Bug#739593: systemd makes / shared by default
Tomas Pospisek
tpo at sourcepole.ch
Fri Feb 13 14:19:08 GMT 2015
On Mon, 9 Feb 2015, Christoph Berg wrote:
> Re: Tomas Pospisek 2015-02-08 <alpine.DEB.2.11.1502081748110.2557 at hier>
>> Hello all,
>>
>> there's more fallout from the change of the default that makes bind mounts
>> share submounts (as introduced by systemd) instead of the previous default
>> that kept them private (as given by the linux kernel).
>>
>> I have a variety of chroot systems that go like this:
>>
>> sudo mount --rbind /dev $CHROOT/dev
>> sudo mount -t tmpfs tmpfs $CHROOT/run/shm
>
> I think you need to execute the above in a "unshare -m" environment to
> get disconnected from the / mount namespace.
That's not sufficient though, you'll still need to sing the special:
mount --make-rslave (or --make-rprivate)
incantation as documented in the unshare man page. In the end I think
making "unshare -m" do that magic incantation by itself as considered
somewhere on the util-linux mailing list (don't have the refernce at hand)
would be best here.
> The weird part is that you can tweak some "global" options *locally*.
>
> But yes, it's hilarious that we need to take care about this stuff...
The current semantics are really absurd, unexpected and surprising and
allthough I can understand and agree with (or that's what I believe)
Lenart's argument for changing it, I think finally the change of default
was a mistake since it's in crass contrast to the principle of least
surprise.
As a consequence it makes us all less safe I think, since whatever is done
inside the bind mount or the changeroot or the unshared namespace will
have influence on the parent if one forgets to do the extra dance
to disconnect the mount from the parent.
I'm pondering bringing this up in both d-d and to have it documented in
the release notes. But currently I simply don't have the time to follow
through with this.
*t
More information about the Pkg-systemd-maintainers
mailing list