summaryrefslogtreecommitdiff
path: root/src/nspawn
diff options
context:
space:
mode:
Diffstat (limited to 'src/nspawn')
-rw-r--r--src/nspawn/nspawn.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index c2733a19f8..a5d5180727 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1755,6 +1755,11 @@ static int setup_propagate(const char *root) {
if (mount(NULL, q, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0)
return log_error_errno(errno, "Failed to make propagation mount read-only");
+ /* machined will MS_MOVE into that directory, and that's only
+ * supported for non-shared mounts. */
+ if (mount(NULL, q, NULL, MS_SLAVE, NULL) < 0)
+ return log_error_errno(errno, "Failed to make propagation mount slave");
+
return 0;
}
@@ -2990,6 +2995,15 @@ static int outer_child(
if (mount(directory, directory, NULL, MS_BIND|MS_REC, NULL) < 0)
return log_error_errno(errno, "Failed to make bind mount: %m");
+ /* Mark everything as shared so our mounts get propagated down. This is
+ * required to make new bind mounts available in systemd services
+ * inside the containter that create a new mount namespace.
+ * See https://github.com/systemd/systemd/issues/3860
+ * Further submounts (such as /dev) done after this will inherit the
+ * shared propagation mode.*/
+ if (mount(NULL, directory, NULL, MS_SHARED|MS_REC, NULL) < 0)
+ return log_error_errno(errno, "MS_SHARED|MS_REC failed: %m");
+
r = recursive_chown(directory, arg_uid_shift, arg_uid_range);
if (r < 0)
return r;