compose: Missing equivalent for --cgroupns=[host|private]

On hosts with only a unified cgroup v2 controller hierarchy Docker now defaults (unless configured otherwise) to automatically creating private cgroup namespaces for created containers. The rationale here is to reduce leakage of potentially sensitive information about the cgroup hierarchy and configuration of the host, and thus other containers. Still, there are valid use cases to allow only specific containers to use the initial (host) cgroup namespace, especially for system diagnosis containers. For this, docker run introduced the CLI flag --cgroupns=[host|private] as of Docker-CE 20.0.0 and API 1.41.

Unfortunately, docker-compose doesn’t offer any means to use the CLI flag functionality from docker compose files. This makes it impossible to use system diagnosis containers, such as cAdvisor, … on cgroup v2 unified hierarchy-only systems anymore.

This situation would be solved by adding a cgroup field to service objects that would allow specifying the values of either “private” or “host”, mirroring today’s CLI flag functionality for handling the cgroup namespace creation for new containers.

services:
  foo:
    pid: host
    cgroup: host

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 27
  • Comments: 26

Most upvoted comments

I think this has become an important limitation for many users since Docker Desktop uses cgroupv2. Any plans of adding this?

+1 here. This would be huge. This is getting overwhelming as new Docker Desktop versions for Windows no longer support cgroupv1, and Mac is hanging by a thread with the settings.json deprecatedcgroupv1 change.

Staying on an older version of Docker Desktop for now… but who knows how long that’ll last

I’ve seen https://github.com/docker/compose/pull/10106 was referenced in the changelog of Docker Compose 2.15.0, so I’ve done a quick check:

❯ /tmp/docker-compose version
Docker Compose version v2.15.0

❯ cat /tmp/docker-compose-test.yml
---
services:
  foo:
    image: ubuntu:jammy
    cgroup: host

❯ /tmp/docker-compose --file /tmp/docker-compose-test.yml ps
services.foo Additional property cgroup is not allowed

I guess I’m missing something obvious here but I don’t know what. Any ideas?

I was able to work around this limitation of compose by setting "default-cgroupns-mode": "host" in daemon.json. Docker’s documentation is misleading, since it claims that “host” is the default value, where in reality it defaults to “private”.

So if you can change the daemon’s defaults, this could be a valid workaround for the meantime.
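An added check, not from this thread or the compose project, for auditing the blast radius of that daemon.json workaround: flipping default-cgroupns-mode to "host" affects every container that does not set a mode explicitly, not just the diagnosis container. The script resolves each container's effective mode from docker inspect output (HostConfig.CgroupnsMode, empty when inherited from the daemon default); it assumes a cgroup v2 host, where the built-in default is "private", and uses constructed sample data in place of real docker inspect / daemon.json contents.

```python
import json

# Assumption: cgroup v2 host, where the daemon's built-in default is "private"
# unless daemon.json sets "default-cgroupns-mode".
V2_BUILTIN_DEFAULT = "private"


def daemon_default(daemon_json: str) -> str:
    """Return the daemon-wide default cgroup namespace mode from daemon.json."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    return cfg.get("default-cgroupns-mode", V2_BUILTIN_DEFAULT)


def effective_modes(inspect_json: str, daemon_json: str) -> dict:
    """Map container name -> effective cgroupns mode ("host" or "private").

    An empty HostConfig.CgroupnsMode means the container inherited the
    daemon default at creation time, so it is resolved against daemon.json.
    """
    default = daemon_default(daemon_json)
    modes = {}
    for container in json.loads(inspect_json):
        explicit = container.get("HostConfig", {}).get("CgroupnsMode", "")
        name = container["Name"].lstrip("/")  # inspect prefixes names with "/"
        modes[name] = explicit or default
    return modes


def host_cgroupns_containers(inspect_json: str, daemon_json: str) -> list:
    """Names of containers that can see the host's cgroup hierarchy."""
    modes = effective_modes(inspect_json, daemon_json)
    return sorted(name for name, mode in modes.items() if mode == "host")


# Constructed sample data standing in for `docker inspect $(docker ps -q)`:
# cadvisor asked for host explicitly, web inherited the default, db is private.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/cadvisor", "HostConfig": {"CgroupnsMode": "host"}},
    {"Name": "/web", "HostConfig": {"CgroupnsMode": ""}},
    {"Name": "/db", "HostConfig": {"CgroupnsMode": "private"}},
])
# Constructed daemon.json applying the workaround from the comment above.
SAMPLE_DAEMON_JSON = '{"default-cgroupns-mode": "host"}'

if __name__ == "__main__":
    print("with workaround:", host_cgroupns_containers(SAMPLE_INSPECT, SAMPLE_DAEMON_JSON))
    print("stock daemon:   ", host_cgroupns_containers(SAMPLE_INSPECT, "{}"))
```

With the workaround in place, web silently joins cadvisor in the host cgroup namespace; with a stock daemon only the explicitly configured container does.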

@EFinish you mix both docker compose v1 ($ docker-compose) and v2 ($ docker compose) in your commands 😃