Control SHM mount options

I need to configure the options applied to shm.

If I start with

docker run -it --entrypoint bash oraclelinux:8-slim

and examine shm mount point options I see

bash-4.4# cat /proc/mounts | grep shm
shm /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime,size=65536k 0 0
bash-4.4#

How can I get to

rw,suid,dev,exec

I am aware of the implications of these settings from a security standpoint, but they appear to be necessary to workaround an issue with the JIT compiler built into the Oracle Database. I have tired a docker build file which adds

shm /dev/shm tmpfs rw,suid,dev,exec,relatime,size=65536k 0 0

to fstab but it did not seem to have any effect.

I don’t think you should ever remount shm in a container manually with or without fstab. You could create your own tmpfs inside the container but only if you have appropriate privileges. I don’t know which capability (--cap-add) would allow you to do this, so let’s say you use the --privileged flag. But this does not seem to be the right way.

You can do this:

docker run  --tmpfs "/dev/shm:exec,dev,suid" -it --entrypoint bash oraclelinux:8-slim

This way you can have what you want in one container but you cannot share the IPC namespace to access this tmpfs from another container. When you mount a tmpfs over the original shm, it becomes non-shareable.

The other option is similar but allows you to share the tmpfs folder without sharing the IPC namespace.

Create a tmpfs volume using the “shm” as device

docker volume create --opt "type=tmpfs" --opt "device=shm" --opt="o=exec,dev,suid" shmvolume

Where the last --opt is optional since this is the default. You won’t see those mount options inside the container but you won’t see nodev,noexec,nosuid either.

Then mount the volume into multiple containers

docker run  --mount "source=shmvolume,target=/dev/shm"  -it --entrypoint bash oraclelinux:8-slim

I am aware this response is not about the mount options of the shm mounts, but it is about setting the size of the shm mount as for instance required for oracle databases:

Quoted from https://docs.docker.com/engine/reference/run/#runtime-constraints-on-resources:

--shm-size="" Size of /dev/shm . The format is <number><unit> . number must be greater than 0 . Unit is optional and can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes). If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses 64m .

Which of course has a compose v2 and v3 representation: shm_size: 64M
see compose file v2 reference and compose file v3 reference