nspawn: set shared propagation mode for the container

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index c2733a19f81fca0630551d526ce6e0fa2772ff7b..a5d5180727c3003c5949159f063f0a260bf2331a 100644 (file)
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1755,6 +1755,11 @@ static int setup_propagate(const char *root) {
         if (mount(NULL, q, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0)
                 return log_error_errno(errno, "Failed to make propagation mount read-only");
 
+        /* machined will MS_MOVE into that directory, and that's only
+         * supported for non-shared mounts. */
+        if (mount(NULL, q, NULL, MS_SLAVE, NULL) < 0)
+                return log_error_errno(errno, "Failed to make propagation mount slave");
+
         return 0;
 }
 
@@ -2990,6 +2995,15 @@ static int outer_child(
         if (mount(directory, directory, NULL, MS_BIND|MS_REC, NULL) < 0)
                 return log_error_errno(errno, "Failed to make bind mount: %m");
 
+        /* Mark everything as shared so our mounts get propagated down. This is
+         * required to make new bind mounts available in systemd services
+         * inside the containter that create a new mount namespace.
+         * See https://github.com/systemd/systemd/issues/3860
+         * Further submounts (such as /dev) done after this will inherit the
+         * shared propagation mode.*/
+        if (mount(NULL, directory, NULL, MS_SHARED|MS_REC, NULL) < 0)
+                return log_error_errno(errno, "MS_SHARED|MS_REC failed: %m");
+
         r = recursive_chown(directory, arg_uid_shift, arg_uid_range);
         if (r < 0)
                 return r;