Mount host volume in another host volume: unexpected leftover folder

[mviereck]

Description

Issue with --volume:
If I mount a host folder dir1 in a container,
and mount another host folder dir2 as a subfolder of first mounted folder dir1,
docker creates a persistent host folder dir2 in folder dir1.

Steps to reproduce the issue:

1. Generate two empty folders in HOME, check them with ls -la.

lauscher@debianlaptop:~$ mkdir ~/dir1 ~/dir2

lauscher@debianlaptop:~$ ls -la ~/dir1 ~/dir2
/home/lauscher/dir1:
insgesamt 16
drwxr-xr-x  2 lauscher lauscher  4096 Nov 13 22:19 .
drwxr-xr-x 55 lauscher lauscher 12288 Nov 13 22:13 ..

/home/lauscher/dir2:
insgesamt 16
drwxr-xr-x  2 lauscher lauscher  4096 Nov 13 22:13 .
drwxr-xr-x 55 lauscher lauscher 12288 Nov 13 22:13 ..

2. Run docker and mount one folder into the other one. Show ls -la of "parent" folder in container.

lauscher@debianlaptop:~$ docker run --rm --volume ~/dir1:/dir1 --volume ~/dir2:/dir1/dir2 -- alpine ls -la /dir1
total 12
drwxr-xr-x    3 1000     1000          4096 Nov 13 21:19 .
drwxr-xr-x    1 root     root          4096 Nov 13 21:19 ..
drwxr-xr-x    2 1000     1000          4096 Nov 13 21:13 dir2

3. Check ls -la on host again. Compare with first output.

lauscher@debianlaptop:~$ ls -la ~/dir1 ~/dir2
/home/lauscher/dir1:
insgesamt 20
drwxr-xr-x  3 lauscher lauscher  4096 Nov 13 22:19 .
drwxr-xr-x 55 lauscher lauscher 12288 Nov 13 22:13 ..
drwxr-xr-x  2 root     root      4096 Nov 13 22:19 dir2

/home/lauscher/dir2:
insgesamt 16
drwxr-xr-x  2 lauscher lauscher  4096 Nov 13 22:13 .
drwxr-xr-x 55 lauscher lauscher 12288 Nov 13 22:13 ..

Describe the results you received:
A folder ~/dir1/dir2 with ownership root:root remains as a leftover of mounting one user owned folder into another.
In the example, the last ls -la shows this entry that should not exist:

drwxr-xr-x  2 root     root      4096 Nov 13 22:19 dir2

It appears at container startup and remains after stopping&removing the container.
In container it shows correct uid:gid (here 1000:1000 or lauscher:lauscher), on host the ownership is root:root.

Describe the results you expected:
There should appear no folder on host in ~/dir1 and furthermore it should not remain as a leftover.

Output of docker version:

Client: Docker Engine - Community
 Version:           19.03.12
 API version:       1.40
 Go version:        go1.13.10
 Git commit:        48a66213fe
 Built:             Mon Jun 22 15:45:50 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.13
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       4484c46d9d
  Built:            Wed Sep 16 17:01:25 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.13
  GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Output of docker info:

Client:
 Debug Mode: false

Server:
 Containers: 33
  Running: 3
  Paused: 0
  Stopped: 30
 Images: 27
 Server Version: 19.03.13
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc crun kata-runtime
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 5.7.0-1-amd64
 Operating System: Debian GNU/Linux bullseye/sid
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 6.757GiB
 Name: debianlaptop
 ID: KWTB:OYBB:2DTH:EHQI:KV6V:VTQP:C6BM:6RJN:IZ53:IYWM:FJYG:HTT6
 Docker Root Dir: /sda7docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No swap limit support

[jimlinntu]

In my opinion, I think the result is reasonable. But it is also interesting to see what will happen when we introduce more complex recurisve mounting.

Because when you run this command:
docker run --rm --volume ~/dir1:/dir1 --volume ~/dir2:/dir1/dir2 -- alpine ls -la /dir1
In the container, Docker will have to somehow create a mount point at /dir1/dir2 and then mount the folder outside the container (i.e. ~/dir2) into the container at /dir1/dir2/.

Therefore a directory must be created under /dir1/, which is also ~/dir1.

And of course the folder created by the container is using root, so it make sense that ~/dir1/dir2 ownership is root

[mviereck]

Ok, if not avoidable, it is reasonable that there is a visible mount point while the container is running.
But it remains after stopping and removing the container.
I think it should be removed automatically; there is no reason to keep it.

[thaJeztah]

Let me close this ticket for now, as it looks like it went stale.