While working with Docker the other day, I ran into an
undesirable interaction between Docker and systemd services that
utilize the PrivateTmp directive.
The PrivateTmp directive, if set to true, “sets up a new file system
namespace for the executed processes and mounts private /tmp and
/var/tmp directories inside it that are not shared by processes outside
of the namespace”. This is a great idea from a security perspective
(a service can neither read nor clobber the temporary files of other
processes on the host), but it can have some unanticipated consequences.
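A minimal unit that turns the directive on, added here as an illustration rather than taken from the original post (the unit name and the ExecStart command are assumptions):

```ini
# /etc/systemd/system/example-privatetmp.service (hypothetical unit name)
[Unit]
Description=Example service with a private /tmp

[Service]
# Put the service in its own mount namespace with private /tmp and /var/tmp.
PrivateTmp=true
# Assumed command: writes a marker file into what the service sees as /tmp.
ExecStart=/bin/sh -c 'echo hello > /tmp/marker; sleep infinity'

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload` and `systemctl start example-privatetmp.service`, there is no `/tmp/marker` on the host. systemd backs the service's private /tmp with a per-instance directory under the host's /tmp, named like `/tmp/systemd-private-<boot-id>-example-privatetmp.service-<random>/tmp/`, and bind-mounts it over /tmp inside the service's namespace; `nsenter -t "$(systemctl show -p MainPID --value example-privatetmp.service)" -m findmnt /tmp` shows that mount from the service's point of view.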
The problem in a nutshell
Start a Docker container: