docker run: specify cgroup namespace mode with --cgroupns

[rgulewich]

- What I did

This adds the --cgroupns=host|private option to docker run to allow setting the cgroup namespace mode. Fixes #1988

- How I did it

Largely by copying the code for userns and ipc modes.

- How to verify it

docker run --cgroupns=private against a daemon that's running with --default-cgroupns-mode=host.

- Description for the changelog

docker run: allow specifying cgroup namespace mode with --cgroupns

- A picture of a cute animal (not mandatory but encouraged)

[AkihiroSuda]

Looks good, but CI failing

[GordonTheTurtle]

Please sign your commits following these rules:
https://github.com/moby/moby/blob/master/CONTRIBUTING.md#sign-your-work
The easiest way to do this is to amend the last commit:

$ git clone -b "1988-run-cgroupns-mode" git@github.com:rgulewich/cli.git somewhere
$ cd somewhere
$ git rebase -i HEAD~842358791888
editor opens
change each 'pick' to 'edit'
save the file and quit
$ git commit --amend -s --no-edit
$ git rebase --continue # and repeat the amend for each commit
$ git push -f

Amending updates the existing PR. You DO NOT need to open a new one.

[codecov-io]

Codecov Report

❗ No coverage uploaded for pull request base (master@2079e74). Click here to learn what that means.
The diff coverage is 80%.

@@            Coverage Diff            @@
##             master    #2024   +/-   ##
=========================================
  Coverage          ?   56.79%           
=========================================
  Files             ?      311           
  Lines             ?    21849           
  Branches          ?        0           
=========================================
  Hits              ?    12410           
  Misses            ?     8523           
  Partials          ?      916

[rgulewich]

Looks good, but CI failing

@AkihiroSuda - Fixed CI failures related to my changes - TestSigProxyWithTTY() is failling, but as far as I can tell, the failure is unrelated.

[kolyshkin]

TestSigProxyWithTTY() is failling

@rgulewich might be fixed by #2016, could you please rebase?

[rgulewich]

@kolyshkin - That did it, thanks!

[kolyshkin]

Perhaps rewrite this to not depend on bash? Also, looks like a single grep is sufficient, e.g.

grep -q ':memory:/$' /proc/1/cgroup

[kolyshkin]

@rgulewich ^^

[rgulewich]

Updated - PTAL.

[rgulewich]

@kolyshkin ^^

[thaJeztah]

Thanks! left some comments inline

[thaJeztah]

Might be slightly easier to read if the descriptions are aligned;

      --cgroupns string                Cgroup namespace to use
                                       'host':    Run the container in the Docker host's cgroup namespace
                                       'private': Run the container in its own private cgroup namespace
                                       '':        Use the default Docker daemon cgroup namespace specified by the "--default-cgroupns-mode" option (default)

[thaJeztah]

Should we describe the default here as well?

[thaJeztah]

Thinking about this; I'm a bit on the fence if we should validate this on the client side, or just leave it to the daemon to return an error if an invalid value was provided. OTOH, these values likely won't change in future, so perhaps it's ok

@kolyshkin wdyt?

[thaJeztah]

I think it's ok for now, given that it likely won't change in future, but I'll open a follow-up issue after this is merged to discuss this

[albers]

bash completion LGTM, thanks.

[AkihiroSuda]

needs rebase

[thaJeztah]

thanks for updating! (and sorry for the delay 😞) I left one comment about the docker-compose schema version (hoping #2073 will be merged soon), and a suggestion for the flag description output for --help.

Otherwise looks good to me!

[thaJeztah]

I think it's ok for now, given that it likely won't change in future, but I'll open a follow-up issue after this is merged to discuss this

[rgulewich]

@thaJeztah - Updated with your changes. Mind taking a look?

[rgulewich]

@thaJeztah / @kolyshkin - Mind taking a look? Thanks!

[AkihiroSuda]

@thaJeztah PTAL?

[AkihiroSuda]

needs rebase

[rgulewich]

Rebased. @thaJeztah, mind taking a look?

[AkihiroSuda]

ping @thaJeztah

[thaJeztah]

LGTM

[silvin-lubecki]

Looks Good To Me 🐯

[AkihiroSuda]

CI failure seems unrelated

=== Failed

=== FAIL: e2e/image TestPushWithContentTrustUnreachableServer (0.37s)

    push_test.go:323: assertion failed: 

        Command:  docker tag registry:5000/alpine:3.6 registry:5000/trust-push-unreachable:latest

        ExitCode: 1

        Error:    exit status 1

        Stdout:   

        Stderr:   error during connect: Post http://docker/v1.40/images/registry:5000/alpine:3.6/tag?repo=registry%3A5000%2Ftrust-push-unreachable&tag=latest: command [ssh -o ControlMaster=auto -o ControlPath=/root/.docker/%r@%h:%p -l penguin 172.20.0.2 -- docker system dial-stdio] has exited with exit status 255, please make sure the URL is valid, and Docker 18.09 or later is installed on the remote host: stderr=

        

        

        Failures:

        ExitCode was 1 expected 0

        Expected no error

[AkihiroSuda]

CI green

[thaJeztah]

Whoop! Let's merge!

@AkihiroSuda if you're able to assist with #2303 (that's related to CI being really flaky currently)