On Sun, Jan 18, 2015 at 11:38:12PM -0500, Lars Kellogg-Stedman wrote:
> I think we actually want MountFlags=slave, which will permit mounts
> from the global namespace to propagate into the service namespace
> without permitting propagation in the other direction. It seems like
> this would be the Least Surprising behavior.
...which would be the default if docker.service were itself using
PrivateTmp=true, because from systemd.exec:
Note that the file system namespace related options (PrivateTmp=,
PrivateDevices=, ProtectSystem=, ProtectHome=, ReadOnlyDirectories=,
InaccessibleDirectories= and ReadWriteDirectories=) require that mount
and unmount propagation from the unit's file system namespace is
disabled, and hence downgrade shared to slave.
So either explicitly setting MountFlags=slave, or setting
PrivateTmp=true if that doesn't cause any issues of which I am not
aware.
--
Lars Kellogg-Stedman <[email protected]> | larsks @ {freenode,twitter,github}
Cloud Engineering / OpenStack | http://blog.oddbit.com/
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
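An added example, not part of the thread: a POSIX shell helper that reads the propagation tags from /proc/<pid>/mountinfo lines so an operator can verify that a unit started with MountFlags=slave (or PrivateTmp=true, which downgrades shared to slave as the man page excerpt says) actually received slave propagation. The mountinfo sample lines are constructed; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the systemd-devel thread). Classify the mount
# propagation of entries in a mountinfo dump, e.g.
#   mountpoint_propagation / < /proc/$(systemctl show -p MainPID docker.service | cut -d= -f2)/mountinfo
# Field layout per proc(5):
#   ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTIONS [OPTIONAL...] - FSTYPE SOURCE SUPEROPTS
# The optional fields carry the propagation tags: shared:N, master:N,
# propagate_from:N, unbindable. With MountFlags=slave every mount in the
# unit's namespace shows master:N instead of shared:N.

# propagation_of "<mountinfo line>" -> shared | slave | shared-slave | unbindable | private
propagation_of() {
    # Keep only the optional fields: field 7 up to the "-" separator.
    opt=$(printf '%s\n' "$1" | awk '{
        out = "";
        for (i = 7; i <= NF && $i != "-"; i++) out = out " " $i;
        print out
    }')
    has_shared=0; has_master=0; has_unbind=0
    for tag in $opt; do
        case "$tag" in
            shared:*)   has_shared=1 ;;
            master:*)   has_master=1 ;;
            unbindable) has_unbind=1 ;;
        esac
    done
    if   [ "$has_unbind" = 1 ]; then echo unbindable
    elif [ "$has_shared" = 1 ] && [ "$has_master" = 1 ]; then echo shared-slave
    elif [ "$has_shared" = 1 ]; then echo shared
    elif [ "$has_master" = 1 ]; then echo slave
    else echo private
    fi
}

# mountpoint_propagation <mountpoint>  (mountinfo contents on stdin)
mountpoint_propagation() {
    line=$(awk -v mp="$1" '$5 == mp { print; exit }')
    [ -n "$line" ] || { echo "no such mountpoint: $1" >&2; return 1; }
    propagation_of "$line"
}

# Constructed sample: root as seen from the host namespace (shared), /tmp as it
# would appear inside a MountFlags=slave namespace (master only), and an
# unbindable mount for completeness.
HOST_LINE='24 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro'
SAMPLE_MOUNTINFO='24 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
31 24 0:27 / /tmp rw,nosuid,nodev master:1 - tmpfs tmpfs rw
40 24 0:35 / /mnt/iso ro,relatime unbindable - iso9660 /dev/sr0 ro'
```

Run it against the real mountinfo of the service's main PID and against PID 1 to compare: a "shared" root inside the unit means propagation back to the host is still possible.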
