From b029e442b2eeb4807feaa60f5d8ea7fe30c03c5a Mon Sep 17 00:00:00 2001
From: Julio Montes
Date: Wed, 5 Dec 2018 12:25:36 -0600
Subject: [PATCH] virtcontainers: set private propagation in rootfs

When overlay is used as storage driver, kata runtime creates a new bind mount point to the merged directory, that way this directory can be shared with the VM through 9p. By default the mount propagation is shared, that means mount events are propagated, but umount events not, to deal with this problem and to avoid left mount points in the host once container finishes, the mount propagation of bind mounts should be set to private.

Depends-on: github.com/kata-containers/tests#971

fixes #794

Signed-off-by: Julio Montes
---
 virtcontainers/mount.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/virtcontainers/mount.go b/virtcontainers/mount.go
index a9a0350ef..69567331f 100644
--- a/virtcontainers/mount.go
+++ b/virtcontainers/mount.go
@@ -248,10 +248,16 @@ func bindMount(ctx context.Context, source, destination string, readonly bool) e
 	if err := ensureDestinationExists(absSource, destination); err != nil {
 		return fmt.Errorf("Could not create destination mount point %v: %v", destination, err)
-	} else if err := syscall.Mount(absSource, destination, "bind", syscall.MS_BIND, ""); err != nil {
+	}
+
+	if err := syscall.Mount(absSource, destination, "bind", syscall.MS_BIND, ""); err != nil {
 		return fmt.Errorf("Could not bind mount %v to %v: %v", absSource, destination, err)
 	}
 
+	if err := syscall.Mount("none", destination, "", syscall.MS_PRIVATE, ""); err != nil {
+		return fmt.Errorf("Could not make mount point %v private: %v", destination, err)
+	}
+
 	// For readonly bind mounts, we need to remount with the readonly flag.
 	// This is needed as only very recent versions of libmount/util-linux support "bind,ro"
 	if readonly {