It should be possible to set the mount propagation modes for containers and volumes #56
Comments
I agree. We have talked about two different things here though. One would be to set the default for the daemon so that distributions could choose the default for all containers. Red Hat Distributions would choose SLAVE as the default, since I believe this would cause the least surprise for administrators. The second flag would be per container. (Although some have suggested per volume mount, which I think might be too complicated, for little added value.)
@rhatdan Yeah, my description was a little imprecise. I think everything on the table is:
Completely agree that I really don't think setting a default for all containers is a great idea outside of a distributor making a call on the default policy, in part because I don't think most users are aware enough of this feature to fully reason through all the effects. From the least-privilege principle, it seems like a bad idea to configure
Yes, it seems like the namespaces list will need an additional parameter. And this parameter needs to be invalid if a "path" is given. Could someone work up a PR against https://github.com/opencontainers/specs/blob/master/config-linux.md#linux-namespaces and spec_linux.go?
@philips This could be a property of the root mount like here opencontainers/runc#77 if we don't see a need per mount.
@mrunalp what's 'root mount' in the context of your comment?
rootfs mount propagation
IMO we need flags for both rootfs and volume propagation flags to ensure things work as expected. For example, a
@rootfs Interesting point -- I probably need to do some more detailed experimenting, but I had thought that if the mountpoint for the container's rootfs was
Currently the way the mount point propagation is being done is to do a make-rprivate on / on the host, which basically prevents any other propagation on volume mounts from working. If the make-private happened at the ROOTFS this would work. I have suggested this change but have not heard back if this fixed the problem that caused @crosbymichael to revert the change in the first place.
That's because the propagation is recursive (
Right, but rootfs would make mountpoints under /var/lib/docker/... private, not everything under /, which is the current behaviour. If I just did this to /var/lib/docker/... I could later mount /var/lib/foobar into a container and change its propagation mode.
Under the fedora build of docker 1.6, I see both propagation modes from
So, is that really an issue?
It is probably working for your use case, but it breaks mine. I am more interested in
@rootfs what is your specific use-case? On Thu, Jul 9, 2015 at 1:12 PM, Huamin Chen notifications@github.com
@mrunalp I see, this makes sense putting a flag on the mounts. Perhaps we just make the rootfs another mount to clean up the schema. So:
@philips actually that option goes in the
On Thu, Jul 09, 2015 at 11:21:26AM -0700, Brandon Philips wrote:
I like this approach better, since it lets us avoid having two
@crosbymichael Hrm, I thought the options field was in the fstab format and that fstab didn't allow setting propagation modes; is it possibly a gap in the fstab spec?
fstab does not allow you to specify propagation.
I used
@rootfs I agree we should just add it to the root mount too. @crosbymichael eh?
@rootfs I meant a PR to change spec_linux.go in this repo :)
Is this closable now that #71 has been merged?
Yes, closing based on #71 |
Propagation modes determine how mount and umount events propagate between a mount namespace and its parent. The 'shared' and 'slave' propagation modes are critical to implementing use-cases where a container performs a mount that should be visible to other containers.
Currently the configuration spec lacks any way to specify the propagation mode of a mnt namespace relative to the host's mount namespace, or any indication of what the default propagation mode is. Perhaps this should be an option you can specify in the 'namespaces' config section.
@mrunalp @rhatdan @rootfs
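As an added example (not code from the opencontainers/specs repository, runc, or any commenter in the thread), the following Go program shows what a runtime has to do once a propagation keyword is allowed in a mount's options list, which is where the discussion ended up (#71). The keyword spellings (shared, rslave, rprivate, ...) are an assumption modelled on mount(8)'s --make-* verbs, the Mount struct only loosely mirrors the spec's mount entry, and the MS_* values are copied from linux/mount.h so the program compiles anywhere. Two things the code makes concrete: fstab has no propagation keywords, so the keyword has to be pulled out of the option list and issued as its own mount(2) call (in a single call MS_BIND takes precedence and the propagation bits are silently dropped); and a recursive make-private aimed at the container rootfs touches only mounts beneath it, unlike the make-rprivate on the host's / described above.

```go
package main

import (
	"fmt"
	"strings"
)

// Flag values from <linux/mount.h>, spelled out so the example compiles on any
// platform. On Linux they equal the syscall.MS_* constants of the same name.
const (
	msNosuid     uintptr = 0x2
	msNodev      uintptr = 0x4
	msNoexec     uintptr = 0x8
	msBind       uintptr = 0x1000
	msRec        uintptr = 0x4000
	msUnbindable uintptr = 1 << 17
	msPrivate    uintptr = 1 << 18
	msSlave      uintptr = 1 << 19
	msShared     uintptr = 1 << 20
)

// Propagation keywords (assumed spelling, after mount(8)'s --make-shared,
// --make-rslave, ...) and the flag each one maps to. The "r" variants add
// MS_REC so the change applies to every mount under the target as well.
var propagationFlags = map[string]uintptr{
	"shared": msShared, "rshared": msShared | msRec,
	"slave": msSlave, "rslave": msSlave | msRec,
	"private": msPrivate, "rprivate": msPrivate | msRec,
	"unbindable": msUnbindable, "runbindable": msUnbindable | msRec,
}

// Ordinary fstab-style keywords that become flags on the mount call itself.
var plainFlags = map[string]uintptr{
	"bind": msBind, "rbind": msBind | msRec,
	"nosuid": msNosuid, "nodev": msNodev, "noexec": msNoexec,
}

// Mount is a simplified spec mount entry (hypothetical, not the spec's type).
type Mount struct {
	Type, Source, Destination string
	Options                   []string
}

// MountCall is one mount(2) invocation: mount(Source, Target, FSType, Flags, Data).
type MountCall struct {
	Source, Target, FSType string
	Flags                  uintptr
	Data                   string
}

// PlanMount turns a mount entry into the mount(2) calls a runtime would issue.
// A propagation keyword cannot ride along on the bind call: the kernel handles
// MS_BIND before it looks at MS_SHARED/MS_SLAVE/MS_PRIVATE/MS_UNBINDABLE, so in
// a combined call the propagation bits are ignored. It therefore becomes a
// second call with empty source, fstype and data. At most one propagation
// keyword is accepted per mount.
func PlanMount(m Mount) ([]MountCall, error) {
	var flags, propagation uintptr
	var data []string
	for _, opt := range m.Options {
		if f, ok := propagationFlags[opt]; ok {
			if propagation != 0 {
				return nil, fmt.Errorf("mount %s: more than one propagation option", m.Destination)
			}
			propagation = f
			continue
		}
		if f, ok := plainFlags[opt]; ok {
			flags |= f
			continue
		}
		data = append(data, opt) // filesystem-specific option, passed through verbatim
	}
	if m.Type == "bind" {
		flags |= msBind // a "bind" type implies MS_BIND even without the keyword
	}
	calls := []MountCall{{Source: m.Source, Target: m.Destination, FSType: m.Type,
		Flags: flags, Data: strings.Join(data, ",")}}
	if propagation != 0 {
		calls = append(calls, MountCall{Target: m.Destination, Flags: propagation})
	}
	return calls, nil
}

// RootfsPropagation builds the propagation call for the container rootfs.
// Aimed at the rootfs (e.g. something under /var/lib/docker/...) rather than
// the host's /, a recursive change only affects mounts beneath the rootfs and
// leaves the propagation of the host's other mounts untouched.
func RootfsPropagation(rootfs, mode string) (MountCall, error) {
	f, ok := propagationFlags[mode]
	if !ok {
		return MountCall{}, fmt.Errorf("unknown propagation mode %q", mode)
	}
	return MountCall{Target: rootfs, Flags: f}, nil
}

func main() {
	// Constructed input: a volume with an rslave keyword mixed into its options.
	m := Mount{Type: "bind", Source: "/var/lib/foo", Destination: "/var/lib/docker/rootfs/mnt",
		Options: []string{"rbind", "nosuid", "rslave"}}
	calls, err := PlanMount(m)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	rc, _ := RootfsPropagation("/var/lib/docker/rootfs", "rprivate")
	for _, c := range append([]MountCall{rc}, calls...) {
		fmt.Printf("mount(%q, %q, %q, %#x, %q)\n", c.Source, c.Target, c.FSType, c.Flags, c.Data)
	}
}
```

The program only plans the calls; issuing them for real needs CAP_SYS_ADMIN and a mount namespace of its own, which is exactly the kind of thing the spec needs to be able to express.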