Unable to check Docker overlay network namespace

I have set up an overlay network and everything works as expected except when I was trying to look at the overlay network namespace.

Here is the problem:

Can anyone shed some light?

I’ll try to answer my own question.

Solution:
Comment out the line “MountFlags=slave” in /etc/systemd/system/multi-user.target.wants/docker.service

Why:
With “MountFlags=slave” set, systemd mounts the process’s root filesystem as “MS_SLAVE”, which means any newly mounted filesystems within this process won’t be seen by the parent process. That’s why you won’t be able to see the overlay namespace on the host machine.


I had the same issue and tried your solution. It works. Thank you very much.

You are welcome. Glad that I could help.

Hi @baiwang, I am using CoreOS and playing with Docker Swarm. I have the same issue but in my case the docker.service file is inside /usr/lib64/systemd/system/. I am not able to edit the file, even with sudoedit. Any idea on how I could enter the namespace?

On how to customize docker.service, here is the official CoreOS document: https://coreos.com/os/docs/latest/customizing-docker.html.

Please read the “Enabling the Docker debug flag” part; just replacing the “add the -D flag” part with commenting out MountFlags=slave will work.

Hope it helps.

There is another way around this, without having to modify the service. Use a double nsenter command to first enter the docker daemon’s mount namespace, then enter the network namespace from there.

E.g., in my case, 35633 is the pid of the docker daemon.

[root@docker3 ~]# nsenter -m -t 35633 nsenter --net=/var/run/docker/netns/4-4ef4272ac1 ip link

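To confirm the mount-propagation explanation given in the thread before changing the unit file, the check below compares mount tables in the /proc/<pid>/mountinfo format for the host and the Docker daemon. It is an added example, not code posted by anyone in the thread. The function names and sample mountinfo lines are constructed, and the /run/docker/netns path assumes /var/run is a symlink to /run.

```shell
# Added example, not from the thread. Sample mountinfo lines are constructed.

# propagation FILE MOUNTPOINT: print shared, slave or private for MOUNTPOINT
# (a mount that is both slave and shared is reported as slave).
propagation() {
    awk -v mp="$2" '
        $5 == mp {
            type = "private"
            # optional fields sit between field 6 and the "-" separator
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/ && type != "slave") type = "shared"
                if ($i ~ /^master:/) type = "slave"
            }
        }
        END { if (type == "") exit 1; print type }' "$1"
}

# netns_mounts FILE: list Docker network-namespace mount points in FILE.
netns_mounts() {
    awk '$5 ~ /^(\/var)?\/run\/docker\/netns\// { print $5 }' "$1"
}

# diagnose HOST_FILE DAEMON_FILE: "hidden" when netns mounts exist only in the
# daemon's mount namespace, "visible" when the host sees them too, else "none".
diagnose() {
    host_n=$(( $(netns_mounts "$1" | wc -l) ))
    daemon_n=$(( $(netns_mounts "$2" | wc -l) ))
    if [ "$daemon_n" -eq 0 ]; then echo none
    elif [ "$host_n" -eq 0 ]; then echo hidden
    else echo visible
    fi
}

# Constructed sample: host view and daemon view (daemon root is a slave mount).
write_samples() {
    printf '%s\n' '21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw' > "$1/host"
    printf '%s\n' '310 309 8:1 / / rw,relatime master:1 - ext4 /dev/sda1 rw' \
        '355 310 0:3 net:[4026532501] /run/docker/netns/4-4ef4272ac1 rw - nsfs nsfs rw' > "$1/daemon"
}

# Live use, as root, with the Docker daemon's pid as the argument.
[ -z "${1:-}" ] || { diagnose /proc/self/mountinfo "/proc/$1/mountinfo"; propagation "/proc/$1/mountinfo" /; }
```

A result of "hidden" together with "slave" for the daemon's root mount matches the situation described in the thread, where the netns files are reachable only from inside the daemon's mount namespace.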