[systemd-devel] Docker vs PrivateTmp
Lennart Poettering
lennart at poettering.net
Thu Jan 22 18:53:41 PST 2015
On Sun, 18.01.15 20:50, Colin Walters (walters at verbum.org) wrote:
> On Sat, Jan 17, 2015, at 11:02 PM, Lars Kellogg-Stedman wrote:
> > Hello all,
> >
> > With systemd 216 on Fedora 21 (kernel 3.17.8), I have run into an odd
> > behavior concerning the PrivateTmp directive, and I am looking for
> > help identifying this as:
> >
> > - Everything Is Working As Designed, Citizen
> > - A bug in Docker (some mount flag is being set incorrectly?)
>
> This should be fixed by:
> http://pkgs.fedoraproject.org/cgit/docker-io.git/commit/?id=6c9e373ee06cb1aee07d3cae426c46002663010d
>
> i.e. having docker.service use MountFlags=private, so its mounts
> aren't visible to other processes.
MountFlags=private also disables *un*mount propagation from the host
into the service, which means file systems once mounted in the host
when a service was started will stay mounted forever in the service,
which will keep the backing device busy forever.
MountFlags=private is hence pretty useless in real life. Never use it.
MountFlags=shared is also pointless, since it is the implied default.
Which means "MountFlags=slave" is really the only option that makes
sense to ever add to a unit file.
Lennart
--
Lennart Poettering, Red Hat
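To make the choice above concrete, here is an added example of a systemd drop-in for docker.service showing the setting used in the quoted Fedora commit next to the one Lennart recommends. It is not from the thread or from the Fedora docker-io package, and the drop-in path is an assumption.

```ini
# Added example, not taken from the thread or the Fedora docker-io package.
# Assumed drop-in path: /etc/systemd/system/docker.service.d/10-mountflags.conf
# Exactly one MountFlags= line should be active; the rejected one is commented.

[Service]
# Setting from the quoted Fedora commit. It keeps the service's mounts from
# propagating to the host, but, as the reply points out, it also stops host
# *un*mounts from propagating into the service: a device mounted on the host
# when the service started stays busy until the service exits.
# MountFlags=private

# Recommended setting. Mounts and unmounts on the host propagate into the
# service (host -> service), while mounts the service makes stay inside its
# own namespace (nothing propagates service -> host).
MountFlags=slave
```

After `systemctl daemon-reload` and a restart, `systemctl show -p MountFlags docker.service` reports the effective value, and `nsenter -t "$(systemctl show -p MainPID --value docker.service)" -m findmnt -o TARGET,PROPAGATION` lists the propagation flag (shared, private, or slave) of each mount as the service sees it, which is the quickest way to confirm that the host's mounts are now slaves inside the service rather than private copies.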