feat: Add cgroupnsmode option (#237)

Signed-off-by: Arjun Raja Yogidas <[email protected]>

Author: coderbirju

api/handlers/container/create.go

@@ -187,6 +187,16 @@ func (h *handler) create(w http.ResponseWriter, r *http.Request) {
 	if req.HostConfig.SecurityOpt != nil {
 		securityOpt = req.HostConfig.SecurityOpt
 	}
+	var cgroupnsMode string
+	if req.HostConfig.CgroupnsMode != "" {
+		if !req.HostConfig.CgroupnsMode.Valid() {
+			response.JSON(w, http.StatusBadRequest, response.NewErrorFromMsg("invalid cgroup namespace mode, valid values are: 'private' or 'host'"))
+			return
+		}
+		cgroupnsMode = string(req.HostConfig.CgroupnsMode)
+	} else {
+		cgroupnsMode = defaults.CgroupnsMode()
+	}
 
 	globalOpt := ncTypes.GlobalCommandOptions(*h.Config)
 	createOpt := ncTypes.ContainerCreateOptions{
@@ -222,13 +232,13 @@ func (h *handler) create(w http.ResponseWriter, r *http.Request) {
 		CPUShares:            uint64(req.HostConfig.CPUShares), // CPU shares (relative weight)
 		CPUQuota:             CpuQuota,                         // CPUQuota limits the CPU CFS (Completely Fair Scheduler) quota
 		CPUPeriod:            uint64(req.HostConfig.CPUPeriod),
-		Memory:               memory,                  // memory limit (in bytes)
-		MemorySwap:           memorySwap,              // Total memory usage (memory + swap); set `-1` to enable unlimited swap
-		MemoryReservation:    memoryReservation,       // Memory soft limit (in bytes)
-		MemorySwappiness64:   memorySwappiness,        // Tuning container memory swappiness behaviour
-		Ulimit:               ulimits,                 // List of ulimits to be set in the container
-		PidsLimit:            pidLimit,                // PidsLimit specifies the tune container pids limit
-		Cgroupns:             defaults.CgroupnsMode(), // nerdctl default.
+		Memory:               memory,            // memory limit (in bytes)
+		MemorySwap:           memorySwap,        // Total memory usage (memory + swap); set `-1` to enable unlimited swap
+		MemoryReservation:    memoryReservation, // Memory soft limit (in bytes)
+		MemorySwappiness64:   memorySwappiness,  // Tuning container memory swappiness behaviour
+		Ulimit:               ulimits,           // List of ulimits to be set in the container
+		PidsLimit:            pidLimit,          // PidsLimit specifies the tune container pids limit
+		Cgroupns:             cgroupnsMode,      // Cgroupns specifies the cgroup namespace to use
 		BlkioWeight:          req.HostConfig.BlkioWeight,
 		BlkioWeightDevice:    weightDevicesToStrings(req.HostConfig.BlkioWeightDevice),
 		BlkioDeviceReadBps:   throttleDevicesToStrings(req.HostConfig.BlkioDeviceReadBps),

api/handlers/container/create_test.go

@@ -974,6 +974,42 @@ var _ = Describe("Container Create API ", func() {
 			Expect(rr.Body).Should(MatchJSON(jsonResponse))
 		})
 
+		It("should set CgroupnsMode option", func() {
+			body := []byte(`{
+				"Image": "test-image",
+				"HostConfig": {
+					"CgroupnsMode": "host"
+				}
+			}`)
+			req, _ := http.NewRequest(http.MethodPost, "/containers/create", bytes.NewReader(body))
+
+			// expected create options
+			createOpt.Cgroupns = "host"
+
+			service.EXPECT().Create(gomock.Any(), "test-image", nil, equalTo(createOpt), equalTo(netOpt)).Return(
+				cid, nil)
+
+			// handler should return success message with 201 status code.
+			h.create(rr, req)
+			Expect(rr).Should(HaveHTTPStatus(http.StatusCreated))
+			Expect(rr.Body).Should(MatchJSON(jsonResponse))
+		})
+
+		It("should reject invalid CgroupnsMode values", func() {
+			body := []byte(`{
+				"Image": "test-image",
+				"HostConfig": {
+					"CgroupnsMode": "invalid"
+				}
+			}`)
+			req, _ := http.NewRequest(http.MethodPost, "/containers/create", bytes.NewReader(body))
+
+			// handler should return bad request with error message
+			h.create(rr, req)
+			Expect(rr).Should(HaveHTTPStatus(http.StatusBadRequest))
+			Expect(rr.Body.String()).Should(ContainSubstring("invalid cgroup namespace mode"))
+		})
+
 		Context("translate port mappings", func() {
 			It("should return empty if port mappings is nil", func() {
 				Expect(translatePortMappings(nil)).Should(BeEmpty())

api/types/container_types.go

@@ -72,15 +72,15 @@ type ContainerHostConfig struct {
 	Annotations map[string]string `json:",omitempty"` // Arbitrary non-identifying metadata attached to container and provided to the runtime
 
 	// Applicable to UNIX platforms
-	CapAdd  []string // List of kernel capabilities to add to the container
-	CapDrop []string // List of kernel capabilities to remove from the container
-	// TODO: CgroupnsMode CgroupnsMode // Cgroup namespace mode to use for the container
-	DNS        []string `json:"Dns"`        // List of DNS server to lookup
-	DNSOptions []string `json:"DnsOptions"` // List of DNSOption to look for
-	DNSSearch  []string `json:"DnsSearch"`  // List of DNSSearch to look for
-	ExtraHosts []string // List of extra hosts
-	GroupAdd   []string // List of additional groups that the container process will run as
-	IpcMode    string   // IPC namespace to use for the container
+	CapAdd       []string     // List of kernel capabilities to add to the container
+	CapDrop      []string     // List of kernel capabilities to remove from the container
+	CgroupnsMode CgroupnsMode // Cgroup namespace mode to use for the container
+	DNS          []string     `json:"Dns"`        // List of DNS server to lookup
+	DNSOptions   []string     `json:"DnsOptions"` // List of DNSOption to look for
+	DNSSearch    []string     `json:"DnsSearch"`  // List of DNSSearch to look for
+	ExtraHosts   []string     // List of extra hosts
+	GroupAdd     []string     // List of additional groups that the container process will run as
+	IpcMode      string       // IPC namespace to use for the container
 	// TODO: Cgroup          CgroupSpec        // Cgroup to use for the container
 	// TODO: Links           []string          // List of links (in the name:alias form)
 	OomKillDisable bool // specifies whether to disable OOM Killer
@@ -271,3 +271,18 @@ type StatsJSON struct {
 }
 
 type Ulimit = units.Ulimit
+
+// CgroupnsMode represents the cgroup namespace mode of the container.
+type CgroupnsMode string
+
+// cgroup namespace modes for containers.
+const (
+	CgroupnsModeEmpty   CgroupnsMode = ""
+	CgroupnsModePrivate CgroupnsMode = "private"
+	CgroupnsModeHost    CgroupnsMode = "host"
+)
+
+// Valid indicates whether the cgroup namespace mode is valid.
+func (c CgroupnsMode) Valid() bool {
+	return c == CgroupnsModePrivate || c == CgroupnsModeHost
+}

e2e/tests/container_create.go

@@ -1412,6 +1412,46 @@ func ContainerCreate(opt *option.Option) {
 			Expect(ok).Should(BeTrue())
 			Expect(annotations["com.example.key"]).Should(Equal("test-value"))
 		})
+
+		It("should create a container with CgroupnsMode set to host", func() {
+			// Define options
+			options.Cmd = []string{"sleep", "Infinity"}
+			options.HostConfig.CgroupnsMode = "host"
+
+			// Create container
+			statusCode, ctr := createContainer(uClient, url, testContainerName, options)
+			Expect(statusCode).Should(Equal(http.StatusCreated))
+			Expect(ctr.ID).ShouldNot(BeEmpty())
+
+			// Start container
+			command.Run(opt, "start", testContainerName)
+
+			// Inspect using native format to verify cgroup namespace configuration
+			nativeResp := command.Stdout(opt, "inspect", "--mode=native", testContainerName)
+			var nativeInspect []map[string]interface{}
+			err := json.Unmarshal(nativeResp, &nativeInspect)
+			Expect(err).Should(BeNil())
+			Expect(nativeInspect).Should(HaveLen(1))
+
+			// Navigate to the namespaces section
+			spec, ok := nativeInspect[0]["Spec"].(map[string]interface{})
+			Expect(ok).Should(BeTrue())
+			linux, ok := spec["linux"].(map[string]interface{})
+			Expect(ok).Should(BeTrue())
+			namespaces, ok := linux["namespaces"].([]interface{})
+			Expect(ok).Should(BeTrue())
+
+			// For host mode, cgroup namespace should not be present in the namespaces list
+			foundCgroupNS := false
+			for _, ns := range namespaces {
+				namespace := ns.(map[string]interface{})
+				if namespace["type"] == "cgroup" {
+					foundCgroupNS = true
+					break
+				}
+			}
+			Expect(foundCgroupNS).Should(BeFalse())
+		})
 	})
 }