From 92b4902b8d5e048d8c3ec4b80f8327a78218725e Mon Sep 17 00:00:00 2001 From: Rob Murray Date: Fri, 14 Nov 2025 11:17:58 +0000 Subject: [PATCH 1/8] Daemon.registerMountPoints: var 'container' -> 'ctr' Signed-off-by: Rob Murray --- daemon/volumes.go | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/daemon/volumes.go b/daemon/volumes.go index 945e37a2fb..59a277ec20 100644 --- a/daemon/volumes.go +++ b/daemon/volumes.go @@ -67,7 +67,7 @@ func sortMounts(m []container.Mount) []container.Mount { // 2. Select the volumes mounted from another containers. Overrides previously configured mount point destination. // 3. Select the bind mounts set by the client. Overrides previously configured mount point destinations. // 4. Cleanup old volumes that are about to be reassigned. -func (daemon *Daemon) registerMountPoints(container *container.Container, hostConfig *containertypes.HostConfig, defaultReadOnlyNonRecursive bool) (retErr error) { +func (daemon *Daemon) registerMountPoints(ctr *container.Container, hostConfig *containertypes.HostConfig, defaultReadOnlyNonRecursive bool) (retErr error) { binds := map[string]bool{} mountPoints := map[string]*volumemounts.MountPoint{} parser := volumemounts.NewParser() @@ -80,7 +80,7 @@ func (daemon *Daemon) registerMountPoints(container *container.Container, hostCo if m.Volume == nil { continue } - daemon.volumes.Release(ctx, m.Volume.Name(), container.ID) + daemon.volumes.Release(ctx, m.Volume.Name(), ctr.ID) } } }() 
@@ -89,13 +89,13 @@ func (daemon *Daemon) registerMountPoints(container *container.Container, hostCo if v, ok := mountPoints[destination]; ok { log.G(ctx).Debugf("Duplicate mount point '%s'", destination) if v.Volume != nil { - daemon.volumes.Release(ctx, v.Volume.Name(), container.ID) + daemon.volumes.Release(ctx, v.Volume.Name(), ctr.ID) } } } // 1. Read already configured mount points. - for destination, point := range container.MountPoints { + for destination, point := range ctr.MountPoints { mountPoints[destination] = point } @@ -125,7 +125,7 @@ func (daemon *Daemon) registerMountPoints(container *container.Container, hostCo } if cp.Source == "" { - v, err := daemon.volumes.Get(ctx, cp.Name, volumeopts.WithGetDriver(cp.Driver), volumeopts.WithGetReference(container.ID)) + v, err := daemon.volumes.Get(ctx, cp.Name, volumeopts.WithGetDriver(cp.Driver), volumeopts.WithGetReference(ctr.ID)) if err != nil { return err } @@ -158,7 +158,7 @@ func (daemon *Daemon) registerMountPoints(container *container.Container, hostCo if bind.Type == mounttypes.TypeVolume { // create the volume - v, err := daemon.volumes.Create(ctx, bind.Name, bind.Driver, volumeopts.WithCreateReference(container.ID)) + v, err := daemon.volumes.Create(ctx, bind.Name, bind.Driver, volumeopts.WithCreateReference(ctr.ID)) if err != nil { return err } @@ -212,12 +212,12 @@ func (daemon *Daemon) registerMountPoints(container *container.Container, hostCo v, err = daemon.volumes.Create(ctx, mp.Name, mp.Driver, - volumeopts.WithCreateReference(container.ID), + volumeopts.WithCreateReference(ctr.ID), volumeopts.WithCreateOptions(driverOpts), volumeopts.WithCreateLabels(cfg.VolumeOptions.Labels), ) } else { - v, err = daemon.volumes.Create(ctx, mp.Name, mp.Driver, volumeopts.WithCreateReference(container.ID)) + v, err = daemon.volumes.Create(ctx, mp.Name, mp.Driver, volumeopts.WithCreateReference(ctr.ID)) } if err != nil { return err 
@@ -254,13 +254,13 @@ func (daemon *Daemon) registerMountPoints(container *container.Container, hostCo } rwLayerOpts := &layer.CreateRWLayerOpts{ - StorageOpt: container.HostConfig.StorageOpt, + StorageOpt: ctr.HostConfig.StorageOpt, } // Include the destination in the layer name to make it unique for each mount point and container. // This makes sure that the same image can be mounted multiple times with different destinations. // Hex encode the destination to create a safe, unique identifier - layerName := hex.EncodeToString([]byte(container.ID + ",src=" + mp.Source + ",dst=" + mp.Destination)) + layerName := hex.EncodeToString([]byte(ctr.ID + ",src=" + mp.Source + ",dst=" + mp.Destination)) layer, err := daemon.imageService.CreateLayerFromImage(img, layerName, rwLayerOpts) if err != nil { return err @@ -291,19 +291,19 @@ func (daemon *Daemon) registerMountPoints(container *container.Container, hostCo mountPoints[mp.Destination] = mp } - container.Lock() + ctr.Lock() // 4. Cleanup old volumes that are about to be reassigned. for _, m := range mountPoints { if parser.IsBackwardCompatible(m) { - if mp, exists := container.MountPoints[m.Destination]; exists && mp.Volume != nil { - daemon.volumes.Release(ctx, mp.Volume.Name(), container.ID) + if mp, exists := ctr.MountPoints[m.Destination]; exists && mp.Volume != nil { + daemon.volumes.Release(ctx, mp.Volume.Name(), ctr.ID) } } } - container.MountPoints = mountPoints + ctr.MountPoints = mountPoints - container.Unlock() + ctr.Unlock() return nil } From e757bbb4ea504156b930c5c30e2dd9434d560bc7 Mon Sep 17 00:00:00 2001 From: Rob Murray Date: Fri, 14 Nov 2025 11:27:52 +0000 Subject: [PATCH 2/8] Move call to Daemon.registerLinks out of Daemon.setHostConfig The call from Daemon.create -> Daemon.setHostConfig acquired container.Lock, but didn't need to because the container is newly created and solely owned by the caller. The call from Daemon.restore did not acquire the lock. 
Signed-off-by: Rob Murray --- daemon/container.go | 5 ----- daemon/create.go | 4 +++- daemon/daemon.go | 2 +- daemon/daemon_unix.go | 8 ++++---- daemon/daemon_windows.go | 2 +- 5 files changed, 9 insertions(+), 12 deletions(-) diff --git a/daemon/container.go b/daemon/container.go index dd7f82dae1..e6018c771c 100644 --- a/daemon/container.go +++ b/daemon/container.go @@ -221,11 +221,6 @@ func (daemon *Daemon) setHostConfig(container *container.Container, hostConfig * container.Lock() defer container.Unlock() - // Register any links from the host config before starting the container - if err := daemon.registerLinks(container, hostConfig); err != nil { - return err - } - if hostConfig != nil && hostConfig.NetworkMode == "" { hostConfig.NetworkMode = networktypes.NetworkDefault } diff --git a/daemon/create.go b/daemon/create.go index f68dfff7b8..8ecabcc274 100644 --- a/daemon/create.go +++ b/daemon/create.go @@ -247,7 +247,9 @@ func (daemon *Daemon) create(ctx context.Context, daemonCfg *config.Config, opts if err := daemon.setHostConfig(ctr, opts.params.HostConfig, opts.params.DefaultReadOnlyNonRecursive); err != nil { return nil, err } - + if err := daemon.registerLinks(ctr); err != nil { + return nil, err + } if err := daemon.createContainerOSSpecificSettings(ctx, ctr, opts.params.Config, opts.params.HostConfig); err != nil { return nil, err } diff --git a/daemon/daemon.go b/daemon/daemon.go index d639b6f0c1..2bb2d8c060 100644 --- a/daemon/daemon.go +++ b/daemon/daemon.go @@ -592,7 +592,7 @@ func (daemon *Daemon) restore(ctx context.Context, cfg *configStore, containers go func(c *container.Container) { _ = sem.Acquire(context.Background(), 1) - if err := daemon.registerLinks(c, c.HostConfig); err != nil { + if err := daemon.registerLinks(c); err != nil { log.G(ctx).WithField("container", c.ID).WithError(err).Error("failed to register link for container") } diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go index 7b9b68d7d4..724d969d61 100644 
--- a/daemon/daemon_unix.go +++ b/daemon/daemon_unix.go @@ -1504,12 +1504,12 @@ func getUnmountOnShutdownPath(config *config.Config) string { // registerLinks registers network links between container and other containers // with the daemon using the specification in hostConfig. -func (daemon *Daemon) registerLinks(container *container.Container, hostConfig *containertypes.HostConfig) error { - if hostConfig == nil || hostConfig.NetworkMode.IsUserDefined() { +func (daemon *Daemon) registerLinks(ctr *container.Container) error { + if ctr.HostConfig == nil || ctr.HostConfig.NetworkMode.IsUserDefined() { return nil } - for _, l := range hostConfig.Links { + for _, l := range ctr.HostConfig.Links { name, alias, err := opts.ParseLink(l) if err != nil { return err @@ -1542,7 +1542,7 @@ func (daemon *Daemon) registerLinks(container *container.Container, hostConfig * if child.HostConfig.NetworkMode.IsHost() { return cerrdefs.ErrInvalidArgument.WithMessage("conflicting options: host type networking can't be used with links. This would result in undefined behavior") } - if err := daemon.registerLink(container, child, alias); err != nil { + if err := daemon.registerLink(ctr, child, alias); err != nil { return err } } diff --git a/daemon/daemon_windows.go b/daemon/daemon_windows.go index 757043d079..5985708ec6 100644 --- a/daemon/daemon_windows.go +++ b/daemon/daemon_windows.go @@ -464,7 +464,7 @@ func initBridgeDriver(controller *libnetwork.Controller, config config.BridgeCon // registerLinks sets up links between containers and writes the // configuration out for persistence. As of Windows TP4, links are not supported. -func (daemon *Daemon) registerLinks(container *container.Container, hostConfig *containertypes.HostConfig) error { +func (daemon *Daemon) registerLinks(container *container.Container) error { return nil } From 4434236088cc71a2e80ad0064df06d0371dc38c3 Mon Sep 17 00:00:00 2001 
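Review bot: The doc comment kept above `registerLinks` in the `@@ -1504,12 +1504,12 @@` hunk still ends with "using the specification in hostConfig", but the `hostConfig` parameter is gone and the links are now read from `ctr.HostConfig`. I would update the second line to `// with the daemon, using the links in ctr.HostConfig. A nil HostConfig or a user-defined network mode is a no-op.` The Windows stub in the `@@ -464,7 +464,7 @@` hunk keeps the parameter name `container`, which shadows the imported package, while this variant was renamed to `ctr`; renaming it there as well would keep the two signatures parallel. The Unix function body runs past the end of both of its hunks.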
From: Rob Murray Date: Fri, 14 Nov 2025 11:47:20 +0000 Subject: [PATCH 3/8] Daemon.setHostConfig - don't set default network mode It's set later in Daemon.create, setHostConfig's only caller. Signed-off-by: Rob Murray --- daemon/container.go | 3 --- 1 file changed, 3 deletions(-) diff --git a/daemon/container.go b/daemon/container.go index e6018c771c..abf5b39b0c 100644 --- a/daemon/container.go +++ b/daemon/container.go @@ -221,9 +221,6 @@ func (daemon *Daemon) setHostConfig(container *container.Container, hostConfig * container.Lock() defer container.Unlock() - if hostConfig != nil && hostConfig.NetworkMode == "" { - hostConfig.NetworkMode = networktypes.NetworkDefault - } container.HostConfig = hostConfig return nil } From 48709e502fbcf7824b136f276484b3d0276813c3 Mon Sep 17 00:00:00 2001 From: Rob Murray Date: Sun, 16 Nov 2025 00:40:58 +0000 Subject: [PATCH 4/8] Split OS-specific container config and volume creation Daemon.createContainerOSSpecificSettings adds container config for the OS, and creates volumes. Split those two things. This will make it possible to call an NRI plugin after the config is complete, before volumes are created - so the NRI plugin can adjust a full set of config, including volumes. Signed-off-by: Rob Murray --- daemon/create.go | 8 ++++++-- daemon/create_unix.go | 24 ++++++++++++++---------- daemon/create_windows.go | 7 ++++++- 3 files changed, 26 insertions(+), 13 deletions(-) diff --git a/daemon/create.go b/daemon/create.go index 8ecabcc274..0173ea0918 100644 --- a/daemon/create.go +++ b/daemon/create.go @@ -250,7 +250,7 @@ func (daemon *Daemon) create(ctx context.Context, daemonCfg *config.Config, opts if err := daemon.registerLinks(ctr); err != nil { return nil, err } - if err := daemon.createContainerOSSpecificSettings(ctx, ctr, opts.params.Config, opts.params.HostConfig); err != nil { + if err := daemon.createContainerOSSpecificSettings(ctx, ctr, opts.params.HostConfig); err != nil { return nil, err } 
@@ -263,8 +263,12 @@ func (daemon *Daemon) create(ctx context.Context, daemonCfg *config.Config, opts if ctr.HostConfig != nil && ctr.HostConfig.NetworkMode == "" { ctr.HostConfig.NetworkMode = networktypes.NetworkDefault } - daemon.updateContainerNetworkSettings(ctr, endpointsConfigs) + + if err := daemon.createContainerVolumesOS(ctx, ctr, opts.params.Config, opts.params.HostConfig); err != nil { + return nil, err + } + if err := daemon.register(ctx, ctr); err != nil { return nil, err } diff --git a/daemon/create_unix.go b/daemon/create_unix.go index ca7b4441d3..534407bc68 100644 --- a/daemon/create_unix.go +++ b/daemon/create_unix.go @@ -22,16 +22,7 @@ import ( ) // createContainerOSSpecificSettings performs host-OS specific container create functionality -func (daemon *Daemon) createContainerOSSpecificSettings(ctx context.Context, container *container.Container, config *containertypes.Config, hostConfig *containertypes.HostConfig) error { - if err := daemon.Mount(container); err != nil { - return err - } - defer daemon.Unmount(container) - - if err := container.SetupWorkingDirectory(daemon.idMapping.RootPair()); err != nil { - return err - } - +func (daemon *Daemon) createContainerOSSpecificSettings(ctx context.Context, container *container.Container, hostConfig *containertypes.HostConfig) error { // Set the default masked and readonly paths with regard to the host config options if they are not set. if hostConfig.MaskedPaths == nil && !hostConfig.Privileged { hostConfig.MaskedPaths = oci.DefaultSpec().Linux.MaskedPaths // Set it to the default if nil 
@@ -41,6 +32,19 @@ func (daemon *Daemon) createContainerOSSpecificSettings(ctx context.Context, con hostConfig.ReadonlyPaths = oci.DefaultSpec().Linux.ReadonlyPaths // Set it to the default if nil container.HostConfig.ReadonlyPaths = hostConfig.ReadonlyPaths } + return nil +} + +// createContainerVolumesOS performs host-OS specific volume creation +func (daemon *Daemon) createContainerVolumesOS(ctx context.Context, container *container.Container, config *containertypes.Config, hostConfig *containertypes.HostConfig) error { + if err := daemon.Mount(container); err != nil { + return err + } + defer daemon.Unmount(container) + + if err := container.SetupWorkingDirectory(daemon.idMapping.RootPair()); err != nil { + return err + } for spec := range config.Volumes { destination := filepath.Clean(spec) diff --git a/daemon/create_windows.go b/daemon/create_windows.go index 9a495f0ba2..7ba990a5ca 100644 --- a/daemon/create_windows.go +++ b/daemon/create_windows.go @@ -11,11 +11,16 @@ import ( ) // createContainerOSSpecificSettings performs host-OS specific container create functionality -func (daemon *Daemon) createContainerOSSpecificSettings(ctx context.Context, container *container.Container, config *containertypes.Config, hostConfig *containertypes.HostConfig) error { +func (daemon *Daemon) createContainerOSSpecificSettings(ctx context.Context, container *container.Container, hostConfig *containertypes.HostConfig) error { if containertypes.Isolation.IsDefault(hostConfig.Isolation) { // Make sure the host config has the default daemon isolation if not specified by caller. hostConfig.Isolation = daemon.defaultIsolation } + return nil +} + +// createContainerVolumesOS performs host-OS specific volume creation +func (daemon *Daemon) createContainerVolumesOS(ctx context.Context, container *container.Container, config *containertypes.Config, hostConfig *containertypes.HostConfig) error { parser := volumemounts.NewParser() for spec := range config.Volumes { 
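Review bot: The new doc comment on `createContainerVolumesOS` says only "performs host-OS specific volume creation", but the Unix body added in this hunk also mounts the container filesystem with `daemon.Mount` and calls `SetupWorkingDirectory` before it iterates `config.Volumes`. Anyone deciding where to place this call needs to know it touches the container filesystem, so I would write `// createContainerVolumesOS mounts the container filesystem, sets up the working directory, then processes config.Volumes.` The moved `defer daemon.Unmount(container)` still discards its error; a short comment saying that is deliberate would help. The function continues past the end of this hunk.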
From 22c5c78bfb894cb42ddcd6ad749383d4678c71ca Mon Sep 17 00:00:00 2001 From: Rob Murray Date: Fri, 14 Nov 2025 11:28:49 +0000 Subject: [PATCH 5/8] Move Daemon.registerMountPoints out of Daemon.setHostConfig Call registerMountPoints after the rest of the container's configuration has been set up. This will make it possible to call an NRI plugin with the container's config, allowing it to adjust the mounts in that config, before it's used to find volumes etc. Signed-off-by: Rob Murray --- daemon/container.go | 8 +------- daemon/create.go | 5 ++++- daemon/volumes.go | 16 +++++++++------- 3 files changed, 14 insertions(+), 15 deletions(-) diff --git a/daemon/container.go b/daemon/container.go index abf5b39b0c..5a80103ab2 100644 --- a/daemon/container.go +++ b/daemon/container.go @@ -211,13 +211,7 @@ func (daemon *Daemon) setSecurityOptions(cfg *config.Config, container *containe return daemon.parseSecurityOpt(cfg, &container.SecurityOptions, hostConfig) } -func (daemon *Daemon) setHostConfig(container *container.Container, hostConfig *containertypes.HostConfig, defaultReadOnlyNonRecursive bool) error { - // Do not lock while creating volumes since this could be calling out to external plugins - // Don't want to block other actions, like `docker ps` because we're waiting on an external plugin - if err := daemon.registerMountPoints(container, hostConfig, defaultReadOnlyNonRecursive); err != nil { - return err - } - +func (daemon *Daemon) setHostConfig(container *container.Container, hostConfig *containertypes.HostConfig) error { container.Lock() defer container.Unlock() diff --git a/daemon/create.go b/daemon/create.go index 0173ea0918..1aadc5d0b6 100644 --- a/daemon/create.go +++ b/daemon/create.go 
@@ -244,7 +244,7 @@ func (daemon *Daemon) create(ctx context.Context, daemonCfg *config.Config, opts return nil, err } - if err := daemon.setHostConfig(ctr, opts.params.HostConfig, opts.params.DefaultReadOnlyNonRecursive); err != nil { + if err := daemon.setHostConfig(ctr, opts.params.HostConfig); err != nil { return nil, err } if err := daemon.registerLinks(ctr); err != nil { @@ -265,6 +265,9 @@ func (daemon *Daemon) create(ctx context.Context, daemonCfg *config.Config, opts } daemon.updateContainerNetworkSettings(ctr, endpointsConfigs) + if err := daemon.registerMountPoints(ctr, opts.params.DefaultReadOnlyNonRecursive); err != nil { + return nil, err + } if err := daemon.createContainerVolumesOS(ctx, ctr, opts.params.Config, opts.params.HostConfig); err != nil { return nil, err } diff --git a/daemon/volumes.go b/daemon/volumes.go index 59a277ec20..e5aafa084c 100644 --- a/daemon/volumes.go +++ b/daemon/volumes.go @@ -10,7 +10,6 @@ import ( "time" "github.com/containerd/log" - containertypes "github.com/moby/moby/api/types/container" mounttypes "github.com/moby/moby/api/types/mount" volumetypes "github.com/moby/moby/api/types/volume" "github.com/moby/moby/v2/daemon/container" 
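Review bot: The new `registerMountPoints` call in the `@@ -265,6 +265,9 @@` hunk sits directly before `createContainerVolumesOS`, which looks like an ordering requirement, but nothing in the code says so. The Unix `createContainerVolumesOS` skips a destination when `HasMountFor` reports an existing mount (visible in the 8/8 hunk), which presumably relies on the mount points registered here; before this commit the order was implied by `registerMountPoints` living inside `setHostConfig`. A comment such as `// Must run before createContainerVolumesOS, which skips destinations that already have a mount point.` would guard against a later reorder that could create unwanted anonymous volumes. `create` starts and ends outside the hunk.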
@@ -67,7 +66,10 @@ func sortMounts(m []container.Mount) []container.Mount { // 2. Select the volumes mounted from another containers. Overrides previously configured mount point destination. // 3. Select the bind mounts set by the client. Overrides previously configured mount point destinations. // 4. Cleanup old volumes that are about to be reassigned. -func (daemon *Daemon) registerMountPoints(ctr *container.Container, hostConfig *containertypes.HostConfig, defaultReadOnlyNonRecursive bool) (retErr error) { +// +// Do not lock while creating volumes since this could be calling out to external plugins +// Don't want to block other actions, like `docker ps` because we're waiting on an external plugin +func (daemon *Daemon) registerMountPoints(ctr *container.Container, defaultReadOnlyNonRecursive bool) (retErr error) { binds := map[string]bool{} mountPoints := map[string]*volumemounts.MountPoint{} parser := volumemounts.NewParser() @@ -100,7 +102,7 @@ func (daemon *Daemon) registerMountPoints(ctr *container.Container, hostConfig * } // 2. Read volumes from other containers. - for _, v := range hostConfig.VolumesFrom { + for _, v := range ctr.HostConfig.VolumesFrom { containerID, mode, err := parser.ParseVolumesFrom(v) if err != nil { return errdefs.InvalidParameter(err) @@ -137,8 +139,8 @@ func (daemon *Daemon) registerMountPoints(ctr *container.Container, hostConfig * } // 3. Read bind mounts - for _, b := range hostConfig.Binds { - bind, err := parser.ParseMountRaw(b, hostConfig.VolumeDriver) + for _, b := range ctr.HostConfig.Binds { + bind, err := parser.ParseMountRaw(b, ctr.HostConfig.VolumeDriver) if err != nil { return err } @@ -151,7 +153,7 @@ func (daemon *Daemon) registerMountPoints(ctr *container.Container, hostConfig * } // #10618 - _, tmpfsExists := hostConfig.Tmpfs[bind.Destination] + _, tmpfsExists := ctr.HostConfig.Tmpfs[bind.Destination] if binds[bind.Destination] || tmpfsExists { return duplicateMountPointError(bind.Destination) } 
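Review bot: Moved onto the doc comment of `registerMountPoints`, the sentence "Do not lock while creating volumes ..." no longer says who must not lock. It was written at the call site in `setHostConfig`, and the function itself takes `ctr.Lock()` for step 4 (visible in the 1/8 hunk). I would reword it as a contract: `// The container lock is not held while volumes are created, because that may call out to external plugins; it is taken only for step 4, so callers must not hold it.` The final clause assumes the container lock is not reentrant. The function body continues outside this hunk.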
@@ -185,7 +187,7 @@ func (daemon *Daemon) registerMountPoints(ctr *container.Container, hostConfig * mountPoints[bind.Destination] = bind } - for _, cfg := range hostConfig.Mounts { + for _, cfg := range ctr.HostConfig.Mounts { mp, err := parser.ParseMountSpec(cfg) if err != nil { return errdefs.InvalidParameter(err) From 34925e5be9fe19c87e7fea828316ac0e310f8b06 Mon Sep 17 00:00:00 2001 From: Rob Murray Date: Fri, 14 Nov 2025 11:51:45 +0000 Subject: [PATCH 6/8] Remove Daemon.setHostConfig The container's constructor, Daemon.newContainer, already has hostConfig and can just assign it directly. Signed-off-by: Rob Murray --- daemon/container.go | 10 +--------- daemon/create.go | 4 ---- 2 files changed, 1 insertion(+), 13 deletions(-) diff --git a/daemon/container.go b/daemon/container.go index 5a80103ab2..b1376a451b 100644 --- a/daemon/container.go +++ b/daemon/container.go @@ -143,7 +143,7 @@ func (daemon *Daemon) newContainer(name string, platform ocispec.Platform, confi base.Path = entrypoint base.Args = args // FIXME: de-duplicate from config base.Config = config - base.HostConfig = &containertypes.HostConfig{} + base.HostConfig = hostConfig base.ImageID = imgID base.NetworkSettings = &network.Settings{} base.Name = name @@ -211,14 +211,6 @@ func (daemon *Daemon) setSecurityOptions(cfg *config.Config, container *containe return daemon.parseSecurityOpt(cfg, &container.SecurityOptions, hostConfig) } -func (daemon *Daemon) setHostConfig(container *container.Container, hostConfig *containertypes.HostConfig) error { - container.Lock() - defer container.Unlock() - - container.HostConfig = hostConfig - return nil -} - // verifyContainerSettings performs validation of the hostconfig and config // structures. func (daemon *Daemon) verifyContainerSettings(daemonCfg *configStore, hostConfig *containertypes.HostConfig, config *containertypes.Config, update bool) (warnings []string, _ error) { diff --git a/daemon/create.go b/daemon/create.go index 1aadc5d0b6..6a7407769c 100644 
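Review bot: With `base.HostConfig = hostConfig` in the `@@ -143,7 +143,7 @@` hunk, `newContainer` no longer guarantees a non-nil `HostConfig`, which the old `&containertypes.HostConfig{}` did. Later steps in this series dereference `ctr.HostConfig` without a check (`ctr.HostConfig.VolumesFrom` in `registerMountPoints`, `ctr.HostConfig.MaskedPaths` after 8/8), while `registerLinks` and the network-mode defaulting in `create` do test for nil. Whether any caller can pass nil is not visible here; if one can, `if hostConfig == nil { hostConfig = &containertypes.HostConfig{} }` before the assignment keeps the old guarantee, otherwise a doc line stating that `hostConfig` must be non-nil would do. The container also shares the caller's struct from construction onward, so code that ran between `newContainer` and the removed `setHostConfig` call now sees the full config rather than an empty one. `newContainer` starts and ends outside the hunk.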
--- a/daemon/create.go +++ b/daemon/create.go @@ -225,7 +225,6 @@ func (daemon *Daemon) create(ctx context.Context, daemonCfg *config.Config, opts return nil, err } - ctr.HostConfig.StorageOpt = opts.params.HostConfig.StorageOpt ctr.ImageManifest = imgManifest // Set RWLayer for container after mount labels have been set @@ -244,9 +243,6 @@ func (daemon *Daemon) create(ctx context.Context, daemonCfg *config.Config, opts return nil, err } - if err := daemon.setHostConfig(ctr, opts.params.HostConfig); err != nil { - return nil, err - } if err := daemon.registerLinks(ctr); err != nil { return nil, err } From 33032b045493bf408148efdca828d062e6d214f3 Mon Sep 17 00:00:00 2001 From: Rob Murray Date: Fri, 14 Nov 2025 12:14:34 +0000 Subject: [PATCH 7/8] Daemon.setSecurityOptions: remove redundant param Signed-off-by: Rob Murray --- daemon/container.go | 4 ++-- daemon/create.go | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/daemon/container.go b/daemon/container.go index b1376a451b..4660584d18 100644 --- a/daemon/container.go +++ b/daemon/container.go @@ -205,10 +205,10 @@ func (daemon *Daemon) GetDependentContainers(c *container.Container) []*containe return append(dependentContainers, slices.Collect(maps.Values(daemon.linkIndex.children(c)))...) } -func (daemon *Daemon) setSecurityOptions(cfg *config.Config, container *container.Container, hostConfig *containertypes.HostConfig) error { +func (daemon *Daemon) setSecurityOptions(cfg *config.Config, container *container.Container) error { container.Lock() defer container.Unlock() - return daemon.parseSecurityOpt(cfg, &container.SecurityOptions, hostConfig) + return daemon.parseSecurityOpt(cfg, &container.SecurityOptions, container.HostConfig) } // verifyContainerSettings performs validation of the hostconfig and config diff --git a/daemon/create.go b/daemon/create.go index 6a7407769c..100f70820f 100644 --- a/daemon/create.go +++ b/daemon/create.go 
@@ -221,7 +221,7 @@ func (daemon *Daemon) create(ctx context.Context, daemonCfg *config.Config, opts } }() - if err := daemon.setSecurityOptions(daemonCfg, ctr, opts.params.HostConfig); err != nil { + if err := daemon.setSecurityOptions(daemonCfg, ctr); err != nil { return nil, err } From 96b8f9c8ca2e15cd425e55fe1499827e9618859c Mon Sep 17 00:00:00 2001 From: Rob Murray Date: Fri, 14 Nov 2025 12:15:21 +0000 Subject: [PATCH 8/8] Daemon.createContainerOSSpecificSettings - remove redundant param Also: - remove the hostConfig param from Daemon.createContainerVolumesOS. - rename var container -> ctr Signed-off-by: Rob Murray --- daemon/create.go | 4 ++-- daemon/create_unix.go | 34 ++++++++++++++++------------------ daemon/create_windows.go | 18 ++++++++---------- 3 files changed, 26 insertions(+), 30 deletions(-) diff --git a/daemon/create.go b/daemon/create.go index 100f70820f..69de35fb3d 100644 --- a/daemon/create.go +++ b/daemon/create.go @@ -246,7 +246,7 @@ func (daemon *Daemon) create(ctx context.Context, daemonCfg *config.Config, opts if err := daemon.registerLinks(ctr); err != nil { return nil, err } - if err := daemon.createContainerOSSpecificSettings(ctx, ctr, opts.params.HostConfig); err != nil { + if err := daemon.createContainerOSSpecificSettings(ctx, ctr); err != nil { return nil, err } @@ -264,7 +264,7 @@ func (daemon *Daemon) create(ctx context.Context, daemonCfg *config.Config, opts if err := daemon.registerMountPoints(ctr, opts.params.DefaultReadOnlyNonRecursive); err != nil { return nil, err } - if err := daemon.createContainerVolumesOS(ctx, ctr, opts.params.Config, opts.params.HostConfig); err != nil { + if err := daemon.createContainerVolumesOS(ctx, ctr, opts.params.Config); err != nil { return nil, err } diff --git a/daemon/create_unix.go b/daemon/create_unix.go index 534407bc68..0a51f12960 100644 --- a/daemon/create_unix.go +++ b/daemon/create_unix.go 
@@ -22,27 +22,25 @@ import ( ) // createContainerOSSpecificSettings performs host-OS specific container create functionality -func (daemon *Daemon) createContainerOSSpecificSettings(ctx context.Context, container *container.Container, hostConfig *containertypes.HostConfig) error { +func (daemon *Daemon) createContainerOSSpecificSettings(ctx context.Context, ctr *container.Container) error { // Set the default masked and readonly paths with regard to the host config options if they are not set. - if hostConfig.MaskedPaths == nil && !hostConfig.Privileged { - hostConfig.MaskedPaths = oci.DefaultSpec().Linux.MaskedPaths // Set it to the default if nil - container.HostConfig.MaskedPaths = hostConfig.MaskedPaths + if ctr.HostConfig.MaskedPaths == nil && !ctr.HostConfig.Privileged { + ctr.HostConfig.MaskedPaths = oci.DefaultSpec().Linux.MaskedPaths // Set it to the default if nil } - if hostConfig.ReadonlyPaths == nil && !hostConfig.Privileged { - hostConfig.ReadonlyPaths = oci.DefaultSpec().Linux.ReadonlyPaths // Set it to the default if nil - container.HostConfig.ReadonlyPaths = hostConfig.ReadonlyPaths + if ctr.HostConfig.ReadonlyPaths == nil && !ctr.HostConfig.Privileged { + ctr.HostConfig.ReadonlyPaths = oci.DefaultSpec().Linux.ReadonlyPaths // Set it to the default if nil } return nil } // createContainerVolumesOS performs host-OS specific volume creation -func (daemon *Daemon) createContainerVolumesOS(ctx context.Context, container *container.Container, config *containertypes.Config, hostConfig *containertypes.HostConfig) error { - if err := daemon.Mount(container); err != nil { +func (daemon *Daemon) createContainerVolumesOS(ctx context.Context, ctr *container.Container, config *containertypes.Config) error { + if err := daemon.Mount(ctr); err != nil { return err } - defer daemon.Unmount(container) + defer daemon.Unmount(ctr) - if err := container.SetupWorkingDirectory(daemon.idMapping.RootPair()); err != nil { + if err := 
ctr.SetupWorkingDirectory(daemon.idMapping.RootPair()); err != nil { return err } @@ -51,12 +49,12 @@ func (daemon *Daemon) createContainerVolumesOS(ctx context.Context, container *c // Skip volumes for which we already have something mounted on that // destination because of a --volume-from. - if container.HasMountFor(destination) { - log.G(ctx).WithField("container", container.ID).WithField("destination", spec).Debug("mountpoint already exists, skipping anonymous volume") + if ctr.HasMountFor(destination) { + log.G(ctx).WithField("container", ctr.ID).WithField("destination", spec).Debug("mountpoint already exists, skipping anonymous volume") // Not an error, this could easily have come from the image config. continue } - path, err := container.GetResourcePath(destination) + path, err := ctr.GetResourcePath(destination) if err != nil { return err } @@ -66,18 +64,18 @@ func (daemon *Daemon) createContainerVolumesOS(ctx context.Context, container *c return fmt.Errorf("cannot mount volume over existing file, file exists %s", path) } - v, err := daemon.volumes.Create(context.TODO(), "", hostConfig.VolumeDriver, volumeopts.WithCreateReference(container.ID)) + v, err := daemon.volumes.Create(context.TODO(), "", ctr.HostConfig.VolumeDriver, volumeopts.WithCreateReference(ctr.ID)) if err != nil { return err } - if err := label.Relabel(v.Mountpoint, container.MountLabel, true); err != nil { + if err := label.Relabel(v.Mountpoint, ctr.MountLabel, true); err != nil { return err } - container.AddMountPointWithVolume(destination, &volumeWrapper{v: v, s: daemon.volumes}, true) + ctr.AddMountPointWithVolume(destination, &volumeWrapper{v: v, s: daemon.volumes}, true) } - return daemon.populateVolumes(ctx, container) + return daemon.populateVolumes(ctx, ctr) } // populateVolumes copies data from the container's rootfs into the volume for non-binds. diff --git a/daemon/create_windows.go b/daemon/create_windows.go index 7ba990a5ca..7d8da37bdf 100644 --- a/daemon/create_windows.go 
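Review bot: The rewritten `daemon.volumes.Create(context.TODO(), "", ctr.HostConfig.VolumeDriver, ...)` line in the `@@ -66,18 +64,18 @@` hunk still passes `context.TODO()`, although `ctx` is in scope and the Windows variant in this same commit passes `ctx`. Unless the detached context is intentional, `daemon.volumes.Create(ctx, "", ctr.HostConfig.VolumeDriver, volumeopts.WithCreateReference(ctr.ID))` would let cancellation and request-scoped values reach the volume driver; if it is intentional, a comment saying why would help. Separately, when `label.Relabel` fails right after, the function returns without releasing the volume it just created; presumably the caller's cleanup handles that, but it is not visible in this hunk.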
+++ b/daemon/create_windows.go 
@@ -11,35 +11,33 @@ import ( ) // createContainerOSSpecificSettings performs host-OS specific container create functionality -func (daemon *Daemon) createContainerOSSpecificSettings(ctx context.Context, container *container.Container, hostConfig *containertypes.HostConfig) error { - if containertypes.Isolation.IsDefault(hostConfig.Isolation) { +func (daemon *Daemon) createContainerOSSpecificSettings(ctx context.Context, ctr *container.Container) error { + if containertypes.Isolation.IsDefault(ctr.HostConfig.Isolation) { // Make sure the host config has the default daemon isolation if not specified by caller. - hostConfig.Isolation = daemon.defaultIsolation + ctr.HostConfig.Isolation = daemon.defaultIsolation } return nil } // createContainerVolumesOS performs host-OS specific volume creation -func (daemon *Daemon) createContainerVolumesOS(ctx context.Context, container *container.Container, config *containertypes.Config, hostConfig *containertypes.HostConfig) error { +func (daemon *Daemon) createContainerVolumesOS(ctx context.Context, ctr *container.Container, config *containertypes.Config) error { parser := volumemounts.NewParser() for spec := range config.Volumes { - mp, err := parser.ParseMountRaw(spec, hostConfig.VolumeDriver) + mp, err := parser.ParseMountRaw(spec, ctr.HostConfig.VolumeDriver) if err != nil { return fmt.Errorf("Unrecognised volume spec: %v", err) } // Skip volumes for which we already have something mounted on that // destination because of a --volume-from. - if container.IsDestinationMounted(mp.Destination) { + if ctr.IsDestinationMounted(mp.Destination) { continue } - volumeDriver := hostConfig.VolumeDriver - // Create the volume in the volume driver. If it doesn't exist, // a new one will be created. - v, err := daemon.volumes.Create(ctx, "", volumeDriver, volumeopts.WithCreateReference(container.ID)) + v, err := daemon.volumes.Create(ctx, "", ctr.HostConfig.VolumeDriver, volumeopts.WithCreateReference(ctr.ID)) if err != nil { return err } 
@@ -75,7 +73,7 @@ func (daemon *Daemon) createContainerVolumesOS(ctx context.Context, container *c // } // Add it to container.MountPoints - container.AddMountPointWithVolume(mp.Destination, &volumeWrapper{v: v, s: daemon.volumes}, mp.RW) + ctr.AddMountPointWithVolume(mp.Destination, &volumeWrapper{v: v, s: daemon.volumes}, mp.RW) } return nil }