From 34696c55e91294442325ff0d78af84945d3e955f Mon Sep 17 00:00:00 2001
From: umohnani8
Date: Mon, 27 Nov 2017 13:17:42 -0500
Subject: Add Linux Root Propagation to kpod create and run

Add [r]shared, [r]private, [r]slave functionality to the --volume flag for kpod create and kpod run
This sets the root propagation for each bind mount

Signed-off-by: umohnani8

Closes: #87
Approved by: rhatdan
---
 cmd/kpod/spec.go | 34 ++++++++++++++++++++++++----------
 cmd/kpod/spec_test.go | 2 +-
 test/kpod_run.bats | 13 +++++--------
 3 files changed, 30 insertions(+), 19 deletions(-)

diff --git a/cmd/kpod/spec.go b/cmd/kpod/spec.go
index b2a439a9b..5d6fe8879 100644
--- a/cmd/kpod/spec.go
+++ b/cmd/kpod/spec.go
@@ -300,6 +300,16 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 return nil, errors.Wrapf(err, "error getting volume mounts")
 }
 configSpec.Mounts = append(configSpec.Mounts, mounts...)
+ for _, mount := range configSpec.Mounts {
+ for _, opt := range mount.Options {
+ switch opt {
+ case "private", "rprivate", "slave", "rslave", "shared", "rshared":
+ if err := g.SetLinuxRootPropagation(opt); err != nil {
+ return nil, errors.Wrapf(err, "error setting root propagation for %q", mount.Destination)
+ }
+ }
+ }
+ }
 // HANDLE CAPABILITIES
 if err := setupCapabilities(config, configSpec); err != nil {
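Review bot: `g.SetLinuxRootPropagation(opt)` is invoked once per matching option of every mount, but it writes a single container-wide field (the rootfs propagation, if it maps to `linux.rootfsPropagation` as the name suggests), not a per-mount property, so the last entry in `configSpec.Mounts` silently wins: since GetVolumeMounts now appends `rprivate` to any volume without an explicit flag, `-v a:/a:shared -v b:/b` ends with a private rootfs, while a single `shared` volume flips the whole container root to shared, which would let mounts performed inside the container propagate back to the host. The per-mount propagation is already carried by the option left in `mount.Options`, where the runtime applies it; the rootfs setting should be derived once as the least restrictive propagation any mount requires and left at the generator default when every mount is private. `createConfigToOCISpec` starts and ends outside this hunk.
```go
	configSpec.Mounts = append(configSpec.Mounts, mounts...)
	// Rootfs propagation is one container-wide setting, so derive it from the
	// least restrictive propagation any mount asks for instead of letting the
	// last mount's option overwrite the previous ones. Per-mount propagation
	// stays in mount.Options, where the runtime applies it.
	var rootProp string
	for _, mount := range configSpec.Mounts {
		for _, opt := range mount.Options {
			switch opt {
			case "shared", "rshared":
				rootProp = opt
			case "slave", "rslave":
				if rootProp == "" {
					rootProp = opt
				}
			}
		}
	}
	if rootProp != "" {
		if err := g.SetLinuxRootPropagation(rootProp); err != nil {
			return nil, errors.Wrapf(err, "error setting root propagation to %q", rootProp)
		}
	}
	// … unchanged: capability handling …
```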
@@ -442,24 +452,25 @@ func (c *createConfig) GetVolumeMounts() ([]spec.Mount, error) {
 options = strings.Split(spliti[2], ",")
 }
 options = append(options, "rbind")
- // var foundrw, foundro,
- var foundz, foundZ bool
+ var foundrw, foundro, foundz, foundZ bool
+ var rootProp string
 for _, opt := range options {
 switch opt {
- // case "rw":
- // foundrw = true
- // case "ro":
- // foundro = true
+ case "rw":
+ foundrw = true
+ case "ro":
+ foundro = true
 case "z":
 foundz = true
 case "Z":
 foundZ = true
+ case "private", "rprivate", "slave", "rslave", "shared", "rshared":
+ rootProp = opt
 }
 }
- // if !foundro && !foundrw {
- // // rw option is default
- // options = append(options, "rw")
- // }
+ if !foundrw && !foundro {
+ options = append(options, "rw")
+ }
 if foundz {
 if err := label.Relabel(spliti[0], c.mountLabel, true); err != nil {
 return nil, errors.Wrapf(err, "relabel failed %q", spliti[0])
@@ -470,6 +481,9 @@ func (c *createConfig) GetVolumeMounts() ([]spec.Mount, error) {
 return nil, errors.Wrapf(err, "relabel failed %q", spliti[0])
 }
 }
+ if rootProp == "" {
+ options = append(options, "rprivate")
+ }
 m = append(m, spec.Mount{
 Destination: spliti[1],
diff --git a/cmd/kpod/spec_test.go b/cmd/kpod/spec_test.go
index 1eedb0e2a..799d6b235 100644
--- a/cmd/kpod/spec_test.go
+++ b/cmd/kpod/spec_test.go
@@ -13,7 +13,7 @@ func TestCreateConfig_GetVolumeMounts(t *testing.T) {
 Destination: "/foobar",
 Type: "bind",
 Source: "foobar",
- Options: []string{"ro", "rbind"},
+ Options: []string{"ro", "rbind", "rprivate"},
 }
 config := createConfig{
 volumes: []string{"foobar:/foobar:ro"},
diff --git a/test/kpod_run.bats b/test/kpod_run.bats
index 09a66b874..ccbeaac6c 100644
--- a/test/kpod_run.bats
+++ b/test/kpod_run.bats
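Review bot: The new `rw`/`ro` and propagation cases only record what they saw; nothing rejects contradictory input, so `-v src:dst:ro,rw` forwards both `ro` and `rw` to the runtime, and `shared,rslave` forwards both flags while `rootProp` keeps whichever came last. After the loop add `if foundrw && foundro { return nil, errors.Errorf("invalid volume options %q: ro and rw are mutually exclusive", spliti[2]) }`, and in the propagation case put `if rootProp != "" { return nil, errors.Errorf("invalid volume options %q: only one propagation flag may be given", spliti[2]) }` before `rootProp = opt` (the file already uses `errors.Wrapf`, presumably from pkg/errors, which also provides `Errorf`). Tokens matching no case are passed through untouched, which is presumably intended for ordinary mount options but means a typo such as `rshred` is never reported. GetVolumeMounts starts before this hunk and continues past it.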
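Review bot: The `rprivate` default is added without a word on why, and it is the one security-relevant choice in this function; a comment such as `// No propagation requested: default to rprivate so mount events under this bind never propagate between container and host.` above the `if rootProp == ""` would keep the intent from being lost in a later edit. Be aware that this defaulted `rprivate` is also seen by the root-propagation loop in createConfigToOCISpec, which treats every mount's propagation option as a rootfs-wide setting. GetVolumeMounts starts before this hunk and continues past it.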
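Review bot: The updated expectation pins only the defaulted `rprivate`; nothing exercises an explicit propagation flag or the new `rw` default, both of which are new behaviour in this commit. A second case with `volumes: []string{"foobar:/foobar:shared"}` should expect `Options: []string{"shared", "rbind", "rw"}` (no `rprivate`), and, if two-field volumes are accepted by the parsing above the hunk, `"foobar:/foobar"` should expect `[]string{"rbind", "rw", "rprivate"}`. TestCreateConfig_GetVolumeMounts starts before this hunk and continues past it.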
@@ -125,16 +125,13 @@ IMAGE="docker.io/library/fedora:latest"
 }
 @test "kpod run with volume flag" {
- run bash -c "${KPOD_BINARY} ${KPOD_OPTIONS} run -v ${MOUNT_PATH}:/run/test ${FEDORA_MINIMAL} cat /proc/self/mountinfo | grep '${MOUNT_PATH} /run/test rw,relatime'"
+ run bash -c "${KPOD_BINARY} ${KPOD_OPTIONS} run -v ${MOUNT_PATH}:/run/test ${BB} cat /proc/self/mountinfo | grep '${MOUNT_PATH} /run/test rw,relatime'"
 echo $output
 [ "$status" -eq 0 ]
- run bash -c "${KPOD_BINARY} ${KPOD_OPTIONS} run -v ${MOUNT_PATH}:/run/test:ro ${FEDORA_MINIMAL} cat /proc/self/mountinfo | grep '${MOUNT_PATH} /run/test ro,relatime'"
+ run bash -c "${KPOD_BINARY} ${KPOD_OPTIONS} run -v ${MOUNT_PATH}:/run/test:ro ${BB} cat /proc/self/mountinfo | grep '${MOUNT_PATH} /run/test ro,relatime'"
+ echo $output
+ [ "$status" -eq 0 ]
+ run bash -c "${KPOD_BINARY} ${KPOD_OPTIONS} run -v ${MOUNT_PATH}:/run/test:shared ${BB} cat /proc/self/mountinfo | grep '${MOUNT_PATH} /run/test rw,relatime shared:'"
 echo $output
 [ "$status" -eq 0 ]
- #run bash -c "${KPOD_BINARY} ${KPOD_OPTIONS} run -v ${MOUNT_PATH}:/run/test:shared ${FEDORA_MINIMAL} cat /proc/self/mountinfo | grep '${MOUNT_PATH} /run/test rw,relatime shared:'"
- #echo $output
- #[ "$status" -eq 0 ]
- #run bash -c "${KPOD_BINARY} ${KPOD_OPTIONS} run -v ${MOUNT_PATH}:/run/test:rslave ${FEDORA_MINIMAL} cat /proc/self/mountinfo | grep '${MOUNT_PATH} /run/test rw,relatime master:'"
- #echo $output
- #[ "$status" -eq 0 ]
 }
-- cgit v1.2.3-54-g00ecf
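Review bot: The new `shared` assertion greps for `shared:` in the container's mountinfo, which only appears when the host side of `${MOUNT_PATH}` already sits on a shared mount (the usual case under systemd, where `/` is rshared, but not guaranteed on every CI host), so a failure here may be an environment issue rather than a propagation bug; the test should either establish that precondition (for example `mount --make-rshared` on a dedicated tmpfs used as `MOUNT_PATH`) or skip when it does not hold. The previously commented-out `rslave` case is dropped instead of re-enabled, leaving slave propagation without coverage: add `run bash -c "${KPOD_BINARY} ${KPOD_OPTIONS} run -v ${MOUNT_PATH}:/run/test:rslave ${BB} cat /proc/self/mountinfo | grep '${MOUNT_PATH} /run/test rw,relatime master:'"` followed by the same `echo $output` and `[ "$status" -eq 0 ]` pair.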