On Mon, 2015-02-02 at 12:12 +0100, Lennart Poettering wrote:
> On Fri, 30.01.15 11:02, Alexander Larsson (al...@redhat.com) wrote:
>
> > I think the problem is that docker daemon makes
> > /var/lib/docker/devicemapper private in the host namespace to handle
> > some scalability issues we found in the kernel. This causes problem not
> > with docker containers (because they unmount all other mounts as per the
> > above), but with other namespace-using apps. For instance, if a service
> > with PrivateTmp is launched, it will inherit the existing mounts
> > in /var/lib/docker/devicemapper at the point of startup, but when these
> > are eventually unmounted in the host namespace this is not propagated
> > into the service (due to it being a private mount, not a slave mount).
> >
> > We could try making this slave instead, but I don't know if that then
> > fixes the scalability issues we had, because they were related to
> > stupidities in the kernel wrt propagating mounts. If it doesn't work,
> > then we have to put docker-daemon in its own namespace.
>
> The daemon should first create its own namespace, and then detach
> propagation, not the other way round. This really isn't "stupidity" in
> the kernel, but in docker's userspace...

The stupidity was the O(n^4) algorithm in the kernel when it was
duplicating all vfsmounts that could possibly be propagated, and then
immediately freeing them when they did not propagate, which interacted
poorly with some lame kernel O(n^2) allocator behaviour.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
       al...@redhat.com            alexander.lars...@gmail.com 
He's an oversexed shark-wrestling rock star from the 'hood. She's a 
high-kicking cigar-chomping former first lady with the power to see death. 
They fight crime! 

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
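The thread turns on the difference between a private and a slave mount: a service started with PrivateTmp inherits the host's mounts at startup, and whether later host-side unmounts reach it depends on the propagation type of the inherited mount. The following script is an added example, not code from the thread, from systemd or from docker. It classifies a mount's propagation type from its /proc/self/mountinfo record (the optional fields carry `shared:N` and `master:N` tags; a record with neither is private), so an operator can check what propagation a path such as /var/lib/docker/devicemapper actually has before and after changing it. The sample mountinfo records are constructed for the example, and the `mount --make-slave` / `--make-private` lines are shown only as comments because they need CAP_SYS_ADMIN.

```shell
#!/bin/sh
# Added example: inspect mount propagation as seen from the current mount
# namespace. Not part of the original thread, systemd or docker.
#
# /proc/self/mountinfo record layout (see proc(5)):
#   ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS [optional fields ...] - FSTYPE SRC SUPEROPTS
# Optional fields that describe propagation:
#   shared:N  -> member of shared peer group N
#   master:N  -> slave of peer group N (receives events, does not send them)
#   (none)    -> private: host-side mounts/unmounts are never propagated here

# propagation_of <mountinfo record>
# Prints one of: shared, slave, shared-slave, private
propagation_of() {
    printf '%s\n' "$1" | awk '{
        shared = 0; master = 0
        # optional fields start at $7 and run until the lone "-" separator
        for (i = 7; i <= NF && $i != "-"; i++) {
            if ($i ~ /^shared:/) shared = 1
            if ($i ~ /^master:/) master = 1
        }
        if (shared && master) print "shared-slave"
        else if (shared)      print "shared"
        else if (master)      print "slave"
        else                  print "private"
    }'
}

# propagation_of_path <mountpoint>
# Looks the mount point up in the live mountinfo of this process; the last
# matching record is the topmost mount at that path.
propagation_of_path() {
    line=$(awk -v mp="$1" '$5 == mp' /proc/self/mountinfo 2>/dev/null | tail -n 1)
    if [ -z "$line" ]; then
        echo "not-a-mountpoint"
        return 1
    fi
    propagation_of "$line"
}

# Constructed sample records (not captured from a real host). The device
# and mount IDs are placeholders chosen for the example.
SAMPLE_SHARED='22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw'
SAMPLE_PRIVATE='40 22 253:3 / /var/lib/docker/devicemapper rw,relatime - ext4 /dev/mapper/pool rw'
SAMPLE_SLAVE='41 22 253:3 / /var/lib/docker/devicemapper rw,relatime master:1 - ext4 /dev/mapper/pool rw'
SAMPLE_BOTH='42 22 253:3 / /mnt/x rw,relatime shared:5 master:1 - ext4 /dev/mapper/pool rw'

# Changing propagation on a live system needs CAP_SYS_ADMIN; shown as
# comments rather than run:
#   mount --make-slave   /var/lib/docker/devicemapper   # host unmounts still reach us
#   mount --make-private /var/lib/docker/devicemapper   # fully detached from the host
#   mount --make-shared  /var/lib/docker/devicemapper   # events flow both ways

# Stand-alone run: classify the constructed records, then the live root mount.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    for rec in "$SAMPLE_SHARED" "$SAMPLE_PRIVATE" "$SAMPLE_SLAVE" "$SAMPLE_BOTH"; do
        mp=$(printf '%s\n' "$rec" | awk '{print $5}')
        printf '%-40s %s\n' "$mp" "$(propagation_of "$rec")"
    done
    printf '%-40s %s\n' "/ (live)" "$(propagation_of_path / || true)"
fi
```

Run it as a script to see the four constructed records classified, followed by the propagation type of `/` in the namespace the script runs in. Comparing `propagation_of_path /var/lib/docker/devicemapper` from the host against the same call inside a PrivateTmp service (for instance via `systemd-run -p PrivateTmp=yes`) shows directly whether the service's copy is private, and therefore whether host-side unmounts will ever reach it.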