Make parent mount private before bind mounting rootfs

rhvgoyal · rhvgoyal · commit 6c147f86496c · 2016-10-25T11:15:11.000-04:00
This reverts part of the commit eb0a144 That commit introduced two issues. - We need to make parent mount of rootfs private before bind mounting rootfs. Otherwise bind mounting root can propagate in other mount namespaces. (If parent mount is shared). - It broke test TestRootfsPropagationSharedMount() on Fedora. On fedora /tmp is a mount point with "shared" propagation. I think you should be able to reproduce it on other distributions as well as long as you mount tmpfs on /tmp and make it "shared" propagation. Reason for failure is that pivot_root() fails. And it fails because kernel does following check. IS_MNT_SHARED(new_mnt->mnt_parent) Say /tmp/foo is new rootfs, we have bind mounted rootfs, so new_mnt is /tmp/foo, and new_mnt->mnt_parent is /tmp which is "shared" on fedora and above check fails. So this change broke few things, it is a good idea to revert part of it. Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
@@ -563,10 +563,12 @@ func prepareRoot(config *configs.Config) error {
 	if err := syscall.Mount("", "/", "", uintptr(flag), ""); err != nil {
 		return err
 	}
-	if config.NoPivotRoot {
-		if err := rootfsParentMountPrivate(config.Rootfs); err != nil {
-			return err
-		}
+
+	// Make parent mount private to make sure following bind mount does
+	// not propagate in other namespaces. Also it will help with kernel
+	// check pass in pivot_root. (IS_SHARED(new_mnt->mnt_parent))
+	if err := rootfsParentMountPrivate(config.Rootfs); err != nil {
+		return err
 	}
 
 	return syscall.Mount(config.Rootfs, config.Rootfs, "bind", syscall.MS_BIND|syscall.MS_REC, "")
@@ -617,15 +619,7 @@ func pivotRoot(rootfs string) error {
 	}
 
 	if err := syscall.PivotRoot(".", "."); err != nil {
-		// Make the parent mount private
-		if err := rootfsParentMountPrivate("."); err != nil {
-			return err
-		}
-
-		// Try again
-		if err := syscall.PivotRoot(".", "."); err != nil {
-			return fmt.Errorf("pivot_root %s", err)
-		}
+		return fmt.Errorf("pivot_root %s", err)
 	}
 
 	// Currently our "." is oldroot (according to the current kernel code).
