From a064cfc99ba4f0e8d3a13ddeea76718f9e50b14e Mon Sep 17 00:00:00 2001
From: Matthew Heon <mheon@redhat.com>
Date: Mon, 10 Aug 2020 14:33:52 -0400
Subject: Ensure correct propagation for cgroupsv1 systemd cgroup

On cgroups v1 systems, we need to mount /sys/fs/cgroup/systemd
into the container. We were doing this with no explicit mount
propagation tag, which means that, under some circumstances, the
shared mount propagation could be chosen - which, combined with
the fact that we need a mount to mask
/sys/fs/cgroup/systemd/release_agent in the container, means we
would leak a never-ending set of mounts under
/sys/fs/cgroup/systemd/ on container restart.

Fortunately, the fix is very simple - hardcode mount propagation
to something that won't leak.

Signed-off-by: Matthew Heon <mheon@redhat.com>
---
 libpod/container_internal_linux.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 9fb9738dc..e2bc4e50f 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -626,7 +626,7 @@ func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) erro
 			Destination: "/sys/fs/cgroup/systemd",
 			Type:        "bind",
 			Source:      "/sys/fs/cgroup/systemd",
-			Options:     []string{"bind", "nodev", "noexec", "nosuid"},
+			Options:     []string{"bind", "nodev", "noexec", "nosuid", "rslave"},
 		}
 		g.AddMount(systemdMnt)
 		g.AddLinuxMaskedPaths("/sys/fs/cgroup/systemd/release_agent")
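Review bot: The `"rslave"` entry added on the `Options:` line has no comment saying why propagation is pinned, so a later cleanup of the option list could drop it and bring back the mount leak under /sys/fs/cgroup/systemd described in the commit message. I would add above that line: `// rslave: mounts created for the container (e.g. the release_agent mask) must never propagate back to the host's cgroup hierarchy.` With `rslave`, host-side mount events under this path still propagate into the container; if that is not needed, `rprivate` would isolate both directions, and the comment should say which behaviour is intended. setupSystemd begins and ends outside this hunk, so whether the other mounts it adds need an explicit propagation option as well cannot be checked from here.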
-- 
cgit v1.2.3-54-g00ecf