RootfsPropagation behavior has changed as of runc 1.2+

[amberrenton]

Hello! First off, thanks so much for reading this.

I will start off by saying that I don't think what I'm observing is a regression, although I believe it may be a side effect of this change:
runc run: fix mount leak #4417

Old version: runc v1.1.9
New version: runc v1.2.2

If I create a container with "rootfsPropagation": "rslave", and a rootfs directory at /foo on the host, I would expect a mount such as /foo/mount to propagate into the container at /mount. However, with #4417, the container's rootfs is fully isolated.

Repro Steps

1. runc spec
2. Edit config.json to contain "rootfsPropagation": "rslave"
3. strace -f -e unshare,clone,mount,pivot_root,chdir,fchdir runc run strace-test

With runc v1.1.9:

...
[pid 336920] unshare(CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWNET) = 0
[pid 336920] clone(child_stack=0x7ffe32543ad0, flags=CLONE_PARENT|SIGCHLDstrace: Process 336921 attached
) = 336921
[pid 336921] mount("", "/", 0xc0000bf2a4, MS_REC|MS_SLAVE, NULL) = 0
[pid 336921] mount("/home/test/rootfs", "/home/test/rootfs", 0xc0000bf2a5, MS_BIND|MS_REC, NULL) = 0
[pid 336921] mount("proc", "/proc/self/fd/7", "proc", 0, NULL) = 0
[pid 336921] mount("tmpfs", "/proc/self/fd/7", "tmpfs", MS_NOSUID|MS_STRICTATIME, "mode=0755,mode=755,size=65536k") = 0
[pid 336921] mount("devpts", "/proc/self/fd/7", "devpts", MS_NOSUID|MS_NOEXEC, "newinstance,ptmxmode=0666,mode=0"...) = 0
[pid 336921] mount("shm", "/proc/self/fd/7", "tmpfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, "mode=1777,size=65536k") = 0
[pid 336921] mount("mqueue", "/proc/self/fd/7", "mqueue", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = 0
[pid 336921] mount("sysfs", "/proc/self/fd/7", "sysfs", MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = 0
...

With runc v1.2.2:

...
[pid 1241343] unshare(CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWNET) = 0
[pid 1241343] clone(child_stack=0x7fffba91dfd0, flags=CLONE_PARENT|SIGCHLDstrace: Process 1241344 attached
[pid 1241342] unshare(CLONE_FS) = 0
[pid 1241344] mount("", "/", 0xc0001df5dc, MS_REC|MS_SLAVE, NULL) = 0
[pid 1241344] mount("", "/home/test/rootfs", 0xc0001df5de, MS_PRIVATE, NULL) = 0
[pid 1241344] mount("/home/test/rootfs", "/home/test/rootfs", 0xc0001df5f0, MS_BIND|MS_REC, NULL) = 0
[pid 1241344] mount("proc", "/proc/thread-self/fd/9", "proc", 0, NULL) = 0
[pid 1241344] mount("tmpfs", "/proc/thread-self/fd/9", "tmpfs", MS_NOSUID|MS_STRICTATIME, "mode=0755,mode=755,size=65536k") = 0
[pid 1241344] mount("devpts", "/proc/thread-self/fd/9", "devpts", MS_NOSUID|MS_NOEXEC, "newinstance,ptmxmode=0666,mode=0"...) = 0
[pid 1241344] mount("shm", "/proc/thread-self/fd/9", "tmpfs", MS_NOSUID|MS_NODEV|MS_NOEXEC, "mode=1777,size=65536k") = 0
[pid 1241344] mount("mqueue", "/proc/thread-self/fd/9", "mqueue", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = 0
[pid 1241344] mount("sysfs", "/proc/thread-self/fd/9", "sysfs", MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = 0
...

With runc v1.2.2, an extra mount is unconditionally performed with just the MS_PRIVATE flag. My understanding - which is pretty rough and may be incorrect - is that this removes it from its peer group, and as a result, it no longer receives propagated events from the rootfs mountpoint on the host. With runc v1.1.9, this extra mount isn't performed, and the container's root directory continues receiving propagated mount events.

Using ctr to start a sample container with the same rslave rootfs propagation setting, the difference is illustrated in the propagation flags (from within the container):

With runc v1.1.9

(inside container) findmnt -o SOURCE,TARGET,PROPAGATION
SOURCE                   TARGET                  PROPAGATION
overlay                  /                       private,slave
proc                     |-/proc                 private
proc[/bus]               | |-/proc/bus           private
proc[/fs]                | |-/proc/fs            private
proc[/irq]               | |-/proc/irq           private
proc[/sys]               | |-/proc/sys           private
...

With runc v1.2.2

(inside container) findmnt -o SOURCE,TARGET,PROPAGATION
SOURCE                   TARGET                  PROPAGATION
overlay                  /                       private
proc                     |-/proc                 private
proc[/bus]               | |-/proc/bus           private
proc[/fs]                | |-/proc/fs            private
proc[/irq]               | |-/proc/irq           private
proc[/sys]               | |-/proc/sys           private

---

With all of this said, as far as I know, there is no way to work around the change in behavior. Is propagation of mounts from the host to the container (specifically the container root filesystem) still a supported scenario? If so, does anyone have any pointers on how to get that working again? Thank you so much!

[glaming1]

Just wanted to comment on this in case it helps to bring this to the top! Any insights here would be appreciated