ip/netns: avoid redundant mounts

On Ubuntu 24.04, I observed redundant mounts after adding a netns with
the commands below:

	sudo ip netns add xxx
	cat /proc/self/mountinfo | grep /run

Output:

	29 31 0:26 / /run rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs ...
	...
	203 29 0:26 /netns /run/netns rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs ...
	6443 203 0:4 net:[4026533578] /run/netns/xxx rw shared:917 - nsfs nsfs rw
	6444 29 0:4 net:[4026533578] /run/netns/xxx rw shared:917 - nsfs nsfs rw

There are two mounts (6443 and 6444) related to the "xxx" netns created
above.

This redundancy occurs because systemd changed the default system mount
propagation to "shared" since commit b3ac5f8cb987 ("mount-setup: change
system mount propagation to shared by default"). Consequently, mount
propagation of `/run` is shared.

Link: https://docs.kernel.org/filesystems/sharedsubtree.html
Link: https://github.com/systemd/systemd/commit/b3ac5f8cb98757416d8660023d6564a7c411f0a0
When `ip netns` makes `/run/netns` a mount point, a new bind mount (203)
is created and attached to the same peer group as mount 29. Since mount
29 and 203 are in the same peer group (shared:5), any mount under 203
propagates back to 29, resulting in the redundant mount 6444.

To prevent this, `/run/netns` should be placed in a new peer group. This
can be achieved by reconfiguring `/run/netns` to MS_PRIVATE first, and
then to MS_SHARED again.

With this patch applied, the redundant mount is no longer present, and
`/run/netns` is in a new peer group (917):

	29 31 0:26 / /run rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs ...
	...
	203 29 0:26 /netns /run/netns rw,nosuid,nodev,noexec,relatime shared:917 - tmpfs tmpfs ...
	6443 203 0:4 net:[4026533578] /run/netns/xxx rw shared:918 - nsfs nsfs rw

I also verified that mount propagation to containers remains functional.

Signed-off-by: Chen Linxuan <me@black-desk.cn>
Signed-off-by: David Ahern <dsahern@kernel.org>

diff --git a/ip/ipnetns.c b/ip/ipnetns.c
index a20cd8bc7cb8668a766e5cbf969dc567ac907868..3a33a3adacee31080c3ea9d0a52e455243423a75 100644 (file)
--- a/ip/ipnetns.c
+++ b/ip/ipnetns.c
@@ -846,6 +846,20 @@ static int netns_add(int argc, char **argv, bool create)
                        }
                        return -1;
                }
+
+               /* Reconfigure NETNS_RUN_DIR to MS_PRIVATE recursively and later
+                * MS_SAHRED again to make sure it is placed in a new peer group
+                */
+               if (mount(NETNS_RUN_DIR, NETNS_RUN_DIR, "none", MS_PRIVATE | MS_REC, NULL)) {
+                       fprintf(stderr, "mount --make-private %s failed: %s\n",
+                               NETNS_RUN_DIR, strerror(errno));
+                       if (lock != -1) {
+                               flock(lock, LOCK_UN);
+                               close(lock);
+                       }
+                       return -1;
+               }
+
                made_netns_run_dir_mount = 1;
        }
        if (lock != -1) {