While working with Docker the other day, I ran into an undesirable interaction between Docker and systemd services that utilize the PrivateTmp directive. The PrivateTmp directive, if true, "sets up a new file system namespace for the executed processes and mounts private /tmp and /var/tmp directories inside it that are not shared by processes outside of the namespace". This is a great idea from a security perspective, but can cause some unanticipated consequences.
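To see what PrivateTmp actually changes for a running service, compare the mount table the service's main process sees (/proc/MAINPID/mountinfo) with PID 1's. The script below is an added example, not code from the original post; the mountinfo lines and the systemd-private-* directory names in it are constructed samples, and the parser relies only on the documented /proc/[pid]/mountinfo field layout.

```python
"""Check whether a service really has a private /tmp and /var/tmp.

Compares a service's /proc/<pid>/mountinfo with PID 1's view. With
PrivateTmp=true, systemd bind-mounts a per-unit directory (named like
/tmp/systemd-private-<id>-<unit>-<rand>/tmp) over /tmp and /var/tmp inside
the service's mount namespace, so those mount points differ from the host's.
"""
import sys
from dataclasses import dataclass

TMP_PATHS = ("/tmp", "/var/tmp")


@dataclass(frozen=True)
class Mount:
    mount_id: int
    root: str        # path inside the filesystem that is mounted here
    mountpoint: str
    fstype: str
    source: str


def parse_mountinfo(text: str) -> dict[str, Mount]:
    """Parse mountinfo text into {mountpoint: Mount}.

    Lines are in mount order; a later mount on the same path shadows an
    earlier one, so 'last one wins' matches what the process actually sees.
    """
    mounts: dict[str, Mount] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        head, _, tail = line.partition(" - ")   # "-" separates optional fields
        h, t = head.split(), tail.split()
        mp = h[4].replace("\\040", " ")          # mountinfo escapes spaces
        mounts[mp] = Mount(int(h[0]), h[3].replace("\\040", " "), mp, t[0], t[1])
    return mounts


def private_tmp_status(host_info: str, svc_info: str) -> dict[str, bool]:
    """Return {path: is_private}: True when the service's mount on that path
    is a different mount (id, root or source) from the one PID 1 sees."""
    host, svc = parse_mountinfo(host_info), parse_mountinfo(svc_info)
    out = {}
    for p in TMP_PATHS:
        s, h = svc.get(p), host.get(p)
        out[p] = s is not None and (
            h is None or (s.mount_id, s.root, s.source) != (h.mount_id, h.root, h.source))
    return out


# Constructed sample data: host namespace, and a unit started with PrivateTmp=true.
HOST_MOUNTINFO = """22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
40 22 0:30 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
"""
PRIVATE_SVC_MOUNTINFO = HOST_MOUNTINFO + """\
103 22 0:30 /systemd-private-abc-foo.service-XYZ/tmp /tmp rw,nosuid,nodev - tmpfs tmpfs rw
104 22 8:1 /var/tmp/systemd-private-abc-foo.service-XYZ/tmp /var/tmp rw,relatime - ext4 /dev/sda1 rw
"""

if __name__ == "__main__":  # usage: python3 check_private_tmp.py <MAINPID>
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    with open("/proc/1/mountinfo") as f1, open(f"/proc/{pid}/mountinfo") as f2:
        print(private_tmp_status(f1.read(), f2.read()))
```

On a live system, get MAINPID with `systemctl show -p MainPID <unit>` and pass it as the argument; both paths should report True for a unit with PrivateTmp=true.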
The problem in a nutshell
Start a Docker container: