Add isolation mode on service update/create and compose files

Signed-off-by: Simon Ferquel <simon.ferquel@docker.com>
This commit is contained in:
Simon Ferquel 2017-11-17 15:31:13 +01:00
parent 787e30d57a
commit 47cf2ea683
14 changed files with 135 additions and 2 deletions

View File

@ -505,6 +505,8 @@ type serviceOptions struct {
healthcheck healthCheckOptions healthcheck healthCheckOptions
secrets opts.SecretOpt secrets opts.SecretOpt
configs opts.ConfigOpt configs opts.ConfigOpt
isolation string
} }
func newServiceOptions() *serviceOptions { func newServiceOptions() *serviceOptions {
@ -614,6 +616,7 @@ func (options *serviceOptions) ToService(ctx context.Context, apiClient client.N
Hosts: convertExtraHostsToSwarmHosts(options.hosts.GetAll()), Hosts: convertExtraHostsToSwarmHosts(options.hosts.GetAll()),
StopGracePeriod: options.ToStopGracePeriod(flags), StopGracePeriod: options.ToStopGracePeriod(flags),
Healthcheck: healthConfig, Healthcheck: healthConfig,
Isolation: container.Isolation(options.isolation),
}, },
Networks: networks, Networks: networks,
Resources: options.resources.ToResourceRequirements(), Resources: options.resources.ToResourceRequirements(),
@ -784,6 +787,8 @@ func addServiceFlags(flags *pflag.FlagSet, opts *serviceOptions, defaultFlagValu
flags.StringVar(&opts.stopSignal, flagStopSignal, "", "Signal to stop the container") flags.StringVar(&opts.stopSignal, flagStopSignal, "", "Signal to stop the container")
flags.SetAnnotation(flagStopSignal, "version", []string{"1.28"}) flags.SetAnnotation(flagStopSignal, "version", []string{"1.28"})
flags.StringVar(&opts.isolation, flagIsolation, "", "Service container isolation mode")
flags.SetAnnotation(flagIsolation, "version", []string{"1.35"})
} }
const ( const (
@ -879,4 +884,5 @@ const (
flagConfig = "config" flagConfig = "config"
flagConfigAdd = "config-add" flagConfigAdd = "config-add"
flagConfigRemove = "config-rm" flagConfigRemove = "config-rm"
flagIsolation = "isolation"
) )

View File

@ -269,6 +269,14 @@ func updateService(ctx context.Context, apiClient client.NetworkAPIClient, flags
} }
} }
updateIsolation := func(flag string, field *container.Isolation) error {
if flags.Changed(flag) {
val, _ := flags.GetString(flag)
*field = container.Isolation(val)
}
return nil
}
cspec := spec.TaskTemplate.ContainerSpec cspec := spec.TaskTemplate.ContainerSpec
task := &spec.TaskTemplate task := &spec.TaskTemplate
@ -288,6 +296,9 @@ func updateService(ctx context.Context, apiClient client.NetworkAPIClient, flags
updateString(flagWorkdir, &cspec.Dir) updateString(flagWorkdir, &cspec.Dir)
updateString(flagUser, &cspec.User) updateString(flagUser, &cspec.User)
updateString(flagHostname, &cspec.Hostname) updateString(flagHostname, &cspec.Hostname)
if err := updateIsolation(flagIsolation, &cspec.Isolation); err != nil {
return err
}
if err := updateMounts(flags, &cspec.Mounts); err != nil { if err := updateMounts(flags, &cspec.Mounts); err != nil {
return err return err
} }

View File

@ -518,3 +518,32 @@ func TestUpdateStopSignal(t *testing.T) {
updateService(nil, nil, flags, spec) updateService(nil, nil, flags, spec)
assert.Equal(t, "SIGWINCH", cspec.StopSignal) assert.Equal(t, "SIGWINCH", cspec.StopSignal)
} }
func TestUpdateIsolationValid(t *testing.T) {
flags := newUpdateCommand(nil).Flags()
err := flags.Set("isolation", "process")
require.NoError(t, err)
spec := swarm.ServiceSpec{
TaskTemplate: swarm.TaskSpec{
ContainerSpec: &swarm.ContainerSpec{},
},
}
err = updateService(context.Background(), nil, flags, &spec)
require.NoError(t, err)
assert.Equal(t, container.IsolationProcess, spec.TaskTemplate.ContainerSpec.Isolation)
}
func TestUpdateIsolationInvalid(t *testing.T) {
// validation depends on daemon os / version so validation should be done on the daemon side
flags := newUpdateCommand(nil).Flags()
err := flags.Set("isolation", "test")
require.NoError(t, err)
spec := swarm.ServiceSpec{
TaskTemplate: swarm.TaskSpec{
ContainerSpec: &swarm.ContainerSpec{},
},
}
err = updateService(context.Background(), nil, flags, &spec)
require.NoError(t, err)
assert.Equal(t, container.Isolation("test"), spec.TaskTemplate.ContainerSpec.Isolation)
}

View File

@ -149,6 +149,7 @@ func Service(
Configs: configs, Configs: configs,
ReadOnly: service.ReadOnly, ReadOnly: service.ReadOnly,
Privileges: &privileges, Privileges: &privileges,
Isolation: container.Isolation(service.Isolation),
}, },
LogDriver: logDriver, LogDriver: logDriver,
Resources: resources, Resources: resources,

View File

@ -424,3 +424,12 @@ func TestConvertFileObjectDefaults(t *testing.T) {
} }
assert.Equal(t, expected, swarmRef) assert.Equal(t, expected, swarmRef)
} }
func TestServiceConvertsIsolation(t *testing.T) {
src := composetypes.ServiceConfig{
Isolation: "hyperv",
}
result, err := Service("1.35", Namespace{name: "foo"}, src, nil, nil, nil, nil)
require.NoError(t, err)
assert.Equal(t, container.IsolationHyperV, result.TaskTemplate.ContainerSpec.Isolation)
}

View File

@ -1454,5 +1454,37 @@ func TestLoadVolumesWarnOnDeprecatedExternalNameVersion33(t *testing.T) {
} }
assert.Equal(t, expected, volumes) assert.Equal(t, expected, volumes)
assert.Equal(t, "", buf.String()) assert.Equal(t, "", buf.String())
}
func TestLoadV35(t *testing.T) {
actual, err := loadYAML(`
version: "3.5"
services:
foo:
image: busybox
isolation: process
configs:
super:
external: true
`)
require.NoError(t, err)
require.Len(t, actual.Services, 1)
assert.Equal(t, "process", actual.Services[0].Isolation)
}
func TestLoadV35InvalidIsolation(t *testing.T) {
// validation should be done only on the daemon side
actual, err := loadYAML(`
version: "3.5"
services:
foo:
image: busybox
isolation: invalid
configs:
super:
external: true
`)
require.NoError(t, err)
require.Len(t, actual.Services, 1)
assert.Equal(t, "invalid", actual.Services[0].Isolation)
} }

File diff suppressed because one or more lines are too long

View File

@ -154,6 +154,7 @@
"hostname": {"type": "string"}, "hostname": {"type": "string"},
"image": {"type": "string"}, "image": {"type": "string"},
"ipc": {"type": "string"}, "ipc": {"type": "string"},
"isolation": {"type": "string"},
"labels": {"$ref": "#/definitions/list_or_dict"}, "labels": {"$ref": "#/definitions/list_or_dict"},
"links": {"type": "array", "items": {"type": "string"}, "uniqueItems": true}, "links": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},

View File

@ -84,3 +84,16 @@ func TestValidatePlacement(t *testing.T) {
assert.NoError(t, Validate(config, "3.3")) assert.NoError(t, Validate(config, "3.3"))
} }
func TestValidateIsolation(t *testing.T) {
config := dict{
"version": "3.5",
"services": dict{
"foo": dict{
"image": "busybox",
"isolation": "some-isolation-value",
},
},
}
assert.NoError(t, Validate(config, "3.5"))
}

View File

@ -126,6 +126,7 @@ type ServiceConfig struct {
User string User string
Volumes []ServiceVolumeConfig Volumes []ServiceVolumeConfig
WorkingDir string `mapstructure:"working_dir"` WorkingDir string `mapstructure:"working_dir"`
Isolation string `mapstructure:"isolation"`
} }
// BuildConfig is a type for build // BuildConfig is a type for build

View File

@ -3305,6 +3305,7 @@ _docker_service_update_and_create() {
--health-start-period --health-start-period
--health-timeout --health-timeout
--hostname --hostname
--isolation
--label -l --label -l
--limit-cpu --limit-cpu
--limit-memory --limit-memory
@ -3493,6 +3494,10 @@ _docker_service_update_and_create() {
__docker_nospace __docker_nospace
return return
;; ;;
--isolation)
__docker_complete_isolation
return
;;
--log-driver) --log-driver)
__docker_complete_log_drivers __docker_complete_log_drivers
return return

View File

@ -1955,6 +1955,7 @@ __docker_service_subcommand() {
"($help)--health-retries=[Consecutive failures needed to report unhealthy]:retries:(1 2 3 4 5)" "($help)--health-retries=[Consecutive failures needed to report unhealthy]:retries:(1 2 3 4 5)"
"($help)--health-timeout=[Maximum time to allow one check to run]:time: " "($help)--health-timeout=[Maximum time to allow one check to run]:time: "
"($help)--hostname=[Service container hostname]:hostname: " \ "($help)--hostname=[Service container hostname]:hostname: " \
"($help)--isolation=[Service container isolation mode]:isolation:(default process hyperv)" \
"($help)*--label=[Service labels]:label: " "($help)*--label=[Service labels]:label: "
"($help)--limit-cpu=[Limit CPUs]:value: " "($help)--limit-cpu=[Limit CPUs]:value: "
"($help)--limit-memory=[Limit Memory]:value: " "($help)--limit-memory=[Limit Memory]:value: "

View File

@ -42,6 +42,7 @@ Options:
--help Print usage --help Print usage
--host list Set one or more custom host-to-IP mappings (host:ip) --host list Set one or more custom host-to-IP mappings (host:ip)
--hostname string Container hostname --hostname string Container hostname
--isolation string Service container isolation mode
-l, --label list Service labels -l, --label list Service labels
--limit-cpu decimal Limit CPUs --limit-cpu decimal Limit CPUs
--limit-memory bytes Limit Memory --limit-memory bytes Limit Memory
@ -875,6 +876,22 @@ $ docker inspect --format="{{.Config.Hostname}}" 2e7a8a9c4da2-wo41w8hg8qanxwjwsg
x3ti0erg11rjpg64m75kej2mz-hosttempl x3ti0erg11rjpg64m75kej2mz-hosttempl
``` ```
### Specify isolation mode (Windows)
By default, tasks scheduled on Windows nodes are run using the default isolation mode
configured for this particular node. To force a specific isolation mode, you can use
the `--isolation` flag:
```bash
$ docker service create --name myservice --isolation=process microsoft/nanoserver
```
Supported isolation modes on Windows are:
- `default`: use default settings specified on the node running the task
- `process`: use process isolation (Windows server only)
- `hyperv`: use Hyper-V isolation
## Related commands ## Related commands
* [service inspect](service_inspect.md) * [service inspect](service_inspect.md)

View File

@ -53,6 +53,7 @@ Options:
--host-rm list Remove a custom host-to-IP mapping (host:ip) --host-rm list Remove a custom host-to-IP mapping (host:ip)
--hostname string Container hostname --hostname string Container hostname
--image string Service image tag --image string Service image tag
--isolation string Service container isolation mode
--label-add list Add or update a service label --label-add list Add or update a service label
--label-rm list Remove a label by its key --label-rm list Remove a label by its key
--limit-cpu decimal Limit CPUs --limit-cpu decimal Limit CPUs
@ -258,6 +259,12 @@ $ docker service update \
Some flags of `service update` support the use of templating. Some flags of `service update` support the use of templating.
See [`service create`](./service_create.md#templating) for the reference. See [`service create`](./service_create.md#templating) for the reference.
### Specify isolation mode (Windows)
`service update` supports the same `--isolation` flag as `service create`
See [`service create`](./service_create.md) for the reference.
## Related commands ## Related commands
* [service create](service_create.md) * [service create](service_create.md)