tmwgithub
diff --git a/‎api/server/router/container/container_routes.go‎
Lines changed: 5 additions & 0 deletions b/‎api/server/router/container/container_routes.go‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎api/swagger.yaml‎
Lines changed: 13 additions & 0 deletions b/‎api/swagger.yaml‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎api/types/container/host_config.go‎
Lines changed: 27 additions & 3 deletions b/‎api/types/container/host_config.go‎
Lines changed: 27 additions & 3 deletions
diff --git a/‎cmd/dockerd/config_unix.go‎
Lines changed: 1 addition & 0 deletions b/‎cmd/dockerd/config_unix.go‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎daemon/config/config_unix.go‎
Lines changed: 17 additions & 1 deletion b/‎daemon/config/config_unix.go‎
Lines changed: 17 additions & 1 deletion
diff --git a/‎daemon/daemon.go‎
Lines changed: 20 additions & 22 deletions b/‎daemon/daemon.go‎
Lines changed: 20 additions & 22 deletions
diff --git a/‎daemon/daemon_unix.go‎
Lines changed: 22 additions & 0 deletions b/‎daemon/daemon_unix.go‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎daemon/info.go‎
Lines changed: 4 additions & 0 deletions b/‎daemon/info.go‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎daemon/info_unix.go‎
Lines changed: 5 additions & 0 deletions b/‎daemon/info_unix.go‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎daemon/info_windows.go‎
Lines changed: 4 additions & 0 deletions b/‎daemon/info_windows.go‎
Lines changed: 4 additions & 0 deletions
@@ -489,6 +489,11 @@ func (s *containerRouter) postContainersCreate(ctx context.Context, w http.Respo
 		if hostConfig.IpcMode.IsEmpty() {
 			hostConfig.IpcMode = container.IpcMode("shareable")
 		}
+
+		// Older clients expect the default to be "host"
+		if hostConfig.CgroupnsMode.IsEmpty() {
+			hostConfig.CgroupnsMode = container.CgroupnsMode("host")
+		}
 	}
 
 	if hostConfig != nil && hostConfig.PidsLimit != nil && *hostConfig.PidsLimit <= 0 {
 
@@ -707,6 +707,19 @@ definitions:
             description: "A list of kernel capabilities to drop from the container. Conflicts with option 'Capabilities'"
             items:
               type: "string"
+          CgroupnsMode:
+            type: "string"
+            enum:
+              - "private"
+              - "host"
+            description: |
+                    cgroup namespace mode for the container. Possible values are:
+
+                    - `"private"`: the container runs in its own private cgroup namespace
+                    - `"host"`: use the host system's cgroup namespace
+
+                    If not specified, the daemon default is used, which can either be `"private"`
+                    or `"host"`, depending on daemon version, kernel support and configuration.
           Dns:
             type: "array"
             description: "A list of DNS servers for the container to use."
 
@@ -10,6 +10,29 @@ import (
 	"github.com/docker/go-units"
 )
 
+// CgroupnsMode represents the cgroup namespace mode of the container
+type CgroupnsMode string
+
+// IsPrivate indicates whether the container uses its own private cgroup namespace
+func (c CgroupnsMode) IsPrivate() bool {
+	return c == "private"
+}
+
+// IsHost indicates whether the container shares the host's cgroup namespace
+func (c CgroupnsMode) IsHost() bool {
+	return c == "host"
+}
+
+// IsEmpty indicates whether the container cgroup namespace mode is unset
+func (c CgroupnsMode) IsEmpty() bool {
+	return c == ""
+}
+
+// Valid indicates whether the cgroup namespace mode is valid
+func (c CgroupnsMode) Valid() bool {
+	return c.IsEmpty() || c.IsPrivate() || c.IsHost()
+}
+
 // Isolation represents the isolation technology of a container. The supported
 // values are platform specific
 type Isolation string
@@ -382,9 +405,10 @@ type HostConfig struct {
 	CapAdd          strslice.StrSlice // List of kernel capabilities to add to the container
 	CapDrop         strslice.StrSlice // List of kernel capabilities to remove from the container
 	Capabilities    []string          `json:"Capabilities"` // List of kernel capabilities to be available for container (this overrides the default set)
-	DNS             []string          `json:"Dns"`          // List of DNS server to lookup
-	DNSOptions      []string          `json:"DnsOptions"`   // List of DNSOption to look for
-	DNSSearch       []string          `json:"DnsSearch"`    // List of DNSSearch to look for
+	CgroupnsMode    CgroupnsMode      // Cgroup namespace mode to use for the container
+	DNS             []string          `json:"Dns"`        // List of DNS server to lookup
+	DNSOptions      []string          `json:"DnsOptions"` // List of DNSOption to look for
+	DNSSearch       []string          `json:"DnsSearch"`  // List of DNSSearch to look for
 	ExtraHosts      []string          // List of extra hosts
 	GroupAdd        []string          // List of additional groups that the container process will run as
 	IpcMode         IpcMode           // IPC namespace to use for the container
 
@@ -64,5 +64,6 @@ func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) error {
 	// rootless needs to be explicitly specified for running "rootful" dockerd in rootless dockerd (#38702)
 	// Note that defaultUserlandProxyPath and honorXDG are configured according to the value of rootless.RunningWithRootlessKit, not the value of --rootless.
 	flags.BoolVar(&conf.Rootless, "rootless", rootless.RunningWithRootlessKit(), "Enable rootless mode; typically used with RootlessKit (experimental)")
+	flags.StringVar(&conf.CgroupNamespaceMode, "default-cgroupns-mode", config.DefaultCgroupNamespaceMode, `Default mode for containers cgroup namespace ("host" | "private")`)
 	return nil
 }
@@ -11,6 +11,8 @@ import (
 )
 
 const (
+	// DefaultCgroupNamespaceMode is the default for a container's CgroupnsMode, if not set otherwise
+	DefaultCgroupNamespaceMode = "host" // TODO: change to private
 	// DefaultIpcMode is default for container's IpcMode, if not set otherwise
 	DefaultIpcMode = "private"
 )
@@ -37,6 +39,7 @@ type Config struct {
 	ShmSize              opts.MemBytes            `json:"default-shm-size,omitempty"`
 	NoNewPrivileges      bool                     `json:"no-new-privileges,omitempty"`
 	IpcMode              string                   `json:"default-ipc-mode,omitempty"`
+	CgroupNamespaceMode  string                   `json:"default-cgroupns-mode,omitempty"`
 	// ResolvConf is the path to the configuration of the host resolver
 	ResolvConf string `json:"resolv-conf,omitempty"`
 	Rootless   bool   `json:"rootless,omitempty"`
@@ -84,9 +87,22 @@ func verifyDefaultIpcMode(mode string) error {
 	return nil
 }
 
+func verifyDefaultCgroupNsMode(mode string) error {
+	cm := containertypes.CgroupnsMode(mode)
+	if !cm.Valid() {
+		return fmt.Errorf("Default cgroup namespace mode (%v) is invalid. Use \"host\" or \"private\".", cm) // nolint: golint
+	}
+
+	return nil
+}
+
 // ValidatePlatformConfig checks if any platform-specific configuration settings are invalid.
 func (conf *Config) ValidatePlatformConfig() error {
-	return verifyDefaultIpcMode(conf.IpcMode)
+	if err := verifyDefaultIpcMode(conf.IpcMode); err != nil {
+		return err
+	}
+
+	return verifyDefaultCgroupNsMode(conf.CgroupNamespaceMode)
 }
 
 // IsRootless returns conf.Rootless
 
@@ -81,27 +81,26 @@ var (
 
 // Daemon holds information about the Docker daemon.
 type Daemon struct {
-	ID                      string
-	repository              string
-	containers              container.Store
-	containersReplica       container.ViewDB
-	execCommands            *exec.Store
-	imageService            *images.ImageService
-	idIndex                 *truncindex.TruncIndex
-	configStore             *config.Config
-	statsCollector          *stats.Collector
-	defaultLogConfig        containertypes.LogConfig
-	RegistryService         registry.Service
-	EventsService           *events.Events
-	netController           libnetwork.NetworkController
-	volumes                 *volumesservice.VolumesService
-	discoveryWatcher        discovery.Reloader
-	root                    string
-	seccompEnabled          bool
-	apparmorEnabled         bool
-	cgroupNamespacesEnabled bool
-	shutdown                bool
-	idMapping               *idtools.IdentityMapping
+	ID                string
+	repository        string
+	containers        container.Store
+	containersReplica container.ViewDB
+	execCommands      *exec.Store
+	imageService      *images.ImageService
+	idIndex           *truncindex.TruncIndex
+	configStore       *config.Config
+	statsCollector    *stats.Collector
+	defaultLogConfig  containertypes.LogConfig
+	RegistryService   registry.Service
+	EventsService     *events.Events
+	netController     libnetwork.NetworkController
+	volumes           *volumesservice.VolumesService
+	discoveryWatcher  discovery.Reloader
+	root              string
+	seccompEnabled    bool
+	apparmorEnabled   bool
+	shutdown          bool
+	idMapping         *idtools.IdentityMapping
 	// TODO: move graphDrivers field to an InfoService
 	graphDrivers map[string]string // By operating system
 
@@ -1021,7 +1020,6 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
 	d.idMapping = idMapping
 	d.seccompEnabled = sysInfo.Seccomp
 	d.apparmorEnabled = sysInfo.AppArmor
-	d.cgroupNamespacesEnabled = sysInfo.CgroupNamespaces
 
 	d.linkIndex = newLinkIndex()
 
 
@@ -356,6 +356,15 @@ func (daemon *Daemon) adaptContainerSettings(hostConfig *containertypes.HostConf
 		hostConfig.IpcMode = containertypes.IpcMode(m)
 	}
 
+	// Set default cgroup namespace mode, if unset for container
+	if hostConfig.CgroupnsMode.IsEmpty() {
+		m := config.DefaultCgroupNamespaceMode
+		if daemon.configStore != nil {
+			m = daemon.configStore.CgroupNamespaceMode
+		}
+		hostConfig.CgroupnsMode = containertypes.CgroupnsMode(m)
+	}
+
 	adaptSharedNamespaceContainer(daemon, hostConfig)
 
 	var err error
@@ -675,6 +684,19 @@ func verifyPlatformContainerSettings(daemon *Daemon, hostConfig *containertypes.
 		}
 	}
 
+	if !hostConfig.CgroupnsMode.Valid() {
+		return warnings, fmt.Errorf("invalid cgroup namespace mode: %v", hostConfig.CgroupnsMode)
+	}
+	if hostConfig.CgroupnsMode.IsPrivate() {
+		if !sysInfo.CgroupNamespaces {
+			warnings = append(warnings, "Your kernel does not support cgroup namespaces.  Cgroup namespace setting discarded.")
+		}
+
+		if hostConfig.Privileged {
+			return warnings, fmt.Errorf("privileged mode is incompatible with private cgroup namespaces.  You must run the container in the host cgroup namespace when running privileged mode")
+		}
+	}
+
 	return warnings, nil
 }
 
 
@@ -178,6 +178,10 @@ func (daemon *Daemon) fillSecurityOptions(v *types.Info, sysInfo *sysinfo.SysInf
 	if daemon.Rootless() {
 		securityOptions = append(securityOptions, "name=rootless")
 	}
+	if daemon.cgroupNamespacesEnabled(sysInfo) {
+		securityOptions = append(securityOptions, "name=cgroupns")
+	}
+
 	v.SecurityOptions = securityOptions
 }
 
 
@@ -10,6 +10,7 @@ import (
 	"strings"
 
 	"github.com/docker/docker/api/types"
+	containertypes "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/dockerversion"
 	"github.com/docker/docker/pkg/sysinfo"
 	"github.com/pkg/errors"
@@ -247,6 +248,10 @@ func parseRuncVersion(v string) (version string, commit string, err error) {
 	return version, commit, err
 }
 
+func (daemon *Daemon) cgroupNamespacesEnabled(sysInfo *sysinfo.SysInfo) bool {
+	return sysInfo.CgroupNamespaces && containertypes.CgroupnsMode(daemon.configStore.CgroupNamespaceMode).IsPrivate()
+}
+
 // Rootless returns true if daemon is running in rootless mode
 func (daemon *Daemon) Rootless() bool {
 	return daemon.configStore.Rootless
 
@@ -14,6 +14,10 @@ func (daemon *Daemon) fillPlatformVersion(v *types.Version) {}
 func fillDriverWarnings(v *types.Info) {
 }
 
+func (daemon *Daemon) cgroupNamespacesEnabled(sysInfo *sysinfo.SysInfo) bool {
+	return false
+}
+
 // Rootless returns true if daemon is running in rootless mode
 func (daemon *Daemon) Rootless() bool {
 	return false
Original file line number	Diff line number	Diff line change
`@@ -489,6 +489,11 @@ func (s *containerRouter) postContainersCreate(ctx context.Context, w http.Respo`
`489`	`489`	`if hostConfig.IpcMode.IsEmpty() {`
`490`	`490`	`hostConfig.IpcMode = container.IpcMode("shareable")`
`491`	`491`	`}`
	`492`	`+`
	`493`	`+ // Older clients expect the default to be "host"`
	`494`	`+ if hostConfig.CgroupnsMode.IsEmpty() {`
	`495`	`+ hostConfig.CgroupnsMode = container.CgroupnsMode("host")`
	`496`	`+ }`
`492`	`497`	`}`
`493`	`498`
`494`	`499`	`if hostConfig != nil && hostConfig.PidsLimit != nil && *hostConfig.PidsLimit <= 0 {`
Original file line number	Diff line number	Diff line change
`@@ -64,5 +64,6 @@ func installConfigFlags(conf config.Config, flags pflag.FlagSet) error {`
`64`	`64`	`// rootless needs to be explicitly specified for running "rootful" dockerd in rootless dockerd (#38702)`
`65`	`65`	`// Note that defaultUserlandProxyPath and honorXDG are configured according to the value of rootless.RunningWithRootlessKit, not the value of --rootless.`
`66`	`66`	`flags.BoolVar(&conf.Rootless, "rootless", rootless.RunningWithRootlessKit(), "Enable rootless mode; typically used with RootlessKit (experimental)")`
	`67`	+ flags.StringVar(&conf.CgroupNamespaceMode, "default-cgroupns-mode", config.DefaultCgroupNamespaceMode, `Default mode for containers cgroup namespace ("host" \| "private")`)
`67`	`68`	`return nil`
`68`	`69`	`}`
Original file line number	Diff line number	Diff line change
`@@ -178,6 +178,10 @@ func (daemon Daemon) fillSecurityOptions(v types.Info, sysInfo *sysinfo.SysInf`
`178`	`178`	`if daemon.Rootless() {`
`179`	`179`	`securityOptions = append(securityOptions, "name=rootless")`
`180`	`180`	`}`
	`181`	`+ if daemon.cgroupNamespacesEnabled(sysInfo) {`
	`182`	`+ securityOptions = append(securityOptions, "name=cgroupns")`
	`183`	`+ }`
	`184`	`+`
`181`	`185`	`v.SecurityOptions = securityOptions`
`182`	`186`	`}`
`183`	`187`