diff options
author | Wen Yang <wenyang@linux.alibaba.com> | 2020-03-23 10:42:46 +0800 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2020-04-09 10:14:20 +0200 |
commit | f74349d88bb039a134b225653e8e59d04af4bb7f (patch) | |
tree | 909fe333e5a3cdff2e24b1e4250d00cca5042dfc | |
parent | ca03142040f944385c9561cb9c030a64535a2e86 (diff) | |
download | systemd-f74349d88bb039a134b225653e8e59d04af4bb7f.tar.gz |
mount-setup: change the system mount propagation to shared by default only at bootup
The commit b3ac5f8cb987 has changed the system mount propagation to
shared by default, and according to the following patch:
https://github.com/opencontainers/runc/pull/208
When starting the container, the pouch daemon will call runc to execute
make-private.
However, if the systemctl daemon-reexec is executed after the container
has been started, the system mount propagation will be changed to share
again by default, and the make-private operation above will have no chance
to execute.
-rw-r--r-- | src/core/main.c | 2 | ||||
-rw-r--r-- | src/core/mount-setup.c | 4 | ||||
-rw-r--r-- | src/core/mount-setup.h | 2 |
3 files changed, 4 insertions, 4 deletions
diff --git a/src/core/main.c b/src/core/main.c index d700b3afc5..db6521b924 100644 --- a/src/core/main.c +++ b/src/core/main.c @@ -2581,7 +2581,7 @@ int main(int argc, char *argv[]) { if (!skip_setup) kmod_setup(); - r = mount_setup(loaded_policy); + r = mount_setup(loaded_policy, skip_setup); if (r < 0) { error_message = "Failed to mount API filesystems"; goto finish; diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c index 284e3f6b07..ffe3d4cc64 100644 --- a/src/core/mount-setup.c +++ b/src/core/mount-setup.c @@ -478,7 +478,7 @@ static int relabel_extra(void) { } #endif -int mount_setup(bool loaded_policy) { +int mount_setup(bool loaded_policy, bool leave_propagation) { int r = 0; r = mount_points_setup(ELEMENTSOF(mount_table), loaded_policy); @@ -524,7 +524,7 @@ int mount_setup(bool loaded_policy) { * needed. Note that we set this only when we are invoked directly by the kernel. If we are invoked by a * container manager we assume the container manager knows what it is doing (for example, because it set up * some directories with different propagation modes). */ - if (detect_container() <= 0) + if (detect_container() <= 0 && !leave_propagation) if (mount(NULL, "/", NULL, MS_REC|MS_SHARED, NULL) < 0) log_warning_errno(errno, "Failed to set up the root directory for shared mount propagation: %m"); diff --git a/src/core/mount-setup.h b/src/core/mount-setup.h index b4ca2cf4b4..bccd094961 100644 --- a/src/core/mount-setup.h +++ b/src/core/mount-setup.h @@ -4,7 +4,7 @@ #include <stdbool.h> int mount_setup_early(void); -int mount_setup(bool loaded_policy); +int mount_setup(bool loaded_policy, bool leave_propagation); int mount_cgroup_controllers(void); |