docker · vdemeester · Nov 17, 2017 · Nov 17, 2017 · Nov 17, 2017 · dnephin
diff --git a/cli/command/service/opts.go b/cli/command/service/opts.go
@@ -505,6 +505,8 @@ type serviceOptions struct {
 	healthcheck healthCheckOptions
 	secrets     opts.SecretOpt
 	configs     opts.ConfigOpt
+
+	isolation string
 }
 
 func newServiceOptions() *serviceOptions {
@@ -614,6 +616,7 @@ func (options *serviceOptions) ToService(ctx context.Context, apiClient client.N
 				Hosts:           convertExtraHostsToSwarmHosts(options.hosts.GetAll()),
 				StopGracePeriod: options.ToStopGracePeriod(flags),
 				Healthcheck:     healthConfig,
+				Isolation:       container.Isolation(options.isolation),
 			},
 			Networks:      networks,
 			Resources:     options.resources.ToResourceRequirements(),
@@ -784,6 +787,8 @@ func addServiceFlags(flags *pflag.FlagSet, opts *serviceOptions, defaultFlagValu
 
 	flags.StringVar(&opts.stopSignal, flagStopSignal, "", "Signal to stop the container")
 	flags.SetAnnotation(flagStopSignal, "version", []string{"1.28"})
+	flags.StringVar(&opts.isolation, flagIsolation, "", "Service container isolation mode")
+	flags.SetAnnotation(flagIsolation, "version", []string{"1.35"})
 }
 
 const (
@@ -879,4 +884,5 @@ const (
 	flagConfig                  = "config"
 	flagConfigAdd               = "config-add"
 	flagConfigRemove            = "config-rm"
+	flagIsolation               = "isolation"
 )
diff --git a/cli/command/service/update.go b/cli/command/service/update.go
@@ -269,6 +269,14 @@ func updateService(ctx context.Context, apiClient client.NetworkAPIClient, flags
 		}
 	}
 
+	updateIsolation := func(flag string, field *container.Isolation) error {
+		if flags.Changed(flag) {
+			val, _ := flags.GetString(flag)
+			*field = container.Isolation(val)
+		}
+		return nil
+	}
+
 	cspec := spec.TaskTemplate.ContainerSpec
 	task := &spec.TaskTemplate
 
@@ -288,6 +296,9 @@ func updateService(ctx context.Context, apiClient client.NetworkAPIClient, flags
 	updateString(flagWorkdir, &cspec.Dir)
 	updateString(flagUser, &cspec.User)
 	updateString(flagHostname, &cspec.Hostname)
+	if err := updateIsolation(flagIsolation, &cspec.Isolation); err != nil {
+		return err
+	}
 	if err := updateMounts(flags, &cspec.Mounts); err != nil {
 		return err
 	}

diff --git a/cli/command/service/update_test.go b/cli/command/service/update_test.go
@@ -518,3 +518,32 @@ func TestUpdateStopSignal(t *testing.T) {
 	updateService(nil, nil, flags, spec)
 	assert.Equal(t, "SIGWINCH", cspec.StopSignal)
 }
+
+func TestUpdateIsolationValid(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	err := flags.Set("isolation", "process")
+	require.NoError(t, err)
+	spec := swarm.ServiceSpec{
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{},
+		},
+	}
+	err = updateService(context.Background(), nil, flags, &spec)
+	require.NoError(t, err)
+	assert.Equal(t, container.IsolationProcess, spec.TaskTemplate.ContainerSpec.Isolation)
+}
+
+func TestUpdateIsolationInvalid(t *testing.T) {
+	// validation depends on daemon os / version so validation should be done on the daemon side
+	flags := newUpdateCommand(nil).Flags()
+	err := flags.Set("isolation", "test")
+	require.NoError(t, err)
+	spec := swarm.ServiceSpec{
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{},
+		},
+	}
+	err = updateService(context.Background(), nil, flags, &spec)
+	require.NoError(t, err)
+	assert.Equal(t, container.Isolation("test"), spec.TaskTemplate.ContainerSpec.Isolation)
+}
diff --git a/cli/compose/convert/service.go b/cli/compose/convert/service.go
@@ -149,6 +149,7 @@ func Service(
 				Configs:         configs,
 				ReadOnly:        service.ReadOnly,
 				Privileges:      &privileges,
+				Isolation:       container.Isolation(service.Isolation),
 			},
 			LogDriver:     logDriver,
 			Resources:     resources,

diff --git a/cli/compose/convert/service_test.go b/cli/compose/convert/service_test.go
@@ -424,3 +424,12 @@ func TestConvertFileObjectDefaults(t *testing.T) {
 	}
 	assert.Equal(t, expected, swarmRef)
 }
+
+func TestServiceConvertsIsolation(t *testing.T) {
+	src := composetypes.ServiceConfig{
+		Isolation: "hyperv",
+	}
+	result, err := Service("1.35", Namespace{name: "foo"}, src, nil, nil, nil, nil)
+	require.NoError(t, err)
+	assert.Equal(t, container.IsolationHyperV, result.TaskTemplate.ContainerSpec.Isolation)
+}
diff --git a/cli/compose/loader/loader_test.go b/cli/compose/loader/loader_test.go
@@ -1454,5 +1454,37 @@ func TestLoadVolumesWarnOnDeprecatedExternalNameVersion33(t *testing.T) {
 	}
 	assert.Equal(t, expected, volumes)
 	assert.Equal(t, "", buf.String())
+}
 
+func TestLoadV35(t *testing.T) {
+	actual, err := loadYAML(`
+version: "3.5"
+services:
+  foo:
+    image: busybox
+    isolation: process
+configs:
+  super:
+    external: true
+`)
+	require.NoError(t, err)
+	require.Len(t, actual.Services, 1)
+	assert.Equal(t, "process", actual.Services[0].Isolation)
+}
+
+func TestLoadV35InvalidIsolation(t *testing.T) {
+	// validation should be done only on the daemon side
+	actual, err := loadYAML(`
+version: "3.5"
+services:
+  foo:
+    image: busybox
+    isolation: invalid
+configs:
+  super:
+    external: true
+`)
+	require.NoError(t, err)
+	require.Len(t, actual.Services, 1)
+	assert.Equal(t, "invalid", actual.Services[0].Isolation)
 }
diff --git a/cli/compose/schema/bindata.go b/cli/compose/schema/bindata.go