On 01/19/2015 12:27 AM, Lars Kellogg-Stedman wrote:
> On Sun, Jan 18, 2015 at 11:38:12PM -0500, Lars Kellogg-Stedman wrote:
>> I think we actually want MountFlags=slave, which will permit mounts
>> from the global namespace to propagate into the service namespace
>> without permitting propagation in the other direction. It seems like
>> this would be the Least Surprising behavior.
>
> ...which would be the default if docker.service were itself using
> PrivateTmp=true, because from systemd.exec:
>
> Note that the file system namespace related options (PrivateTmp=,
> PrivateDevices=, ProtectSystem=, ProtectHome=, ReadOnlyDirectories=,
> InaccessibleDirectories= and ReadWriteDirectories=) require that mount
> and unmount propagation from the unit's file system namespace is
> disabled, and hence downgrade shared to slave.
>
> So either explicitly setting MountFlags=slave, or setting
> PrivateTmp=true if that doesn't cause any issues of which I am not
> aware.

Vincent, what do you think about MountFlags=slave?
_______________________________________________ systemd-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/systemd-devel
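The drop-in that the thread is discussing, together with a way to confirm what propagation mode the unit's namespace actually ended up with, as an added example that is not part of the thread and not the docker or systemd projects' own code. The drop-in directory, the file name `10-mountflags.conf`, and the `/proc/<pid>/mountinfo` sample lines are assumptions constructed for the example; the mountinfo field layout (optional `shared:N` / `master:N` / `unbindable` fields before the `-` separator) is the one documented in proc(5).

```bash
#!/bin/sh
# Added example for the MountFlags=slave discussion; not code from the thread.

# Write a drop-in for docker.service. $1 is the drop-in directory (assumed;
# normally /etc/systemd/system/docker.service.d). Afterwards run
# `systemctl daemon-reload && systemctl restart docker.service`.
write_dropin() {
    mkdir -p "$1"
    cat > "$1/10-mountflags.conf" <<'EOF'
[Service]
# slave: mounts made in the host namespace still appear inside the service,
# but mounts the service makes (container rootfs, volumes) do not leak back
# to the host. PrivateTmp=true would downgrade shared to slave implicitly;
# setting it explicitly documents the intent.
MountFlags=slave
EOF
}

# Read mountinfo-format lines on stdin and print the propagation mode of
# mount point $1: shared, slave, shared,slave, private, unbindable, or
# "absent" (exit 1) if the mount point is not in the table.
# Fields: id parent maj:min root mountpoint opts [optional...] - fstype src superopts
propagation() {
    awk -v mp="$1" '
        $5 == mp {
            shared = 0; slave = 0; unbind = 0
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/) shared = 1
                else if ($i ~ /^master:/) slave = 1
                else if ($i == "unbindable") unbind = 1
            }
            if (unbind) print "unbindable"
            else if (shared && slave) print "shared,slave"
            else if (shared) print "shared"
            else if (slave) print "slave"
            else print "private"
            found = 1; exit
        }
        END { if (!found) { print "absent"; exit 1 } }'
}

# Constructed sample: the host (global) namespace, everything shared.
HOST_MI='22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
38 22 0:34 / /var/lib/docker rw,relatime shared:2 - ext4 /dev/sdb1 rw'

# Constructed sample: the same mounts as seen from a docker.service namespace
# started with MountFlags=slave; the host peer groups became master:N, and a
# mount the service created itself carries no propagation field (private).
SVC_MI='120 119 8:1 / / rw,relatime master:1 - ext4 /dev/sda1 rw
121 120 0:34 / /var/lib/docker rw,relatime master:2 - ext4 /dev/sdb1 rw
200 121 0:45 / /var/lib/docker/overlay2/abc/merged rw,relatime - overlay overlay rw'

printf 'host   /var/lib/docker: %s\n'    "$(printf '%s\n' "$HOST_MI" | propagation /var/lib/docker)"
printf 'service /var/lib/docker: %s\n'   "$(printf '%s\n' "$SVC_MI"  | propagation /var/lib/docker)"
printf 'service container rootfs: %s\n'  "$(printf '%s\n' "$SVC_MI"  | propagation /var/lib/docker/overlay2/abc/merged)"
```

On a live host the same check runs against the real table: `nsenter -t "$(systemctl show -p MainPID --value docker.service)" -m findmnt -o TARGET,PROPAGATION /var/lib/docker`, or pipe `/proc/<MainPID>/mountinfo` into `propagation`. If it reports `shared` rather than `slave`, the drop-in is not in effect (not reloaded, overridden by a later drop-in, or the unit has its own MountFlags=).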
