Comment 7 for bug 1833835

Radosław Piliszek (yoctozepto) wrote :

$ systemctl show docker.service | grep MountFlags
MountFlags=1048576
$ systemctl show containerd.service | grep MountFlags
MountFlags=0

Though `man systemd.exec` says:
MountFlags=
           Takes a mount propagation flag: shared, slave or private, which control whether mounts in the file system namespace set up for this unit's processes will receive or propagate mounts or unmounts.
           See mount(2) for details. Defaults to shared.
           ...
           Note that the file system namespace related options
           (PrivateTmp=, PrivateDevices=, ProtectSystem=, ProtectHome=, ReadOnlyDirectories=, InaccessibleDirectories= and ReadWriteDirectories=) require that mount and unmount propagation from the unit's
           file system namespace is disabled, and hence downgrade shared to slave.

None of these are used here.

I only know MountFlags were added to satisfy neutron components which probably had some issues without it.

I am also concerned with the fact that we override the ExecStart line:
$ cat /usr/lib/systemd/system/docker.service | grep ExecStart
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
$ cat /etc/systemd/system/docker.service.d/kolla.conf | grep ExecStart
ExecStart=
ExecStart=/usr/bin/dockerd --log-opt max-file=5 --log-opt max-size=50m
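
Added example, not part of the comment above and not kolla's own code: a shell sketch that decodes the numeric MountFlags= values printed by `systemctl show` using the propagation bits from <linux/mount.h>, and applies systemd's list-reset rule to show which dockerd options the drop-in's ExecStart override discards. The function names are hypothetical and the sample unit lines are copied from the output quoted in the comment.

```shell
#!/bin/sh
# Propagation bits from <linux/mount.h>; `systemctl show` prints MountFlags= as this number.
MS_PRIVATE=262144   # 1 << 18
MS_SLAVE=524288     # 1 << 19
MS_SHARED=1048576   # 1 << 20

# decode_mount_flags N: name the propagation mode behind a numeric MountFlags= value.
decode_mount_flags() {
    case "$1" in
        0)             echo "none" ;;      # no propagation bit set
        "$MS_SHARED")  echo "shared" ;;
        "$MS_SLAVE")   echo "slave" ;;
        "$MS_PRIVATE") echo "private" ;;
        *)             echo "unknown" ;;
    esac
}

# effective_execstart: read unit text followed by drop-in text on stdin and print
# the commands left after systemd's rule that an empty "ExecStart=" clears the list.
effective_execstart() {
    awk '/^ExecStart=/ {
             val = substr($0, 11)
             if (val == "") n = 0; else cmds[++n] = val
         }
         END { for (i = 1; i <= n; i++) print cmds[i] }'
}

# dropped_words PACKAGED EFFECTIVE: print each word of PACKAGED missing from EFFECTIVE.
dropped_words() {
    for w in $1; do
        case " $2 " in
            *" $w "*) ;;
            *) printf '%s\n' "$w" ;;
        esac
    done
}

# Sample input copied from the command output in the comment.
PACKAGED='ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock'
DROPIN='ExecStart=
ExecStart=/usr/bin/dockerd --log-opt max-file=5 --log-opt max-size=50m'

echo "docker.service MountFlags=1048576 -> $(decode_mount_flags 1048576)"
echo "containerd.service MountFlags=0 -> $(decode_mount_flags 0)"
EFFECTIVE=$(printf '%s\n%s\n' "$PACKAGED" "$DROPIN" | effective_execstart)
echo "effective ExecStart: $EFFECTIVE"
echo "options lost to the override:"
dropped_words "${PACKAGED#ExecStart=}" "$EFFECTIVE"
```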