moby
diff --git a/‎api/server/router/container/container_routes.go‎
Lines changed: 6 additions & 3 deletions b/‎api/server/router/container/container_routes.go‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎daemon/config/config_unix.go‎
Lines changed: 1 addition & 1 deletion b/‎daemon/config/config_unix.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎daemon/container_operations_unix.go‎
Lines changed: 1 addition & 1 deletion b/‎daemon/container_operations_unix.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/api/version-history.md‎
Lines changed: 3 additions & 0 deletions b/‎docs/api/version-history.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎integration/container/ipcmode_linux_test.go‎
Lines changed: 28 additions & 0 deletions b/‎integration/container/ipcmode_linux_test.go‎
Lines changed: 28 additions & 0 deletions
@@ -474,11 +474,14 @@ func (s *containerRouter) postContainersCreate(ctx context.Context, w http.Respo
 		}
 		// Ignore KernelMemoryTCP because it was added in API 1.40.
 		hostConfig.KernelMemoryTCP = 0
-	}
 
-	// Ignore Capabilities because it was added in API 1.40.
-	if hostConfig != nil && versions.LessThan(version, "1.40") {
+		// Ignore Capabilities because it was added in API 1.40.
 		hostConfig.Capabilities = nil
+
+		// Older clients (API < 1.40) expects the default to be shareable, make them happy
+		if hostConfig.IpcMode.IsEmpty() {
+			hostConfig.IpcMode = container.IpcMode("shareable")
+		}
 	}
 
 	ccr, err := s.backend.ContainerCreate(types.ContainerCreateConfig{
 
@@ -12,7 +12,7 @@ import (
 
 const (
 	// DefaultIpcMode is default for container's IpcMode, if not set otherwise
-	DefaultIpcMode = "shareable" // TODO: change to private
+	DefaultIpcMode = "private"
 )
 
 // Config defines the configuration of a docker daemon.
 
@@ -72,7 +72,7 @@ func (daemon *Daemon) getIpcContainer(id string) (*container.Container, error) {
 	// Check the container ipc is shareable
 	if st, err := os.Stat(container.ShmPath); err != nil || !st.IsDir() {
 		if err == nil || os.IsNotExist(err) {
-			return nil, errors.New(errMsg + ": non-shareable IPC")
+			return nil, errors.New(errMsg + ": non-shareable IPC (hint: use IpcMode:shareable for the donor container)")
 		}
 		// stat() failed?
 		return nil, errors.Wrap(err, errMsg+": unexpected error from stat "+container.ShmPath)
 
@@ -61,6 +61,9 @@ keywords: "API, Docker, rcli, REST, documentation"
 * `POST /containers/create` now takes a `Capabilities` field to set the list of
   kernel capabilities to be available for the container (this overrides the default
   set).
+* `POST /containers/create` on Linux now creates a container with `HostConfig.IpcMode=private`
+  by default, if IpcMode is not explicitly specified. The per-daemon default can be changed
+  back to `shareable` by using `DefaultIpcMode` daemon configuration parameter.
 * `POST /containers/{id}/update` now accepts a `PidsLimit` field to tune a container's
   PID limit. Set `0` or `-1` for unlimited. Leave `null` to not change the current value.
 
 
@@ -11,8 +11,11 @@ import (
 
 	"github.com/docker/docker/api/types"
 	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/client"
 	"github.com/docker/docker/integration/internal/container"
 	"github.com/docker/docker/internal/test/daemon"
+	"github.com/docker/docker/internal/test/request"
 	"gotest.tools/assert"
 	is "gotest.tools/assert/cmp"
 	"gotest.tools/fs"
@@ -292,3 +295,28 @@ func TestDaemonIpcModeShareableFromConfig(t *testing.T) {
 
 	testDaemonIpcFromConfig(t, "shareable", true)
 }
+
+// TestIpcModeOlderClient checks that older client gets shareable IPC mode
+// by default, even when the daemon default is private.
+func TestIpcModeOlderClient(t *testing.T) {
+	skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.40"), "requires a daemon with DefaultIpcMode: private")
+	t.Parallel()
+
+	ctx := context.Background()
+
+	// pre-check: default ipc mode in daemon is private
+	c := testEnv.APIClient()
+	cID := container.Create(t, ctx, c, container.WithAutoRemove)
+
+	inspect, err := c.ContainerInspect(ctx, cID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(string(inspect.HostConfig.IpcMode), "private"))
+
+	// main check: using older client creates "shareable" container
+	c = request.NewAPIClient(t, client.WithVersion("1.39"))
+	cID = container.Create(t, ctx, c, container.WithAutoRemove)
+
+	inspect, err = c.ContainerInspect(ctx, cID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(string(inspect.HostConfig.IpcMode), "shareable"))
+}
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ import (`
`12`	`12`
`13`	`13`	`const (`
`14`	`14`	`// DefaultIpcMode is default for container's IpcMode, if not set otherwise`
`15`		`- DefaultIpcMode = "shareable" // TODO: change to private`
	`15`	`+ DefaultIpcMode = "private"`
`16`	`16`	`)`
`17`	`17`
`18`	`18`	`// Config defines the configuration of a docker daemon.`
Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,7 @@ func (daemon Daemon) getIpcContainer(id string) (container.Container, error) {`
`72`	`72`	`// Check the container ipc is shareable`
`73`	`73`	`if st, err := os.Stat(container.ShmPath); err != nil \|\| !st.IsDir() {`
`74`	`74`	`if err == nil \|\| os.IsNotExist(err) {`
`75`		`- return nil, errors.New(errMsg + ": non-shareable IPC")`
	`75`	`+ return nil, errors.New(errMsg + ": non-shareable IPC (hint: use IpcMode:shareable for the donor container)")`
`76`	`76`	`}`
`77`	`77`	`// stat() failed?`
`78`	`78`	`return nil, errors.Wrap(err, errMsg+": unexpected error from stat "+container.ShmPath)`