Re: [systemd-devel] Docker vs PrivateTmp

Thu, 22 Jan 2015 19:03:07 -0800 

On Sat, 17.01.15 23:02, Lars Kellogg-Stedman (l...@redhat.com) wrote:

> See the `devicemapper` mountpoint created by Docker for the container:
> 
>     # grep devicemapper/mnt /proc/mounts
>     
> /dev/mapper/docker-253:6-98310-e68df3f45d6151259ce84a0e467a3117840084e99ef3bbc654b33f08d2d6dd62
>     
> /var/lib/docker/devicemapper/mnt/e68df3f45d6151259ce84a0e467a3117840084e99ef3bbc654b33f08d2d6dd62
>     ext4
>     
> rw,context="system_u:object_r:svirt_sandbox_file_t:s0:c261,c1018",relatime,discard,stripe=16,data=ordered
>     0 0

I am not sure why docker makes these mounts visible in the host
namespace at all. This smells like a bug.

> Watch Docker fail to destroy the container because it is unable to remove the 
> mountpoint directory:
> 
>     Jan 17 22:43:03 pk115wp-lkellogg docker-1.4.1-dev[18239]:
>     time="2015-01-17T22:43:03-05:00" level="error" msg="Handler for DELETE
>     /containers/{name:.*} returned error: Cannot destroy container 
> e68df3f45d61:
>     Driver devicemapper failed to remove root filesystem
>     e68df3f45d6151259ce84a0e467a3117840084e99ef3bbc654b33f08d2d6dd62: Device 
> is
>     Busy"

This smells as if Docker incorrectly sets the mount propagation bits
on its own mounts.

It would be good checking /proc/self/mountinfo inside and outside of
docker's own namespace, and checking how the propagation bits are set
for the individual mounts. It's a bit hard to read, but the
interesting bits are in the 7th column of that file.

In general: docker should do the equivalent of "mount --make-rslave /"
as first thing after opening its mount namespace, so that from that
point on mounts and especiall *un*mounts propagate from the host into
the container, but not vice versa.

If they do not invoke that, then the propagation will stay at
"shared", which means the mounts will appear in the host and vice
versa, which is certainly undesired.

Also, they should not use "mount --make-rprivate /", as that means
anything the host mounted will stay mounted in the container forever,
which is a problem.

Also, they really need to make this recursive, so that all mount
points they have access too are detached from the host!

Lennart

-- 
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Reply via email to