Merge pull request #214 from endlessm/T35640-var-slave-shared

switchroot: Stop making /sysroot mount private

src/libostree/ostree-impl-system-generator.c

@@ -216,6 +216,15 @@ fstab_generator (const char *ostree_cmdline, const char *normal_dir, const char
    *
    * Note that our unit doesn't run if systemd.volatile is enabled;
    * see https://github.com/ostreedev/ostree/pull/856
+   *
+   * To avoid having submounts of /var propagate into $stateroot/var, the mount
+   * is made with slave+shared propagation. This means that /var will receive
+   * mount events from the parent /sysroot mount, but not vice versa. Adding a
+   * shared peer group below the slave group means that submounts of /var will
+   * inherit normal shared propagation. See mount_namespaces(7), Linux
+   * Documentation/filesystems/sharedsubtree.txt and
+   * https://github.com/ostreedev/ostree/issues/2086. This also happens in
+   * ostree-prepare-root.c for the INITRAMFS_MOUNT_VAR case.
    */
   if (!g_output_stream_printf (outstream, &bytes_written, cancellable, error,
                                "##\n# Automatically generated by ostree-system-generator\n##\n\n"
@@ -227,7 +236,7 @@ fstab_generator (const char *ostree_cmdline, const char *normal_dir, const char
                                "[Mount]\n"
                                "Where=%s\n"
                                "What=%s\n"
-                               "Options=bind\n",
+                               "Options=bind,slave,shared\n",
                                var_path, stateroot_var_path))
     return FALSE;
   if (!g_output_stream_flush (outstream, cancellable, error))

src/switchroot/ostree-prepare-root.c

@@ -492,6 +492,16 @@ main (int argc, char *argv[])
     {
       if (mount ("../../var", TMP_SYSROOT "/var", NULL, MS_BIND | MS_SILENT, NULL) < 0)
         err (EXIT_FAILURE, "failed to bind mount ../../var to var");
+
+      /* To avoid having submounts of /var propagate into $stateroot/var, the
+       * mount is made with slave+shared propagation. See the comment in
+       * ostree-impl-system-generator.c when /var isn't mounted in the
+       * initramfs for further explanation.
+       */
+      if (mount (NULL, TMP_SYSROOT "/var", NULL, MS_SLAVE | MS_SILENT, NULL) < 0)
+        err (EXIT_FAILURE, "failed to change /var to slave mount");
+      if (mount (NULL, TMP_SYSROOT "/var", NULL, MS_SHARED | MS_SILENT, NULL) < 0)
+        err (EXIT_FAILURE, "failed to change /var to slave+shared mount");
     }
 
   /* We only stamp /run now if we're running in an initramfs, i.e. we're
@@ -551,17 +561,6 @@ main (int argc, char *argv[])
         }
     }
 
-  /* The /sysroot mount needs to be private to avoid having a mount for e.g. /var/cache
-   * also propagate to /sysroot/ostree/deploy/$stateroot/var/cache
-   *
-   * Now in reality, today this is overridden by systemd: the *actual* way we fix this up
-   * is in ostree-remount.c.  But let's do it here to express the semantics we want
-   * at the very start (perhaps down the line systemd will have compile/runtime option
-   * to say that the initramfs environment did everything right from the start).
-   */
-  if (mount ("none", "sysroot", NULL, MS_PRIVATE | MS_SILENT, NULL) < 0)
-    err (EXIT_FAILURE, "remounting 'sysroot' private");
-
   if (running_as_pid1)
     {
       execl ("/sbin/init", "/sbin/init", NULL);

src/switchroot/ostree-remount.c

@@ -86,15 +86,6 @@ main (int argc, char *argv[])
    */
   touch_run_ostree ();
 
-  /* The /sysroot mount needs to be private to avoid having a mount for e.g. /var/cache
-   * also propagate to /sysroot/ostree/deploy/$stateroot/var/cache
-   *
-   * Today systemd remounts / (recursively) as shared, so we're undoing that as early
-   * as possible.  See also a copy of this in ostree-prepare-root.c.
-   */
-  if (mount ("none", "/sysroot", NULL, MS_REC | MS_PRIVATE, NULL) < 0)
-    perror ("warning: While remounting /sysroot MS_PRIVATE");
-
   bool root_is_composefs = false;
   struct stat stbuf;
   if (fstatat (AT_FDCWD, _OSTREE_COMPOSEFS_ROOT_STAMP, &stbuf, 0) == 0)