Output of docker version:
Client:
Version: 1.11.2
API version: 1.23
Go version: go1.5.4
Git commit: b9f10c9
Built: Wed Jun 1 21:54:25 2016
OS/Arch: linux/amd64
Server:
Version: 1.11.2
API version: 1.23
Go version: go1.5.4
Git commit: b9f10c9
Built: Wed Jun 1 21:54:25 2016
OS/Arch: linux/amd64
Output of docker info:
Containers: 67
Running: 1
Paused: 0
Stopped: 66
Images: 175
Server Version: 1.11.2
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 445
Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge null host
Kernel Version: 4.2.0-36-generic
Operating System: Ubuntu 15.10
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 31.36 GiB
Name:
ID: 2L4P:UKDR:MQ4A:7RQ6:X3VM:TNK2:XJ47:HJAX:DTW2:SDJK:NDZC:43QA
Docker Root Dir: /var/lib/docker
Debug mode (client): false
Debug mode (server): false
Username:
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Additional environment details (AWS, VirtualBox, physical, etc.):
I have seen this issue both on physical hardware and AWS EC2 host system.
Steps to reproduce the issue:
- Mount something rw on the host (you probably have one already - check /proc/mounts for anything other than the root which is labelled rw. In my case it's /run)
- docker run -it -v /:/rootfs:ro ubuntu
- touch /rootfs/run/foo (from within the docker container's shell)
- exit the container's shell
- ls /run/foo
Describe the results you received:
When creating the file /rootfs/run/foo from within the container, it is successful.
On the host system, the file /run/foo is created.
Describe the results you expected:
Creating the file /rootfs/run/foo should not succeed because the directory should be mounted read-only.
The file should not appear on the host system for the same reason.
Additional information you deem important (e.g. issue happens only occasionally):
From inside the docker container, any mount point on the host shows as a corresponding mountpoint within /rootfs. This is expected.
The root /rootfs is also shown mounted ro, as expected.
But any other mount points within rootfs (which were writeable on the host) show up as rw, for example:
cat /proc/mounts | grep '/rootfs/run '
tmpfs /rootfs/run tmpfs rw,nosuid,noexec,relatime,size=3288840k,mode=755 0 0
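
Added example (not part of the original report): the /proc/mounts check above, generalized to list every mount at or below a bind-mounted path that is still rw. The names rw_submounts and sample_mounts and the sample mount table are constructed for illustration; only the tmpfs /rootfs/run line is taken from the report.

```shell
#!/bin/sh
# rw_submounts PREFIX [MOUNTS_FILE]
# Prints each mount point at or below PREFIX whose option list contains "rw".
# MOUNTS_FILE defaults to /proc/mounts; pass "-" to read the table from stdin.
# Fields per line: device mountpoint fstype options dump pass.
rw_submounts() {
    prefix=${1%/}                 # drop one trailing slash; "/" becomes ""
    mounts=${2:-/proc/mounts}
    awk -v p="$prefix" '
        {
            mp = $2
            # Keep PREFIX itself or paths strictly beneath it, so that
            # /rootfs does not also match /rootfs-other.
            if (mp != p && index(mp, p "/") != 1) next
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "rw") { print mp; break }
        }
    ' "$mounts"
}

# Constructed sample of a container's /proc/mounts. The tmpfs /rootfs/run
# line is the one quoted in the report; every other line is made up.
sample_mounts() {
    cat <<'EOF'
overlay / overlay rw,relatime 0 0
/dev/sda1 /rootfs ext4 ro,relatime,data=ordered 0 0
tmpfs /rootfs/run tmpfs rw,nosuid,noexec,relatime,size=3288840k,mode=755 0 0
proc /rootfs/proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /rootfs/sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
/dev/sda1 /rootfs-other ext4 rw,relatime 0 0
EOF
}

# Demo on the constructed sample. Inside a real container, run:
#   rw_submounts /rootfs
sample_mounts | rw_submounts /rootfs -
```

An empty result means no mount under the given path is flagged rw; any path printed is a host mount that the :ro flag on the parent bind mount did not cover.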