0

I am trying to bind a host dir to a dir inside a container, and I expect changes made inside the container to be reflected on the host.

Here are the steps I followed:

Created /hostdir on the host and ran an ubuntu container in privileged mode:

[root@nhbdlin03 ~]# mkdir /hostdir
[root@nhbdlin03 ~]# docker run -itd --privileged --name ubuntu -v /hostdir:/hostdir:z ubuntu
76aebded33274e95a6f569d0831aee4df27e9f200a8fd0401448239bd6f5bf80
[root@nhbdlin03 ~]# docker exec -it ubuntu bash

Creating a container_dir inside the container:

root@76aebded3327:/# mkdir /container_dir

Binding the two directories (successful):

root@76aebded3327:/# mount --bind /container_dir /hostdir

Creating a file named hello.txt inside /container_dir:

root@76aebded3327:/# cd container_dir/
root@76aebded3327:/container_dir# touch hello.txt

It gets reflected inside /hostdir, as it is bind-mounted to /container_dir:

root@76aebded3327:/container_dir# ls /hostdir/
hello.txt

Exit the container and check on the host whether the same is reflected:

root@76aebded3327:/container_dir# exit

[root@nhbdlin03 ~]# ls /hostdir/
[root@nhbdlin03 ~]# ls /hostdir/ | wc -l
0
[root@nhbdlin03 ~]#

The contents are not getting reflected.
I am missing something or doing something completely wrong; please help me in the right direction.

2 Answers

0

That's by design – mounts done inside a container are not visible outside, for several reasons.

The container runs in a separate mount namespace (not just a simple chroot), and Docker most likely configures the new namespace in "private" mode, partly to prevent the container's various mounts from cluttering the host's findmnt, and partly to make it easier to disassemble all mounts when the container exits.

(When all mounts are only visible from inside the namespace, it's enough to kill all processes – then the mounts will be torn down automatically by the kernel. But if some of them are visible externally, then a 'host OS' process could potentially hold them "in use".)

You might need something like mount --make-[r]shared / at the correct time to make internal mounts visible externally. I don't have a more precise answer right now.

You can use the unshare and nsenter tools to experiment with namespaces without involving Docker – e.g. run unshare --mount --propagation=private in one terminal, mount something, then run findmnt to see it reporting different results "inside" and "outside" the 'unshare' process.

0

What worked for me was making the Docker bind mount shared as explained in this answer to a similar question "How to expose a container's mount point to the host?":

-v /hostdir:/hostdir:shared

According to Docker's docs the z option should achieve something similar, assuming your host OS uses SELinux, but I didn't try it.
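
An added example, not part of either answer: a shell function that reads the propagation state discussed above (private in the first answer, shared in the second) from `/proc/self/mountinfo`-style lines, so the state of `/hostdir` can be checked from inside the container. The function name `mount_propagation` and the sample mountinfo lines are constructed for this example.

```sh
#!/bin/sh
# Added example: classify a mount point's propagation from mountinfo lines.
# Layout per proc(5):
#   id parent maj:min root mountpoint options [optional...] - fstype source superopts

mount_propagation() {
    # $1 = mount point; $2 = mountinfo file, "-" for stdin
    #      (default: /proc/self/mountinfo, i.e. the caller's mount namespace)
    awk -v mp="$1" '
        function add(tag) { state = (state == "" ? tag : (state "," tag)) }
        $5 == mp {
            state = ""
            # optional fields run from field 7 up to the lone "-" separator
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/)         add("shared")
                else if ($i ~ /^master:/)    add("slave")
                else if ($i == "unbindable") add("unbindable")
            }
            # no propagation tag at all means the mount is private
            result = (state == "" ? "private" : state)
            found = 1    # keep scanning: the last entry is the topmost mount
        }
        END { if (!found) exit 1; print result }
    ' "${2:-/proc/self/mountinfo}"
}

# Constructed sample: container view with -v /hostdir:/hostdir (no propagation
# option), after "mount --bind /container_dir /hostdir" inside the container.
sample_default() {
    cat <<'EOF'
580 450 0:45 / / rw,relatime master:210 - overlay overlay rw
621 580 253:0 /hostdir /hostdir rw,relatime - xfs /dev/mapper/root rw
650 621 0:45 /container_dir /hostdir rw,relatime - overlay overlay rw
EOF
}

# Constructed sample: the same volume started with -v /hostdir:/hostdir:shared.
sample_shared() {
    cat <<'EOF'
580 450 0:45 / / rw,relatime master:210 - overlay overlay rw
621 580 253:0 /hostdir /hostdir rw,relatime shared:12 - xfs /dev/mapper/root rw
EOF
}

echo "default: $(sample_default | mount_propagation /hostdir -)"
echo "shared:  $(sample_shared  | mount_propagation /hostdir -)"
```

Mount points containing spaces appear escaped (`\040`) in mountinfo, so pass them in that form.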
