On Sun, Jan 18, 2015 at 11:38:12PM -0500, Lars Kellogg-Stedman wrote:
> On Sun, Jan 18, 2015 at 08:50:35PM -0500, Colin Walters wrote:
> > On Sat, Jan 17, 2015, at 11:02 PM, Lars Kellogg-Stedman wrote:
> > > Hello all,
> > >
> > > With systemd 216 on Fedora 21 (kernel 3.17.8), I have run into an odd
> > > behavior concerning the PrivateTmp directive, and I am looking for
> > > help identifying this as:
> > >
> > > - Everything Is Working As Designed, Citizen
> > > - A bug in Docker (some mount flag is being set incorrectly?)
> >
> > This should be fixed by:
> > http://pkgs.fedoraproject.org/cgit/docker-io.git/commit/?id=6c9e373ee06cb1aee07d3cae426c46002663010d
> >
> > i.e. having docker.service use MountFlags=private, so its mounts
> > aren't visible to other processes.
>
> Colin,
>
> Thanks for the pointer.
>
> It seems as if using MountFlags=private is going to cause a new set of
> problems:
>
> Imagine that I am a system administrator using Docker to containerize
> services. I want to set up a webserver container on my Docker
> host, so I mount the web content from a remote server:
>
>     mount my-fancy-server:/vol/content /content
>
> And then expose that as a Docker volume:
>
>     docker run -v /content:/content webserver
>
> This will fail mysteriously, because with MountFlags=private, the
> mount of my-fancy-server:/vol/content on /content won't be visible to
> Docker containers. I will spend fruitless hours trying to figure out
> why such a seemingly simple operation is failing.
>
> I think we actually want MountFlags=slave, which will permit mounts
> from the global namespace to propagate into the service namespace
> without permitting propagation in the other direction. It seems like
> this would be the Least Surprising behavior.

Copying dwalsh

--
Lokesh
Freenode, OFTC: lsm5
GPG: 0xC7C3A0DD
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
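
One way to check which propagation mode a service's mount namespace actually has, as an added example that is not part of the original thread: it reads the optional fields (`shared:N`, `master:N`) of `/proc/<pid>/mountinfo` and compares the service's view with the host's. The mountinfo excerpts, peer-group numbers and function names are constructed for illustration, and only direct peer or slave relationships are checked.

```python
# Constructed /proc/<pid>/mountinfo excerpts (illustrative, not captured data).
HOST = """\
21 0 253:0 / / rw,relatime shared:1 - xfs /dev/mapper/root rw
60 21 0:40 / /content rw,relatime shared:30 - nfs my-fancy-server:/vol/content rw
"""
SERVICE_PRIVATE = "120 119 253:0 / / rw,relatime - xfs /dev/mapper/root rw\n"
SERVICE_SLAVE = "120 119 253:0 / / rw,relatime master:1 - xfs /dev/mapper/root rw\n"
SERVICE_SHARED = "120 119 253:0 / / rw,relatime shared:1 - xfs /dev/mapper/root rw\n"


def parse_mountinfo(text):
    """Map mount point -> propagation tags taken from the optional fields."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if "-" not in fields[6:]:
            continue  # blank or malformed line
        sep = fields.index("-", 6)  # optional fields sit between field 6 and "-"
        tags = {}
        for opt in fields[6:sep]:
            key, _, value = opt.partition(":")
            tags[key] = value
        mounts[fields[4]] = tags
    return mounts


def propagation(tags):
    """Name the propagation type the way findmnt's PROPAGATION column does."""
    if "unbindable" in tags:
        return "unbindable"
    kinds = [k for k, t in (("shared", "shared"), ("slave", "master")) if t in tags]
    return ",".join(kinds) or "private"


def receives_host_mounts(host, service, parent="/"):
    """True if a new host mount under `parent` propagates into the service."""
    group = parse_mountinfo(host).get(parent, {}).get("shared")
    svc = parse_mountinfo(service).get(parent, {})
    # Only direct peer or slave relationships are checked (no slave chains).
    return group is not None and group in (svc.get("master"), svc.get("shared"))


def leaks_to_host(host, service, parent="/"):
    """True if mounts made inside the service propagate back to the host."""
    group = parse_mountinfo(host).get(parent, {}).get("shared")
    svc = parse_mountinfo(service).get(parent, {})
    return group is not None and svc.get("shared") == group
```

On a live system the two inputs would be the contents of `/proc/1/mountinfo` and of `/proc/<pid>/mountinfo` for the service's main process.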