You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Using -v to bind mount a file into a container does not appear to modify the behavior of lstat or readlink if the target path on the container already exists and is a symbolic link.
This causes programs that use these system calls to continue seeing the file present in the container instead of the file on the host system.
In our case this caused Java processes to incorrectly resolve the timezone. An example of this behavior is provided below.
I have not tested whether this behavior also occurs for directory bind mounts.
docker version:
Client version: 1.7.0
Client API version: 1.19
Go version (client): go1.4.2
Git commit (client): 0baf609
OS/Arch (client): linux/amd64
Server version: 1.7.0
Server API version: 1.19
Go version (server): go1.4.2
Git commit (server): 0baf609
OS/Arch (server): linux/amd64
We noticed this on our Java app server containers, which derive from the official CentOS7 base image. Recently that image was updated so that /etc/localtime sym links to ../usr/share/zoneinfo/UTC
Our docker run commands use -v /etc/localtime:/etc/localtime to ensure that containers inherit the timezone of the VM they run on. We noticed this failed to work with the latest CentOS 7 image. After digging a bit, it appears that the JVM uses lstat and readlink to resolve /etc/localtime and this leads to unexpected results when combined with -v
Steps to Reproduce:
I have uploaded an image with Java 8 and a small Java program which demonstrates the issue. This issue shouldn't be specific to Java, but it was the simplest way for me to demonstrate the precise symptom.
The way this ends up getting mounted is the file ends up being mounted on the path the symlink is pointing to. The symlink is resolved before the mount.
Closing since we can't really change this behavior.
Description of problem:
Using -v to bind mount a file into a container does not appear to modify the behavior of lstat or readlink if the target path on the container already exists and is a symbolic link.
This causes programs that use these system calls to continue seeing the file present in the container instead of the file on the host system.
In our case this caused Java processes to incorrectly resolve the timezone. An example of this behavior is provided below.
I have not tested whether this behavior also occurs for directory bind mounts.
docker version
:docker info
:uname -a
:Linux redacted 3.16.0-41-generic #55~14.04.1-Ubuntu SMP Sun Jun 14 18:43:36 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Environment details (AWS, VirtualBox, physical, etc.):
HP laptop running Ubuntu 14.04 natively.
How reproducible:
We noticed this on our Java app server containers, which derive from the official CentOS7 base image. Recently that image was updated so that
/etc/localtime
sym links to../usr/share/zoneinfo/UTC
Our docker run commands use
-v /etc/localtime:/etc/localtime
to ensure that containers inherit the timezone of the VM they run on. We noticed this failed to work with the latest CentOS 7 image. After digging a bit, it appears that the JVM uses lstat and readlink to resolve/etc/localtime
and this leads to unexpected results when combined with-v
Steps to Reproduce:
I have uploaded an image with Java 8 and a small Java program which demonstrates the issue. This issue shouldn't be specific to Java, but it was the simplest way for me to demonstrate the precise symptom.
docker pull coopernurse/centos7-java
docker run -v /etc/localtime:/etc/localtime coopernurse/centos7-java /bin/bash -c '/bin/date && java Hello'
Actual Results:
Expected Results:
Additional info:
strace
shows that/bin/date
is simply callingopen('/etc/localtime')
whereas the JVM is callinglstat
and thenreadlink
readlink
still reports the original sym link, despite the -v bind mount:More strace output:
docker run -it --privileged coopernurse/centos7-java
vs
Hello.java
source:The text was updated successfully, but these errors were encountered: