docs: fix default value for dockerd --default-cgroupns to private #3699

Open
wants to merge 2 commits into
base: master

@hendrikmaus hendrikmaus commented Jul 7, 2022

- What I did
Changed the default value in the documentation of dockerd for the option --default-cgroupns to represent the actual behavior.

- How I did it
n/a

- How to verify it

❯ docker run --rm alpine cat /proc/1/cgroup
0::/

❯ docker run --rm --cgroupns=private alpine cat /proc/1/cgroup
0::/

❯ docker run --rm --cgroupns=host alpine cat /proc/1/cgroup
0::/docker/b7c280374fd0ad3791520e7e52c9c80ec0a629f11a3a0877a4a4e3229ec061ee

On:

❯ docker version
Client:
 Cloud integration: v1.0.24
 Version:           20.10.17
 API version:       1.41
 Go version:        go1.17.11
 Git commit:        100c701
 Built:             Mon Jun  6 23:04:45 2022
 OS/Arch:           darwin/arm64
 Context:           default
 Experimental:      true

Server: Docker Desktop 4.10.1 (82475)
 Engine:
  Version:          20.10.17
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.17.11
  Git commit:       a89b842
  Built:            Mon Jun  6 23:01:01 2022
  OS/Arch:          linux/arm64
  Experimental:     true
 containerd:
  Version:          1.6.6
  GitCommit:        10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
 runc:
  Version:          1.1.2
  GitCommit:        v1.1.2-0-ga916309
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

- Description for the changelog

Fix documented default value of dockerd --default-cgroupns to be private

- A picture of a cute animal (not mandatory but encouraged)

Relates to

Signed-off-by: Hendrik Maus <aidentailor@gmail.com>
@thaJeztah
Member

Thanks for contributing!

Hmm.. thinking what's best here. The issue with this one is that the default depends on whether the host is using cgroups v2 or cgroups v1. (see moby/moby@19baeac and moby/moby#41071)

On a host with cgroups v2;

dockerd --help | grep cgroupns
      --default-cgroupns-mode string            Default mode for containers cgroup namespace ("host" | "private") (default "private")

On a host with cgroups v1;

dockerd --help | grep cgroupns
      --default-cgroupns-mode string            Default mode for containers cgroup namespace ("host" | "private") (default "host")

On the command-line (--help) output that's not a problem as it will show the actual default, but for the documentation, perhaps we should change it to something like;

(default "host" for cgroups v1, and "private" for cgroups v2)

Perhaps the flag description for docker run / docker create needs some touching up as well (it's not just the daemon flag that defines the default, as that's only to override the automatic selection based on cgroups v1/v2);

flags.StringVar(&copts.cgroupnsMode, "cgroupns", "", `Cgroup namespace to use (host|private)
'host': Run the container in the Docker host's cgroup namespace
'private': Run the container in its own private cgroup namespace
'': Use the cgroup namespace as configured by the
default-cgroupns-mode option on the daemon (default)`)

Of course, the best option would be to have an actual section describing this option (which appears to be completely missing) 😞

@hendrikmaus
Author

I adjusted the docs according to your suggestion: (default "host" for cgroups v1, and "private" for cgroups v2).
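
Added example, not part of the PR or the Docker code base: a shell sketch that ties the thread's two points together, deriving the automatic default from the host's cgroup version and classifying the `/proc/1/cgroup` output used in the verification steps. All function names are hypothetical, the `stat` call assumes GNU coreutils, and the classification assumes PID 1 of a freshly started container.

```shell
#!/bin/sh
# Map the filesystem type of /sys/fs/cgroup to a cgroup version:
# cgroup2fs is the unified v2 hierarchy, tmpfs is the v1 layout.
cgroup_version_from_fstype() {
    case "$1" in
        cgroup2fs) echo v2 ;;
        tmpfs)     echo v1 ;;
        *)         echo unknown ;;
    esac
}

# Default the daemon picks when --default-cgroupns-mode is not set,
# as stated in the thread: "host" on v1, "private" on v2.
expected_default_cgroupns() {
    case "$1" in
        v2) echo private ;;
        v1) echo host ;;
        *)  echo unknown ;;
    esac
}

# Classify /proc/1/cgroup content read inside a fresh container.
# Entries are "hierarchy-ID:controllers:path". A path other than "/"
# means PID 1 sees its position in the host's cgroup tree.
classify_cgroupns() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+:[^:]*:/ {
            seen = 1
            sub(/^[0-9]+:[^:]*:/, "")
            if ($0 != "/") host = 1
        }
        END {
            if (!seen) print "unknown"
            else if (host) print "host"
            else print "private"
        }'
}

# Live check on a Linux host running dockerd (assumes GNU stat).
# Returns non-zero when the effective default differs from the
# automatic one, for example because of a daemon-level override.
audit_default_cgroupns() {
    want=$(expected_default_cgroupns \
        "$(cgroup_version_from_fstype "$(stat -fc %T /sys/fs/cgroup)")")
    got=$(classify_cgroupns "$(docker run --rm alpine cat /proc/1/cgroup)")
    echo "expected=$want effective=$got"
    [ "$want" = "$got" ]
}
```

`audit_default_cgroupns` has to run where the daemon itself runs; with Docker Desktop that is the Linux VM, not the macOS or Windows host.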
