diff --git a/.changelog/25927.txt b/.changelog/25927.txt
new file mode 100644
index 000000000..f78938508
--- /dev/null
+++ b/.changelog/25927.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+docker: Added support for cgroup namespaces in the task config
+```
diff --git a/drivers/docker/config.go b/drivers/docker/config.go
index 8dc2e7a85..0579d1184 100644
--- a/drivers/docker/config.go
+++ b/drivers/docker/config.go
@@ -369,6 +369,7 @@ var (
 "auth_soft_fail": hclspec.NewAttr("auth_soft_fail", "bool", false),
 "cap_add": hclspec.NewAttr("cap_add", "list(string)", false),
 "cap_drop": hclspec.NewAttr("cap_drop", "list(string)", false),
+ "cgroupns": hclspec.NewAttr("cgroupns", "string", false),
 "command": hclspec.NewAttr("command", "string", false),
 "cpuset_cpus": hclspec.NewAttr("cpuset_cpus", "string", false),
 "cpu_hard_limit": hclspec.NewAttr("cpu_hard_limit", "bool", false),
@@ -459,6 +460,7 @@ type TaskConfig struct {
 AuthSoftFail bool `codec:"auth_soft_fail"`
 CapAdd []string `codec:"cap_add"`
 CapDrop []string `codec:"cap_drop"`
+ CgroupnsMode string `codec:"cgroupns"`
 Command string `codec:"command"`
 ContainerExistsAttempts uint64 `codec:"container_exists_attempts"`
 CPUCFSPeriod int64 `codec:"cpu_cfs_period"`
diff --git a/drivers/docker/config_test.go b/drivers/docker/config_test.go
index f9b1d2a90..6b16f88fc 100644
--- a/drivers/docker/config_test.go
+++ b/drivers/docker/config_test.go
@@ -211,6 +211,7 @@ config {
 cap_drop = ["CAP_SYS_ADMIN", "CAP_SYS_TIME"]
 command = "/bin/bash"
 container_exists_attempts = 10
+ cgroupns = "host"
 cpu_hard_limit = true
 cpu_cfs_period = 20
 devices = [
@@ -361,6 +362,7 @@ config {
 CapDrop: []string{"CAP_SYS_ADMIN", "CAP_SYS_TIME"},
 Command: "/bin/bash",
 ContainerExistsAttempts: 10,
+ CgroupnsMode: "host",
 CPUHardLimit: true,
 CPUCFSPeriod: 20,
 Devices: []DockerDevice{
diff --git a/drivers/docker/driver.go b/drivers/docker/driver.go
index 69ac9fb4b..102d0947d 100644
--- a/drivers/docker/driver.go
+++ b/drivers/docker/driver.go
@@ -1046,6 +1046,7 @@ func (d *Driver) createContainerConfig(task *drivers.TaskConfig, driverConfig *T cpuShares := d.cpuResources(task.Resources.LinuxResources.CPUShares) hostConfig := &containerapi.HostConfig{ + CgroupnsMode: containerapi.CgroupnsMode(driverConfig.CgroupnsMode), // do not set cgroup parent anymore OomScoreAdj: driverConfig.OOMScoreAdj, // ignored on platforms other than linux diff --git a/website/content/docs/drivers/docker.mdx b/website/content/docs/drivers/docker.mdx index dbd535502..146c335eb 100644 --- a/website/content/docs/drivers/docker.mdx +++ b/website/content/docs/drivers/docker.mdx @@ -84,6 +84,9 @@ The `docker` driver supports the following configuration in the job spec. Only } ``` +- `cgroupns` - (Optional) Cgroup namespace to use. Set to `host` or + `private`. If not specified, the driver uses Docker's default. Refer to Docker's [dockerd reference](https://docs.docker.com/reference/cli/dockerd/) for more information. + - `container_exists_attempts` - (Optional) A number of attempts to be made to purge a container if during task creation Nomad encounters an existing one in non-running state for the same task. Defaults to `5`.
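Review bot: In `createContainerConfig` (drivers/docker/driver.go) the job-supplied `cgroupns` string is cast straight into `HostConfig.CgroupnsMode` with no check, so a typo or unsupported value presumably surfaces only as a container-create error from the Docker daemon rather than as a task config error. The docs added in this commit promise `host` or `private`, so the driver could reject anything else up front, e.g. `if !containerapi.CgroupnsMode(driverConfig.CgroupnsMode).Valid() { /* return an error naming the value */ }`. Separately, `host` gives up the container's cgroup-namespace isolation, and the new `cgroupns` attribute in config.go is accepted from any job spec; no operator-level gate is visible in these hunks, so it is worth confirming whether host mode should be controllable from the plugin configuration. The function body starts and ends outside the hunk, so a check elsewhere in it cannot be ruled out.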