[systemd-devel] Docker vs PrivateTmp

Daniel J Walsh dwalsh at redhat.com
Mon Jan 19 05:39:18 PST 2015

On 01/19/2015 12:27 AM, Lars Kellogg-Stedman wrote:
> On Sun, Jan 18, 2015 at 11:38:12PM -0500, Lars Kellogg-Stedman wrote:
>> I think we actually want MountFlags=slave, which will permit mounts
>> from the global namespace to propagate into the service namespace
>> without permitting propagation in the other direction.  It seems like
>> this would the Least Surprising behavior.
> ...which would be the default if docker.service were itself using
> PrivateTmp=true, because from systemd.exec:
>     Note that the file system namespace related options (PrivateTmp=,
>     PrivateDevices=, ProtectSystem=, ProtectHome=, ReadOnlyDirectories=,
>     InaccessibleDirectories= and ReadWriteDirectories=) require that mount
>     and unmount propagation from the unit's file system namespace is
>     disabled, and hence downgrade shared to slave.
> So either explicitly setting MountFlags=slave, or setting
> PrivateTmp=true if that doesn't cause any issues of which I am not
> aware.
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Vincent what do you think about MountFlags=slave?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150119/c152b600/attachment.html>

More information about the systemd-devel mailing list