New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Missing composer specification equivalent for --cgroupns=[host|private]/API1.41 #148
Comments
Thank for you for suggesting this @thediveo 👍 For the benefit of the readers, here's the CLI argument (Docker docs don't seem to have it yet):
|
Docker Desktop 4.3.0 now uses cgroupv2 (https://docs.docker.com/desktop/mac/release-notes/#docker-desktop-430) |
When cgroup v2 is required by default by docker or the OS we need to use the --cgroupns=host to allow the mullvad app to startup correctly. However, the cgroupns switch is not implemented in the docker compose spec, so we have to wait for its implementation. To get around this problem, the main mullvad container is taken out of the docker compose file and we run it on its own in the setup.sh script using docker run with the --cgroupns=host switch. After the container is setup, we then use the docker compose file to setup the rest of the containers. Reference: docker/for-mac#6073 compose-spec/compose-spec#148 docker/compose#8167
This is seriously madness-inducing. |
so much votes on this issue, and nobody took a few minutes to propose a PR ? 😅 |
On hosts with "only" a unified cgroup v2 controller hierarchy (that is, a "pure" cgroups v2 hierarchy) Docker now defaults (unless configured otherwise) to automatically creating private cgroup namespaces for created containers. The rationale here is to reduce leakage of potentially sensitive information about the cgroup hierarchy and configuration of the host, and thus other containers. Still, there are valid usecases to allow only specific containers to use the initial (host) cgroup namespace, especially for system diagnosis containers. For instance, the well-known cAdvisor ("provides container users an understanding of the resource usage and performance characteristics of their running containers").
For such usecases, docker run introduced the CLI flag --cgroupns=[host|private] as of Docker-CE 20.0.0 and API 1.41.
Unfortunately, the current compose specification doesn't provide any means to controlling cgroup namespace creation or sharing. This makes it impossible to use system diagnosis containers, such as cAdvisor, ... on cgroup v2 unified hierarchy-only systems anymore with compose-based deployment tools.
This situation would be solved by adding a cgroup field to service objects that would allow to specify the values of either "private" or "host", mirroring today's CLI flag functionality for handling the cgroup namespace creation for new containers.
Nota bene: mirror docker/compose issue #8167
The text was updated successfully, but these errors were encountered: