[systemd-devel] Docker vs PrivateTmp
Vincent Batts
vbatts at redhat.com
Mon Jan 19 06:48:38 PST 2015
On 19/01/15 08:39 -0500, Daniel J Walsh wrote:
>
>On 01/19/2015 12:27 AM, Lars Kellogg-Stedman wrote:
>> On Sun, Jan 18, 2015 at 11:38:12PM -0500, Lars Kellogg-Stedman wrote:
>>> I think we actually want MountFlags=slave, which will permit mounts
>>> from the global namespace to propagate into the service namespace
>>> without permitting propagation in the other direction. It seems like
>>> this would be the Least Surprising behavior.
>> ...which would be the default if docker.service were itself using
>> PrivateTmp=true, because from systemd.exec:
>>
>> Note that the file system namespace related options (PrivateTmp=,
>> PrivateDevices=, ProtectSystem=, ProtectHome=, ReadOnlyDirectories=,
>> InaccessibleDirectories= and ReadWriteDirectories=) require that mount
>> and unmount propagation from the unit's file system namespace is
>> disabled, and hence downgrade shared to slave.
>>
>> So either explicitly setting MountFlags=slave, or setting
>> PrivateTmp=true if that doesn't cause any issues of which I am not
>> aware.
>>
>>
>
>Vincent, what do you think about MountFlags=slave?
'slave' sounds like the correct subtree mount. We were targeting
'MountFlags' to make use of unsharing the mount namespace.
vb
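A concrete form of the setting discussed above, added here as an illustration and not part of the thread or of the docker or systemd projects: a drop-in override for docker.service that sets MountFlags=slave, so mounts made in the host's namespace still propagate into the daemon's namespace while mounts the daemon creates do not propagate back out. The drop-in path and the verification commands below are assumptions about a typical systemd installation, not something the thread states.

```ini
# /etc/systemd/system/docker.service.d/10-mountflags.conf
# (assumed drop-in path; illustrative, not from the thread)
[Service]
# slave: mounts from the host (shared) namespace propagate into the
# service's mount namespace; mounts made inside the service's namespace
# are not propagated back to the host.
MountFlags=slave
```

After `systemctl daemon-reload` and a restart of docker.service, `systemctl show -p MountFlags docker.service` should report `MountFlags=slave`, and `findmnt -o TARGET,PROPAGATION` run inside the daemon's mount namespace should show the slave propagation mode rather than shared. As the quoted systemd.exec text notes, PrivateTmp=true would downgrade shared to slave on its own; setting MountFlags explicitly records the intended propagation even if PrivateTmp is later removed.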