-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use rslave propagation for mounts from daemon root #36055
Conversation
10ea3b6
to
21fac5c
Compare
ping @cyphar @euank @kolyshkin |
21fac5c
to
b8fd40d
Compare
LGTM |
@cpuguy83 looks like this needs to be rebased |
b8fd40d
to
f405038
Compare
Rebased. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 🐼
ebc0864
to
6add9a1
Compare
Why only if the source is within the daemon root? This saves us from |
9c76bad
to
ac1c50b
Compare
Fixed this to also do the same for parent directories, updated commit message to match. Also some unit tests for this. |
Thinking about it, we may need to ignore validation errors for parent directories just so we don't break people... not sure. |
And tests confirm that maybe we shouldn't error out on the validation when mounting a parent dir... this could break people (of course they're already broken due to having private references to docker mounts in a container). |
Trying to think who would have specified something other than As an anecdote Since So, the most likely case is someone who already had the right intent but specifed |
For the case where the user has bind mounted a parent of the daemon root another option would be to implicitly give it an rslave sub mount of the daemon root with its master at dockerd's |
ac1c50b
to
6d09eb6
Compare
CI failure:
|
6d09eb6
to
9093b0d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Whoops, looks like this broke the build;
|
Caused by #36265 |
|
@free2k would need more details as to how you got to that point... also what version are you on? |
`Client: Server: |
That version of Docker does not have this fix (though I think this isn't the fix you are looking for, the others aren't in that release either). |
I found a law,All kernels that fail to delete the root file system are 3.10.0-229.el7.x86_64 ,But 3.10.0-693.47.el7.x86_64 this kernel did not find the problem。I don't know what the kernel has changed。Do you have any better suggestions? @cpuguy83 |
@free2k Probably upgraded device mapper libraries that support deferred device deletion. The problem with this method is that the reason you are getting "device or resource busy" is because something else is holding the mount point (more specifically, most likely it is another service on the system as many services get their own mount namespace, and as such a copy of the mount). With the newer kernel you aren't seeing the issue, but the underlying problem still exists and data is not actually freed. I would still recommend either upgrading Docker to a more recent version or adding it that mount command I mentioned above. |
Docker log: Old kernel devicemapper version new kernel devicemapper version Old kernel version supports deferred device deletion。I don't understand Why is there only a problem with the old kernel? |
We should have an option to disable this. PTAL: |
By default, if a user requests a bind mount it uses private propagation.
When the source path is a path within the daemon root this, along with
some other propagation values that the user can use, causes issues when
the daemon tries to remove a mountpoint because a container will then
have a private reference to that mount which prevents removal.
Unmouting with MNT_DETATCH can help this scenario on newer kernels, but
ultimately this is just covering up the problem and doesn't actually
free up the underlying resources until all references are destroyed.
This change does essentially 2 things:
rslave
when thesource path is within the daemon root path
an unacceptable propagation mode for a path within the daemon root...
basically the only two acceptable modes are
rslave
andrshared
.In cases where we have used the new default propagation but the
underlying filesystem is not setup to handle it (fs must hvae at least
rshared propagation) instead of erroring out like we normally would,
this falls back to the old default mode of
private
, which preservesbackwards compatibility.