aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatthew Heon <mheon@redhat.com>2020-08-10 14:33:52 -0400
committerMatthew Heon <mheon@redhat.com>2020-08-11 09:53:36 -0400
commita064cfc99ba4f0e8d3a13ddeea76718f9e50b14e (patch)
tree8369dcf135c09ce7d832aaee50fdf77f78cb5190
parent6d3075a6c79a6e761c183e0d5e6aa239fad21b63 (diff)
downloadpodman-a064cfc99ba4f0e8d3a13ddeea76718f9e50b14e.tar.gz
podman-a064cfc99ba4f0e8d3a13ddeea76718f9e50b14e.tar.bz2
podman-a064cfc99ba4f0e8d3a13ddeea76718f9e50b14e.zip
Ensure correct propagation for cgroupsv1 systemd cgroup
On cgroups v1 systems, we need to mount /sys/fs/cgroup/systemd into the container. We were doing this with no explicit mount propagation tag, which means that, under some circumstances, the shared mount propagation could be chosen - which, combined with the fact that we need a mount to mask /sys/fs/cgroup/systemd/release_agent in the container, means we would leak a never-ending set of mounts under /sys/fs/cgroup/systemd/ on container restart. Fortunately, the fix is very simple - hardcode mount propagation to something that won't leak. Signed-off-by: Matthew Heon <mheon@redhat.com>
-rw-r--r--libpod/container_internal_linux.go2
1 files changed, 1 insertions, 1 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 9fb9738dc..e2bc4e50f 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -626,7 +626,7 @@ func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) erro
Destination: "/sys/fs/cgroup/systemd",
Type: "bind",
Source: "/sys/fs/cgroup/systemd",
- Options: []string{"bind", "nodev", "noexec", "nosuid"},
+ Options: []string{"bind", "nodev", "noexec", "nosuid", "rslave"},
}
g.AddMount(systemdMnt)
g.AddLinuxMaskedPaths("/sys/fs/cgroup/systemd/release_agent")