1318547 – Can't use shared volume mounts with docker 1.10

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1318547 - Can't use shared volume mounts with docker 1.10

Summary: Can't use shared volume mounts with docker 1.10

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	rpm-ostree
Sub Component:
Version:	26
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Colin Walters
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1318690
TreeView+	depends on / blocked

Reported:	2016-03-17 08:25 UTC by Dusty Mabe
Modified:	2017-03-03 03:49 UTC (History)
CC List:	14 users (show)
Fixed In Version:	rpm-ostree-2017.2-2.fc24
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1318690 (view as bug list)
Environment:
Last Closed:	2017-03-03 03:49:04 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Dusty Mabe 2016-03-17 08:25:35 UTC

Description of problem:

The MountFlags=slave option is set in the docker systemd unit file which is causing shared mounts to not work with docker 1.10. I have not changed the docker.service unit file on my atomic host and it has that MountFlags=slave set in the unit file:

[vagrant@vanilla-f23atomic ~]$ rpm -qV docker | grep docker.service
.......T.    /usr/lib/systemd/system/docker.service
[vagrant@vanilla-f23atomic ~]$ grep Mount /usr/lib/systemd/system/docker.service
MountFlags=slave


I have been told this is not what we want: https://lists.projectatomic.io/projectatomic-archives/atomic-devel/2016-March/msg00083.html


Version-Release number of selected component (if applicable):
[vagrant@vanilla-f23atomic ~]$ rpm -q docker
docker-1.10.2-6.git0f5ac89.fc23.x86_64

How reproducible:
Always


Steps to Reproduce:
[vagrant@vanilla-f23atomic ~]$ sudo mount --make-shared /
[vagrant@vanilla-f23atomic ~]$ sudo docker run -it --privileged --rm -v /tmp/sharedfolder:/tmp/sharedfolder:shared sshfs /bin/bash  
docker: Error response from daemon: Cannot start container 7e99752dd8f2812a7d7acaa58594504be936b6f37aa77b6521a7098450343837: Path /tmp/sharedfolder is mounted on /sysroot but it is not a shared mount..

Actual results:
Can't run a docker container with :shared volume mount. See error message.

Comment 1 Daniel Walsh 2016-03-17 14:02:47 UTC

Lokesh please remove this line from all Fedora and RHEL versions of docker-1.10.

Comment 2 Lokesh Mandvekar 2016-03-24 16:23:22 UTC

docker has been downgraded to 1.9.1 on f23 (should land in -testing soon). I'll remove it once we're back on 1.10. f24 and rawhide are already on 1.10 and don't have MountFlags=slave. I'll make sure to remove it from RHEL 1.10 rpms too.

Comment 3 Dusty Mabe 2016-06-01 20:21:56 UTC

status on this since 1.10 is in 24 and is in testing in 23?

Comment 4 Daniel Walsh 2016-06-03 18:58:15 UTC

Fixed in docker-1.10, which is showing up everywhere now.

Comment 5 Fedora Admin XMLRPC Client 2016-06-08 14:10:11 UTC

This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 6 Colin Walters 2016-07-27 16:30:14 UTC

I hit this, and the problem turned out to be the mount propagation on / being private.

Comment 7 Jonathan Lebon 2016-10-12 19:30:31 UTC

(In reply to Colin Walters from comment #6)
> I hit this, and the problem turned out to be the mount propagation on /
> being private.

Also hit this on the most recent Fedora 24 tree:

#  findmnt / -o TARGET,PROPAGATION
TARGET PROPAGATION
/      private

# docker run --rm -it --privileged -v /:/host fedora:24 echo ok
docker: Error response from daemon: Cannot start container a9a14be96410e36f6a31e6604c603d1c4f5912a9def42e162e5d5b72fd3bec30: Path / is mounted on / but it is not a shared or slave mount..sh

# mount --make-shared /
# docker run --rm -it --privileged -v /:/host fedora:24 echo ok
ok

Did this somehow change in recent times? Don't remember running into it before, although I've mounted / many times.

Comment 8 Colin Walters 2016-10-12 20:10:15 UTC

This may be an interaction with ostree doing the bind mount for /.

Comment 9 Colin Walters 2016-10-12 20:12:26 UTC

FWIW I think the right workaround is:

mount --make-rshared /

Note the extra `r` - this way you'll also be able to bind in any other host mount points.

Comment 10 Fedora End Of Life 2016-11-24 16:07:08 UTC

This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 11 Micah Abbott 2017-02-02 22:07:20 UTC

We are seeing this in our F24 Atomic Host tests.  From what I can deduce, it appears using pkg-layering is causing the root filesystem to have mount propagation set to PRIVATE.

# atomic host status
State: idle
Deployments:
● fedora-atomic:fedora-atomic/24/x86_64/docker-host
       Version: 24.121 (2017-02-02 20:35:47)
        Commit: 57f57ff2eeb82797e3600bd3ce0a6dfb7a6982997abda991cc2b8711e7cb7004
        OSName: fedora-atomic
# findmnt / -o TARGET,PROPAGATION
TARGET PROPAGATION
/      shared
# rpm-ostree install wget
Checking out tree 57f57ff... done

Downloading metadata: [=====================] 100%
Resolving dependencies... done
Overlaying... done
Running %post for wget...... done
Writing rpmdb... done
Writing OSTree commit... done
Copying /etc changes: 26 modified, 0 removed, 65 added
Transaction complete; bootconfig swap: yes deployment count change: 1
Added:
  wget-1.18-1.fc24.x86_64
Run "systemctl reboot" to start a reboot

<<< reboot >>>

# atomic host status
State: idle
Deployments:
● fedora-atomic:fedora-atomic/24/x86_64/docker-host
       Version: 24.121 (2017-02-02 22:04:01)
    BaseCommit: 57f57ff2eeb82797e3600bd3ce0a6dfb7a6982997abda991cc2b8711e7cb7004
        Commit: 71aa1683f43ec9e61b3fc8dccb2bc6d1a52d06c9aa8164035fd16ba7db6e2fff
        OSName: fedora-atomic
      Packages: wget

  fedora-atomic:fedora-atomic/24/x86_64/docker-host
       Version: 24.121 (2017-02-02 20:35:47)
        Commit: 57f57ff2eeb82797e3600bd3ce0a6dfb7a6982997abda991cc2b8711e7cb7004
        OSName: fedora-atomic
-bash-4.3# findmnt / -o TARGET,PROPAGATION
TARGET PROPAGATION
/      private
# docker run --rm -it --privileged -v /:/host fedora:24 echo ok
docker: Error response from daemon: Cannot start container b8b6355cac7af433724236b58669495c8e378236fb4de242f43a610247372c75: Path / is mounted on / but it is not a shared or slave mount..


So is this really an ostree bug?  Do we want to ship a new version of ostree in F24?

Comment 12 Jonathan Lebon 2017-02-03 23:33:02 UTC

Good catch, Micah. This is indeed caused by rpm-ostree package layering. Should be fixed by:

https://github.com/projectatomic/rpm-ostree/pull/605

Note that although this also happens on F25, the docker there can deal with it.

Comment 13 Fedora Update System 2017-02-15 15:57:03 UTC

ostree-2017.2-2.fc24 rpm-ostree-2017.2-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-758aab74a4

Comment 14 Fedora Update System 2017-02-17 16:58:12 UTC

ostree-2017.2-2.fc24 rpm-ostree-2017.2-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-758aab74a4

Comment 15 Fedora Update System 2017-02-18 21:50:47 UTC

ostree-2017.2-2.fc24, rpm-ostree-2017.2-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-758aab74a4

Comment 16 Fedora Update System 2017-02-23 17:11:07 UTC

ostree-2017.2-3.fc24 rpm-ostree-2017.2-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-758aab74a4

Comment 17 Fedora Update System 2017-02-25 00:52:54 UTC

ostree-2017.2-3.fc24, rpm-ostree-2017.2-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-758aab74a4

Comment 18 Fedora End Of Life 2017-02-28 09:56:00 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 19 Fedora Update System 2017-03-03 03:49:04 UTC

ostree-2017.2-3.fc24, rpm-ostree-2017.2-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.