The `mount --bind` command fails in a Docker container on Ubuntu

In my application on Ubuntu 20.04, I need to execute the following commands to bind-mount directories for a chroot:

% execute outside the Docker container
# cd /tmp
# mkdir a b
# mount --bind a b

If I do not use Docker containers, this mount --bind will succeed.

However, the same command will fail within a Docker container:

% execute in the docker container
# cd /app-data/
# mkdir a b
# mount --bind a b
mount: /app-data/b: bind /app-data/a failed.

I specify `cap_add: SYS_ADMIN` in docker-compose.yaml when launching the container.

How can I solve this problem?

For reference, here is the file system information of the execution environments:

% execute in the docker container
# df -T
Filesystem     Type    1K-blocks    Used Available Use% Mounted on
overlay        overlay  99014644 5453880  88511424   6% /
tmpfs          tmpfs       65536       0     65536   0% /dev
tmpfs          tmpfs     1017552       0   1017552   0% /sys/fs/cgroup
/dev/vda3      ext4     99014644 5453880  88511424   6% /app-data
shm            tmpfs       65536       0     65536   0% /dev/shm
tmpfs          tmpfs     1017552       0   1017552   0% /proc/acpi
tmpfs          tmpfs     1017552       0   1017552   0% /proc/scsi
tmpfs          tmpfs     1017552       0   1017552   0% /sys/firmware

% execute outside the Docker container
# df -T
Filesystem     Type     1K-blocks    Used Available Use% Mounted on
udev           devtmpfs    973876       0    973876   0% /dev
tmpfs          tmpfs       203512     828    202684   1% /run
/dev/vda3      ext4      99014644 5453880  88511424   6% /
tmpfs          tmpfs      1017552       0   1017552   0% /dev/shm
tmpfs          tmpfs         5120       0      5120   0% /run/lock
tmpfs          tmpfs      1017552       0   1017552   0% /sys/fs/cgroup
tmpfs          tmpfs       203508       0    203508   0% /run/user/1000
overlay        overlay   99014644 5453880  88511424   6% /var/lib/docker/overlay2/a393b5ab8ef81eb83d27565bc4695bbc899543aa075cbf7c1ccf6246ce846008/merged
shm            tmpfs        65536      16     65520   1% /var/lib/docker/containers/a4f2d1eff4b1a3ef1b8622fad4b529901fb415d77f17a31e8d9a0ed332d3819e/mounts/shm
overlay        overlay   99014644 5453880  88511424   6% /var/lib/docker/overlay2/a7453522f3e4a9f27c3cb20b0f3f4ebe75358ed9f5f909810ca18d836a601282/merged
shm            tmpfs        65536       0     65536   0% /var/lib/docker/containers/66a76b08846fbe38f633976bc8950ee414f867419310f8c612ce3aace8abfe0f/mounts/shm
Solution 1:[1]

A little late to answer the original requester, but I'll share the solution in case another person lands on this page as I did.

I found the solution in this book. In addition to adding the SYS_ADMIN capability, you need to disable AppArmor. You can run the container like this:

docker run -it --cap-add SYS_ADMIN --security-opt apparmor=unconfined <image>
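A diagnostic helper added here (it is not part of the question or the answer above) that checks the two prerequisites the answer names before a bind mount is attempted: CAP_SYS_ADMIN in the effective capability set and no enforcing AppArmor profile. The capability masks in the comments are constructed sample values, and the `live_check` function reads `/proc` so it only works on Linux.

```shell
#!/bin/sh
# Decide whether `mount --bind` is likely to be permitted inside this container.
# Two things must hold: CAP_SYS_ADMIN (capability bit 21) in the effective set,
# and no enforcing AppArmor profile (Docker's default docker-default profile
# denies mount; --security-opt apparmor=unconfined lifts that).

# has_sys_admin CAPHEX : succeed if bit 21 is set in a CapEff hex mask, e.g.
# the value in the "CapEff:" line of /proc/self/status.
# Constructed samples: 00000000a80425fb (Docker default, no SYS_ADMIN),
#                      00000000a82425fb (Docker default plus SYS_ADMIN).
has_sys_admin() {
    hex=$(printf '%s' "$1" | sed 's/^0x//')
    [ $(( (0x$hex >> 21) & 1 )) -eq 1 ]
}

# apparmor_allows_mount LABEL : succeed if LABEL (contents of
# /proc/self/attr/current) does not name a profile in enforce mode.
apparmor_allows_mount() {
    case "$1" in
        unconfined|"")  return 0 ;;  # no profile applied
        *"(complain)"*) return 0 ;;  # profile only logs, does not deny
        *)              return 1 ;;  # e.g. "docker-default (enforce)"
    esac
}

# mount_bind_check CAPHEX LABEL : print a verdict; exit status 0 only when
# both prerequisites hold, 1 for a missing capability, 2 for AppArmor.
mount_bind_check() {
    if ! has_sys_admin "$1"; then
        echo "CAP_SYS_ADMIN missing: add cap_add: SYS_ADMIN (or --cap-add SYS_ADMIN)"
        return 1
    fi
    if ! apparmor_allows_mount "$2"; then
        echo "AppArmor profile '$2' blocks mount: use --security-opt apparmor=unconfined"
        return 2
    fi
    echo "bind mount should be permitted"
    return 0
}

# live_check : run the check against the current process (Linux only).
live_check() {
    cap=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    label=$(cat /proc/self/attr/current 2>/dev/null || echo unconfined)
    mount_bind_check "$cap" "$label"
}
```

Run `live_check` inside the container before `mount --bind`; a non-zero status tells you which of the two settings is still missing.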

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 V3kt0r