Skip to content

--userns-remap causes shared mounts to also become slaves #36472

New issue
New issue
Open
Open
--userns-remap causes shared mounts to also become slaves#36472
Labels
area/security/userns
@gvessere

Description

@gvessere
gvessere
opened on Mar 2, 2018

the --userns-remap option only mounts shared mounts using the slave option. if the daemon is started without the userns-remap option, the container mountpoint is not a slave

Steps to reproduce the issue:

  1. mkdir hostmount
  2. sudo mount --bind hostmount hostmount (edited 3/21)
  3. sudo mount --make-shared hostmount (edited 3/21)
  4. docker run -it --mount type=bind,source=hostmount,target=containermount,bind-propagation=shared ubuntu bash
  5. (inside container) findmnt -o PROPAGATION,TARGET

Describe the results you received:
...
shared,slave |-/containermount
...

Describe the results you expected:
...
shared |-/containermount
...

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client:
 Version:	18.02.0-ce
 API version:	1.36
 Go version:	go1.9.3
 Git commit:	fc4de44
 Built:	Wed Feb  7 21:16:33 2018
 OS/Arch:	linux/amd64
 Experimental:	false
 Orchestrator:	swarm

Server:
 Engine:
  Version:	18.02.0-ce
  API version:	1.36 (minimum version 1.12)
  Go version:	go1.9.3
  Git commit:	fc4de44
  Built:	Wed Feb  7 21:15:05 2018
  OS/Arch:	linux/amd64
  Experimental:	false

Output of docker info:

Containers: 50
 Running: 0
 Paused: 0
 Stopped: 50
Images: 2
Server Version: 18.02.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9b55aab90508bd389d7654c4baf173a981477d55
runc version: 9f9c96235cc97674e935002fc3d78361b696a69e
init version: 949e6fa
Security Options:
 apparmor
 seccomp
  Profile: default
 userns
Kernel Version: 4.4.0-1052-aws
Operating System: Ubuntu 16.04.3 LTS
OSType: linux
Architecture: x86_64
CPUs: 36
Total Memory: 58.97GiB
Name: ip-172-30-91-26
ID: BXCO:ZVDX:QSQR:5V6W:SQSW:SDMU:RXVC:KZNN:CGMZ:W3F5:LDHY:MDMS
Docker Root Dir: /var/lib/docker/231072.231072
Debug Mode (client): false
Debug Mode (server): false
Username: basespace
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support

output of uname -a:

Linux ip-172-30-91-26 4.4.0-1052-aws #61-Ubuntu SMP Mon Feb 12 23:05:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/security/userns

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions