[Proposal] System-level filtering on docker containers

[rogaha]

Problem statement

As a developer and sysadmin, I would like to run containers that are treated as system containers and therefore they should filtered from docker ps. It would be interesting for use-cases such as:

1. analytics/monitoring containers
2. logging containers
3. service discovery containers

Proposed solution

Add a new flag --system to the docker ps / docker service ps / docker ps commands. Such containers should be filtered by default, but you can list them if explicitly asked for (e.g. docker ps --system -a).

Benefits

• Prevent users from deleting important containers
• Facilitate container management
• Ability to easily distinguish system containers from normal user containers

Example

docker run -i -t --system --name sysdig --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro  sysdig/sysdig

/cc @anusha-ragunathan @cpuguy83

[AkihiroSuda]

Isn't this already implemented as labels?

i.e.
docker run --label com.example.examplenamespace.system
docker ps --filter label=com.example.examplenamespace.system

[rogaha]

@AkihiroSuda if I use labels users can still docker docker rm -f 'docker ps -aq' and delete everything by mistake. I would like to be filtered by default as they are a different "class" of containers.

[thaJeztah]

Related issue; #9878

[anusha-ragunathan]

Also related is #18724

[michaelkrog]

We also need the ability to do locking.

We have built a GUI for developers to create projects and deploy them as services in Docker. The GUI can show all services in the Swarm – including those that supply infrastructure. We have built our own locking mechanism via labels but it doesn't prevent those making changes to the cluster from deleting important services by accident.

[thaJeztah]

Relevant pull request in containerd containerd/containerd#963