Get rid of docker pause containers with a custom runtime. Closes #15086

hashicorp · Nov 4, 2024 · 93c0eee · 93c0eee
1 parent f75e2c2
commit 93c0eee
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 4 deletions.
diff --git a/drivers/docker/config.go b/drivers/docker/config.go
@@ -310,6 +310,8 @@ var (
 		// task containers.  If true, nomad doesn't start docker_logger/logmon processes
 		"disable_log_collection": hclspec.NewAttr("disable_log_collection", "bool", false),
 
+		"new_networking": hclspec.NewAttr("new_networking", "bool", false),
+
 		// windows_allow_insecure_container_admin indicates that on windows,
 		// docker checks the task.user field or, if unset, the container image
 		// manifest after pulling the container, to see if it's running as
@@ -675,6 +677,7 @@ type DriverConfig struct {
 	infraImagePullTimeoutDuration      time.Duration `codec:"-"`
 	ContainerExistsAttempts            uint64        `codec:"container_exists_attempts"`
 	DisableLogCollection               bool          `codec:"disable_log_collection"`
+	NewNetworking                      bool          `codec:"new_networking"`
 	PullActivityTimeout                string        `codec:"pull_activity_timeout"`
 	PidsLimit                          int64         `codec:"pids_limit"`
 	pullActivityTimeoutDuration        time.Duration `codec:"-"`
@@ -828,5 +831,8 @@ func (d *Driver) TaskConfigSchema() (*hclspec.Spec, error) {
 // features this driver supports.
 func (d *Driver) Capabilities() (*drivers.Capabilities, error) {
 	driverCapabilities.DisableLogCollection = d.config != nil && d.config.DisableLogCollection
+	if d.config != nil {
+		driverCapabilities.MustInitiateNetwork = !d.config.NewNetworking
+	}
 	return driverCapabilities, nil
 }
diff --git a/drivers/docker/driver.go b/drivers/docker/driver.go
@@ -990,6 +990,13 @@ func (d *Driver) createContainerConfig(task *drivers.TaskConfig, driverConfig *T
 	if _, ok := d.config.allowRuntimes[containerRuntime]; !ok && containerRuntime != "" {
 		return c, fmt.Errorf("requested runtime %q is not allowed", containerRuntime)
 	}
+	if d.config.NewNetworking {
+		if containerRuntime == "" {
+			containerRuntime = "nomad"
+		} else {
+			return c, fmt.Errorf("new-style networking not compatible with custom runtimess")
+		}
+	}
 
 	// Validate isolation modes on windows
 	if runtime.GOOS != "windows" {
@@ -1038,6 +1045,8 @@ func (d *Driver) createContainerConfig(task *drivers.TaskConfig, driverConfig *T
 
 		Runtime:  containerRuntime,
 		GroupAdd: driverConfig.GroupAdd,
+
+		Annotations: map[string]string{},
 	}
 
 	hostConfig.Resources = containerapi.Resources{
@@ -1285,10 +1294,16 @@ func (d *Driver) createContainerConfig(task *drivers.TaskConfig, driverConfig *T
 	// shared alloc network
 	if hostConfig.NetworkMode == "" {
 		if task.NetworkIsolation != nil && task.NetworkIsolation.Path != "" {
-			// find the previously created parent container to join networks with
-			netMode := fmt.Sprintf("container:%s", task.NetworkIsolation.Labels[dockerNetSpecLabelKey])
-			logger.Debug("configuring network mode for task group", "network_mode", netMode)
-			hostConfig.NetworkMode = containerapi.NetworkMode(netMode)
+			if d.config.NewNetworking {
+				// "host" is not actually true here, it will cause joining the existing namespace
+				hostConfig.NetworkMode = "host"
+				hostConfig.Annotations["network_ns"] = task.NetworkIsolation.Path
+			} else {
+				// find the previously created parent container to join networks with
+				netMode := fmt.Sprintf("container:%s", task.NetworkIsolation.Labels[dockerNetSpecLabelKey])
+				logger.Debug("configuring network mode for task group", "network_mode", netMode)
+				hostConfig.NetworkMode = containerapi.NetworkMode(netMode)
+			}
 		} else {
 			// docker default
 			logger.Debug("networking mode not specified; using default")