[systemd-devel] Docker vs PrivateTmp

Lennart Poettering lennart at poettering.net
Mon Feb 2 03:12:19 PST 2015


On Fri, 30.01.15 11:02, Alexander Larsson (alexl at redhat.com) wrote:

> I think the problem is that docker daemon makes 
> /var/lib/docker/devicemapper private in the host namespace to handle
> some scalability issues we found in the kernel. This causes problems not
> with docker containers (because they unmount all other mounts as per the
> above), but with other namespace-using apps. For instance, if a service
> with PrivateTmp is launched, it will inherit the existing mounts
> in /var/lib/docker/devicemapper at the point of startup, but when these
> are eventually unmounted in the host namespace this is not propagated
> into the service (due to it being a private mount, not a slave mount).
> 
> We could try making this slave instead, but I don't know if that then
> fixes the scalability issues we had, because they were related to
> stupidities in the kernel wrt propagating mounts. If it doesn't work,
> then we have to put docker-daemon in its own namespace.

The daemon should first create its own namespace, and then detach
propagation, not the other way round. This really isn't "stupidity" in
the kernel, but in docker's userspace...

Lennart

-- 
Lennart Poettering, Red Hat
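The thread turns on what /proc/self/mountinfo reports for a mount's propagation mode and on which modes still see unmount events from the host. The script below is an added example, not code from the thread or from docker or systemd: it parses the mountinfo format (proc(5)), classifies each mount the way `findmnt -o TARGET,PROPAGATION` would, and flags private mounts under a prefix as the ones a PrivateTmp service would keep holding after the host unmounts them. The mountinfo lines are constructed sample input, including a made-up thin-device submount, so it runs offline on any system.

```python
"""Classify mount propagation from /proc/<pid>/mountinfo and spot
private mounts that will never receive host unmount events.

Added example; the mountinfo text is constructed, not captured."""
import re

# Constructed sample: a shared root, docker's devicemapper directory
# made private in the host namespace (with one private submount), a
# private tmpfs, a slave mount, a shared slave and an unbindable mount.
SAMPLE_MOUNTINFO = """\
25 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 25 0:35 / /var/lib/docker/devicemapper rw,relatime - ext4 /dev/mapper/docker-pool rw
45 40 253:3 / /var/lib/docker/devicemapper/mnt/EXAMPLE-ID rw,relatime - ext4 /dev/mapper/docker-thin-EXAMPLE rw
41 25 0:36 / /tmp rw,nosuid - tmpfs tmpfs rw
42 25 0:37 / /mnt/slave rw,relatime master:1 - ext4 /dev/sdb1 rw
43 25 0:38 / /mnt/sharedslave rw,relatime shared:30 master:1 - ext4 /dev/sdc1 rw
44 25 0:39 / /mnt/with\\040space rw,relatime unbindable - ext4 /dev/sdd1 rw
"""


def _unescape(path):
    """mountinfo escapes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def parse_mountinfo(text):
    """Return one dict per mount. Fields per proc(5): id, parent id,
    major:minor, root, mount point, options, optional fields..., '-',
    fstype, source, super options. The optional fields carry the
    propagation tags (shared:N, master:N, propagate_from:N, unbindable)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        sep = fields.index("-", 6)  # separator always follows the optional fields
        entries.append({
            "id": int(fields[0]),
            "parent": int(fields[1]),
            "mount_point": _unescape(fields[4]),
            "optional": fields[6:sep],
            "fstype": fields[sep + 1],
            "source": fields[sep + 2],
        })
    return entries


def propagation(optional_fields):
    """Map the optional fields to findmnt-style propagation labels.
    A mount with neither shared:N nor master:N is private."""
    tags = {f.split(":", 1)[0] for f in optional_fields}
    if "unbindable" in tags:
        return "unbindable"
    if "shared" in tags and "master" in tags:
        return "shared,slave"
    if "shared" in tags:
        return "shared"
    if "master" in tags:
        return "slave"
    return "private"


def propagation_of(entries, mount_point):
    for e in entries:
        if e["mount_point"] == mount_point:
            return propagation(e["optional"])
    raise KeyError(mount_point)


def receives_host_unmount(mode):
    """When a new mount namespace is created (PrivateTmp=, unshare -m),
    the copies of shared mounts stay in the peer group and slave copies
    stay slaves, so both see the host's later unmount. Copies of
    private or unbindable mounts are detached and keep the old state."""
    return mode in ("shared", "slave", "shared,slave")


def private_mounts_under(entries, prefix):
    """Mount points under `prefix` that a namespace created now would
    inherit as stale, never-unmounted copies."""
    prefix = prefix.rstrip("/")
    return sorted(
        e["mount_point"] for e in entries
        if (e["mount_point"] == prefix or e["mount_point"].startswith(prefix + "/"))
        and not receives_host_unmount(propagation(e["optional"]))
    )


if __name__ == "__main__":
    # On a live host replace SAMPLE_MOUNTINFO with open("/proc/self/mountinfo").read()
    entries = parse_mountinfo(SAMPLE_MOUNTINFO)
    for e in entries:
        print(f"{e['mount_point']:45} {propagation(e['optional'])}")
    print("stale in new namespaces:", private_mounts_under(entries, "/var/lib/docker"))
```

Run against the real file, any mount listed by `private_mounts_under` is one a later-started PrivateTmp= service will carry forever; the fix Lennart describes corresponds to the daemon running `unshare -m` (its own namespace) and only then `mount --make-rprivate` inside it, so the host namespace's mounts keep their shared propagation and other namespaces see the unmounts.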

