[systemd-devel] Docker vs PrivateTmp

Alexander Larsson alexl at redhat.com
Mon Feb 2 03:51:14 PST 2015


On Mon, 2015-02-02 at 12:12 +0100, Lennart Poettering wrote:
> On Fri, 30.01.15 11:02, Alexander Larsson (alexl at redhat.com) wrote:
> 
> > I think the problem is that docker daemon makes 
> > /var/lib/docker/devicemapper private in the host namespace to handle
> > some scalability issues we found in the kernel. This causes problems not
> > with docker containers (because they unmount all other mounts as per the
> > above), but with other namespace-using apps. For instance, if a service
> > with PrivateTmp is launched, it will inherit the existing mounts
> > in /var/lib/docker/devicemapper at the point of startup, but when these
> > are eventually unmounted in the host namespace this is not propagated
> > into the service (due to it being a private mount, not a slave mount).
> > 
> > We could try making this slave instead, but I don't know if that then
> > fixes the scalability issues we had, because they were related to
> > stupidities in the kernel wrt propagating mounts. If it doesn't work,
> > then we have to put docker-daemon in its own namespace.
> 
> The daemon should first create its own namespace, and then detach
> propagation, not the other way round. This really isn't "stupidity" in
> the kernel, but in docker's userspace...

The stupidity was the O(n^4) algorithm in the kernel when it was
duplicating all vfsmounts that could possibly be propagated, and then
immediately freeing them when they did not propagate, which interacted
poorly with some lame kernel O(n^2) allocator behaviour.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
       alexl at redhat.com            alexander.larsson at gmail.com 
He's an oversexed shark-wrestling rock star from the 'hood. She's a 
high-kicking cigar-chomping former first lady with the power to see 
death. They fight crime! 
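Added example, not part of this thread or of docker/systemd code: a small Python parser for the optional propagation fields of /proc/self/mountinfo (shared:N, master:N, propagate_from:N, unbindable; none of them means private). It lets a defender check, from inside a service's namespace, whether a subtree such as /var/lib/docker/devicemapper is private and will therefore keep stale mounts after the host unmounts them. The sample dump and the device names in it are constructed.

```python
"""Classify mount propagation from /proc/self/mountinfo (Linux)."""
import sys

# Constructed sample in /proc/self/mountinfo format (not data from a real host).
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 0:35 / /tmp rw,nosuid,nodev shared:20 - tmpfs tmpfs rw
60 22 0:40 / /var/lib/docker/devicemapper rw - ext4 /dev/mapper/docker-pool rw
61 60 253:3 / /var/lib/docker/devicemapper/mnt/abc rw,relatime master:1 - ext4 /dev/mapper/docker-abc rw
62 22 0:41 / /mnt/locked rw unbindable - ext4 /dev/sdb1 rw
"""

def parse_mountinfo_line(line):
    """Return (mount_point, propagation) for one mountinfo record.

    Optional fields sit between the mount options and the lone "-" separator.
    A mount carrying both shared:N and master:N is a slave that also shares
    onward; it is reported as "slave" because it still receives host events.
    """
    fields = line.split()          # paths are octal-escaped, so split() is safe
    sep = fields.index("-")        # separator field is always present
    tags = {f.partition(":")[0] for f in fields[6:sep]}
    if "unbindable" in tags:
        prop = "unbindable"
    elif "master" in tags:
        prop = "slave"             # receives umount/mount events, never sends
    elif "shared" in tags:
        prop = "shared"
    else:
        prop = "private"           # no propagation in either direction
    return fields[4], prop

def propagation_report(text):
    """Map every mount point in a mountinfo dump to its propagation mode."""
    return dict(parse_mountinfo_line(l) for l in text.splitlines() if l.strip())

def private_mounts_under(text, prefix):
    """Mount points at or below `prefix` that will not see host umounts.

    This is the situation in the thread: a PrivateTmp service copies the
    namespace and keeps these mounts after the host side has unmounted them.
    """
    report = propagation_report(text)
    return sorted(mp for mp, prop in report.items()
                  if prop == "private" and (mp == prefix or mp.startswith(prefix + "/")))

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MOUNTINFO
    for mp, prop in sorted(propagation_report(data).items()):
        print(f"{prop:10} {mp}")
    print("private under /var/lib/docker:", private_mounts_under(data, "/var/lib/docker"))
```

Run it with /proc/self/mountinfo as the argument inside the service's namespace to see what that service actually inherited.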