From 821c2e13289c19cf8c187d29be5bca4b09f79c44 Mon Sep 17 00:00:00 2001 From: Johannes Schauer Marin Rodrigues Date: Sun, 2 Jun 2024 07:44:17 +0200 Subject: [PATCH] In unshare mode, make all mounts private recursively This emulates what unshare(1) does by default or by passing --propagation=private explicitly. Mounting and unmounting filesystems will affect mounts outside the namespace which are marked as shared (see last column of `findmnt -o+PROPAGATION`). Since mmdebstrap's goal is to isolate the mounts in the new namespace, we perform the equivalent of mount(NULL, "/", MS_REC | MS_PRIVATE, NULL); from util-linux/sys-utils/unshare.c:set_propagation() which is in shell: mount --make-rprivate / See mount_namespaces(7) for details. Without setting this, unmounting /sys (and its sub-mounts) in unshare mode as root user will also unmount the sub-mounts of /sys on the outside of the namespace. This breaks tests/unshare-as-root-user which will fail to shut down with the following errors in the log: [FAILED] Failed unmounting mnt.mount - /mnt. [FAILED] Failed unmounting run-lock.mount - Legacy Locks Directory /run/lock. [...] [ OK ] Reached target poweroff.target - System Power Off. Afterwards it will stall indefinitely. Stopping mmdebstrap from messing with the /sys mounts on the outside stops this behaviour and allows to cleanly shut down the virtual machine. Thanks: Helmut Grohne --- mmdebstrap | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mmdebstrap b/mmdebstrap index 538ea02..d35a9d8 100755 --- a/mmdebstrap +++ b/mmdebstrap @@ -1177,6 +1177,8 @@ sub setup_mounts { eval { if (any { $_ eq $options->{mode} } ('root', 'unshare')) { + 0 == system('mount', "--make-rprivate", "/") + or warning("mount --make-rprivate / failed: $?"); # if more than essential should be installed, make the system look # more like a real one by creating or bind-mounting the device # nodes