Allow controlling the mount namespace

[phemmer]

This is a continuation of a request & discussion in #6687
The primary request is to allow disabling the mount namespace inside a container. The use case is so that one container can mount a volume (real volume, not a docker volume), and then use docker volumes to share the mount with another container.
There are a few cases where you might want to do this.

• The most obvious use case is when your container doesn't have the utilities necessary to perform the mount (mount.* missing, FUSE daemon missing, etc). You could bake the tools into the application image, but keeping them separate lets the application image remain portable.
• A related use case is so that you can run a FUSE daemon in it's own container.
• Another use case is if you want to share this filesystem with multiple containers simultaneously.

Currently if you mount something on top of a docker volume inside a container, and you share that volume with another container, the mount appears empty.

Since the processes inside the container need to see their root as the root of the image, we can instead use a simple chroot when the mount namespace is disabled.

[cpuguy83]

+1, you could containerize things like mounting new filesystems onto the host mount namespace which can be consumed as bind-mounts for other containers as well.
Thinking things like containerized flocker.

[ghost]

This is also needed to access network namespaces that are created within a container due to the proc mount (typically at /run/netns/<net_namespace>).

EDIT: This is no longer a valid concern for >1.6 docker since the mount namespace is notlonger private and mount propogation works

[denderello]

+1 We have a use case for this where mounting with a FUSE driver could be done by a seperate container.

[KodyKantor]

This would be great for automating the setup of filesystems within the confines of a container and then sharing it between multiple containers. +1

[rncry]

+1 We're also trying to use a container to mount a FUSE filesystem which needs to be shared with the host

[rncry]

There seems to be a patch here: rootfs@0ca94ce

[btiernay]

This would be very useful in many settings for the reasons cited. Any update on this?

[rhatdan]

We are close. Checkout.

#17034

[thaJeztah]

@phemmer would #17034 fully address this? If so, could you make sure that a fixes ... is added to the PR description @rhatdan?

[phemmer]

Yes. Could also just close this as a dup of #14630

[thaJeztah]

Cool, I'll close this one, thanks @phemmer ! (technically it's the other way around, because this one's older, but 👍)