virtcontainers: simplify read-only mount handling

Current handling of read-only mounts is a little tricky.
However, a clearer solution can be used here:
  1. make a private ro bind mount at privateDest to the mount source
  2. make a bind mount at mountDest to the mount created in step 1
  3. umount the private bind mount created in step 1
One important aspect is that the mount in step 2 is duplicated from
the one we created in step 1. So the MS_RDONLY flag is properly
preserved in all mounts created in the propagtion.

Fixes: #2205

Depends-on: github.com/kata-containers/tests#4106

Signed-off-by: Yujia Qiao <rapiz3142@gmail.com>

src/runtime/virtcontainers/container.go

@@ -463,25 +463,21 @@ func (c *Container) shareFiles(ctx context.Context, m Mount, idx int) (string, b
 			// For RO mounts, bindmount remount event is not propagated to mount subtrees,
 			// and it doesn't present in the virtiofsd standalone mount namespace either.
 			// So we end up a bit tricky:
-			// 1. make a private bind mount to the mount source
-			// 2. make another ro bind mount on the private mount
-			// 3. move the ro bind mount to mountDest
-			// 4. umount the private bind mount created in step 1
+			// 1. make a private ro bind mount to the mount source
+			// 2. duplicate the ro mount we create in step 1 to mountDest, by making a bind mount. No need to remount with MS_RDONLY here.
+			// 3. umount the private bind mount created in step 1
 			privateDest := filepath.Join(getPrivatePath(c.sandboxID), filename)
-			if err := bindMount(c.ctx, m.Source, privateDest, false, "private"); err != nil {
+
+			if err := bindMount(c.ctx, m.Source, privateDest, true, "private"); err != nil {
 				return "", false, err
 			}
 			defer func() {
 				syscall.Unmount(privateDest, syscall.MNT_DETACH|UmountNoFollow)
 			}()
-			if err := bindMount(c.ctx, privateDest, privateDest, true, "private"); err != nil {
-				return "", false, err
-			}
-			if err := moveMount(c.ctx, privateDest, mountDest); err != nil {
-				return "", false, err
-			}
 
-			syscall.Unmount(privateDest, syscall.MNT_DETACH|UmountNoFollow)
+			if err := bindMount(c.ctx, privateDest, mountDest, false, "private"); err != nil {
+				return "", false, err
+			}
 		}
 		// Save HostPath mount value into the mount list of the container.
 		c.mounts[idx].HostPath = mountDest

src/runtime/virtcontainers/mount.go

@@ -242,22 +242,6 @@ func evalMountPath(source, destination string) (string, string, error) {
 	return absSource, destination, nil
 }
 
-// moveMount moves a mountpoint to another path with some bookkeeping:
-// * evaluate all symlinks
-// * ensure the source exists
-// * recursively create the destination
-func moveMount(ctx context.Context, source, destination string) error {
-	span, _ := katatrace.Trace(ctx, nil, "moveMount", mountTracingTags)
-	defer span.End()
-
-	source, destination, err := evalMountPath(source, destination)
-	if err != nil {
-		return err
-	}
-
-	return syscall.Mount(source, destination, "move", syscall.MS_MOVE, "")
-}
-
 // bindMount bind mounts a source in to a destination. This will
 // do some bookkeeping:
 // * evaluate all symlinks