Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cannot bind mount without recursion #22107

Closed
martinetd opened this issue Mar 21, 2024 · 1 comment · Fixed by #22110
Closed

cannot bind mount without recursion #22107

martinetd opened this issue Mar 21, 2024 · 1 comment · Fixed by #22110
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@martinetd
Copy link

martinetd commented Mar 21, 2024

Issue Description

The documentation claims volumes are not mounted recursively:

To recursively mount a volume and all of its submounts into a
<<container|pod>>, use the **rbind** option. By default the bind option is
used, and submounts of the source directory is not mounted into the
<<container|pod>>.

But it looks like rbind is the default, and since flags look like they are additive in the code I have not been able to find a way to disable MS_REC to make it work non-recursively.

Steps to reproduce the issue

Steps to reproduce the issue

  1. as root
  2. mkdir -p /tmp/podman/submount; mount -t tmpfs tmpfs /tmp/podman/submount
  3. podman run --rm -v /tmp/podman:/tmp/podman docker.io/alpine df | grep tmp/podman
tmpfs                 16314932   1233404  15081528   8% /tmp/podman
tmpfs                 16314932         0  16314932   0% /tmp/podman/submount

Describe the results you received

submount was listed despite not specifying rbind for the volume

Describe the results you expected

submount should not be present

podman info output

host:
  arch: amd64
  buildahVersion: 1.28.2
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon_2.1.6+ds1-1_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.6, commit: unknown'
  cpuUtilization:
    idlePercent: 70.7
    systemPercent: 27.2
    userPercent: 2.1
  cpus: 8
  distribution:
    codename: bookworm
    distribution: debian
    version: "12"
  eventLogger: journald
  hostname: xxx
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.1.0-15-amd64
  linkmode: dynamic
  logDriver: journald
  memFree: 956264448
  memTotal: 33412980736
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun_1.8.1-1+deb12u1_amd64
    path: /usr/bin/crun
    version: |-
      crun version 1.8.1
      commit: f8a096be060b22ccd3d5f3ebe44108517fbf6c30
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: true
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_1.2.0-1_amd64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 42930176
  swapTotal: 8594124800
  uptime: 2233h 52m 23.00s (Approximately 93.04 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries: {}
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 2
    paused: 0
    running: 1
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 536870912000
  graphRootUsed: 287099006976
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 16
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.3.1
  Built: 0
  BuiltTime: Thu Jan  1 09:00:00 1970
  GitCommit: ""
  GoVersion: go1.19.8
  Os: linux
  OsArch: linux/amd64
  Version: 4.3.1

Podman in a container

No

Privileged Or Rootless

Privileged

Upstream Latest Release

No

Additional environment details

(sorry, can't run podman 5.0.0 on debian bookworm because go version is too old, but I didn't see any code change around that and the behaviour has been the same since at least podman 3...)

Additional information

Running with strace one can see MS_REC is being set:

[pid 2320956] mount("/tmp/podman", "/proc/self/fd/10", 0x5573b36ec0c6, MS_NOSUID|MS_NODEV|MS_BIND|MS_REC, 0x5573b3d12880) = 0

Trying various flags like :bind has no impact, so it's like rbind is the default despite being documented otherwise.

@martinetd martinetd added the kind/bug Categorizes issue or PR as related to a bug. label Mar 21, 2024
giuseppe added a commit to giuseppe/libpod that referenced this issue Mar 21, 2024
when the "bind" option is used, do not use the "rprivate" propagation
as it would inhibit the effect of "bind", instead default to "private".

Closes: containers#22107

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe
Copy link
Member

@stale-locking-app stale-locking-app bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Jun 20, 2024
@stale-locking-app stale-locking-app bot locked as resolved and limited conversation to collaborators Jun 20, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants