docs: add comment about requiring the mount hierarchy to be mounted MS_SHARED

This has been tripping up container manager people. let's document this
explicitly.

(Note that the container interface could really use some updates, i.e.
it was written before a time where cgroup namespacing was a thing. But I
am too lazy to fix that now, so let's just add this once facet.)

(cherry picked from commit 32f4e30be58c2d5fabff32efbd4d266ae0d7503d)

diff --git a/docs/CONTAINER_INTERFACE.md b/docs/CONTAINER_INTERFACE.md
index 2a82321881435503f7eef14da81378ea19dd6cec..da5e1985c821199426c54d4be66074d1a9d393eb 100644 (file)
--- a/docs/CONTAINER_INTERFACE.md
+++ b/docs/CONTAINER_INTERFACE.md
@@ -86,6 +86,12 @@ manager, please consider supporting the following interfaces.
    confuse systemd and the admin, but also prevent your implementation from
    being "stackable".
 
+8. The mount hierarchy of the container should be mounted `MS_SHARED` before
+   invoking `systemd` as PID 1. Things will break at various places if this is
+   not done. Note that of course it's OK if the mounts are first marked
+   `MS_PRIVATE`/`MS_SLAVE` (to disconnect propagation at least partially) as
+   long as they are remounted `MS_SHARED` before `systemd` is invoked.
+
 ## Environment Variables
 
 1. To allow systemd (and other programs) to identify that it is executed within