
Merge pull request #20207 from Microsoft/jjh/fix18077-v2

Windows: Fix Isolation
Alexander Morozov 9 роки тому
батько
коміт
95d827cda2
29 змінених файлів з 74 додано та 50 видалено
  1. 2 2
      api/client/build.go
  2. 3 3
      api/server/router/build/build_routes.go
  3. 1 1
      builder/dockerfile/internals.go
  4. 1 1
      daemon/execdriver/driver_windows.go
  5. 5 5
      daemon/execdriver/windows/windows.go
  6. 1 1
      daemon/list.go
  7. 1 1
      hack/vendor.sh
  8. 2 2
      runconfig/config.go
  9. 19 6
      runconfig/config_test.go
  10. 3 3
      runconfig/hostconfig_unix.go
  11. 3 3
      runconfig/hostconfig_windows.go
  12. 2 2
      runconfig/opts/parse.go
  13. 0 0
      vendor/src/github.com/docker/engine-api/client/container_copy.go
  14. 0 0
      vendor/src/github.com/docker/engine-api/client/container_diff.go
  15. 0 0
      vendor/src/github.com/docker/engine-api/client/container_exec.go
  16. 0 0
      vendor/src/github.com/docker/engine-api/client/container_export.go
  17. 0 0
      vendor/src/github.com/docker/engine-api/client/container_kill.go
  18. 0 0
      vendor/src/github.com/docker/engine-api/client/container_logs.go
  19. 0 0
      vendor/src/github.com/docker/engine-api/client/container_pause.go
  20. 0 0
      vendor/src/github.com/docker/engine-api/client/container_resize.go
  21. 0 0
      vendor/src/github.com/docker/engine-api/client/container_wait.go
  22. 2 2
      vendor/src/github.com/docker/engine-api/client/image_build.go
  23. 0 0
      vendor/src/github.com/docker/engine-api/client/image_history.go
  24. 11 0
      vendor/src/github.com/docker/engine-api/client/transport/client_mock.go
  25. 1 1
      vendor/src/github.com/docker/engine-api/types/client.go
  26. 6 6
      vendor/src/github.com/docker/engine-api/types/container/host_config.go
  27. 2 2
      vendor/src/github.com/docker/engine-api/types/container/hostconfig_unix.go
  28. 7 7
      vendor/src/github.com/docker/engine-api/types/container/hostconfig_windows.go
  29. 2 2
      vendor/src/github.com/docker/engine-api/types/types.go

+ 2 - 2
api/client/build.go

@@ -66,7 +66,7 @@ func (cli *DockerCli) CmdBuild(args ...string) error {
 	flCgroupParent := cmd.String([]string{"-cgroup-parent"}, "", "Optional parent cgroup for the container")
 	flBuildArg := opts.NewListOpts(runconfigopts.ValidateEnv)
 	cmd.Var(&flBuildArg, []string{"-build-arg"}, "Set build-time variables")
-	isolation := cmd.String([]string{"-isolation"}, "", "Container isolation level")
+	isolation := cmd.String([]string{"-isolation"}, "", "Container isolation technology")
 
 	ulimits := make(map[string]*units.Ulimit)
 	flUlimits := runconfigopts.NewUlimitOpt(&ulimits)
@@ -224,7 +224,7 @@ func (cli *DockerCli) CmdBuild(args ...string) error {
 		Remove:         *rm,
 		ForceRemove:    *forceRm,
 		PullParent:     *pull,
-		IsolationLevel: container.IsolationLevel(*isolation),
+		Isolation:      container.Isolation(*isolation),
 		CPUSetCPUs:     *flCPUSetCpus,
 		CPUSetMems:     *flCPUSetMems,
 		CPUShares:      *flCPUShares,

+ 3 - 3
api/server/router/build/build_routes.go

@@ -60,11 +60,11 @@ func newImageBuildOptions(ctx context.Context, r *http.Request) (*types.ImageBui
 		options.ShmSize = shmSize
 	}
 
-	if i := container.IsolationLevel(r.FormValue("isolation")); i != "" {
-		if !container.IsolationLevel.IsValid(i) {
+	if i := container.Isolation(r.FormValue("isolation")); i != "" {
+		if !container.Isolation.IsValid(i) {
 			return nil, fmt.Errorf("Unsupported isolation: %q", i)
 		}
-		options.IsolationLevel = i
+		options.Isolation = i
 	}
 
 	var buildUlimits = []*units.Ulimit{}

+ 1 - 1
builder/dockerfile/internals.go

@@ -506,7 +506,7 @@ func (b *Builder) create() (string, error) {
 
 	// TODO: why not embed a hostconfig in builder?
 	hostConfig := &container.HostConfig{
-		Isolation: b.options.IsolationLevel,
+		Isolation: b.options.Isolation,
 		ShmSize:   b.options.ShmSize,
 		Resources: resources,
 	}

+ 1 - 1
daemon/execdriver/driver_windows.go

@@ -53,7 +53,7 @@ type Command struct {
 	Hostname    string   `json:"hostname"`     // Windows sets the hostname in the execdriver
 	LayerFolder string   `json:"layer_folder"` // Layer folder for a command
 	LayerPaths  []string `json:"layer_paths"`  // Layer paths for a command
-	Isolation   string   `json:"isolation"`    // Isolation level for the container
+	Isolation   string   `json:"isolation"`    // Isolation technology for the container
 	ArgsEscaped bool     `json:"args_escaped"` // True if args are already escaped
 	HvPartition bool     `json:"hv_partition"` // True if it's an hypervisor partition
 }

+ 5 - 5
daemon/execdriver/windows/windows.go

@@ -28,11 +28,11 @@ var dummyMode bool
 // This allows the daemon to force kill (HCS terminate) rather than shutdown
 var forceKill bool
 
-// DefaultIsolation allows users to specify a default isolation mode for
+// DefaultIsolation allows users to specify a default isolation technology for
 // when running a container on Windows. For example docker daemon -D
 // --exec-opt isolation=hyperv will cause Windows to always run containers
 // as Hyper-V containers unless otherwise specified.
-var DefaultIsolation container.IsolationLevel = "process"
+var DefaultIsolation container.Isolation = "process"
 
 // Define name and version for windows
 var (
@@ -83,13 +83,13 @@ func NewDriver(root string, options []string) (*Driver, error) {
 			}
 
 		case "isolation":
-			if !container.IsolationLevel(val).IsValid() {
+			if !container.Isolation(val).IsValid() {
 				return nil, fmt.Errorf("Unrecognised exec driver option 'isolation':'%s'", val)
 			}
-			if container.IsolationLevel(val).IsHyperV() {
+			if container.Isolation(val).IsHyperV() {
 				DefaultIsolation = "hyperv"
 			}
-			logrus.Infof("Windows default isolation level: '%s'", val)
+			logrus.Infof("Windows default isolation: '%s'", val)
 		default:
 			return nil, fmt.Errorf("Unrecognised exec driver option %s\n", key)
 		}
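Review bot: The reworded `logrus.Infof` line in the `isolation` case logs the raw option `val`, not the value the driver will use. Only `IsHyperV()` changes `DefaultIsolation`, and that check is case-insensitive, so `default` or a differently cased `hyperv` is logged as typed while the effective default is `process` or `hyperv`. A later `isolation=process` after an earlier `isolation=hyperv` also appears to leave `DefaultIsolation` at `hyperv` while the log reports `process`. Since this line is the daemon's record of the default isolation boundary, log the effective value: `logrus.Infof("Windows default isolation: '%s'", DefaultIsolation)`. The enclosing switch in NewDriver starts and ends outside this hunk.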

+ 1 - 1
daemon/list.go

@@ -246,7 +246,7 @@ func includeContainerInList(container *container.Container, ctx *listContext) it
 		return excludeContainer
 	}
 
-	// Do not include container if the isolation mode doesn't match
+	// Do not include container if isolation doesn't match
 	if excludeContainer == excludeByIsolation(container, ctx) {
 		return excludeContainer
 	}

+ 1 - 1
hack/vendor.sh

@@ -24,7 +24,7 @@ clone git golang.org/x/net 47990a1ba55743e6ef1affd3a14e5bac8553615d https://gith
 clone git golang.org/x/sys eb2c74142fd19a79b3f237334c7384d5167b1b46 https://github.com/golang/sys.git
 clone git github.com/docker/go-units 651fc226e7441360384da338d0fd37f2440ffbe3
 clone git github.com/docker/go-connections v0.1.3
-clone git github.com/docker/engine-api 9a940e4ead265e18d4feb9e3c515428966a08278
+clone git github.com/docker/engine-api ddfd776c787a013c39d4eb3fa9c44006347e207a
 clone git github.com/RackSec/srslog 6eb773f331e46fbba8eecb8e794e635e75fc04de
 clone git github.com/imdario/mergo 0.2.1
 

+ 2 - 2
runconfig/config.go

@@ -44,8 +44,8 @@ func DecodeContainerConfig(src io.Reader) (*container.Config, *container.HostCon
 		return nil, nil, nil, err
 	}
 
-	// Validate the isolation level
-	if err := ValidateIsolationLevel(hc); err != nil {
+	// Validate isolation
+	if err := ValidateIsolation(hc); err != nil {
 		return nil, nil, nil, err
 	}
 	return w.Config, hc, w.NetworkingConfig, nil

+ 19 - 6
runconfig/config_test.go

@@ -65,7 +65,7 @@ func TestDecodeContainerConfig(t *testing.T) {
 	}
 }
 
-// TestDecodeContainerConfigIsolation validates the isolation level passed
+// TestDecodeContainerConfigIsolation validates isolation passed
 // to the daemon in the hostConfig structure. Note this is platform specific
 // as to what level of container isolation is supported.
 func TestDecodeContainerConfigIsolation(t *testing.T) {
@@ -77,17 +77,30 @@ func TestDecodeContainerConfigIsolation(t *testing.T) {
 		}
 	}
 
-	// Blank isolation level (== default)
+	// Blank isolation (== default)
 	if _, _, _, err := callDecodeContainerConfigIsolation(""); err != nil {
 		t.Fatal("Blank isolation should have succeeded")
 	}
 
-	// Default isolation level
+	// Default isolation
 	if _, _, _, err := callDecodeContainerConfigIsolation("default"); err != nil {
 		t.Fatal("default isolation should have succeeded")
 	}
 
-	// Hyper-V Containers isolation level (Valid on Windows only)
+	// Process isolation (Valid on Windows only)
+	if runtime.GOOS == "windows" {
+		if _, _, _, err := callDecodeContainerConfigIsolation("process"); err != nil {
+			t.Fatal("process isolation should have succeeded")
+		}
+	} else {
+		if _, _, _, err := callDecodeContainerConfigIsolation("process"); err != nil {
+			if !strings.Contains(err.Error(), `invalid --isolation: "process"`) {
+				t.Fatal(err)
+			}
+		}
+	}
+
+	// Hyper-V Containers isolation (Valid on Windows only)
 	if runtime.GOOS == "windows" {
 		if _, _, _, err := callDecodeContainerConfigIsolation("hyperv"); err != nil {
 			t.Fatal("hyperv isolation should have succeeded")
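Review bot: The non-Windows branch of the new `process` check passes when `callDecodeContainerConfigIsolation("process")` returns a nil error, so the test would not catch a regression where an unsupported isolation value is accepted on Linux. The error text is only inspected inside `if err != nil`, and the rejection itself is never asserted. Assert both in one condition: `if err == nil || !strings.Contains(err.Error(), "invalid --isolation: \"process\"") { t.Fatalf("process isolation should have been rejected, got: %v", err) }`. The hyperv block that follows is cut off by the hunk; if its non-Windows branch has the same shape (not visible here) it needs the same assertion.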
@@ -102,7 +115,7 @@ func TestDecodeContainerConfigIsolation(t *testing.T) {
 }
 
 // callDecodeContainerConfigIsolation is a utility function to call
-// DecodeContainerConfig for validating isolation levels
+// DecodeContainerConfig for validating isolation
 func callDecodeContainerConfigIsolation(isolation string) (*container.Config, *container.HostConfig, *networktypes.NetworkingConfig, error) {
 	var (
 		b   []byte
@@ -112,7 +125,7 @@ func callDecodeContainerConfigIsolation(isolation string) (*container.Config, *c
 		Config: &container.Config{},
 		HostConfig: &container.HostConfig{
 			NetworkMode: "none",
-			Isolation:   container.IsolationLevel(isolation)},
+			Isolation:   container.Isolation(isolation)},
 	}
 	if b, err = json.Marshal(w); err != nil {
 		return nil, nil, nil, fmt.Errorf("Error on marshal %s", err.Error())

+ 3 - 3
runconfig/hostconfig_unix.go

@@ -70,10 +70,10 @@ func ValidateNetMode(c *container.Config, hc *container.HostConfig) error {
 	return nil
 }
 
-// ValidateIsolationLevel performs platform specific validation of the
-// isolation level in the hostconfig structure. Linux only supports "default"
+// ValidateIsolation performs platform specific validation of
+// isolation in the hostconfig structure. Linux only supports "default"
 // which is LXC container isolation
-func ValidateIsolationLevel(hc *container.HostConfig) error {
+func ValidateIsolation(hc *container.HostConfig) error {
 	// We may not be passed a host config, such as in the case of docker commit
 	if hc == nil {
 		return nil
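Review bot: The reworded doc comment on `ValidateIsolation` still ends with "which is LXC container isolation", which disagrees with the `IsDefault` comment in the vendored `types/container/host_config.go` in this same commit ("On Linux this is the native driver"). The comment tells a reader what boundary `default` gives them on Linux, so the two should agree. Since the first two lines are being rewritten anyway, the last one could read `// which is the isolation provided by the native driver`. The function body continues outside the hunk.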

+ 3 - 3
runconfig/hostconfig_windows.go

@@ -34,10 +34,10 @@ func ValidateNetMode(c *container.Config, hc *container.HostConfig) error {
 	return nil
 }
 
-// ValidateIsolationLevel performs platform specific validation of the
-// isolation level in the hostconfig structure. Windows supports 'default' (or
+// ValidateIsolation performs platform specific validation of the
+// isolation in the hostconfig structure. Windows supports 'default' (or
 // blank), 'process', or 'hyperv'.
-func ValidateIsolationLevel(hc *container.HostConfig) error {
+func ValidateIsolation(hc *container.HostConfig) error {
 	// We may not be passed a host config, such as in the case of docker commit
 	if hc == nil {
 		return nil

+ 2 - 2
runconfig/opts/parse.go

@@ -91,7 +91,7 @@ func Parse(cmd *flag.FlagSet, args []string) (*container.Config, *container.Host
 		flCgroupParent      = cmd.String([]string{"-cgroup-parent"}, "", "Optional parent cgroup for the container")
 		flVolumeDriver      = cmd.String([]string{"-volume-driver"}, "", "Optional volume driver for the container")
 		flStopSignal        = cmd.String([]string{"-stop-signal"}, signal.DefaultStopSignal, fmt.Sprintf("Signal to stop a container, %v by default", signal.DefaultStopSignal))
-		flIsolation         = cmd.String([]string{"-isolation"}, "", "Container isolation level")
+		flIsolation         = cmd.String([]string{"-isolation"}, "", "Container isolation technology")
 		flShmSize           = cmd.String([]string{"-shm-size"}, "", "Size of /dev/shm, default value is 64MB")
 	)
 
@@ -408,7 +408,7 @@ func Parse(cmd *flag.FlagSet, args []string) (*container.Config, *container.Host
 		ReadonlyRootfs: *flReadonlyRootfs,
 		LogConfig:      container.LogConfig{Type: *flLoggingDriver, Config: loggingOpts},
 		VolumeDriver:   *flVolumeDriver,
-		Isolation:      container.IsolationLevel(*flIsolation),
+		Isolation:      container.Isolation(*flIsolation),
 		ShmSize:        shmSize,
 		Resources:      resources,
 		Tmpfs:          tmpfs,

+ 0 - 0
vendor/src/github.com/docker/engine-api/client/copy.go → vendor/src/github.com/docker/engine-api/client/container_copy.go


+ 0 - 0
vendor/src/github.com/docker/engine-api/client/diff.go → vendor/src/github.com/docker/engine-api/client/container_diff.go


+ 0 - 0
vendor/src/github.com/docker/engine-api/client/exec.go → vendor/src/github.com/docker/engine-api/client/container_exec.go


+ 0 - 0
vendor/src/github.com/docker/engine-api/client/export.go → vendor/src/github.com/docker/engine-api/client/container_export.go


+ 0 - 0
vendor/src/github.com/docker/engine-api/client/kill.go → vendor/src/github.com/docker/engine-api/client/container_kill.go


+ 0 - 0
vendor/src/github.com/docker/engine-api/client/logs.go → vendor/src/github.com/docker/engine-api/client/container_logs.go


+ 0 - 0
vendor/src/github.com/docker/engine-api/client/pause.go → vendor/src/github.com/docker/engine-api/client/container_pause.go


+ 0 - 0
vendor/src/github.com/docker/engine-api/client/resize.go → vendor/src/github.com/docker/engine-api/client/container_resize.go


+ 0 - 0
vendor/src/github.com/docker/engine-api/client/wait.go → vendor/src/github.com/docker/engine-api/client/container_wait.go


+ 2 - 2
vendor/src/github.com/docker/engine-api/client/image_build.go

@@ -74,8 +74,8 @@ func imageBuildOptionsToQuery(options types.ImageBuildOptions) (url.Values, erro
 		query.Set("pull", "1")
 	}
 
-	if !container.IsolationLevel.IsDefault(options.IsolationLevel) {
-		query.Set("isolation", string(options.IsolationLevel))
+	if !container.Isolation.IsDefault(options.Isolation) {
+		query.Set("isolation", string(options.Isolation))
 	}
 
 	query.Set("cpusetcpus", options.CPUSetCPUs)

+ 0 - 0
vendor/src/github.com/docker/engine-api/client/history.go → vendor/src/github.com/docker/engine-api/client/image_history.go


+ 11 - 0
vendor/src/github.com/docker/engine-api/client/transport/client_mock.go

@@ -3,7 +3,9 @@
 package transport
 
 import (
+	"bytes"
 	"crypto/tls"
+	"io/ioutil"
 	"net/http"
 )
 
@@ -24,3 +26,12 @@ func NewMockClient(tlsConfig *tls.Config, doer func(*http.Request) (*http.Respon
 func (m mockClient) Do(req *http.Request) (*http.Response, error) {
 	return m.do(req)
 }
+
+func ErrorMock(statusCode int, message string) func(req *http.Request) (*http.Response, error) {
+	return func(req *http.Request) (*http.Response, error) {
+		return &http.Response{
+			StatusCode: statusCode,
+			Body:       ioutil.NopCloser(bytes.NewReader([]byte(message))),
+		}, nil
+	}
+}

+ 1 - 1
vendor/src/github.com/docker/engine-api/types/client.go

@@ -127,7 +127,7 @@ type ImageBuildOptions struct {
 	Remove         bool
 	ForceRemove    bool
 	PullParent     bool
-	IsolationLevel container.IsolationLevel
+	Isolation      container.Isolation
 	CPUSetCPUs     string
 	CPUSetMems     string
 	CPUShares      int64

+ 6 - 6
vendor/src/github.com/docker/engine-api/types/container/host_config.go

@@ -12,13 +12,13 @@ import (
 // NetworkMode represents the container network stack.
 type NetworkMode string
 
-// IsolationLevel represents the isolation level of a container. The supported
+// Isolation represents the isolation technology of a container. The supported
 // values are platform specific
-type IsolationLevel string
+type Isolation string
 
-// IsDefault indicates the default isolation level of a container. On Linux this
+// IsDefault indicates the default isolation technology of a container. On Linux this
 // is the native driver. On Windows, this is a Windows Server Container.
-func (i IsolationLevel) IsDefault() bool {
+func (i Isolation) IsDefault() bool {
 	return strings.ToLower(string(i)) == "default" || string(i) == ""
 }
 
@@ -233,8 +233,8 @@ type HostConfig struct {
 	ShmSize         int64              // Total shm memory usage
 
 	// Applicable to Windows
-	ConsoleSize [2]int         // Initial console size
-	Isolation   IsolationLevel // Isolation level of the container (eg default, hyperv)
+	ConsoleSize [2]int    // Initial console size
+	Isolation   Isolation // Isolation technology of the container (eg default, hyperv)
 
 	// Contains container's resources (cgroups, ulimits)
 	Resources

+ 2 - 2
vendor/src/github.com/docker/engine-api/types/container/hostconfig_unix.go

@@ -4,8 +4,8 @@ package container
 
 import "strings"
 
-// IsValid indicates is an isolation level is valid
-func (i IsolationLevel) IsValid() bool {
+// IsValid indicates if an isolation technology is valid
+func (i Isolation) IsValid() bool {
 	return i.IsDefault()
 }
 

+ 7 - 7
vendor/src/github.com/docker/engine-api/types/container/hostconfig_windows.go

@@ -21,17 +21,17 @@ func (n NetworkMode) IsUserDefined() bool {
 }
 
 // IsHyperV indicates the use of a Hyper-V partition for isolation
-func (i IsolationLevel) IsHyperV() bool {
+func (i Isolation) IsHyperV() bool {
 	return strings.ToLower(string(i)) == "hyperv"
 }
 
 // IsProcess indicates the use of process isolation
-func (i IsolationLevel) IsProcess() bool {
+func (i Isolation) IsProcess() bool {
 	return strings.ToLower(string(i)) == "process"
 }
 
-// IsValid indicates is an isolation level is valid
-func (i IsolationLevel) IsValid() bool {
+// IsValid indicates if an isolation technology is valid
+func (i Isolation) IsValid() bool {
 	return i.IsDefault() || i.IsHyperV() || i.IsProcess()
 }
 
@@ -65,10 +65,10 @@ func ValidateNetMode(c *Config, hc *HostConfig) error {
 	return nil
 }
 
-// ValidateIsolationLevel performs platform specific validation of the
-// isolation level in the hostconfig structure. Windows supports 'default' (or
+// ValidateIsolationperforms platform specific validation of the
+// isolation technology in the hostconfig structure. Windows supports 'default' (or
 // blank), 'process', or 'hyperv'.
-func ValidateIsolationLevel(hc *HostConfig) error {
+func ValidateIsolation(hc *HostConfig) error {
 	// We may not be passed a host config, such as in the case of docker commit
 	if hc == nil {
 		return nil

+ 2 - 2
vendor/src/github.com/docker/engine-api/types/types.go

@@ -238,8 +238,8 @@ type Info struct {
 	ClusterAdvertise   string
 }
 
-// PluginsInfo is temp struct holds Plugins name
-// registered with docker daemon. It used by Info struct
+// PluginsInfo is a temp struct holding Plugins name
+// registered with docker daemon. It is used by Info struct
 type PluginsInfo struct {
 	// List of Volume plugins registered
 	Volume []string