mount-setup: change the system mount propagation to shared by default only at bootup

The commit b3ac5f8cb987 has changed the system mount propagation to
shared by default, and according to the following patch:
https://github.com/opencontainers/runc/pull/208
When starting the container, the pouch daemon will call runc to execute
make-private.

However, if the systemctl daemon-reexec is executed after the container
has been started, the system mount propagation will be changed to share
again by default, and the make-private operation above will have no chance
to execute.

diff --git a/src/core/main.c b/src/core/main.c
index d700b3afc5299d4d6b1f3a81ff5891ad3fe23730..db6521b924d82f09021ea2e95b520bcdf74fa3fa 100644 (file)
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -2581,7 +2581,7 @@ int main(int argc, char *argv[]) {
                 if (!skip_setup)
                         kmod_setup();
 
-                r = mount_setup(loaded_policy);
+                r = mount_setup(loaded_policy, skip_setup);
                 if (r < 0) {
                         error_message = "Failed to mount API filesystems";
                         goto finish;

diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
index 284e3f6b077236cd382db530a4308dd5939d9551..ffe3d4cc64127419d14ca53b36b6843a825d9e1e 100644 (file)
--- a/src/core/mount-setup.c
+++ b/src/core/mount-setup.c
@@ -478,7 +478,7 @@ static int relabel_extra(void) {
 }
 #endif
 
-int mount_setup(bool loaded_policy) {
+int mount_setup(bool loaded_policy, bool leave_propagation) {
         int r = 0;
 
         r = mount_points_setup(ELEMENTSOF(mount_table), loaded_policy);
@@ -524,7 +524,7 @@ int mount_setup(bool loaded_policy) {
          * needed. Note that we set this only when we are invoked directly by the kernel. If we are invoked by a
          * container manager we assume the container manager knows what it is doing (for example, because it set up
          * some directories with different propagation modes). */
-        if (detect_container() <= 0)
+        if (detect_container() <= 0 && !leave_propagation)
                 if (mount(NULL, "/", NULL, MS_REC|MS_SHARED, NULL) < 0)
                         log_warning_errno(errno, "Failed to set up the root directory for shared mount propagation: %m");
 

diff --git a/src/core/mount-setup.h b/src/core/mount-setup.h
index b4ca2cf4b45bf28de8bd124d7746ac51e06c73f7..bccd094961152c996d38acbc7111399723eadcbc 100644 (file)
--- a/src/core/mount-setup.h
+++ b/src/core/mount-setup.h
@@ -4,7 +4,7 @@
 #include <stdbool.h>
 
 int mount_setup_early(void);
-int mount_setup(bool loaded_policy);
+int mount_setup(bool loaded_policy, bool leave_propagation);
 
 int mount_cgroup_controllers(void);