From 6c147f86496c02f1c28315d1e86ea8be08049ceb Mon Sep 17 00:00:00 2001
From: Vivek Goyal
Date: Tue, 25 Oct 2016 11:15:11 -0400
Subject: [PATCH] Make parent mount private before bind mounting rootfs

This reverts part of the commit eb0a144b5e383
That commit introduced two issues.
- We need to make parent mount of rootfs private before bind mounting rootfs. Otherwise bind mounting root can propagate in other mount namespaces. (If parent mount is shared).
- It broke test TestRootfsPropagationSharedMount() on Fedora. On fedora /tmp is a mount point with "shared" propagation. I think you should be able to reproduce it on other distributions as well as long as you mount tmpfs on /tmp and make it "shared" propagation. Reason for failure is that pivot_root() fails. And it fails because kernel does following check.
IS_MNT_SHARED(new_mnt->mnt_parent)
Say /tmp/foo is new rootfs, we have bind mounted rootfs, so new_mnt is /tmp/foo, and new_mnt->mnt_parent is /tmp which is "shared" on fedora and above check fails. So this change broke few things, it is a good idea to revert part of it.

Signed-off-by: Vivek Goyal
---
 libcontainer/rootfs_linux.go | 20 +++++++-------------
 1 file changed, 7 insertions(+), 13 deletions(-)

diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index c8d7ebee33e..294083b5b30 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -563,10 +563,12 @@ func prepareRoot(config *configs.Config) error {
 	if err := syscall.Mount("", "/", "", uintptr(flag), ""); err != nil {
 		return err
 	}
-	if config.NoPivotRoot {
-		if err := rootfsParentMountPrivate(config.Rootfs); err != nil {
-			return err
-		}
+
+	// Make parent mount private to make sure following bind mount does
+	// not propagate in other namespaces. Also it will help with kernel
+	// check pass in pivot_root. (IS_SHARED(new_mnt->mnt_parent))
+	if err := rootfsParentMountPrivate(config.Rootfs); err != nil {
+		return err
 	}
 	return syscall.Mount(config.Rootfs, config.Rootfs, "bind", syscall.MS_BIND|syscall.MS_REC, "")
@@ -617,15 +619,7 @@ func pivotRoot(rootfs string) error {
 	}
 	if err := syscall.PivotRoot(".", "."); err != nil {
-		// Make the parent mount private
-		if err := rootfsParentMountPrivate("."); err != nil {
-			return err
-		}
-
-		// Try again
-		if err := syscall.PivotRoot(".", "."); err != nil {
-			return fmt.Errorf("pivot_root %s", err)
-		}
+		return fmt.Errorf("pivot_root %s", err)
 	}
 	// Currently our "." is oldroot (according to the current kernel code).
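Review bot: The error from the new rootfsParentMountPrivate call in prepareRoot is returned bare, so a failure to make the rootfs parent private is indistinguishable in logs from the syscall.Mount failure two lines above it, even though this is the step that keeps the rootfs bind mount from leaking into other mount namespaces; since fmt is already used in this file, `return fmt.Errorf("making parent mount of %s private: %v", config.Rootfs, err)` would name the step and the path. The added comment also cites `IS_SHARED(new_mnt->mnt_parent)` while the commit message quotes the kernel check as `IS_MNT_SHARED(new_mnt->mnt_parent)`; the two should agree, presumably with the commit message. prepareRoot starts before this hunk, and the hunk's line counts suggest trailing context lines were dropped in rendering, so its end is not visible here either.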
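Review bot: With the retry removed, pivotRoot now relies on prepareRoot having already made the rootfs parent private, but nothing at the failing PivotRoot site records that dependence, so a future reader may reintroduce the in-place retry; a one-line comment above the error return, `// Parent mount is made private in prepareRoot; a shared parent here is a setup bug, not something to retry.`, would pin it. The message itself would read better as `return fmt.Errorf("pivot_root %v", err)`, since `%s` on an error value works only through its Error method. pivotRoot begins and ends outside this hunk.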