Mounting /run as a bind causes container to be unstartable #16305

Closed
expers-vis opened this issue Oct 26, 2022 · 1 comment
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@expers-vis

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Trying to mount the /run directory results in the container being created, but starting it fails with the message below.

This happens regardless of running the command with these options:

  • running as root
  • using --privileged option
  • relabeling with z/Z
  • disabling SELinux separation with --security-opt label=disable

Steps to reproduce the issue:

  1. podman run -d --mount type=bind,src=/run/,target=/run/,shared busybox
  2. podman start -l (optionally to verify)

Describe the results you received:

The container is created, and inspect shows that /run is bind-mounted, but the container cannot be started, with a message saying:
Error: unable to start container "<container-id>": crun: mount /run/containers/storage/overlay-containers//userdata/run/secretsto/run/secrets: No such file or directory: OCI runtime attempted to invoke a command that was not found

Describe the results you expected:

The container is created with /run bind-mounted and runs without problems.

Output of podman version:

Client:       Podman Engine
Version:      4.2.0
API Version:  4.2.0
Go Version:   go1.18.4
Built:        Mon Aug 22 08:28:20 2022
OS/Arch:      linux/amd64

Output of podman info:

host:
  arch: amd64
  buildahVersion: 1.27.0
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.4-1.el9.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.4, commit: a957ea31915f9437e7b96a5696f433bdf39fdc83'
  cpuUtilization:
    idlePercent: 97.72
    systemPercent: 0.87
    userPercent: 1.42
  cpus: 16
  distribution:
    distribution: '"centos"'
    version: "9"
  eventLogger: journald
  hostname: cs9-podman.novalocal
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.14.0-171.el9.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 452857856
  memTotal: 16496238592
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.5-1.el9.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.5
      commit: 54ebb8ca8bf7e6ddae2eb919f5b82d1d96863dea
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_NET_RAW,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /bin/slirp4netns
    package: slirp4netns-1.2.0-2.el9.x86_64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.2
  swapFree: 0
  swapTotal: 0
  uptime: 149h 26m 40.00s (Approximately 6.21 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  quay.io:
    Blocked: false
    Insecure: false
    Location: quay.io
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: quay.io
    PullFromMirror: ""
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 23
    paused: 0
    running: 23
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 42938118144
  graphRootUsed: 18187579392
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 33
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.2.0
  Built: 1661171300
  BuiltTime: Mon Aug 22 08:28:20 2022
  GitCommit: ""
  GoVersion: go1.18.4
  Os: linux
  OsArch: linux/amd64
  Version: 4.2.0

Package info (e.g. output of rpm -q podman or apt list podman or brew info podman):

podman-4.2.0-3.el9.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

The virtual machine used is deployed in an OpenStack cloud.

@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Oct 26, 2022
@giuseppe
Member

giuseppe commented Nov 2, 2022

When you specify shared, all the mounts created in the container are propagated to the host.

The first time you run the command, the /run/secrets mount is leaked on the host; you can verify it with findmnt -R /run on the host.

The second time the command fails because /run/secrets is a tmpfs.

You either need to drop shared or make sure /run/secrets is always unmounted when the container terminates.
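
The leak described in the comment above can be audited on the host with findmnt. The following script is an added example, not code from the issue or from the Podman project: it reads findmnt output (the column set TARGET,FSTYPE,PROPAGATION and the container id in the sample are assumptions of this example) and reports every mount left behind under Podman's runRoot, /run/containers/storage, as shown in the podman info output above.

```shell
#!/bin/sh
# Added example, not code from the issue or from Podman: audit the host's /run
# for mounts that a container propagated out through "shared" and never removed.
# Input is the output of `findmnt -rn -R /run -o TARGET,FSTYPE,PROPAGATION`
# (this column set is an assumption of the example). Against a live host:
#   findmnt -rn -R /run -o TARGET,FSTYPE,PROPAGATION | leaked_mounts

# Constructed sample output; the container id "ab12cd34ef56" is a placeholder.
SAMPLE_FINDMNT='/run tmpfs shared
/run/user/1000 tmpfs shared
/run/podman tmpfs shared
/run/containers/storage/overlay-containers/ab12cd34ef56/userdata/run/secrets tmpfs shared'

# runRoot reported by `podman info` on this page.
PODMAN_RUN_ROOT=/run/containers/storage

# Print the TARGET of every mount below runRoot. Those are the per-container
# /run views Podman assembles; once the container has exited they should not
# exist on the host, so each one listed here is a leaked mount.
leaked_mounts() {
    awk -v root="${1:-$PODMAN_RUN_ROOT}" \
        'BEGIN { p = root "/" } index($1, p) == 1 { print $1 }'
}

# Exit 0 if TARGET ($1) is currently a mount point in the listing on stdin.
# This is the condition behind the second failing `podman run ... shared`:
# crun cannot set up /run/secrets over a tmpfs still there from the last run.
is_mounted() {
    awk -v t="$1" '$1 == t { found = 1 } END { exit !found }'
}

# Emit the umount commands, deepest path first, without executing anything.
umount_plan() {
    leaked_mounts "$@" | awk '{ print length($0), $0 }' | sort -rn |
        cut -d' ' -f2- | sed 's/^/umount /'
}

printf '%s\n' "$SAMPLE_FINDMNT" | umount_plan
```

Dropping shared from the --mount option, as the comment says, avoids the propagation in the first place; the audit above is for hosts where it has already happened.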

@giuseppe giuseppe closed this as completed Nov 2, 2022
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 11, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 11, 2023