Allow isolation mode to be configured for swarm services #34375
Labels: area/swarm, kind/feature, platform/windows
It is currently impossible to specify a container isolation mode when configuring a swarm service. This isn't relevant for Linux containers, but Windows containers can run with either `process` (shared kernel) or `hyperv` (VM) isolation. When using `docker swarm` to deploy to a mixed-version Windows cluster, it is possible for a container to be scheduled on a node with a different kernel version [1]. A container kernel mismatch isn't significant when running with `hyperv` isolation but will cause containers using `process` isolation to fail to start.

As the default isolation mode is `process`, deployments to mixed-version Windows clusters currently fail if a mismatch occurs. Even if a cluster initially consists of a single version, mixed-version support is necessary to support online upgrades. Setting `"exec-opts":["isolation=hyperv"]` in `C:\ProgramData\docker\config\daemon.json` on each node resolves the issue at the cost of additional overhead.

The Docker CLI supports an `isolation` parameter to control the setting when starting containers locally, but not for Swarm services. Docker-Compose supported this option in versions 2.1-2.3 but dropped it with v3.0's Swarm integration, presumably due to this issue. I've opened issues in each to reinstate the option but neither can proceed unless it is added to the Swarm Service API [2].

[1]: I had trouble finding a concrete answer for this, but MSDN indicates that labels should be used to constrain deployment.
[2]: Related issues: docker/cli#414, docker/compose#5069
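
The per-node workaround described in the issue, as an added PowerShell example that is not part of the original post: it merges the `exec-opts` value into an existing `daemon.json` without discarding other settings. The service name `docker` is an assumption (the default for a Windows engine install).

```powershell
# Added example, not from the issue: set this node's default isolation to hyperv.
$ErrorActionPreference = 'Stop'
$path   = 'C:\ProgramData\docker\config\daemon.json'  # path quoted in the issue
$wanted = 'isolation=hyperv'                           # value quoted in the issue

# Load the current config; start from an empty object if the file is missing or blank.
$config = [pscustomobject]@{}
if (Test-Path -LiteralPath $path) {
    $raw = Get-Content -LiteralPath $path -Raw
    if ($raw -and $raw.Trim()) { $config = $raw | ConvertFrom-Json }
}

# Preserve unrelated exec-opts and replace any earlier isolation=... entry,
# so running the script twice leaves exactly one isolation setting.
$opts = @()
if ($config.PSObject.Properties.Name -contains 'exec-opts') {
    $opts = @($config.'exec-opts' | Where-Object { $_ -notlike 'isolation=*' })
}
$opts += $wanted
$config | Add-Member -NotePropertyName 'exec-opts' -NotePropertyValue $opts -Force

# Write UTF-8 without a BOM so the file stays plain JSON for the daemon.
$dir = Split-Path -Parent $path
if (-not (Test-Path -LiteralPath $dir)) {
    New-Item -ItemType Directory -Path $dir | Out-Null
}
$json = $config | ConvertTo-Json -Depth 10
[System.IO.File]::WriteAllText($path, $json, (New-Object System.Text.UTF8Encoding($false)))

# exec-opts is read at daemon start. Restarting interrupts tasks on this node,
# so drain it from the swarm first. 'docker' is the assumed service name.
Restart-Service -Name docker

# Confirm the daemon now reports the new default isolation.
docker info --format '{{.Isolation}}'
```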