From 48709e502fbcf7824b136f276484b3d0276813c3 Mon Sep 17 00:00:00 2001
From: Rob Murray
Date: Sun, 16 Nov 2025 00:40:58 +0000
Subject: [PATCH] Split OS-specific container config and volume creation

Daemon.createContainerOSSpecificSettings adds container config for the OS, and creates volumes. Split those two things. This will make it possible to call an NRI plugin after the config is complete, before volumes are created - so the NRI plugin can adjust a full set of config, including volumes.

Signed-off-by: Rob Murray
---
 daemon/create.go | 8 ++++++--
 daemon/create_unix.go | 24 ++++++++++++++----------
 daemon/create_windows.go | 7 ++++++-
 3 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/daemon/create.go b/daemon/create.go
index 8ecabcc274..0173ea0918 100644
--- a/daemon/create.go
+++ b/daemon/create.go
@@ -250,7 +250,7 @@ func (daemon *Daemon) create(ctx context.Context, daemonCfg *config.Config, opts
 if err := daemon.registerLinks(ctr); err != nil {
 return nil, err
 }
- if err := daemon.createContainerOSSpecificSettings(ctx, ctr, opts.params.Config, opts.params.HostConfig); err != nil {
+ if err := daemon.createContainerOSSpecificSettings(ctx, ctr, opts.params.HostConfig); err != nil {
 return nil, err
 }
@@ -263,8 +263,12 @@ func (daemon *Daemon) create(ctx context.Context, daemonCfg *config.Config, opts
 if ctr.HostConfig != nil && ctr.HostConfig.NetworkMode == "" {
 ctr.HostConfig.NetworkMode = networktypes.NetworkDefault
 }
-
 daemon.updateContainerNetworkSettings(ctr, endpointsConfigs)
+
+ if err := daemon.createContainerVolumesOS(ctx, ctr, opts.params.Config, opts.params.HostConfig); err != nil {
+ return nil, err
+ }
+
 if err := daemon.register(ctx, ctr); err != nil {
 return nil, err
 }
diff --git a/daemon/create_unix.go b/daemon/create_unix.go
index ca7b4441d3..534407bc68 100644
--- a/daemon/create_unix.go
+++ b/daemon/create_unix.go
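Review bot: The new `createContainerVolumesOS` call in daemon/create.go (second hunk) reads `opts.params.Config` and `opts.params.HostConfig`, while the stated goal is to let a later hook adjust the container config before volumes are created. Whether those are the same objects as `ctr.Config` and `ctr.HostConfig` is not visible here; the Unix settings function writes its defaults to both `hostConfig` and `container.HostConfig`, which suggests they can differ, so an adjustment made on only one side might not be the config that volume creation acts on. A comment at the call site would pin the ordering contract, for example `// Volumes are created last: anything that adjusts the container config must run before this call.` The enclosing create function starts and ends outside the hunk.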
@@ -22,16 +22,7 @@ import (
 )
 // createContainerOSSpecificSettings performs host-OS specific container create functionality
-func (daemon *Daemon) createContainerOSSpecificSettings(ctx context.Context, container *container.Container, config *containertypes.Config, hostConfig *containertypes.HostConfig) error {
- if err := daemon.Mount(container); err != nil {
- return err
- }
- defer daemon.Unmount(container)
-
- if err := container.SetupWorkingDirectory(daemon.idMapping.RootPair()); err != nil {
- return err
- }
-
+func (daemon *Daemon) createContainerOSSpecificSettings(ctx context.Context, container *container.Container, hostConfig *containertypes.HostConfig) error {
 // Set the default masked and readonly paths with regard to the host config options if they are not set.
 if hostConfig.MaskedPaths == nil && !hostConfig.Privileged {
 hostConfig.MaskedPaths = oci.DefaultSpec().Linux.MaskedPaths // Set it to the default if nil
@@ -41,6 +32,19 @@ func (daemon *Daemon) createContainerOSSpecificSettings(ctx context.Context, con
 hostConfig.ReadonlyPaths = oci.DefaultSpec().Linux.ReadonlyPaths // Set it to the default if nil
 container.HostConfig.ReadonlyPaths = hostConfig.ReadonlyPaths
 }
+ return nil
+}
+
+// createContainerVolumesOS performs host-OS specific volume creation
+func (daemon *Daemon) createContainerVolumesOS(ctx context.Context, container *container.Container, config *containertypes.Config, hostConfig *containertypes.HostConfig) error {
+ if err := daemon.Mount(container); err != nil {
+ return err
+ }
+ defer daemon.Unmount(container)
+
+ if err := container.SetupWorkingDirectory(daemon.idMapping.RootPair()); err != nil {
+ return err
+ }
 for spec := range config.Volumes {
 destination := filepath.Clean(spec)
diff --git a/daemon/create_windows.go b/daemon/create_windows.go
index 9a495f0ba2..7ba990a5ca 100644
--- a/daemon/create_windows.go
+++ b/daemon/create_windows.go
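Review bot: The doc comment kept above `createContainerOSSpecificSettings` in daemon/create_unix.go (first hunk) is now broader than the body. With the mount and working-directory steps removed, the visible code only fills in the default `MaskedPaths` when the field is nil and the container is not privileged, and the default `ReadonlyPaths` (presumably under the same condition, which sits between the two hunks). Because these defaults decide which paths are hidden or read-only inside the container, I would say so explicitly, e.g. `// createContainerOSSpecificSettings fills in host-OS specific HostConfig defaults (masked and read-only paths); it does not touch the container filesystem.` The Windows variant in daemon/create_windows.go keeps the same stale comment while only defaulting the isolation mode.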
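Review bot: The comment on the new `createContainerVolumesOS` in daemon/create_unix.go (second hunk) describes volume creation only, but the function first calls `daemon.Mount(container)` and `container.SetupWorkingDirectory(daemon.idMapping.RootPair())` before it reaches the loop over `config.Volumes`. Working-directory setup therefore moves to the later call site as well, which matters if config is meant to be adjusted between the two calls. I would document that, e.g. `// createContainerVolumesOS mounts the container filesystem, sets up the working directory, then processes config.Volumes.` The deferred `daemon.Unmount(container)` also discards any result it returns, as it did before the move; logging a failure there would make a leaked mount visible. The loop body continues outside the hunk.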
@@ -11,11 +11,16 @@ import (
 )
 // createContainerOSSpecificSettings performs host-OS specific container create functionality
-func (daemon *Daemon) createContainerOSSpecificSettings(ctx context.Context, container *container.Container, config *containertypes.Config, hostConfig *containertypes.HostConfig) error {
+func (daemon *Daemon) createContainerOSSpecificSettings(ctx context.Context, container *container.Container, hostConfig *containertypes.HostConfig) error {
 if containertypes.Isolation.IsDefault(hostConfig.Isolation) {
 // Make sure the host config has the default daemon isolation if not specified by caller.
 hostConfig.Isolation = daemon.defaultIsolation
 }
+ return nil
+}
+
+// createContainerVolumesOS performs host-OS specific volume creation
+func (daemon *Daemon) createContainerVolumesOS(ctx context.Context, container *container.Container, config *containertypes.Config, hostConfig *containertypes.HostConfig) error {
 parser := volumemounts.NewParser()
 for spec := range config.Volumes {