cannot bind mount without recursion #22107

martinetd · 2024-03-21T07:15:00Z

Issue Description

The documentation claims volumes are not mounted recursively:

To recursively mount a volume and all of its submounts into a
<<container|pod>>, use the **rbind** option. By default the bind option is
used, and submounts of the source directory is not mounted into the
<<container|pod>>.

But it looks like rbind is the default, and since flags look like they are additive in the code I have not been able to find a way to disable MS_REC to make it work non-recursively.

Steps to reproduce the issue

as root
mkdir -p /tmp/podman/submount; mount -t tmpfs tmpfs /tmp/podman/submount
podman run --rm -v /tmp/podman:/tmp/podman docker.io/alpine df | grep tmp/podman

tmpfs                 16314932   1233404  15081528   8% /tmp/podman
tmpfs                 16314932         0  16314932   0% /tmp/podman/submount

Describe the results you received

submount was listed despite not specifying rbind for the volume

Describe the results you expected

submount should not be present

podman info output

host:
  arch: amd64
  buildahVersion: 1.28.2
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon_2.1.6+ds1-1_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.6, commit: unknown'
  cpuUtilization:
    idlePercent: 70.7
    systemPercent: 27.2
    userPercent: 2.1
  cpus: 8
  distribution:
    codename: bookworm
    distribution: debian
    version: "12"
  eventLogger: journald
  hostname: xxx
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.1.0-15-amd64
  linkmode: dynamic
  logDriver: journald
  memFree: 956264448
  memTotal: 33412980736
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun_1.8.1-1+deb12u1_amd64
    path: /usr/bin/crun
    version: |-
      crun version 1.8.1
      commit: f8a096be060b22ccd3d5f3ebe44108517fbf6c30
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: true
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_1.2.0-1_amd64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 42930176
  swapTotal: 8594124800
  uptime: 2233h 52m 23.00s (Approximately 93.04 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries: {}
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 2
    paused: 0
    running: 1
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 536870912000
  graphRootUsed: 287099006976
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 16
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.3.1
  Built: 0
  BuiltTime: Thu Jan  1 09:00:00 1970
  GitCommit: ""
  GoVersion: go1.19.8
  Os: linux
  OsArch: linux/amd64
  Version: 4.3.1

Podman in a container

No

Privileged Or Rootless

Privileged

Upstream Latest Release

No

Additional environment details

(sorry, can't run podman 5.0.0 on debian bookworm because go version is too old, but I didn't see any code change around that and the behaviour has been the same since at least podman 3...)

Additional information

Running with strace one can see MS_REC is being set:

[pid 2320956] mount("/tmp/podman", "/proc/self/fd/10", 0x5573b36ec0c6, MS_NOSUID|MS_NODEV|MS_BIND|MS_REC, 0x5573b3d12880) = 0

Trying various flags like :bind has no impact, so it's like rbind is the default despite being documented otherwise.

The text was updated successfully, but these errors were encountered:

when the "bind" option is used, do not use the "rprivate" propagation as it would inhibit the effect of "bind", instead default to "private". Closes: containers#22107 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

giuseppe · 2024-03-21T10:35:14Z

opened a PR:

util: use private propagation with bind #22110

martinetd added the kind/bug Categorizes issue or PR as related to a bug. label Mar 21, 2024

giuseppe mentioned this issue Mar 21, 2024

util: use private propagation with bind #22110

Merged

openshift-merge-bot bot closed this as completed in #22110 Mar 21, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

cannot bind mount without recursion #22107

cannot bind mount without recursion #22107

martinetd commented Mar 21, 2024 •

edited

giuseppe commented Mar 21, 2024

cannot bind mount without recursion #22107

cannot bind mount without recursion #22107

Comments

martinetd commented Mar 21, 2024 • edited

Issue Description

Steps to reproduce the issue

Describe the results you received

Describe the results you expected

podman info output

Podman in a container

Privileged Or Rootless

Upstream Latest Release

Additional environment details

Additional information

giuseppe commented Mar 21, 2024

martinetd commented Mar 21, 2024 •

edited