[systemd-devel] Docker vs PrivateTmp

Lennart Poettering lennart at poettering.net
Thu Jan 22 18:53:41 PST 2015

On Sun, 18.01.15 20:50, Colin Walters (walters at verbum.org) wrote:

> On Sat, Jan 17, 2015, at 11:02 PM, Lars Kellogg-Stedman wrote:
> > Hello all,
> > 
> > With systemd 216 on Fedora 21 (kernel 3.17.8), I have run into an odd
> > behavior concerning the PrivateTmp directive, and I am looking for
> > help identifying this as:
> > 
> > - Everything Is Working As Designed, Citizen
> > - A bug in Docker (some mount flag is being set incorrectly?)
> This should be fixed by:
> http://pkgs.fedoraproject.org/cgit/docker-io.git/commit/?id=6c9e373ee06cb1aee07d3cae426c46002663010d
> i.e. having docker.service use MountFlags=private, so its mounts
> aren't visible to other processes.

MountFlags=private also disables *un*mount propagation from the host
into the service, which means file systems once mounted in the host
when a service was started will stay mounted forever in the service,
which will keep the backing device busy forever.

MountFlags=private is hence pretty useless in real life. Never use it.

MountFlags=shared is also pointless, since it is the implied default.

Which means "MountFlags=slave" is really the only option that makes
sense to ever add to a unit file.


Lennart Poettering, Red Hat

More information about the systemd-devel mailing list