Description of problem:
With docker-io upgraded to 1.6, docker build and docker runs of https://github.com/adelton/docker-freeipa started to fail. The reason seems to be that the container gets /var/log/journal/{id-of-the-container?} mounted and you cannot get rid of it because

    [root@4809557f6c5a /]# umount -f /var/log/journal/4809557f6c5a83f899a25b507d72c4d5
    umount: /var/log/journal/4809557f6c5a83f899a25b507d72c4d5: must be superuser to unmount

That however prevents us from moving /var/log to VOLUME because in build time, /var/log/ cannot be removed:

    rm: cannot remove '/var/log/journal/cf00ac62f9dad464306c48f0267be479': Device or resource busy

Version-Release number of selected component (if applicable):

    # rpm -q docker-io docker
    docker-io-1.6.0-1.git0591dce.fc21.x86_64
    package docker is not installed

How reproducible: Deterministic.

Steps to Reproduce:
1. Install docker-io.
2. Make no changes to /etc/sysconfig/docker except adding --icc=false to OPTIONS.
3. Run the service.
4. Run docker run -ti fedora:20 mount | grep /var/log

Actual results:

    /dev/mapper/fedora--server_mgmt12-root on /var/log/journal/4809557f6c5a83f899a25b507d72c4d5 type ext4 (rw,relatime,seclabel,data=ordered)

Expected results: Nothing mounted on /var/log.

Additional info:
I see the same behaviour with docker-1.6.0-1.git0591dce.fc22.x86_64 but on Fedora 21 it's obviously more severe because it would mean regression there.
Dan, I don't quite remember, you mentioned something about journald work sometime back, is that something not in fedora yet?
Jan, what exactly are you trying to do? Can you ping me on IRC to tell me exactly what is going on?
Lokesh, this should work in Fedora but not RHEL7 yet.
From https://github.com/adelton/docker-freeipa/blob/master/Dockerfile

    Step 14 : RUN cd / ; mkdir /data-template ; cat /etc/volume-data-list | while read i ; do if [ -e $i ] ; then tar cf - .$i | ( cd /data-template && tar xf - ) ; fi ; mkdir -p $( dirname $i ) ; rm -rf $i ; ln -sf /data${i%/} ${i%/} ; done
     ---> Running in 8ad03310a401
    rm: cannot remove '/var/log/journal/8ad03310a40178c266b7b70bddbfb778': Device or resource busy

/etc/volume-data-list includes /var/log/
Ok you are just getting an error trying to remove the contents of the directory, but everything else should work fine. I can see this being a potential issue if you are saving the logs in the image.
In the FreeIPA image, I move /var/log to a /data volume and replace it with a symlink /var/log -> /data/var/log in the image. The goal is not to save logs in the image but into the volume.
I could certainly do something like

    RUN ... process list of directories to put to volume (== move aside to /data-template during build) ... if [ "$i" == /var/log/ ] ; then mv /var/log /var/log-removed ; else rm -rf $i ; fi ...
    RUN rm -rf /var/log-removed

But why mount it directly to /var/log/journal/... in the first place? Why not something like /run/journal/data and have the /var/log/journal/... be a symlink to it? I assume for many people, having /var/log in a volume is and will be the way to go, and preparing for journald support shouldn't break that. I'm scared what other not-so-obvious features might be included in the future.
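Added example, not part of the bug thread or of the docker-freeipa Dockerfile: a check a build step could run before clearing a directory, listing the mount points beneath it from /proc/self/mountinfo so the step can move the directory aside instead of failing with "Device or resource busy". The function names and the sample mountinfo lines are constructed for illustration.

```shell
#!/bin/sh
# List mount points strictly below a directory.
# Input is in /proc/self/mountinfo format, where field 5 is the mount point.
mounts_under() {
    dir=${1%/}                       # "/var/log/" -> "/var/log"
    info=${2:-/proc/self/mountinfo}  # optional second argument: a sample file
    # Match on "dir/" as a prefix so /var/logs is not mistaken for /var/log.
    awk -v d="$dir" '{ if (index($5, d "/") == 1) print $5 }' "$info"
}

# Decide how a build step should clear a path from the volume list:
# "rm" when nothing is mounted below it, "mv" (move aside, delete in a
# later step) when something is.
clear_strategy() {
    if [ -n "$(mounts_under "$1" "$2")" ]; then
        echo mv
    else
        echo rm
    fi
}

# Constructed sample in mountinfo format, modelled on the mount shown in
# the report (mount IDs and the root device name are made up).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
60 40 253:1 / / rw,relatime - ext4 /dev/mapper/docker-root rw
61 60 0:5 / /proc rw,nosuid - proc proc rw
72 60 253:0 /var/log/journal/4809557f6c5a83f899a25b507d72c4d5 /var/log/journal/4809557f6c5a83f899a25b507d72c4d5 rw,relatime - ext4 /dev/mapper/fedora--server_mgmt12-root rw,seclabel,data=ordered
EOF

for p in /var/log/ /etc/; do
    echo "$p: $(clear_strategy "$p" "$SAMPLE")"
done
```

Run without the second argument inside a container, `mounts_under /var/log/` reads the live mount table and shows exactly which paths were mounted without a `-v` option.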
(In reply to Daniel Walsh from comment #7)
> Ok you are just getting an error trying to remove the contents of the
> directory, but everything else should work fine.

If I can't remove /var/log/journal/8ad03310a40178c266b7b70bddbfb778, I can't remove /var/log, so I can't replace it with symlink pointing to /data.
Why not directly volume mount /var/log into the container? -v /data/var/log:/var/log
(In reply to Daniel Walsh from comment #11)
> Why not directly volume mount /var/log into the container?
>
> -v /data/var/log:/var/log

That'd be one more -v option to give to docker run. The goal of FreeIPA is to integrate multiple things under one umbrella and hide the complexity of the various setups. We try hard to consolidate it all (via symlinks) into one volume mountpoint, avoiding the need for the admin to have numerous volumes and numerous -v options. Besides, /var/log has rpm-populated directories that the software expects to find there. If they get hidden with an empty mounted volume, we are likely to see additional breakage.
Jan, let's talk in IRC.
Any more updates on this?
Jan and I had a discussion on the atomic command and how to set up the DATADIR for volume mounting into the container. I believe that this should be handled via a different mechanism than he is currently building.
Ok, great, thanks. Jan, are you willing to close this, or is further resolution needed?
(In reply to Andy Goldstein from comment #16)
>
> Jan, are you willing to close this, or is further resolution needed?

I'd certainly prefer if docker (the daemon, I assume) was not mounting additional external objects without the user asking for it, especially when they then cannot be unmounted. We've had enough problems being stuck with /etc/resolv.conf that couldn't be removed or unmounted, that got resolved and now new paths pop up. It certainly is not a blocker for the 1.6 release but I hope there is a better way to offer the additional functionality without forcing it on everyone unconditionally.
I would guess we could easily remove it from docker build, since there is little reason to do it there. The question would be how do you get this type of functionality by default without adding mount points. We are also looking to add /run and /tmp as a tmpfs by default. Potentially /sys/fs/cgroup will be showing up also.
I would like to have a meeting to discuss the IPA Image/Images to make sure they follow the latest ways we are thinking in the AppInfra team.
docker-io-1.6.0-2.git3eac457.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/docker-io-1.6.0-2.git3eac457.fc21
docker-io-1.6.0-2.git3eac457.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.