Allow isolation mode to be configured for swarm services

[Techwolfy]

It is currently impossible to specify a container isolation mode when configuring a swarm service. This isn't relevant for Linux containers, but Windows containers can run with either process (shared kernel) or hyperv (VM) isolation. When using docker swarm to deploy to a mixed-version Windows cluster, it is possible for a container to be scheduled on a node with a different kernel version [1]. A container kernel mismatch isn't significant when running with hyperv isolation but will cause containers using process isolation to fail to start.

As the default isolation mode is process, deployments to mixed-version Windows clusters currently fail if a mismatch occurs. Even if a cluster initially consists of a single version, mixed-version support is necessary to support online upgrades. Setting "exec-opts":["isolation=hyperv"] in C:\ProgramData\docker\config\daemon.json on each node resolves the issue at the cost of additional overhead.

The Docker CLI supports an isolation parameter to control the setting when starting containers locally, but not for Swarm services. Docker-Compose supported this option in versions 2.1-2.3 but dropped it with v3.0's Swarm integration, presumably due to this issue. I've opened issues in each to reinstate the option but neither can proceed unless it is added to the Swarm Service API [2].

[1]: I had trouble finding a concrete answer for this, but MSDN indicates that labels should be used to constrain deployment.

[2]: Related issues: docker/cli#414, docker/compose#5069

[thaJeztah]

Thanks for reporting; it looks like this is a duplicate of #31616, please continue the conversation over there (feel free to add the information you provided here as a comment there 👍 )