From 15eb7fe3793c80cd2d913de4f40f988514278979 Mon Sep 17 00:00:00 2001
From: Misty Stanley-Jones <misty@apache.org>
Date: Tue, 19 Dec 2017 10:27:05 -0800
Subject: [PATCH] Swarm service isolation (#5564)

---
 engine/swarm/services.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/engine/swarm/services.md b/engine/swarm/services.md
index f82fd1cb3e..9cae09b46c 100644
--- a/engine/swarm/services.md
+++ b/engine/swarm/services.md
@@ -474,6 +474,29 @@ To create a service with access to Docker-managed secrets, use the `--secret`
 flag. For more information, see
 [Manage sensitive strings (secrets) for Docker services](secrets.md)
 
+### Customize a service's isolation mode
+
+Docker 17.12 CE and higher allow you to specify a swarm service's isolation
+mode. **This setting applies to Windows hosts only and is ignored for Linux
+hosts.** The isolation mode can be one of the following:
+
+- `default`: Use the default isolation mode configured for the Docker host, as
+  configured by the `-exec-opt` flag or `exec-opts` array in `daemon.json`. If
+  the daemon does not specify an isolation technology, `process` is the default
+  for Windows Server, and `hyperv` is the default (and only) choice for
+  Windows 10.
+
+- `process`: Run the service tasks as a separate process on the host.
+
+  > **Note**: `process` isolation mode is only supported on Windows Server.
+  > Windows 10 only supports `hyperv` isolation mode.
+
+- `hyperv`: Run the service tasks as isolated `hyperv` tasks. This increases
+  overhead but provides more isolation.
+
+You can specify the isolation mode when creating or updating a new service using
+the `--isolation` flag.
+
 ### Control service placement
 
 Swarm services provide a few different ways for you to control scale and