[systemd-devel] Docker vs PrivateTmp
Daniel J Walsh
dwalsh at redhat.com
Mon Jan 19 05:39:18 PST 2015
On 01/19/2015 12:27 AM, Lars Kellogg-Stedman wrote:
> On Sun, Jan 18, 2015 at 11:38:12PM -0500, Lars Kellogg-Stedman wrote:
>> I think we actually want MountFlags=slave, which will permit mounts
>> from the global namespace to propagate into the service namespace
>> without permitting propagation in the other direction. It seems like
>> this would the Least Surprising behavior.
> ...which would be the default if docker.service were itself using
> PrivateTmp=true, because from systemd.exec:
>
> Note that the file system namespace related options (PrivateTmp=,
> PrivateDevices=, ProtectSystem=, ProtectHome=, ReadOnlyDirectories=,
> InaccessibleDirectories= and ReadWriteDirectories=) require that mount
> and unmount propagation from the unit's file system namespace is
> disabled, and hence downgrade shared to slave.
>
> So either explicitly setting MountFlags=slave, or setting
> PrivateTmp=true if that doesn't cause any issues of which I am not
> aware.
>
>
>
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Vincent what do you think about MountFlags=slave?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150119/c152b600/attachment.html>
More information about the systemd-devel
mailing list