fix(rootfs): Ensure the container's rootfs has MS_SHARED flag

cmainas · cmainas · commit f71e10ab8d8d · 2026-05-04T10:49:18.000Z
Ensure that the container's rootfs has the MS_SHARED propagation flag. THis is necessary in order to propagate any unmounts that might happen later (e.g. in the case of block-based snapshots which are attached to the sandbox) in the mount peer groups (i.e. in the initial mount namespace). THere is no problem to do that for every rootfs, because reexec will later cut off the propagation during the preparation of the monitor;s rootfs. In the future though, we need to move this up in the shim. PR: #572 Signed-off-by: Charalampos Mainas <cmainas@nubificus.co.uk> Reviewed-by: Anastassios Nanos <ananos@nubificus.co.uk> Approved-by: Anastassios Nanos <ananos@nubificus.co.uk>
diff --git a/pkg/unikontainers/unikontainers.go b/pkg/unikontainers/unikontainers.go
@@ -136,9 +136,33 @@ func Get(containerID string, rootDir string) (*Unikontainer, error) {
 // creates the Unikernel base directory and
 // saves the state.json file with the current Unikernel state
 func (u *Unikontainer) InitialSetup() error {
+	bundleDir := filepath.Clean(u.State.Bundle)
+	rootfsDir := filepath.Clean(u.Spec.Root.Path)
+	rootfsDir, err := resolveAgainstBase(bundleDir, rootfsDir)
+	if err != nil {
+		uniklog.Errorf("could not resolve rootfs directory %s: %v", rootfsDir, err)
+		return err
+	}
+
+	// Ensure the container's rootfs has the correct propagation flag
+	// so if we unmount it later, it gets unmounted from other mount peer
+	// groups too. We do that regardless of the type of the container's
+	// rootfs (e.g. block-based, overlay) abd this is ok, because we later
+	// cut off all propagation from reexec.
+	// TODO: Move this to the shim, when we finally make it.
+	err = unix.Mount("", rootfsDir, "", unix.MS_SHARED|unix.MS_REC, "")
+	if err != nil && !errors.Is(err, unix.EINVAL) {
+		// An EINVAL error is fine, because it means that the
+		// rootfs is not really a mountpoint. This could be the case when
+		// using urunc directly from its cli and the rootfs is a normal
+		// directory
+		uniklog.Errorf("could not set propagation flag as shared for container's rootfs: %v", err)
+		return err
+	}
+
 	u.State.Status = specs.StateCreating
 	// FIXME: should we really create this base dir
-	err := os.MkdirAll(u.BaseDir, 0o755)
+	err = os.MkdirAll(u.BaseDir, 0o755)
 	if err != nil {
 		return err
 	}
