author | Alban Crequy <alban@kinvolk.io> | 2016-10-01 10:58:56 +0200 |
---|---|---|
committer | Alban Crequy <alban@kinvolk.io> | 2016-10-03 14:19:27 +0200 |
commit | 19caffac75a2590a0c5ebc2a0214960f8188aec7 (patch) | |
tree | 0ccba09bd99a17cec31dc436ae2a769867dbc523 | |
parent | a63ee40751ee3cae053470f4e0fb0016fbc40f25 (diff) |
nspawn: set shared propagation mode for the container
-rw-r--r-- | src/nspawn/nspawn.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index c2733a19f8..a5d5180727 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1755,6 +1755,11 @@ static int setup_propagate(const char *root) {
 if (mount(NULL, q, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0)
 return log_error_errno(errno, "Failed to make propagation mount read-only");
+ /* machined will MS_MOVE into that directory, and that's only
+ * supported for non-shared mounts. */
+ if (mount(NULL, q, NULL, MS_SLAVE, NULL) < 0)
+ return log_error_errno(errno, "Failed to make propagation mount slave");
+
 return 0;
 }
@@ -2990,6 +2995,15 @@ static int outer_child(
 if (mount(directory, directory, NULL, MS_BIND|MS_REC, NULL) < 0)
 return log_error_errno(errno, "Failed to make bind mount: %m");
+ /* Mark everything as shared so our mounts get propagated down. This is
+ * required to make new bind mounts available in systemd services
+ * inside the containter that create a new mount namespace.
+ * See https://github.com/systemd/systemd/issues/3860
+ * Further submounts (such as /dev) done after this will inherit the
+ * shared propagation mode.*/
+ if (mount(NULL, directory, NULL, MS_SHARED|MS_REC, NULL) < 0)
+ return log_error_errno(errno, "MS_SHARED|MS_REC failed: %m");
+
 r = recursive_chown(directory, arg_uid_shift, arg_uid_range);
 if (r < 0)
 return r; |
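Review bot: The comment on the new MS_SLAVE call in setup_propagate says what machined needs but not why the mount is shared in the first place; if setup_propagate runs after the recursive MS_SHARED mark added to outer_child in the second hunk (the call order is not visible here), `q` inherits shared mode and this call is what undoes it, an ordering dependency the comment should record so it is not broken by a later reshuffle. Suggested wording: `/* q inherits shared propagation from the MS_SHARED|MS_REC mark on the container root. machined will MS_MOVE into this directory, and that is only supported for non-shared mounts, so turn it into a slave here. */`. The new error string also drops the `%m` suffix that the other log_error_errno calls in this commit carry; log_error_errno is passed errno anyway, so this is a style inconsistency rather than a lost diagnostic. setup_propagate's body starts before this hunk.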
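Review bot: The MS_SHARED|MS_REC mark in outer_child makes every mount under `directory` a member of a fresh peer group, and peer-group propagation is bidirectional, so mounts the container's init later performs in its own mount namespace will also appear in outer_child's namespace, not only the downward direction the comment describes. That is presumably harmless only because outer_child has already unshared its mount namespace before this point (outside the hunk), which the comment should state explicitly so nobody moves this call earlier; it should also fix the typo `containter`. Suggested addition to the comment: `Note that propagation within the peer group is bidirectional: mounts made inside the container also propagate back into this (already unshared) namespace.`. The error string `"MS_SHARED|MS_REC failed: %m"` names the flags rather than the intent; `"Failed to mark container mounts shared: %m"` would match the neighbouring `"Failed to make bind mount: %m"`. outer_child's body continues outside the hunk.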