Optionally configure logging to Cloud Logging by editing the
See Configuring logging to Cloud Logging below for more.
Optionally edit the
set_acls.batscript to set ACL permissions for the Windows container.
See Setting ACLs below for more.
Log in to the Container Registry.
docker login gcr.io
Using the Dockerfile included in the zip file, use
docker buildto build an image from the unzipped files.
docker build -t gcr.io/myproject/myimagename:v1.0.0 .\artifacts\
docker pushto push the image to the Container Registry.
docker push gcr.io/myproject/myimagename:v1.0.0
Configuring logging to Cloud Logging
Migrate for Anthos uses the LogMonitor tool to extract logs from a Windows container and forward them to your GKE cluster. These logs are then automatically forwarded to Cloud Logging, which provides a suite of tools to monitor your containers.
By default Migrate for Anthos enables IIS logging to monitor the IIS logs, and also forwards the Application/System event logs to Cloud Logging.
Expanding the generated
artifacts.zip file creates several directories, including
m4a directory. Included in the
m4a directory is the
file that you can edit to control logging.
For more on editing
Authoring a Config File.
Some IIS applications require that you set specific access control lists (ACL)
permissions on files and folders in order for the applications to perform correctly.
Migrate for Anthos automatically scans all migrated IIS applications and adds any specific
permissions defined in the source VM that apply to IIS accounts (the
IIS_IUSRS group) and applies them to the copied files and directories
in the generated container image.
Because Windows container images do not support setting ACLs as part of the Docker
the ACLs are set in a script called
set_acls.bat. Migrate for Anthos automatically
set_acls.bat in the root directory of expanded
Migrate for Anthos then calls
set_acls.bat when you execute the
docker build command.
set_acls.bat to add or remove custom permissions, or edit permission that
are not related to specific IIS users and therefore were not detected by Migrate for Anthos.
The script uses the Windows built-in icacls tool to set permissions.
About the .NET Global Assembly Cache
Migrate for Anthos scans the source image .NET Global Assembly Cache (GAC)
for .NET resources that are installed on the source machine and not available
as part of the official images. Any discovered DLL is copied into the Docker context
and installed as part of the building of the target image by a utility script
All .NET assemblies are copied into the Docker context under the
To remove assemblies from the image, delete them from the