docker: add cgroupns task config (#25927)

2026-01-01 16:05:42 +03:00 · 2025-06-11 18:50:44 +01:00
parent 0a3ffe077c
commit f7096fb9d6
5 changed files with 11 additions and 0 deletions
--- a/.changelog/25927.txt
+++ b/.changelog/25927.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+docker: Added support for cgroup namespaces in the task config
+```
--- a/drivers/docker/config.go
+++ b/drivers/docker/config.go
@@ -369,6 +369,7 @@ var (
 		"auth_soft_fail": hclspec.NewAttr("auth_soft_fail", "bool", false),
 		"cap_add":        hclspec.NewAttr("cap_add", "list(string)", false),
 		"cap_drop":       hclspec.NewAttr("cap_drop", "list(string)", false),
+		"cgroupns":       hclspec.NewAttr("cgroupns", "string", false),
 		"command":        hclspec.NewAttr("command", "string", false),
 		"cpuset_cpus":    hclspec.NewAttr("cpuset_cpus", "string", false),
 		"cpu_hard_limit": hclspec.NewAttr("cpu_hard_limit", "bool", false),
@@ -459,6 +460,7 @@ type TaskConfig struct {
 	AuthSoftFail            bool               `codec:"auth_soft_fail"`
 	CapAdd                  []string           `codec:"cap_add"`
 	CapDrop                 []string           `codec:"cap_drop"`
+	CgroupnsMode            string             `codec:"cgroupns"`
 	Command                 string             `codec:"command"`
 	ContainerExistsAttempts uint64             `codec:"container_exists_attempts"`
 	CPUCFSPeriod            int64              `codec:"cpu_cfs_period"`
--- a/drivers/docker/config_test.go
+++ b/drivers/docker/config_test.go
@@ -211,6 +211,7 @@ config {
  cap_drop = ["CAP_SYS_ADMIN", "CAP_SYS_TIME"]
  command = "/bin/bash"
  container_exists_attempts = 10
+  cgroupns = "host"
  cpu_hard_limit = true
  cpu_cfs_period = 20
  devices = [
@@ -361,6 +362,7 @@ config {
 		CapDrop:                 []string{"CAP_SYS_ADMIN", "CAP_SYS_TIME"},
 		Command:                 "/bin/bash",
 		ContainerExistsAttempts: 10,
+		CgroupnsMode:            "host",
 		CPUHardLimit:            true,
 		CPUCFSPeriod:            20,
 		Devices: []DockerDevice{
--- a/drivers/docker/driver.go
+++ b/drivers/docker/driver.go
@@ -1046,6 +1046,7 @@ func (d *Driver) createContainerConfig(task *drivers.TaskConfig, driverConfig *T
 	cpuShares := d.cpuResources(task.Resources.LinuxResources.CPUShares)

 	hostConfig := &containerapi.HostConfig{
+		CgroupnsMode: containerapi.CgroupnsMode(driverConfig.CgroupnsMode),
 		// do not set cgroup parent anymore

 		OomScoreAdj: driverConfig.OOMScoreAdj, // ignored on platforms other than linux
--- a/website/content/docs/drivers/docker.mdx
+++ b/website/content/docs/drivers/docker.mdx
@@ -84,6 +84,9 @@ The `docker` driver supports the following configuration in the job spec. Only
  }
  ```

+- `cgroupns` - (Optional) Cgroup namespace to use. Set to `host` or
+  `private`. If not specified, the driver uses Docker's default. Refer to Docker's [dockerd reference](https://docs.docker.com/reference/cli/dockerd/) for more information.
+
 - `container_exists_attempts` - (Optional) A number of attempts to be made to
  purge a container if during task creation Nomad encounters an existing one in
  non-running state for the same task. Defaults to `5`.