
core: add comment why we don't bother with MS_SHARED remounting of / in containers

This commit is contained in:
Lennart Poettering 2016-12-08 10:51:32 +01:00
parent 289cb4d5cd
commit dee22f3970


@ -360,7 +360,6 @@ int mount_setup(bool loaded_policy) {
int r = 0; int r = 0;
r = mount_points_setup(ELEMENTSOF(mount_table), loaded_policy); r = mount_points_setup(ELEMENTSOF(mount_table), loaded_policy);
if (r < 0) if (r < 0)
return r; return r;
@ -391,25 +390,24 @@ int mount_setup(bool loaded_policy) {
* udevd. */ * udevd. */
dev_setup(NULL, UID_INVALID, GID_INVALID); dev_setup(NULL, UID_INVALID, GID_INVALID);
/* Mark the root directory as shared in regards to mount /* Mark the root directory as shared in regards to mount propagation. The kernel defaults to "private", but we
* propagation. The kernel defaults to "private", but we think * think it makes more sense to have a default of "shared" so that nspawn and the container tools work out of
* it makes more sense to have a default of "shared" so that * the box. If specific setups need other settings they can reset the propagation mode to private if
* nspawn and the container tools work out of the box. If * needed. Note that we set this only when we are invoked directly by the kernel. If we are invoked by a
* specific setups need other settings they can reset the * container manager we assume the container manager knows what it is doing (for example, because it set up
* propagation mode to private if needed. */ * some directories with different propagation modes). */
if (detect_container() <= 0) if (detect_container() <= 0)
if (mount(NULL, "/", NULL, MS_REC|MS_SHARED, NULL) < 0) if (mount(NULL, "/", NULL, MS_REC|MS_SHARED, NULL) < 0)
log_warning_errno(errno, "Failed to set up the root directory for shared mount propagation: %m"); log_warning_errno(errno, "Failed to set up the root directory for shared mount propagation: %m");
/* Create a few directories we always want around, Note that /* Create a few directories we always want around, Note that sd_booted() checks for /run/systemd/system, so
* sd_booted() checks for /run/systemd/system, so this mkdir * this mkdir really needs to stay for good, otherwise software that copied sd-daemon.c into their sources will
* really needs to stay for good, otherwise software that * misdetect systemd. */
* copied sd-daemon.c into their sources will misdetect
* systemd. */
(void) mkdir_label("/run/systemd", 0755); (void) mkdir_label("/run/systemd", 0755);
(void) mkdir_label("/run/systemd/system", 0755); (void) mkdir_label("/run/systemd/system", 0755);
(void) mkdir_label("/run/systemd/inaccessible", 0000);
/* Set up inaccessible items */ /* Set up inaccessible items */
(void) mkdir_label("/run/systemd/inaccessible", 0000);
(void) mknod("/run/systemd/inaccessible/reg", S_IFREG | 0000, 0); (void) mknod("/run/systemd/inaccessible/reg", S_IFREG | 0000, 0);
(void) mkdir_label("/run/systemd/inaccessible/dir", 0000); (void) mkdir_label("/run/systemd/inaccessible/dir", 0000);
(void) mknod("/run/systemd/inaccessible/chr", S_IFCHR | 0000, makedev(0, 0)); (void) mknod("/run/systemd/inaccessible/chr", S_IFCHR | 0000, makedev(0, 0));
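Review bot: The rewritten comment now promises that the MS_REC|MS_SHARED remount of / is done "only when we are invoked directly by the kernel", but the guard `if (detect_container() <= 0)` also takes the branch when detect_container() fails with a negative error, so a detection failure inside a container would still override whatever propagation the container manager set up. Either tighten the check to `if (detect_container() == 0)` or make the fallback explicit in the comment, e.g. `/* ... A detection error is treated like "not a container", i.e. the remount is still attempted. */`, so the comment and the condition agree. mount_setup() begins before the first hunk and continues past the end of this one, and the rendering does not show which side the moved `(void) mkdir_label("/run/systemd/inaccessible", 0000);` line belongs to, so that part is not reviewed here.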