From eb76cb2301fc883941bc4ca2d9ebc3a486ab8e0a Mon Sep 17 00:00:00 2001
From: Vincent Batts
Date: Tue, 20 Jan 2015 14:22:04 -0500
Subject: [PATCH 1/2] contrib/systemd: mount namespace and subtree flags
This systemd.exec setting will construct a new mount namespace for the docker daemon, and use slave shared-subtree mounts so that volume mounts propogate correctly into containers. By having an unshared mount namespace for the daemon it ensures that mount references are not held by other pids outside of the docker daemon. Frequently this can be seen in EBUSY or "device or resource busy" errors.
Signed-off-by: Vincent Batts
---
 contrib/init/systemd/docker.service | 1 +
 1 file changed, 1 insertion(+)
diff --git a/contrib/init/systemd/docker.service b/contrib/init/systemd/docker.service
index 83c810d13a..9738ca1ad5 100644
--- a/contrib/init/systemd/docker.service
+++ b/contrib/init/systemd/docker.service
@@ -6,6 +6,7 @@ Requires=docker.socket
 [Service]
 ExecStart=/usr/bin/docker -d -H fd://
+MountFlags=slave
 LimitNOFILE=1048576
 LimitNPROC=1048576
From 6bb65864589fbd720622cbd795763d108999a366 Mon Sep 17 00:00:00 2001
From: Vincent Batts
Date: Tue, 20 Jan 2015 15:17:41 -0500
Subject: [PATCH 2/2] contrib/sysvinit-redhat: unshare mount namespace
unshare the mount namespace of the docker daemon to avoid other pids outside the daemon holding mount references of docker containers.
Signed-off-by: Vincent Batts
---
 contrib/init/sysvinit-redhat/docker | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/contrib/init/sysvinit-redhat/docker b/contrib/init/sysvinit-redhat/docker
index eadf02c75c..1994d6b31e 100755
--- a/contrib/init/sysvinit-redhat/docker
+++ b/contrib/init/sysvinit-redhat/docker
@@ -23,6 +23,7 @@
 . /etc/rc.d/init.d/functions
 prog="docker"
+unshare=/usr/bin/unshare
 exec="/usr/bin/$prog"
 pidfile="/var/run/$prog.pid"
 lockfile="/var/lock/subsys/$prog"
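Review bot: `MountFlags=slave` is added to the `[Service]` section without a comment, and in a unit file that operators edit by hand the reason in the commit message is easily lost; a line above it such as `# Own mount namespace with slave propagation: host mounts still appear inside it, but mounts the daemon creates (container rootfs, volumes) do not reach the host namespace, so other processes cannot pin them (EBUSY on unmount).` would keep it with the setting. The operational consequence is worth stating in that comment too: container and volume mounts will no longer be visible in the host's mount table, and a filesystem the daemon needs must be mounted on the host for it to propagate in. The direction of propagation (host to daemon only) is what slave propagation means, so this is not an inference about the daemon itself; whether the installed systemd versions all honour `MountFlags=` is something I would confirm on the target platforms rather than assume.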
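Review bot: `unshare=/usr/bin/unshare` hard-codes a path that nothing in this patch checks exists or is executable, and it is invoked in `start()` (the next hunk) in a backgrounded command whose output goes only to `$logfile`, so on a host whose util-linux lacks `unshare` the start would fail silently from the operator's point of view, as far as these hunks show. Guard it the way init scripts guard `$exec`, e.g. `[ -x "$unshare" ] || { echo "$unshare not found" >&2; exit 5; }` before it is used, so the script reports the missing prerequisite instead of appearing to start. A short comment on the assignment, such as `# used by start() to put the daemon in its own mount namespace`, would also help the next reader.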
@@ -46,7 +47,7 @@ start() {
 prestart
 printf "Starting $prog:\t"
 echo "\n$(date)\n" >> $logfile
- $exec -d $other_args &>> $logfile &
+ "$unshare" -m -- $exec -d $other_args &>> $logfile &
 pid=$!
 touch $lockfile
 # wait up to 10 seconds for the pidfile to exist. see
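Review bot: `"$unshare" -m` only creates the new mount namespace; the propagation type of the mounts copied into it is whatever the host had, which is not the `slave` behaviour the systemd unit in patch 1/2 gets from `MountFlags=slave`. On a host where `/` is not shared (typical without systemd) the daemon's copy is private, so a filesystem mounted on the host after the daemon starts — an NFS share under a volume path, say — will not be seen by the daemon or its containers; on a host where `/` is shared, the copied mounts stay peers of the originals, so daemon mounts still propagate back to the host and the EBUSY problem the commit describes is not fixed. If the target util-linux supports it, `"$unshare" -m --propagation slave -- $exec -d $other_args &>> $logfile &` gives parity with the unit; otherwise a `mount --make-rslave /` step right after unsharing, or at least a comment documenting the difference, is needed. util-linux `unshare` execs its command rather than forking, so `pid=$!` should still be the daemon's pid, but that is worth a comment next to the line as well. `start()` continues outside the hunk.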