set root propagation based on volume properties

Set the root propagation based on the properties of volumes and default
mounts.  To remain compatibility, follow the semantics of Docker.  If a
volume is shared, keep the root propagation shared which works for slave
and private volumes too.  For slave volumes, it can either be shared or
rshared.  Do not change the root propagation for private volumes and
stick with the default.

Fixes: #1834
Signed-off-by: Valentin Rothberg <vrothberg@suse.com>

3 files changed, 48 insertions, 1 deletions

diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index e6071945d..93bd23b55 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -347,8 +347,34 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 	// Mounts need to be sorted so paths will not cover other paths
 	mounts := sortMounts(g.Mounts())
 	g.ClearMounts()
+
+	// Determine property of RootPropagation based on volume properties. If
+	// a volume is shared, then keep root propagation shared. This should
+	// work for slave and private volumes too.
+	//
+	// For slave volumes, it can be either [r]shared/[r]slave.
+	//
+	// For private volumes any root propagation value should work.
+	rootPropagation := ""
 	for _, m := range mounts {
 		g.AddMount(m)
+		for _, opt := range m.Options {
+			switch opt {
+			case MountShared, MountRShared:
+				if rootPropagation != MountShared && rootPropagation != MountRShared {
+					rootPropagation = MountShared
+				}
+			case MountSlave, MountRSlave:
+				if rootPropagation != MountShared && rootPropagation != MountRShared && rootPropagation != MountSlave && rootPropagation != MountRSlave {
+					rootPropagation = MountRSlave
+				}
+			}
+		}
+	}
+
+	if rootPropagation != "" {
+		logrus.Debugf("set root propagation to %q", rootPropagation)
+		g.SetLinuxRootPropagation(rootPropagation)
 	}
 	return g.Config, nil
 }
diff --git a/libpod/mounts_linux.go b/libpod/mounts_linux.go
new file mode 100644
index 000000000..e6aa09eac
--- /dev/null
+++ b/libpod/mounts_linux.go
@@ -0,0 +1,18 @@
+// +build linux
+
+package libpod
+
+const (
+	// MountPrivate represents the private mount option.
+	MountPrivate = "private"
+	// MountRPrivate represents the rprivate mount option.
+	MountRPrivate = "rprivate"
+	// MountShared represents the shared mount option.
+	MountShared = "shared"
+	// MountRShared represents the rshared mount option.
+	MountRShared = "rshared"
+	// MountSlave represents the slave mount option.
+	MountSlave = "slave"
+	// MountRSlave represents the rslave mount option.
+	MountRSlave = "rslave"
+)
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index beb408fd4..ff166f466 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -609,7 +609,10 @@ USER mail`
 		session := podmanTest.Podman([]string{"run", "--volume", vol1 + ":/myvol1:z", "--volume", vol2 + ":/myvol2:shared,z", fedoraMinimal, "findmnt", "-o", "TARGET,PROPAGATION"})
 		session.WaitWithDefaultTimeout()
 		Expect(session.ExitCode()).To(Equal(0))
-		match, _ := session.GrepString("shared")
+		match, shared := session.GrepString("shared")
 		Expect(match).Should(BeTrue())
+		// make sure it's only shared (and not 'shared,slave')
+		isSharedOnly := !strings.Contains(shared[0], "shared,")
+		Expect(isSharedOnly).Should(BeTrue())
 	})
 })