Bug 1603201

Description of problem:

Starting on version docker-1.13.1-63.git94f4240.el7.x86_64, docker can't no longer bindmount symbolic links to namespaces (/proc/PID/ns/*):

# docker run --privileged -it  -v /proc/1/ns/net:/aaa rhel7 /bin/bash
/usr/bin/docker-current: Error response from daemon: error while creating mount source path '/proc/1/ns/net:[4026531956]': mkdir /proc/1/ns/net:[4026531956]: no such file or directory.

This worked on previous versions (docker-1.13.1-58.git87f2fab.el7.x86_64 or lower).


Version-Release number of selected component (if applicable):

docker-1.13.1-63.git94f4240.el7.x86_64


How reproducible:

Always.


Additional info:

This problem can be tracked down to this change:

 - https://github.com/projectatomic/docker/commit/1fc7510329f938b7d38fd8989bd462201d0fe13a

volume/volume.go:
 // Setup sets up a mount point by either mounting the volume if it is
 // configured, or creating the source directory if supplied.
-func (m *MountPoint) Setup(mountLabel string, rootUID, rootGID int) (path string, err error) {
+func (m *MountPoint) Setup(prefix, mountLabel string, rootUID, rootGID int) (path string, err error) {
+	symlinkRoot := prefix
+	if symlinkRoot == "" {
+		symlinkRoot = "/"
+	}
+	sourcePath, err := symlink.FollowSymlinkInScope(filepath.Join(prefix, m.Source), symlinkRoot)
+	if err != nil {
+		path = ""
+		err = errors.Wrapf(err, "error evaluating symlink from mount source '%s'", m.Source)
+		return
+	}
+

The use of FollowSymlinkInScope on m.Source alters docker's by following symlinks in the source path of the bindmount. In the case of a symbolic link to a namespace, it produces the following transformation:

 - /proc/1/ns/net -> /proc/1/ns/net:[4026531956]

And the later doesn't really exist in the filesystem.

I've checked upstream, and this change isn't there, so this is a downstream regression.