origin: Incorrect `MountFlags` value in Docker daemon unit file: Cannot start container ... Path ... is mounted on ... but it is not a shared or slave mount

Seeing this issue in the networking extended tests:

Jun 10 18:11:26.242: INFO: At 2016-06-10 18:11:24 +0000 UTC - event for service-webserver: {kubelet nettest-node-1} Failed: Failed to start container with docker id f5ecb2f20b59 with error: API error (500): Cannot start container f5ecb2f20b591e2ca313d7bd98641873d2a7999721d64154855f0a86d6dee05a: Path /var/lib/openshift.local.volumes/pods/bde5b5fe-2f36-11e6-a3a6-024287af2ef2/containers/service-webserver-container/780e3547 is mounted on / but it is not a shared or slave mount.

As per https://github.com/docker/docker/issues/19625#issuecomment-203891275, it seems that the unit file setting MountFlags=slave causes this to occur.

In our AMI, we have:

$ sudo cat /usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target
Wants=docker-storage-setup.service
Requires=rhel-push-plugin.socket

[Service]
Type=notify
NotifyAccess=all
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
Environment=GOTRACEBACK=crash
ExecStart=/bin/sh -c '/usr/bin/docker-current daemon \
          --authorization-plugin=rhel-push-plugin \
          $OPTIONS \
          $DOCKER_STORAGE_OPTIONS \
          $DOCKER_NETWORK_OPTIONS \
          $ADD_REGISTRY \
          $BLOCK_REGISTRY \
          $INSECURE_REGISTRY \
          2>&1 | /usr/bin/forward-journald -tag docker'
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
MountFlags=slave
TimeoutStartSec=10min
Restart=on-abnormal
StandardOutput=null
StandardError=null

[Install]
WantedBy=multi-user.target

We don’t seem to have updated the version of Docker we’re running yet …

$ docker version
Client:
 Version:         1.10.3
 API version:     1.22
 Package version: docker-common-1.10.3-25.el7.x86_64
 Go version:      go1.4.2
 Git commit:      86bbf84/1.10.3
 Built:           
 OS/Arch:         linux/amd64

Server:
 Version:         1.10.3
 API version:     1.22
 Package version: docker-common-1.10.3-25.el7.x86_64
 Go version:      go1.4.2
 Git commit:      86bbf84/1.10.3
 Built:           
 OS/Arch:         linux/amd64

Question becomes… why are we seeing this now? Do we need to change that option?

/cc @marun @danwinship @runcom @smarterclayton