Bug#739593: systemd makes / shared by default

Tomas Pospisek tpo at sourcepole.ch
Fri Feb 13 14:19:08 GMT 2015


On Mon, 9 Feb 2015, Christoph Berg wrote:

> Re: Tomas Pospisek 2015-02-08 <alpine.DEB.2.11.1502081748110.2557 at hier>
>> Hello all,
>>
>> there's more fallout from the change of the default that makes bind mounts
>> share submounts (as introduced by systemd) instead of the previous default
>> that kept them private (as given by the linux kernel).
>>
>> I have a variety of chroot systems that go like this:
>>
>>   sudo mount --rbind /dev $CHROOT/dev
>>   sudo mount -t tmpfs tmpfs $CHROOT/run/shm
>
> I think you need to execute the above in a "unshare -m" environment to
> get disconnected from the / mount namespace.

That's not sufficient though, you'll still need to sing the special:

   mount --make-rslave (or --make-rprivate)

incantation as documented in the unshare man page. In the end I think 
making "unshare -m" do that magic incantation by itself as considered 
somewhere on the util-linux mailing list (don't have the refernce at hand) 
would be best here.

> The weird part is that you can tweak some "global" options *locally*.
>
> But yes, it's hilarious that we need to take care about this stuff...

The current semantics are really absurd, unexpected and surprising and 
allthough I can understand and agree with (or that's what I believe) 
Lenart's argument for changing it, I think finally the change of default 
was a mistake since it's in crass contrast to the principle of least 
surprise.

As a consequence it makes us all less safe I think, since whatever is done 
inside the bind mount or the changeroot or the unshared namespace will 
have influence on the parent if one forgets to do the extra dance 
to disconnect the mount from the parent.

I'm pondering bringing this up in both d-d and to have it documented in 
the release notes. But currently I simply don't have the time to follow 
through with this.
*t



More information about the Pkg-systemd-maintainers mailing list