This has been tripping up container manager people. Let's document this
explicitly.
(Note that the container interface could really use some updates, i.e.
it was written before a time when cgroup namespacing was a thing. But I
am too lazy to fix that now, so let's just add this one facet.)
confuse systemd and the admin, but also prevent your implementation from
being "stackable".
+8. The mount hierarchy of the container should be mounted `MS_SHARED` before
+ invoking `systemd` as PID 1. Things will break at various places if this is
+ not done. Note that of course it's OK if the mounts are first marked
+ `MS_PRIVATE`/`MS_SLAVE` (to disconnect propagation at least partially) as
+ long as they are remounted `MS_SHARED` before `systemd` is invoked.
+
## Environment Variables
1. To allow systemd (and other programs) to identify that it is executed within
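Review bot: "Things will break at various places if this is not done" leaves the reader without a way to recognise the failure; please name the concrete symptom a container manager would hit, or at least which systemd facility depends on shared propagation, so the rule can be verified rather than taken on faith. Also, "the mount hierarchy ... should be mounted `MS_SHARED`" should say explicitly whether the flag has to be applied recursively: a plain `mount(NULL, "/", NULL, MS_SHARED, NULL)` changes only the root mount, so if the whole tree is meant, write `MS_REC|MS_SHARED` in the text, and state the same for the `MS_PRIVATE`/`MS_SLAVE` step so that remounting shared afterwards is done over the same scope. Minor style: drop "of course" from the note and fold it into the rule, e.g. "It is fine to mark the hierarchy `MS_PRIVATE`/`MS_SLAVE` first ..., as long as it is (recursively) remounted `MS_SHARED` before `systemd` is invoked."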