@@ -78,6 +78,16 @@ func adjustForAPIVersion(cliVersion string, service *swarm.ServiceSpec) {

 	if cliVersion == "" {

 		return

 	}

+	if versions.LessThan(cliVersion, "1.46") {

+		if service.TaskTemplate.ContainerSpec != nil {

+			for i, mount := range service.TaskTemplate.ContainerSpec.Mounts {

+				if mount.TmpfsOptions != nil {

+					mount.TmpfsOptions.Options = nil

+					service.TaskTemplate.ContainerSpec.Mounts[i] = mount

+				}

+			}

+		}

+	}

 	if versions.LessThan(cliVersion, "1.40") {

 		if service.TaskTemplate.ContainerSpec != nil {

 			// Sysctls for docker swarm services weren't supported before

@@ -4,6 +4,7 @@ import (

 	"reflect"

 	"testing"

+	"github.com/docker/docker/api/types/mount"

 	"github.com/docker/docker/api/types/swarm"

 	"github.com/docker/go-units"

 )

@@ -45,6 +46,18 @@ func TestAdjustForAPIVersion(t *testing.T) {

 						Hard: 200,

 					},

 				},

+				Mounts: []mount.Mount{

+					{

+						Type:   mount.TypeTmpfs,

+						Source: "/foo",

+						Target: "/bar",

+						TmpfsOptions: &mount.TmpfsOptions{

+							Options: [][]string{

+								[]string{"exec"},

+							},

+						},

+					},

+				},

 			},

 			Placement: &swarm.Placement{

 				MaxReplicas: 222,

@@ -57,6 +70,19 @@ func TestAdjustForAPIVersion(t *testing.T) {

 		},

 	}

+	adjustForAPIVersion("1.46", spec)

+	if !reflect.DeepEqual(

+		spec.TaskTemplate.ContainerSpec.Mounts[0].TmpfsOptions.Options,

+		[][]string{[]string{"exec"}},

+	) {

+		t.Error("TmpfsOptions.Options was stripped from spec")

+	}

+

+	adjustForAPIVersion("1.45", spec)

+	if len(spec.TaskTemplate.ContainerSpec.Mounts[0].TmpfsOptions.Options) != 0 {

+		t.Error("TmpfsOptions.Options not stripped from spec")

+	}

+

 	// first, does calling this with a later version correctly NOT strip

 	// fields? do the later version first, so we can reuse this spec in the

 	// next test.

@@ -442,6 +442,24 @@ definitions:

           Mode:

             description: "The permission mode for the tmpfs mount in an integer."

             type: "integer"

+          Options:

+            description: |

+              The options to be passed to the tmpfs mount. An array of arrays.

+              Flag options should be provided as 1-length arrays. Other types

+              should be provided as as 2-length arrays, where the first item is

+              the key and the second the value.

+            type: "array"

+            properties:

+              items:

+                type: "array"

+                items:

+                  type: "array"

+                  minItems: 1

+                  maxItems: 2

+                  items:

+                    type: "string"

+            example:

+              [["noexec"]]

   RestartPolicy:

     description: |

@@ -119,7 +119,11 @@ type TmpfsOptions struct {

 	SizeBytes int64 `json:",omitempty"`

 	// Mode of the tmpfs upon creation

 	Mode os.FileMode `json:",omitempty"`

-

+	// Options to be passed to the tmpfs mount. An array of arrays. Flag

+	// options should be provided as 1-length arrays. Other types should be

+	// provided as 2-length arrays, where the first item is the key and the

+	// second the value.

+	Options [][]string `json:",omitempty"`

 	// TODO(stevvooe): There are several more tmpfs flags, specified in the

 	// daemon, that are accepted. Only the most basic are added for now.

 	//

@@ -2,6 +2,7 @@ package convert // import "github.com/docker/docker/daemon/cluster/convert"

 import (

 	"context"

+	"encoding/json"

 	"fmt"

 	"strings"

@@ -136,6 +137,7 @@ func containerSpecFromGRPC(c *swarmapi.ContainerSpec) *types.ContainerSpec {

 			mount.TmpfsOptions = &mounttypes.TmpfsOptions{

 				SizeBytes: m.TmpfsOptions.SizeBytes,

 				Mode:      m.TmpfsOptions.Mode,

+				Options:   tmpfsOptionsFromGRPC(m.TmpfsOptions.Options),

 			}

 		}

 		containerSpec.Mounts = append(containerSpec.Mounts, mount)

@@ -423,6 +425,7 @@ func containerToGRPC(c *types.ContainerSpec) (*swarmapi.ContainerSpec, error) {

 			mount.TmpfsOptions = &swarmapi.Mount_TmpfsOptions{

 				SizeBytes: m.TmpfsOptions.SizeBytes,

 				Mode:      m.TmpfsOptions.Mode,

+				Options:   tmpfsOptionsToGRPC(m.TmpfsOptions.Options),

 			}

 		}

@@ -566,3 +569,32 @@ func ulimitsToGRPC(u []*units.Ulimit) []*swarmapi.ContainerSpec_Ulimit {

 	return ulimits

 }

+

+func tmpfsOptionsToGRPC(options [][]string) string {

+	// The shape of the swarmkit API that tmpfs options are a string. The shape

+	// of the docker API has them as a more structured array of arrays of

+	// strings. To smooth this over, we will marshall the array-of-arrays to

+	// json then pass that as the string.

+

+	// Marshalling json can create an error, but only in specific cases which

+	// are not relevant. We can ignore the possibility.

+	jsonBytes, _ := json.Marshal(options)

+	return string(jsonBytes)

+}

+

+func tmpfsOptionsFromGRPC(options string) [][]string {

+	// See tmpfsOptionsToGRPC for the reasoning. We undo what we did.

+	var unstring [][]string

+	// We can't return errors from here, so just don't ever pass anything that

+	// could result in an error.

+	//

+	// Duh.

+	//

+	// If there is something erroneous, then an empty return value will result,

+	// which should not be catastrophic. Because we control the data that is

+	// marshalled (in tmpfsOptionsToGRPC), we can more-or-less ensure that only

+	// valid data is unmarshalled here. If someone does something like muck

+	// with the GRPC API directly, then they get footgun, no apologies.

+	_ = json.Unmarshal([]byte(options), &unstring)

+	return unstring

+}

new file mode 100644

@@ -0,0 +1,30 @@

+package convert // import "github.com/docker/docker/daemon/cluster/convert"

+

+import (

+	"testing"

+

+	"gotest.tools/v3/assert"

+)

+

+func TestTmpfsOptionsToGRPC(t *testing.T) {

+	options := [][]string{

+		[]string{"noexec"},

+		[]string{"uid", "12345"},

+	}

+

+	expected := `[["noexec"],["uid","12345"]]`

+	actual := tmpfsOptionsToGRPC(options)

+	assert.Equal(t, expected, actual)

+}

+

+func TestTmpfsOptionsFromGRPC(t *testing.T) {

+	options := `[["noexec"],["uid","12345"]]`

+

+	expected := [][]string{

+		[]string{"noexec"},

+		[]string{"uid", "12345"},

+	}

+	actual := tmpfsOptionsFromGRPC(options)

+

+	assert.DeepEqual(t, expected, actual)

+}

@@ -2,6 +2,7 @@ package container // import "github.com/docker/docker/daemon/cluster/executor/co

 import (

 	"context"

+	"encoding/json"

 	"errors"

 	"fmt"

 	"net"

@@ -360,9 +361,14 @@ func convertMount(m api.Mount) enginemount.Mount {

 	}

 	if m.TmpfsOptions != nil {

+		var options [][]string

+		// see daemon/cluster/convert/container.go, tmpfsOptionsFromGRPC for

+		// details on error handling.

+		_ = json.Unmarshal([]byte(m.TmpfsOptions.Options), &options)

 		mount.TmpfsOptions = &enginemount.TmpfsOptions{

 			SizeBytes: m.TmpfsOptions.SizeBytes,

 			Mode:      m.TmpfsOptions.Mode,

+			Options:   options,

 		}

 	}

@@ -4,8 +4,10 @@ import (

 	"testing"

 	"github.com/docker/docker/api/types/container"

+	"github.com/docker/docker/api/types/mount"

 	swarmapi "github.com/moby/swarmkit/v2/api"

 	"gotest.tools/v3/assert"

+	is "gotest.tools/v3/assert/cmp"

 )

 func TestIsolationConversion(t *testing.T) {

@@ -117,6 +119,7 @@ func TestCredentialSpecConversion(t *testing.T) {

 			to: []string{"credentialspec=registry://testing"},

 		},

 	}

+

 	for _, c := range cases {

 		c := c

 		t.Run(c.name, func(t *testing.T) {

@@ -139,3 +142,75 @@ func TestCredentialSpecConversion(t *testing.T) {

 		})

 	}

 }

+

+func TestTmpfsConversion(t *testing.T) {

+	cases := []struct {

+		name string

+		from []swarmapi.Mount

+		to   []mount.Mount

+	}{

+		{

+			name: "tmpfs-exec",

+			from: []swarmapi.Mount{

+				{

+					Source: "/foo",

+					Target: "/bar",

+					Type:   swarmapi.MountTypeTmpfs,

+					TmpfsOptions: &swarmapi.Mount_TmpfsOptions{

+						Options: "[[\"exec\"]]",

+					},

+				},

+			},

+			to: []mount.Mount{

+				{

+					Source: "/foo",

+					Target: "/bar",

+					Type:   mount.TypeTmpfs,

+					TmpfsOptions: &mount.TmpfsOptions{

+						Options: [][]string{[]string{"exec"}},

+					},

+				},

+			},

+		},

+		{

+			name: "tmpfs-noexec",

+			from: []swarmapi.Mount{

+				{

+					Source: "/foo",

+					Target: "/bar",

+					Type:   swarmapi.MountTypeTmpfs,

+					TmpfsOptions: &swarmapi.Mount_TmpfsOptions{

+						Options: "[[\"noexec\"]]",

+					},

+				},

+			},

+			to: []mount.Mount{

+				{

+					Source: "/foo",

+					Target: "/bar",

+					Type:   mount.TypeTmpfs,

+					TmpfsOptions: &mount.TmpfsOptions{

+						Options: [][]string{[]string{"noexec"}},

+					},

+				},

+			},

+		},

+	}

+

+	for _, c := range cases {

+		t.Run(c.name, func(t *testing.T) {

+			task := swarmapi.Task{

+				Spec: swarmapi.TaskSpec{

+					Runtime: &swarmapi.TaskSpec_Container{

+						Container: &swarmapi.ContainerSpec{

+							Image:  "alpine:latest",

+							Mounts: c.from,

+						},

+					},

+				},

+			}

+			config := containerConfig{task: &task}

+			assert.Check(t, is.DeepEqual(c.to, config.hostConfig(nil).Mounts))

+		})

+	}

+}

@@ -30,6 +30,8 @@ keywords: "API, Docker, rcli, REST, documentation"

 * `POST /images/{name}/push` now supports a `platform` parameter (JSON encoded

   OCI Platform type) that allows selecting a specific platform manifest from

   the multi-platform image.

+* `POST /containers/create` now takes `Options` as part of `HostConfig.Mounts.TmpfsOptions` to set options for tmpfs mounts.

+* `POST /services/create` now takes `Options` as part of `ContainerSpec.Mounts.TmpfsOptions`, to set options for tmpfs mounts.

 ### Deprecated Config fields in `GET /images/{name}/json` response

@@ -204,6 +204,30 @@ func linuxValidMountMode(mode string) bool {

 	return true

 }

+var validTmpfsOptions = map[string]bool{

+	"exec":   true,

+	"noexec": true,

+}

+

+func validateTmpfsOptions(rawOptions [][]string) ([]string, error) {

+	var options []string

+	for _, opt := range rawOptions {

+		if len(opt) < 1 || len(opt) > 2 {

+			return nil, errors.New("invalid option array length")

+		}

+		if _, ok := validTmpfsOptions[opt[0]]; !ok {

+			return nil, errors.New("invalid option: " + opt[0])

+		}

+

+		if len(opt) == 1 {

+			options = append(options, opt[0])

+		} else {

+			options = append(options, fmt.Sprintf("%s=%s", opt[0], opt[1]))

+		}

+	}

+	return options, nil

+}

+

 func (p *linuxParser) ReadWrite(mode string) bool {

 	if !linuxValidMountMode(mode) {

 		return false

@@ -406,6 +430,15 @@ func (p *linuxParser) ConvertTmpfsOptions(opt *mount.TmpfsOptions, readOnly bool

 		rawOpts = append(rawOpts, fmt.Sprintf("size=%d%s", size, suffix))

 	}

+

+	if opt != nil && len(opt.Options) > 0 {

+		tmpfsOpts, err := validateTmpfsOptions(opt.Options)

+		if err != nil {

+			return "", err

+		}

+		rawOpts = append(rawOpts, tmpfsOpts...)

+	}

+

 	return strings.Join(rawOpts, ","), nil

 }

@@ -238,6 +238,7 @@ func TestConvertTmpfsOptions(t *testing.T) {

 		readOnly             bool

 		expectedSubstrings   []string

 		unexpectedSubstrings []string

+		err                  bool

 	}

 	cases := []testCase{

 		{

@@ -252,10 +253,26 @@ func TestConvertTmpfsOptions(t *testing.T) {

 			expectedSubstrings:   []string{"ro"},

 			unexpectedSubstrings: []string{},

 		},

+		{

+			opt:                  mount.TmpfsOptions{Options: [][]string{{"exec"}}},

+			readOnly:             true,

+			expectedSubstrings:   []string{"ro", "exec"},

+			unexpectedSubstrings: []string{"noexec"},

+		},

+		{

+			opt: mount.TmpfsOptions{Options: [][]string{{"INVALID"}}},

+			err: true,

+		},

 	}

 	p := NewLinuxParser()

 	for _, tc := range cases {

 		data, err := p.ConvertTmpfsOptions(&tc.opt, tc.readOnly)

+		if tc.err {

+			if err == nil {

+				t.Fatalf("expected error for %+v, got nil", tc.opt)

+			}

+			continue

+		}

 		if err != nil {

 			t.Fatalf("could not convert %+v (readOnly: %v) to string: %v",

 				tc.opt, tc.readOnly, err)