
Merge pull request #35495 from simonferquel/isolation-validation

Added validation of isolation settings on daemon.verifyContainerSettings
John Stephens 7 年之前
父節點
當前提交
a9aeb18a09
共有 3 個文件被更改,包括 20 次插入0 次删除
  1. 4 0
      daemon/container.go
  2. 7 0
      daemon/daemon_linux_test.go
  3. 9 0
      daemon/daemon_test.go

+ 4 - 0
daemon/container.go

@@ -329,6 +329,10 @@ func (daemon *Daemon) verifyContainerSettings(platform string, hostConfig *conta
 		return nil, errors.Errorf("invalid restart policy '%s'", p.Name)
 	}
 
+	if !hostConfig.Isolation.IsValid() {
+		return nil, errors.Errorf("invalid isolation '%s' on %s", hostConfig.Isolation, runtime.GOOS)
+	}
+
 	// Now do platform-specific verification
 	return verifyPlatformContainerSettings(daemon, hostConfig, config, update)
 }
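Review bot: The rejected isolation value is a caller-provided string (presumably taken from the API request) and is written into the error with `'%s'`, so any quotes or control characters in it reach the error text, and whatever logs that error, unescaped. Using `%q` would quote and escape it: `return nil, errors.Errorf("invalid isolation %q on %s", hostConfig.Isolation, runtime.GOOS)`. The two new tests compare the exact message, so their expected strings would need the same change. The restart-policy error just above uses the same `'%s'` form. verifyContainerSettings begins outside this hunk, so whether hostConfig is nil-checked before this dereference cannot be confirmed from here.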

+ 7 - 0
daemon/daemon_linux_test.go

@@ -157,3 +157,10 @@ func TestTmpfsDevShmSizeOverride(t *testing.T) {
 		t.Fatal("/dev/shm not found in spec, or size option missing")
 	}
 }
+
+func TestValidateContainerIsolationLinux(t *testing.T) {
+	d := Daemon{}
+
+	_, err := d.verifyContainerSettings("linux", &containertypes.HostConfig{Isolation: containertypes.IsolationHyperV}, nil, false)
+	assert.EqualError(t, err, "invalid isolation 'hyperv' on linux")
+}
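Review bot: Only `hyperv` is exercised here, and TestValidateContainerIsolation in daemon_test.go likewise checks a single rejected value. Nothing pins whether `containertypes.Isolation("process")` is also refused on Linux, or that an empty or `default` isolation still gets past the new check. Isolation is a setting users rely on as a boundary, so a table-driven test over the rejected values would guard against a later change to IsValid silently widening what is accepted. If a zero-value `Daemon{}` can reach platform verification without panicking, add one accepted case; that is not visible from this hunk. Both tests also discard the first return value; asserting it is nil on the error path would be a cheap addition.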

+ 9 - 0
daemon/daemon_test.go

@@ -4,6 +4,7 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"runtime"
 	"testing"
 
 	containertypes "github.com/docker/docker/api/types/container"
@@ -16,6 +17,7 @@ import (
 	"github.com/docker/docker/volume/local"
 	"github.com/docker/docker/volume/store"
 	"github.com/docker/go-connections/nat"
+	"github.com/stretchr/testify/assert"
 )
 
 //
@@ -302,3 +304,10 @@ func TestMerge(t *testing.T) {
 		}
 	}
 }
+
+func TestValidateContainerIsolation(t *testing.T) {
+	d := Daemon{}
+
+	_, err := d.verifyContainerSettings(runtime.GOOS, &containertypes.HostConfig{Isolation: containertypes.Isolation("invalid")}, nil, false)
+	assert.EqualError(t, err, "invalid isolation 'invalid' on "+runtime.GOOS)
+}