On Fri, 23.01.15 11:31, Daniel J Walsh (dwa...@redhat.com) wrote:
You just sent a full quote without any comment of yours?
>
> On 01/22/2015 10:02 PM, Lennart Poettering wrote:
> > On Sat, 17.01.15 23:02, Lars Kellogg-Stedman (l...@redhat.com) wrote:
> >
> >> See the `devicemapper` mountpoint created by Docker for the container:
> >>
> >> # grep devicemapper/mnt /proc/mounts
> >>
> >> /dev/mapper/docker-253:6-98310-e68df3f45d6151259ce84a0e467a3117840084e99ef3bbc654b33f08d2d6dd62
> >>
> >> /var/lib/docker/devicemapper/mnt/e68df3f45d6151259ce84a0e467a3117840084e99ef3bbc654b33f08d2d6dd62
> >> ext4
> >>
> >> rw,context="system_u:object_r:svirt_sandbox_file_t:s0:c261,c1018",relatime,discard,stripe=16,data=ordered
> >> 0 0
> > I am not sure why docker makes these mounts visible in the host
> > namespace at all. This smells like a bug.
> >
> >> Watch Docker fail to destroy the container because it is unable to remove
> >> the mountpoint directory:
> >>
> >> Jan 17 22:43:03 pk115wp-lkellogg docker-1.4.1-dev[18239]:
> >> time="2015-01-17T22:43:03-05:00" level="error" msg="Handler for DELETE
> >> /containers/{name:.*} returned error: Cannot destroy container
> >> e68df3f45d61:
> >> Driver devicemapper failed to remove root filesystem
> >> e68df3f45d6151259ce84a0e467a3117840084e99ef3bbc654b33f08d2d6dd62:
> >> Device is
> >> Busy"
> > This smells as if Docker incorrectly sets the mount propagation bits
> > on its own mounts.
> >
> > It would be good checking /proc/self/mountinfo inside and outside of
> > docker's own namespace, and checking how the propagation bits are set
> > for the individual mounts. It's a bit hard to read, but the
> > interesting bits are in the 7th column of that file.
> >
> > In general: docker should do the equivalent of "mount --make-rslave /"
> > as first thing after opening its mount namespace, so that from that
> > point on mounts and especiall *un*mounts propagate from the host into
> > the container, but not vice versa.
> >
> > If they do not invoke that, then the propagation will stay at
> > "shared", which means the mounts will appear in the host and vice
> > versa, which is certainly undesired.
> >
> > Also, they should not use "mount --make-rprivate /", as that means
> > anything the host mounted will stay mounted in the container forever,
> > which is a problem.
> >
> > Also, they really need to make this recursive, so that all mount
> > points they have access too are detached from the host!
> >
> > Lennart
> >
>
>
Lennart
--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
