[systemd-devel] Docker vs PrivateTmp

Andrei Borzenkov arvidjaar at gmail.com
Mon Jan 19 09:54:52 PST 2015 

В Mon, 19 Jan 2015 11:33:42 -0500
Lars Kellogg-Stedman <lars at redhat.com> пишет:

> On Sat, Jan 17, 2015 at 11:02:01PM -0500, Lars Kellogg-Stedman wrote:
> > The TL;DR is that restarting a service with PrivateTmp=true appears to
> > preserve references to any mounts in the parent mount namespace that
> > were active at the time the service was started.  If these mounts are
> > later unmounted in the parent namespace, the reference persists in the
> > child mount namespace, which means among other things that the
> > mountpoint cannot be deleted ("Device or resource busy")...
> 
> While I think we've probably identified the solution, I'm still trying
> to understand how we get into this situation in the first place.
> 
> With neither `MountFlags` nor `PrivateTmp` specified in my docker.service,
> starting a container results in the following mount visible in the global mount
> namespace:
> 
>     global# grep /mnt /proc/self/mountinfo
>     685 433 253:22 / /var/lib/docker/devicemapper/mnt/297bf7ae64bd5cf552b45b098b22df85a49deeadb2d71b330e2f866dac95a448 rw,relatime - ext4 /dev/mapper/docker-253:6-98310-297bf7ae64bd5cf552b45b098b22df85a49deeadb2d71b330e2f866dac95a448 rw,context="system_u:object_r:svirt_sandbox_file_t:s0:c138,c268",discard,stripe=16,data=ordered
> 
> If I create a new mount namespace (as a child of the global namespace) with
> `unshare -m`, I can as expected see the same mount:
> 
>     unshare# grep /mnt /proc/self/mountinfo
>     805 804 253:22 / /var/lib/docker/devicemapper/mnt/297bf7ae64bd5cf552b45b098b22df85a49deeadb2d71b330e2f866dac95a448 rw,relatime - ext4 /dev/mapper/docker-253:6-98310-297bf7ae64bd5cf552b45b098b22df85a49deeadb2d71b330e2f866dac95a448 rw,context="system_u:object_r:svirt_sandbox_file_t:s0:c138,c268",discard,stripe=16,data=ordered
> 
> If I attempt to stop that container, the mount disappears from the global
> namespace:
> 
>     global# grep /mnt /proc/self/mountinfo
>     global#
> 
> But is still visible in the mount namespace I created with unshare:
> 
>     unshare# grep /mnt /proc/self/mountinfo 
>     805 804 253:22 / /var/lib/docker/devicemapper/mnt/297bf7ae64bd5cf552b45b098b22df85a49deeadb2d71b330e2f866dac95a448 rw,relatime - ext4 /dev/mapper/docker-253:6-98310-297bf7ae64bd5cf552b45b098b22df85a49deeadb2d71b330e2f866dac95a448 rw,context="system_u:object_r:svirt_sandbox_file_t:s0:c138,c268",discard,stripe=16,data=ordered
> 
> What is causing this behavior? I have tried to replicate it by hand through a
> combination of mount and unshare, and the only way I can get a mount to persist
> in the unshare namespace after being unmounted in the global namespace is by
> explicitly calling mount `--make-rprivate /` *inside* the unshare namespace, which
> is obviously not happening in the above Docker example.
> 

It obviously happens. Your mount is private (it does not have any of
shared/master/.. flags). May be docker does it?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20150119/5b6329d6/attachment-0001.sig>

More information about the systemd-devel mailing list