config-linux.md: 11 additions & 1 deletion
@@ -654,7 +654,17 @@ The following parameters can be specified to set up seccomp:
654
654
## <aname="configLinuxRootfsMountPropagation" />Rootfs Mount Propagation
655
655
656
656
**`rootfsPropagation`** (string, OPTIONAL) sets the rootfs's mount propagation.
657
-
Its value is either slave, private, shared or unbindable.
657
+
Its value is either `shared`, `slave`, `private` or `unbindable`.
658
+
It's worth noting that a peer group is defined as a group of VFS mounts that propagate events to each other.
659
+
A nested container is defined as a container launched inside an existing container.
660
+
661
+
***`shared`**: the rootfs mount belongs to a new peer group.
662
+
This means that further mounts (e.g. nested containers) will also belong to that peer group and will propagate events to the rootfs.
663
+
Note this does not mean that it's shared with the host.
664
+
***`slave`**: the rootfs mount receives propagation events from the host (e.g. if something is mounted on the host it will also appear in the container) but not the other way around.
665
+
***`private`**: the rootfs mount doesn't receive mount propagation events from the host and further mounts in nested containers will be isolated from the host and from the rootfs (even if the nested container `rootfsPropagation` option is shared).
666
+
***`unbindable`**: the rootfs mount is a private mount that cannot be bind-mounted.
667
+
658
668
The [Shared Subtrees][sharedsubtree] article in the kernel documentation has more information about mount propagation.
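Review bot: in the `private` bullet, the closing parenthetical "even if the nested container `rootfsPropagation` option is shared" should format the value as `shared`, matching the other three bullets and the "Its value is either `shared`, `slave`, `private` or `unbindable`." sentence; as written, "is shared" reads as ordinary prose rather than the option value. The hunk also leaves this OPTIONAL field without a stated default: one sentence saying which propagation mode applies when `rootfsPropagation` is omitted would let a reader decide whether they must set it explicitly, which matters here because the `private` bullet is the one that keeps nested-container mounts isolated from the host and the rootfs. Minor style point: "It's worth noting that a peer group is defined as a group of VFS mounts that propagate events to each other." could simply read "A peer group is a group of VFS mounts that propagate events to each other.", and the same for the nested-container sentence.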