Make overlay home dir Private mount
People have reported following issue with overlay $ docker run -ti --name=foo -v /dev/:/dev fedora bash $ docker cp foo:/bin/bash /tmp $ exit container Upon container exit, /dev/pts gets unmounted too. This happens because docker cp volume mounts get propagated to /run/docker/libcontainer/.... and when container exits, it must be tearing down mount point under /run/docker/libcontainerd/... and as these are "shared" mounts it propagates events to /dev/pts and it gets unmounted too. One way to solve this problem is to make sure "docker cp" volume mounts don't become visible under /run/docker/libcontainerd/.. Here are more details of what is actually happening. Make overlay home directory (/var/lib/docker/overlay) private mount when docker starts and unmount it when docker stops. Following is the reason to do it. In fedora and some other distributions / is "shared". That means when docker creates a container and mounts it root in /var/lib/docker/overlay/... that mount point is "shared". Looks like after that containerd/runc bind mounts that rootfs into /runc/docker/libcontainerd/container-id/rootfs. And this puts both source and destination mounts points in shared group and they both are setup to propagate mount events to each other. Later when "docker cp" is run it sets up container volumes under /var/lib/dokcer/overlay/container-id/... And all these mounts propagate to /runc/docker/libcontainerd/... Now mountVolumes() makes these new mount points private but by that time propagation already has happened and private only takes affect when unmount happens. So to stop this propagation of volumes by docker cp, make /var/lib/docker/overlay a private mount point. That means when a container rootfs is created, that mount point will be private too (it will inherit property from parent). And that means when bind mount happens in /runc/ dir, overlay mount point will not propagate mounts to /runc/. Other graphdrivers like devicemapper are already doing it and they don't face this issue. Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
This commit is contained in:
Vivek Goyal
parent
1d9a6833d3
commit
e076bccb45
|
|
@ -19,6 +19,7 @@ import (
|
|||
"github.com/docker/docker/pkg/chrootarchive"
|
||||
"github.com/docker/docker/pkg/idtools"
|
||||
|
||||
"github.com/docker/docker/pkg/mount"
|
||||
"github.com/opencontainers/runc/libcontainer/label"
|
||||
)
|
||||
|
||||
|
|
@ -145,6 +146,10 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
|
|||
return nil, err
|
||||
}
|
||||
|
||||
if err := mount.MakePrivate(home); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
d := &Driver{
|
||||
home: home,
|
||||
pathCache: make(map[string]string),
|
||||
|
|
@ -217,10 +222,11 @@ func (d *Driver) GetMetadata(id string) (map[string]string, error) {
|
|||
return metadata, nil
|
||||
}
|
||||
|
||||
// Cleanup simply returns nil and do not change the existing filesystem.
|
||||
// This is required to satisfy the graphdriver.Driver interface.
|
||||
// Cleanup any state created by overlay which should be cleaned when daemon
|
||||
// is being shutdown. For now, we just have to unmount the bind mounted
|
||||
// we had created.
|
||||
func (d *Driver) Cleanup() error {
|
||||
return nil
|
||||
return mount.Unmount(d.home)
|
||||
}
|
||||
|
||||
// CreateReadWrite creates a layer that is writable for use as a container
|
||||
|
|
|
|||
Loading…
Reference in New Issue