daemon: Ensure buildkit created container's isolation mode consistent with daemon's config

- Introduced DefaultIsolation method in the Daemon to return the daemon configured isolation mode for Windows.

Signed-off-by: Vigilans <vigilans@foxmail.com>

daemon/command/daemon.go

@@ -424,6 +424,7 @@ func initBuildkit(ctx context.Context, d *daemon.Daemon, cdiCache *cdi.Cache) (_
 		Snapshotter:         d.ImageService().StorageDriver(),
 		ContainerdAddress:   cfg.ContainerdAddr,
 		ContainerdNamespace: cfg.ContainerdNamespace,
+		HyperVIsolation:     d.DefaultIsolation().IsHyperV(),
 		Callbacks: exporter.BuildkitCallbacks{
 			Exported: d.ImageExportedByBuildkit,
 			Named:    d.ImageNamedByBuildkit,

daemon/daemon.go

@@ -205,6 +205,11 @@ func (daemon *Daemon) UsesSnapshotter() bool {
 	return daemon.usesSnapshotter
 }
 
+// DefaultIsolation returns the default isolation mode for the daemon to run in (only applicable on Windows).
+func (daemon *Daemon) DefaultIsolation() containertypes.Isolation {
+	return daemon.defaultIsolation
+}
+
 func (daemon *Daemon) loadContainers(ctx context.Context) (map[string]map[string]*container.Container, error) {
 	var mapLock sync.Mutex
 	driverContainers := make(map[string]map[string]*container.Container)

daemon/internal/builder-next/builder.go

@@ -98,6 +98,7 @@ type Opt struct {
 	Snapshotter         string
 	ContainerdAddress   string
 	ContainerdNamespace string
+	HyperVIsolation     bool
 	Callbacks           exporter.BuildkitCallbacks
 	CDICache            *cdi.Cache
 }

daemon/internal/builder-next/controller.go

@@ -161,6 +161,7 @@ func newSnapshotterController(ctx context.Context, rt http.RoundTripper, opt Opt
 		cdiManager,
 		opt.ContainerdAddress,
 		opt.ContainerdNamespace,
+		opt.HyperVIsolation,
 	)
 	if err != nil {
 		return nil, err

daemon/internal/builder-next/executor_linux.go

@@ -22,7 +22,7 @@ import (
 
 const networkName = "bridge"
 
-func newExecutor(root, cgroupParent string, net *libnetwork.Controller, dnsConfig *oci.DNSConfig, rootless bool, idmap user.IdentityMapping, apparmorProfile string, cdiManager *cdidevices.Manager, _, _ string) (executor.Executor, error) {
+func newExecutor(root, cgroupParent string, net *libnetwork.Controller, dnsConfig *oci.DNSConfig, rootless bool, idmap user.IdentityMapping, apparmorProfile string, cdiManager *cdidevices.Manager, _, _ string, _ bool) (executor.Executor, error) {
 	netRoot := filepath.Join(root, "net")
 	networkProviders := map[pb.NetMode]network.Provider{
 		pb.NetMode_UNSET: &bridgeProvider{Controller: net, Root: netRoot},
@@ -88,6 +88,7 @@ func newExecutorGD(root, cgroupParent string, net *libnetwork.Controller, dnsCon
 		cdiManager,
 		"",
 		"",
+		false,
 	)
 }
 

daemon/internal/builder-next/executor_others.go

@@ -10,6 +10,6 @@ import (
 	"github.com/moby/sys/user"
 )
 
-func newExecutor(_, _ string, _ *libnetwork.Controller, _ *oci.DNSConfig, _ bool, _ user.IdentityMapping, _ string, _ *cdidevices.Manager, _, _ string) (executor.Executor, error) {
+func newExecutor(_, _ string, _ *libnetwork.Controller, _ *oci.DNSConfig, _ bool, _ user.IdentityMapping, _ string, _ *cdidevices.Manager, _, _ string, _ bool) (executor.Executor, error) {
 	return &stubExecutor{}, nil
 }

daemon/internal/builder-next/executor_windows.go

@@ -31,6 +31,7 @@ func newExecutor(
 	cdiManager *cdidevices.Manager,
 	containerdAddr string,
 	containerdNamespace string,
+	hypervIsolation bool,
 ) (executor.Executor, error) {
 	netRoot := filepath.Join(root, "net")
 	np := map[pb.NetMode]network.Provider{
@@ -50,6 +51,7 @@ func newExecutor(
 		DNSConfig:        dns,
 		CDIManager:       cdiManager,
 		NetworkProviders: np,
+		HyperVIsolation:  hypervIsolation,
 	}
 	return containerdexecutor.New(executorOpts), nil
 }