Add isolation mode on service update/create and compose files

Signed-off-by: Simon Ferquel <simon.ferquel@docker.com>
docker · Nov 16, 2017 · 5a009e8 · 5a009e8
1 parent 9022ea5
commit 5a009e8
Show file tree

Hide file tree

Showing 15 changed files with 740 additions and 1 deletion.
diff --git a/cli/command/service/opts.go b/cli/command/service/opts.go
@@ -457,6 +457,33 @@ func convertExtraHostsToSwarmHosts(extraHosts []string) []string {
 	return hosts
 }
 
+type isolationOpts struct {
+	value  *container.Isolation
+	source string
+}
+
+func (o *isolationOpts) Set(value string) error {
+	o.source = value
+	tv := container.Isolation(value)
+	o.value = &tv
+	return nil
+}
+
+func (o *isolationOpts) Type() string {
+	return "isolation"
+}
+
+func (o *isolationOpts) String() string {
+	return o.source
+}
+
+func (o *isolationOpts) Value() container.Isolation {
+	if o.value == nil {
+		return container.IsolationEmpty
+	}
+	return *o.value
+}
+
 type serviceOptions struct {
 	detach bool
 	quiet  bool
@@ -505,6 +532,8 @@ type serviceOptions struct {
 	healthcheck healthCheckOptions
 	secrets     opts.SecretOpt
 	configs     opts.ConfigOpt
+
+	isolation isolationOpts
 }
 
 func newServiceOptions() *serviceOptions {
@@ -614,6 +643,7 @@ func (options *serviceOptions) ToService(ctx context.Context, apiClient client.N
 				Hosts:           convertExtraHostsToSwarmHosts(options.hosts.GetAll()),
 				StopGracePeriod: options.ToStopGracePeriod(flags),
 				Healthcheck:     healthConfig,
+				Isolation:       options.isolation.Value(),
 			},
 			Networks:      networks,
 			Resources:     options.resources.ToResourceRequirements(),
@@ -784,6 +814,8 @@ func addServiceFlags(flags *pflag.FlagSet, opts *serviceOptions, defaultFlagValu
 
 	flags.StringVar(&opts.stopSignal, flagStopSignal, "", "Signal to stop the container")
 	flags.SetAnnotation(flagStopSignal, "version", []string{"1.28"})
+	flags.Var(&opts.isolation, flagIsolation, "Service container isolation mode")
+	flags.SetAnnotation(flagIsolation, "version", []string{"1.35"})
 }
 
 const (
@@ -879,4 +911,5 @@ const (
 	flagConfig                  = "config"
 	flagConfigAdd               = "config-add"
 	flagConfigRemove            = "config-rm"
+	flagIsolation               = "isolation"
 )
diff --git a/cli/command/service/update.go b/cli/command/service/update.go
@@ -269,6 +269,14 @@ func updateService(ctx context.Context, apiClient client.NetworkAPIClient, flags
 		}
 	}
 
+	updateIsolation := func(flag string, field *container.Isolation) error {
+		if flags.Changed(flag) {
+			val := flags.Lookup(flag).Value.(*isolationOpts).Value()
+			*field = val
+		}
+		return nil
+	}
+
 	cspec := spec.TaskTemplate.ContainerSpec
 	task := &spec.TaskTemplate
 
@@ -288,6 +296,9 @@ func updateService(ctx context.Context, apiClient client.NetworkAPIClient, flags
 	updateString(flagWorkdir, &cspec.Dir)
 	updateString(flagUser, &cspec.User)
 	updateString(flagHostname, &cspec.Hostname)
+	if err := updateIsolation(flagIsolation, &cspec.Isolation); err != nil {
+		return err
+	}
 	if err := updateMounts(flags, &cspec.Mounts); err != nil {
 		return err
 	}

diff --git a/cli/command/service/update_test.go b/cli/command/service/update_test.go
@@ -518,3 +518,32 @@ func TestUpdateStopSignal(t *testing.T) {
 	updateService(nil, nil, flags, spec)
 	assert.Equal(t, "SIGWINCH", cspec.StopSignal)
 }
+
+func TestUpdateIsolationValid(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	err := flags.Set("isolation", "process")
+	require.NoError(t, err)
+	spec := swarm.ServiceSpec{
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{},
+		},
+	}
+	err = updateService(context.Background(), nil, flags, &spec)
+	require.NoError(t, err)
+	assert.Equal(t, container.IsolationProcess, spec.TaskTemplate.ContainerSpec.Isolation)
+}
+
+func TestUpdateIsolationInvalid(t *testing.T) {
+	// validation depends on daemon os / version so validation should be done on the daemon side
+	flags := newUpdateCommand(nil).Flags()
+	err := flags.Set("isolation", "test")
+	require.NoError(t, err)
+	spec := swarm.ServiceSpec{
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{},
+		},
+	}
+	err = updateService(context.Background(), nil, flags, &spec)
+	require.NoError(t, err)
+	assert.Equal(t, container.Isolation("test"), spec.TaskTemplate.ContainerSpec.Isolation)
+}
diff --git a/cli/compose/convert/service.go b/cli/compose/convert/service.go
@@ -149,6 +149,7 @@ func Service(
 				Configs:         configs,
 				ReadOnly:        service.ReadOnly,
 				Privileges:      &privileges,
+				Isolation:       service.Isolation,
 			},
 			LogDriver:     logDriver,
 			Resources:     resources,

diff --git a/cli/compose/convert/service_test.go b/cli/compose/convert/service_test.go
@@ -424,3 +424,12 @@ func TestConvertFileObjectDefaults(t *testing.T) {
 	}
 	assert.Equal(t, expected, swarmRef)
 }
+
+func TestServiceConvertsIsolation(t *testing.T) {
+	src := composetypes.ServiceConfig{
+		Isolation: "hyperv",
+	}
+	result, err := Service("1.35", Namespace{name: "foo"}, src, nil, nil, nil, nil)
+	require.NoError(t, err)
+	assert.Equal(t, container.IsolationHyperV, result.TaskTemplate.ContainerSpec.Isolation)
+}
diff --git a/cli/compose/loader/loader.go b/cli/compose/loader/loader.go
@@ -12,6 +12,7 @@ import (
 	"github.com/docker/cli/cli/compose/template"
 	"github.com/docker/cli/cli/compose/types"
 	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/versions"
 	"github.com/docker/go-connections/nat"
 	units "github.com/docker/go-units"
@@ -249,6 +250,7 @@ func createTransformHook() mapstructure.DecodeHookFuncType {
 		reflect.TypeOf(types.HostsList{}):                        transformListOrMappingFunc(":", false),
 		reflect.TypeOf(types.ServiceVolumeConfig{}):              transformServiceVolumeConfig,
 		reflect.TypeOf(types.BuildConfig{}):                      transformBuildConfig,
+		reflect.TypeOf(container.Isolation("")):                  transformIsolation,
 	}
 
 	return func(_ reflect.Type, target reflect.Type, data interface{}) (interface{}, error) {
@@ -725,6 +727,14 @@ func transformSize(value interface{}) (interface{}, error) {
 	panic(errors.Errorf("invalid type for size %T", value))
 }
 
+func transformIsolation(value interface{}) (interface{}, error) {
+	str, ok := value.(string)
+	if !ok {
+		return value, errors.Errorf("invalid type %T for isolation", value)
+	}
+	return container.Isolation(strings.ToLower(str)), nil
+}
+
 func toServicePortConfigs(value string) ([]interface{}, error) {
 	var portConfigs []interface{}
 

diff --git a/cli/compose/loader/loader_test.go b/cli/compose/loader/loader_test.go
@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/docker/cli/cli/compose/types"
+	"github.com/docker/docker/api/types/container"
 	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -1454,5 +1455,37 @@ func TestLoadVolumesWarnOnDeprecatedExternalNameVersion33(t *testing.T) {
 	}
 	assert.Equal(t, expected, volumes)
 	assert.Equal(t, "", buf.String())
+}
 
+func TestLoadV35(t *testing.T) {
+	actual, err := loadYAML(`
+version: "3.5"
+services:
+  foo:
+    image: busybox
+    isolation: process
+configs:
+  super:
+    external: true
+`)
+	require.NoError(t, err)
+	require.Len(t, actual.Services, 1)
+	assert.Equal(t, container.IsolationProcess, actual.Services[0].Isolation)
+}
+
+func TestLoadV35InvalidIsolation(t *testing.T) {
+	// validation should be done only on the daemon side
+	actual, err := loadYAML(`
+version: "3.5"
+services:
+  foo:
+    image: busybox
+    isolation: invalid
+configs:
+  super:
+    external: true
+`)
+	require.NoError(t, err)
+	require.Len(t, actual.Services, 1)
+	assert.Equal(t, container.Isolation("invalid"), actual.Services[0].Isolation)
 }
diff --git a/cli/compose/schema/bindata.go b/cli/compose/schema/bindata.go