From da8d776c088b943a380e4a061f226a946ccf4c27 Mon Sep 17 00:00:00 2001 From: Vivek Goyal Date: Thu, 1 Oct 2015 17:03:02 -0400 Subject: [PATCH] Make pivotDir rprivate pivotDir is the one where pivot_root() call puts the old root. We will unmount pivotDir() and delete it. Previously we were making / always rslave or rprivate. That will mean that pivotDir() could never have mounts which would be shared with parent mount namespace. That also means that unmounting pivotDir() was safe and none of the unmount will propagate to parent namespace and unmount things which we did not want to. But now user can specify that apply private, shared, slave on /. That means some of the mounts we inherited from parent could be shared and that also means if we umount pivotDir/, those mounts will get unmounted in parent too. That's not what we want. Instead make pivotDir rprivate so that unmounts don't propagate back to parent. Signed-off-by: Vivek Goyal
---
 libcontainer/rootfs_linux.go | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index c93d7849..147c93d6 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -545,6 +545,13 @@ func pivotRoot(rootfs, pivotBaseDir string) error {
 }
 // path to pivot dir now changed, update
 pivotDir = filepath.Join(pivotBaseDir, filepath.Base(pivotDir))
+
+ // Make pivotDir rprivate to make sure any of the unmounts don't
+ // propagate to parent.
+ if err := syscall.Mount("", pivotDir, "", syscall.MS_PRIVATE|syscall.MS_REC, ""); err != nil {
+ return err
+ }
+
 if err := syscall.Unmount(pivotDir, syscall.MNT_DETACH); err != nil {
 return fmt.Errorf("unmount pivot_root dir %s", err)
 }
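Review bot: The new `syscall.Mount` failure path returns the bare `err`, while the `Unmount` right below it wraps its error with the step name, so a failure here reaches the caller as an unlabelled errno; `return fmt.Errorf("make pivot_root dir %s rprivate: %s", pivotDir, err)` would match the neighbouring style. Since this remount is what keeps the later `MNT_DETACH` from unmounting shared mounts in the parent namespace, the comment could also say that it must stay ahead of the unmount. It is worth weighing `syscall.MS_SLAVE|syscall.MS_REC` as well: it also stops propagation towards the parent, but still lets the parent's own unmounts reach the old root until it is detached — whether that matters depends on host-side users of those mounts, which the hunk does not show. pivotRoot's body begins and ends outside the hunk.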