Description
On hosts with "only" a unified cgroup v2 controller hierarchy (that is, a "pure" cgroups v2 hierarchy), Docker now defaults (unless configured otherwise) to automatically creating private cgroup namespaces for created containers. The rationale is to reduce leakage of potentially sensitive information about the cgroup hierarchy and configuration of the host, and thus of other containers. Still, there are valid use cases for allowing only specific containers to use the initial (host) cgroup namespace, especially system diagnosis containers. One example is the well-known cAdvisor ("provides container users an understanding of the resource usage and performance characteristics of their running containers").
For such use cases, docker run introduced the CLI flag --cgroupns=[host|private] as of Docker-CE 20.0.0 and API 1.41.
Unfortunately, the current compose specification doesn't provide any means of controlling cgroup namespace creation or sharing. This makes it impossible to use system diagnosis containers, such as cAdvisor, ... on cgroup v2 unified hierarchy-only systems with compose-based deployment tools.
This situation would be solved by adding a cgroup field to service objects that would allow specifying either "private" or "host", mirroring today's CLI flag functionality for handling cgroup namespace creation for new containers.
```yaml
services:
  foo:
    pid: host
    cgroup: host # might be "cgroupns" instead if parity with CLI flag is sought after, but breaks symmetry with pid namespaces.
```

Nota bene: mirror of docker/compose issue #8167
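As an added illustration (not code from this issue or from the compose-spec project), a small Python audit that handles the proposed cgroup field the same way the existing pid field is handled, maps it to the Docker Engine API's HostConfig.CgroupnsMode (API 1.41+), and lists services that opt out of namespace isolation so they can be reviewed. The compose document is constructed inline (YAML is a superset of JSON, so it is a valid compose file) and the function names are my own.

```python
"""Audit a Compose document for the proposed per-service `cgroup` field and
map it to the Docker Engine API's HostConfig.CgroupnsMode (API >= 1.41)."""
import json

VALID_MODES = ("private", "host")


def cgroupns_mode(service: dict, default: str = "private") -> str:
    """Return the cgroup namespace mode requested by a service definition.

    `cgroup` is the field proposed in this issue; a missing field falls back
    to `default`, mirroring the daemon default on cgroup v2-only hosts.
    """
    mode = service.get("cgroup", default)
    if mode not in VALID_MODES:
        raise ValueError(f"cgroup must be one of {VALID_MODES}, got {mode!r}")
    return mode


def to_host_config(service: dict) -> dict:
    """Translate the compose-level namespace fields into the HostConfig keys
    the Docker Engine API expects (CgroupnsMode exists since API 1.41)."""
    host_config = {"CgroupnsMode": cgroupns_mode(service)}
    if service.get("pid"):
        host_config["PidMode"] = service["pid"]
    return host_config


def audit_host_namespaces(compose: dict) -> list:
    """Return (service_name, namespace) pairs for every service that shares
    the host cgroup or pid namespace, i.e. the ones worth a second look."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        if cgroupns_mode(svc) == "host":
            findings.append((name, "cgroup"))
        if svc.get("pid") == "host":
            findings.append((name, "pid"))
    return findings


# Constructed sample document: the diagnosis container needs the host view,
# the ordinary web service keeps the private (default) cgroup namespace.
SAMPLE_COMPOSE = json.loads("""
{"services": {
   "cadvisor": {"image": "placeholder/cadvisor", "pid": "host", "cgroup": "host"},
   "web": {"image": "placeholder/web"}
}}""")

if __name__ == "__main__":
    for name, ns in audit_host_namespaces(SAMPLE_COMPOSE):
        print(f"service {name!r} shares the host {ns} namespace")
```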