Ensure correct propagation for cgroupsv1 systemd cgroup

On cgroups v1 systems, we need to mount /sys/fs/cgroup/systemd into the container. We were doing this with no explicit mount propagation tag, which means that, under some circumstances, the shared mount propagation could be chosen - which, combined with the fact that we need a mount to mask /sys/fs/cgroup/systemd/release_agent in the container, means we would leak a never-ending set of mounts under /sys/fs/cgroup/systemd/ on container restart. Fortunately, the fix is very simple - hardcode mount propagation to something that won't leak. Signed-off-by: Matthew Heon <[email protected]>
QiWang19 · Aug 11, 2020 · a064cfc · a064cfc
1 parent 6d3075a
commit a064cfc
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
@@ -626,7 +626,7 @@ func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) erro
 			Destination: "/sys/fs/cgroup/systemd",
 			Type:        "bind",
 			Source:      "/sys/fs/cgroup/systemd",
-			Options:     []string{"bind", "nodev", "noexec", "nosuid"},
+			Options:     []string{"bind", "nodev", "noexec", "nosuid", "rslave"},
 		}
 		g.AddMount(systemdMnt)
 		g.AddLinuxMaskedPaths("/sys/fs/cgroup/systemd/release_agent")