rootless: check that / is mounted as shared

if the root mount '/' is not mounted as MS_SHARED, print a warning, otherwise new mounts that are created in the host won't be propagated to the rootless mount namespace. Closes: https://github.com/containers/podman/issues/10946 [NO TESTS NEEDED] Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2021-07-27 12:17:22 +02:00 · 2021-07-27 12:17:22 +02:00 · 67d439197e
parent d7b2f03f8a
commit 67d439197e
1 changed files with 20 additions and 0 deletions
--- a/pkg/rootless/rootless_linux.go
+++ b/pkg/rootless/rootless_linux.go
@ -14,11 +14,13 @@ import (
 	"os/user"
 	"runtime"
 	"strconv"
+	"strings"
 	"sync"
 	"unsafe"

 	"github.com/containers/podman/v3/pkg/errorhandling"
 	"github.com/containers/storage/pkg/idtools"
+	pmount "github.com/containers/storage/pkg/mount"
 	"github.com/containers/storage/pkg/unshare"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@ -235,6 +237,24 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo
 		return false, 0, nil
 	}

+	if mounts, err := pmount.GetMounts(); err == nil {
+		for _, m := range mounts {
+			if m.Mountpoint == "/" {
+				isShared := false
+				for _, o := range strings.Split(m.Optional, ",") {
+					if strings.HasPrefix(o, "shared:") {
+						isShared = true
+						break
+					}
+				}
+				if !isShared {
+					logrus.Warningf("%q is not a shared mount, this could cause issues or missing mounts with rootless containers", m.Mountpoint)
+				}
+				break
+			}
+		}
+	}
+
 	cPausePid := C.CString(pausePid)
 	defer C.free(unsafe.Pointer(cPausePid))