Can shared mounts be made to work in CoreOS?

[Anand Patil]

Hi everyone,

This method for propagating mounts from Linux containers to the host using shared mounts works in Ubuntu, but not CoreOS currently. Would it be possible to make it work in CoreOS? The use case is mounting non-NFS network attached storage into unprivileged containers, more detail is given in an earlier question. A test case is:

# On the host

mkdir /home/core/shared

sudo mount --bind /home/core/shared /home/core/shared                                                          

sudo mount --make-unbindable /home/core/shared

sudo mount --make-shared /home/core/shared                                                                 

sudo mkdir /home/core/shared/test

sudo docker run -i -t --privileged -v /home/core/shared/test:/shared ubuntu:12.04 /bin/bash

# In the container

mkdir /shared/usr

mount --bind /usr /shared/usr

# On the host, /home/core/shared/test/usr "should" now contain local, lib, bin, etc.

Many thanks,

Anand

[Jonathan Boulle]

Before diving in too deeply - are you sure that works on modern versions of Docker? I can't repro using those steps on Fedora 20 + docker 0.11.1; the mount within the docker container does not propagate to the host (as you're seeing on CoreOS).

[Anand Patil]

This executable test: https://gist.github.com/apatil/d6e6c95115bce01a49d1 works with docker 0.11.1 on ubuntu 12.04, meaning the mount does propagate. Does it work on Fedora?

Anand

[Anand Patil]

It _doesn't_ work on Ubuntu 14.04, however.

[Jonathan Boulle]

Nope, doesn't work on F20 (kernel = 3.14.3)

[Anand Patil]

The Ubuntu box where it does work is on 3.8.0-29, the one where it doesn't work is on 3.13.0-24. I'll try to figure out if something related to shared mounts changed in the kernel in between.

[Jonathan Boulle]

Let us know what you find - I'm quite curious now.

[Anand Patil]

The plot thickens a little bit: shared-mount-nodocker.sh from https://gist.github.com/apatil/d6e6c95115bce01a49d1, which tests shared mounts without involving Docker, _does_ work on 3.13.0.

[Jonathan Boulle]

Yeah, I noticed that too (otherwise it'd be a more glaring kernel bug). I'm guessing the breakage is related to some changes in Docker's container handling (and that on Ubuntu 12.04 Docker falls back to its old, working method) - but this is pure speculation.

Would you mind trying with LXC and/or systemd-nspawn containers and seeing what you find?

[Anand Patil]

The steps from here: http://s3hh.wordpress.com/2011/09/22/sharing-mounts-with-a-container/ with plain lxc do work on 3.13.0.

[Sebastien]

It's not a kernel bug, it's because docker mounts it's root with MS_PRIVATE recursively. As a result no mounts propagation does not work.

When you run docker with the DOCKER_RAMDISK=1 then it uses MS_SLAVE instead and mount propagation works. The problem is that you then see all the hosts mounts in the containers /proc/mount (just like lxc I believe)