[systemd-devel] Docker vs PrivateTmp

Lars Kellogg-Stedman lars at redhat.com
Sun Jan 18 20:38:12 PST 2015


On Sun, Jan 18, 2015 at 08:50:35PM -0500, Colin Walters wrote:
> On Sat, Jan 17, 2015, at 11:02 PM, Lars Kellogg-Stedman wrote:
> > Hello all,
> > 
> > With systemd 216 on Fedora 21 (kernel 3.17.8), I have run into an odd
> > behavior concerning the PrivateTmp directive, and I am looking for
> > help identifying this as:
> > 
> > - Everything Is Working As Designed, Citizen
> > - A bug in Docker (some mount flag is being set incorrectly?)
> 
> This should be fixed by:
> http://pkgs.fedoraproject.org/cgit/docker-io.git/commit/?id=6c9e373ee06cb1aee07d3cae426c46002663010d
> 
> i.e. having docker.service use MountFlags=private, so its mounts
> aren't visible to other processes.

Colin,

Thanks for the pointer.

It seems as if using MountFlags=private is going to cause a new set of
problems:

Imagine that I am a system administrator using Docker to containerize
services.  I want to set up a webserver container on my Docker
host, so I mount the web content from a remote server:

    mount my-fancy-server:/vol/content /content

And then expose that as a Docker volume:

    docker run -v /content:/content webserver

This will fail mysteriously, because with MountFlags=private, the
mount of my-fancy-server:/vol/content on /content won't be visible to
Docker containers.  I will spend fruitless hours trying to figure out
why such a seemingly simple operation is failing.

I think we actually want MountFlags=slave, which will permit mounts
from the global namespace to propagate into the service namespace
without permitting propagation in the other direction.  It seems like
this would be the Least Surprising behavior.

-- 
Lars Kellogg-Stedman <lars at redhat.com> | larsks @ {freenode,twitter,github}
Cloud Engineering / OpenStack          | http://blog.oddbit.com/
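Added example for this thread (not code from systemd, Docker or the poster): a small Python script that reads the optional propagation fields of /proc/self/mountinfo (shared:N, master:N, unbindable) and classifies each mount point as shared, slave, private or unbindable, which is the check a sysadmin would run inside the docker.service mount namespace to tell whether a host mount such as /content can propagate in. The sample mountinfo lines and the host name my-fancy-server are constructed.

```python
import os
import re

# Constructed sample in /proc/self/mountinfo format.  The optional fields
# between the mount options and the " - " separator carry the propagation
# tags: shared:N (peer group), master:N (slave of group N), unbindable.
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
38 22 0:34 / /content rw,relatime master:1 - nfs my-fancy-server:/vol/content rw
45 22 0:40 / /var/lib/docker rw,relatime - ext4 /dev/sdb1 rw
51 22 0:41 / /mnt/unb rw,relatime unbindable - tmpfs tmpfs rw
"""

def parse_mountinfo(text):
    """Return {mount_point: set of optional-field tag names} per mountinfo line."""
    mounts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields, _sep, _fs_part = line.partition(" - ")
        parts = fields.split()
        # fields: id parent major:minor root mount_point options [optional ...]
        # mountinfo escapes spaces in paths as \040
        mount_point = re.sub(r"\\040", " ", parts[4])
        mounts[mount_point] = {tag.split(":")[0] for tag in parts[6:]}
    return mounts

def propagation_type(tags):
    """Classify with the kernel's shared-subtree semantics."""
    if "unbindable" in tags:
        return "unbindable"
    if "shared" in tags and "master" in tags:
        return "shared-slave"
    if "shared" in tags:
        return "shared"
    if "master" in tags:
        return "slave"
    return "private"          # no tags at all: MountFlags=private behaviour

def receives_host_mounts(tags):
    """True if mounts made in the peer group (e.g. the host) propagate here."""
    return propagation_type(tags) in ("shared", "slave", "shared-slave")

if __name__ == "__main__":
    path = "/proc/self/mountinfo"
    text = open(path).read() if os.path.exists(path) else SAMPLE_MOUNTINFO
    for mp, tags in parse_mountinfo(text).items():
        print(f"{mp}: {propagation_type(tags)}")
```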
