I am aware of the implications of these settings from a security standpoint, but they appear to be necessary to work around an issue with the JIT compiler built into the Oracle Database. I have tried a docker build file which adds
I don’t think you should ever remount shm in a container manually with or without fstab. You could create your own tmpfs inside the container but only if you have appropriate privileges. I don’t know which capability (--cap-add) would allow you to do this, so let’s say you use the --privileged flag. But this does not seem to be the right way.
You can do this:
docker run --tmpfs "/dev/shm:exec,dev,suid" -it --entrypoint bash oraclelinux:8-slim
This way you can have what you want in one container but you cannot share the IPC namespace to access this tmpfs from another container. When you mount a tmpfs over the original shm, it becomes non-shareable.
The other option is similar but allows you to share the tmpfs folder without sharing the IPC namespace.
Where the last --opt is optional since this is the default. You won’t see those mount options inside the container but you won’t see nodev,noexec,nosuid either.
Then mount the volume into multiple containers
docker run --mount "source=shmvolume,target=/dev/shm" -it --entrypoint bash oraclelinux:8-slim
I am aware this response is not about the mount options of the shm mounts, but it is about setting the size of the shm mount, as for instance required for Oracle databases:
--shm-size="" Size of /dev/shm. The format is <number><unit>. number must be greater than 0. Unit is optional and can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes). If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses 64m.
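As an added example (my own, not code from either reply above), a small POSIX shell audit that ties the two replies together: it reads /proc/mounts-style lines and reports which of exec/dev/suid are actually in effect on a mount point, so you can confirm from inside a container whether the default nosuid,nodev,noexec on /dev/shm has been relaxed, and it converts --shm-size values using exactly the <number><unit> format quoted above. The /proc/mounts excerpt is constructed; on a real container you would pipe in the real file.

```shell
# Constructed sample of /proc/mounts as seen inside a container (assumption):
# the default /dev/shm mount next to a tmpfs mounted with exec,dev,suid.
SAMPLE_MOUNTS='overlay / overlay rw,relatime 0 0
shm /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime,size=65536k 0 0
tmpfs /mnt/scratch tmpfs rw,relatime,size=1048576k 0 0'

# mount_opts MOUNTS_TEXT MOUNTPOINT: print the option field of that mount
# point (empty if it is not mounted).
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# enabled_flags OPTS: print which of exec/dev/suid are in effect, i.e. which
# hardening flags (noexec/nodev/nosuid) are absent from the option list.
# Prints nothing when all three hardening flags are present.
enabled_flags() {
    opts=",$1,"
    out=""
    for f in exec dev suid; do
        case "$opts" in
            *",no$f,"*) ;;
            *) out="$out${out:+ }$f" ;;
        esac
    done
    printf '%s\n' "$out"
}

# shm_size_bytes SIZE: convert a --shm-size value (<number><unit>, unit one of
# b/k/m/g, default bytes, number > 0) to bytes; non-zero status on bad input.
shm_size_bytes() {
    case "$1" in
        ''|*[!0-9bkmgBKMG]*) return 1 ;;
    esac
    unit=$(printf '%s' "$1" | sed 's/^[0-9]*//')
    num=$(printf '%s' "${1%"$unit"}" | sed 's/^0*//')
    [ -n "$num" ] || return 1
    case "$unit" in
        ''|b|B) mult=1 ;;
        k|K)    mult=1024 ;;
        m|M)    mult=1048576 ;;
        g|G)    mult=1073741824 ;;
        *)      return 1 ;;
    esac
    echo $((num * mult))
}

# Stand-alone run: audit both sample mounts and show one size conversion.
for mp in /dev/shm /mnt/scratch; do
    echo "$mp enabled: [$(enabled_flags "$(mount_opts "$SAMPLE_MOUNTS" "$mp")")]"
done
echo "64m = $(shm_size_bytes 64m) bytes"
```

On a live container, replace the sample with `mount_opts "$(cat /proc/mounts)" /dev/shm`; an empty result from enabled_flags means the default hardening is still in place.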