Overview

Mount propagation allows for sharing volumes mounted by a container to other containers in the same pod, or even to other pods on the same node.

Values

Mount propagation of a volume is controlled by the mountPropagation field in Container.volumeMounts. Its values are:

  • None - This volume mount does not receive any subsequent mounts that the host mounts on this volume or any of its subdirectories. Likewise, no mounts created by the container are visible on the host. This is the default mode, and is equal to private mount propagation in Linux kernels.

  • HostToContainer - This volume mount receives all subsequent mounts that the host mounts on this volume or any of its subdirectories. In other words, if the host mounts anything inside the volume mount, the container sees it mounted there. This mode is equal to rslave mount propagation in Linux kernels.

  • Bidirectional - This volume mount behaves the same as the HostToContainer mount. In addition, all volume mounts created by the container are propagated back to the host and to all containers of all pods that use the same volume. A typical use case for this mode is a Pod with a FlexVolume or CSI driver or a Pod that needs to mount something on the host using a hostPath volume. This mode is equal to rshared mount propagation in Linux kernels.

Bidirectional mount propagation can be dangerous. It can damage the host operating system and therefore it is allowed only in privileged containers. Familiarity with Linux kernel behavior is strongly recommended. In addition, any volume mounts created by containers in pods must be destroyed, or unmounted, by the containers on termination.
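A manifest check that applies the rules above before a Pod reaches the cluster: every volumeMount's mountPropagation is validated against the three values, and Bidirectional is flagged when the container is not privileged (rejected by the API server) or, when it is, listed for review because its mounts reach the host. This is an added example, not code from the OpenShift or Kubernetes projects; the sample Pod and container names are constructed.

```python
"""Lint a Pod manifest (as a dict, e.g. from yaml.safe_load) for risky
mountPropagation settings. Uses only the fields the page describes:
containers[].volumeMounts[].mountPropagation and securityContext.privileged."""

VALID_MODES = {"None", "HostToContainer", "Bidirectional"}


def lint_mount_propagation(pod: dict) -> list:
    """Return (container, mountPath, finding) tuples for a Pod dict."""
    findings = []
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        privileged = bool((c.get("securityContext") or {}).get("privileged"))
        for vm in c.get("volumeMounts", []):
            # An absent mountPropagation field means None (private).
            mode = vm.get("mountPropagation", "None")
            path = vm.get("mountPath", "?")
            if mode not in VALID_MODES:
                findings.append((name, path, f"unknown mountPropagation {mode!r}"))
            elif mode == "Bidirectional" and not privileged:
                findings.append((name, path, "Bidirectional needs privileged"))
            elif mode == "Bidirectional":
                # rshared: anything this container mounts lands on the host and
                # in every pod sharing the volume; must be unmounted on exit.
                findings.append((name, path, "Bidirectional (rshared) on privileged: review"))
    return findings


# Constructed sample: one safe mount, one needing review, one misconfigured.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "mount-propagation-demo"},
    "spec": {
        "containers": [
            {"name": "reader",
             "volumeMounts": [{"mountPath": "/mnt", "mountPropagation": "HostToContainer"}]},
            {"name": "csi-driver",
             "securityContext": {"privileged": True},
             "volumeMounts": [{"mountPath": "/var/lib/kubelet", "mountPropagation": "Bidirectional"}]},
            {"name": "oops",
             "volumeMounts": [{"mountPath": "/host", "mountPropagation": "Bidirectional"}]},
        ],
    },
}

if __name__ == "__main__":
    for container, path, msg in lint_mount_propagation(SAMPLE_POD):
        print(f"{container}:{path}: {msg}")
```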

Configuration

Before mount propagation can work properly on some deployments, such as CoreOS, Red Hat Enterprise Linux/CentOS, or Ubuntu, the mount share must be configured correctly in Docker.

Procedure
  1. Edit the Docker systemd service file. Set MountFlags as follows:

    MountFlags=shared

    Alternatively, remove MountFlags=slave, if present.

  2. Restart the Docker daemon:

    $ sudo systemctl daemon-reload
    $ sudo systemctl restart docker