Bug 1262994

Summary: docker-io remounts host /sys read-only
Product: [Fedora] Fedora EPEL
Reporter: David Six <dsix.work>
Component: docker-io
Assignee: Ivan Chavero <ichavero>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: unspecified
Version: el6
CC: adimania, admiller, akurtako, dsix.work, dwalsh, extras-qa, golang-updates, hushan.jia, ichavero, jalmansor, jchaloup, jperrin, lsm5, manuel.wolfshant, mattdm, mgoldman, miminar, pwebster, s, thrcka, vbatts
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1214394
Environment:
Last Closed: 2015-10-28 14:40:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description David Six 2015-09-14 20:37:54 UTC
+++ This bug was initially created as a clone of Bug #1214394 +++

Description of problem: 

Running a container without --privileged will remount /sys as read only on the host machine.

Verified with docker-io-1.7.1-2.el6.x86_64 on RHEL 6.7

How reproducible: Always

Steps to Reproduce: 

1. Install docker-io
2. Start a container without --privileged (e.g. docker run -it --rm busybox date)
3. /sys is now mounted RO on the host

Expected results: 

/sys should be read-only within the container, but remain read-write for the host

Additional docker version information:

# docker info
Containers: 10
Images: 179
Storage Driver: devicemapper
 Pool Name: docker-253:0-27395432-pool
 Pool Blocksize: 65.54 kB
 Backing Filesystem: extfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 8.951 GB
 Data Space Total: 107.4 GB
 Data Space Available: 98.42 GB
 Metadata Space Used: 10.13 MB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.137 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.95-RHEL6 (2015-07-29)
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 2.6.32-573.3.1.el6.x86_64
Operating System: <unknown>
CPUs: 2
Total Memory: 1.808 GiB
Name: -
ID: IHHZ:XJ2C:4JQL:AN6P:I7KG:7Y3P:FIEC:P5NK:QKSA:PTKR:CDHR:RILN

# docker version
Client version: 1.7.1
Client API version: 1.19
Go version (client): go1.4.2
Git commit (client): 786b29d/1.7.1
OS/Arch (client): linux/amd64
Server version: 1.7.1
Server API version: 1.19
Go version (server): go1.4.2
Git commit (server): 786b29d/1.7.1
OS/Arch (server): linux/amd64
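The reporter's step 3 ("/sys is now mounted RO on the host") is easy to miss because nothing in the container's own output reveals it. The script below is an added example, not part of the bug report or the docker-io package: it reads a /proc/mounts-format file, reports whether the /sys entry carries the ro option, and can be run on the host before and after a `docker run` to confirm the regression or verify that a fixed package no longer shows it. The function names `sys_state` and `check_host` and the sample mount lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): detect a read-only /sys on the host.
# Input is /proc/mounts format: device mountpoint fstype options dump pass.

# sys_state FILE: print "ro", "rw" or "absent" for the /sys entry in FILE.
# Options are split on commas so that "ro" is matched as a whole option and
# not as a substring of something like "errors=remount-ro". If FILE lists
# /sys more than once, the last entry wins.
sys_state() {
    awk '$2 == "/sys" {
             state = "rw"
             n = split($4, o, ",")
             for (i = 1; i <= n; i++) if (o[i] == "ro") state = "ro"
         }
         END { print (state == "" ? "absent" : state) }' "$1"
}

# check_host: probe the running host's /proc/mounts. Exits non-zero when /sys
# is read-only, so it can bracket a "docker run" in a test or a cron job.
check_host() {
    state=$(sys_state /proc/mounts)
    echo "/sys on this host is mounted $state"
    [ "$state" != "ro" ]
}

# demo: constructed sample input reproducing the state the bug describes.
# The lines are made up for this example, not captured from the reporter's box.
demo() {
    tmp=$(mktemp) || return 1
    printf 'sysfs /sys sysfs ro,relatime 0 0\nproc /proc proc rw,relatime 0 0\n' > "$tmp"
    sys_state "$tmp"      # prints: ro
    rm -f "$tmp"
}

# Usage:  sh sys_ro_check.sh --host   (probe this machine)
#         sh sys_ro_check.sh --demo   (run on the constructed sample)
case "$1" in
    --host) check_host ;;
    --demo) demo ;;
esac
```

Run `--host` once before starting a non-privileged container and once after; on an affected docker-io-1.7.1 host the second run reports `ro`, and a remount (`mount -o remount,rw /sys`) is the interim recovery until the package is fixed.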