Bug 1010673

Summary: PrivateTmp keeps the whole filesystem as MS_SLAVE
Product: [Fedora] Fedora
Reporter: Etsuji Nakai <enakai>
Component: systemd
Assignee: systemd-maint
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 19
CC: johannbg, lnykryn, msekleta, plautrba, systemd-maint, vpavlin, zbyszek
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-19 18:45:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Etsuji Nakai 2013-09-22 11:59:51 UTC
Description of problem:

Under the current F19 kernel, once a filesystem is marked as MS_SLAVE, it cannot be converted to MS_SHARED again. I filed the bz entry 1010669 for that:

https://bugzilla.redhat.com/show_bug.cgi?id=1010669

I'm not yet sure if this is the intended behavior or not. But anyway, because of this, the following code for the PrivateTmp mechanism doesn't work as intended.

src/core/namespace.c
------
    203 int setup_namespace(char** read_write_dirs,
...
    245         /* Remount / as SLAVE so that nothing now mounted in the namespace
    246            shows up in the parent */
    247         if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0)
    248                 return -errno;
...
    262         /* Remount / as the desired mode */
    263         if (mount(NULL, "/", NULL, mount_flags | MS_REC, NULL) < 0) {
                                        /* mount_flags = MS_SHARED for default */
    264                 r = -errno;
    265                 goto undo_mounts;
    266         }
------

Although / is remounted as MS_SHARED in line 263, / still behaves as MS_SLAVE. If you bind-mount some directory from the daemon running under PrivateTmp, the bind-mount cannot be seen from other processes.

I checked it with the following simple service.

/etc/systemd/system/test.service
------------------
[Unit]
Description=PrivateTmp option test

[Service]
ExecStart=/root/bin/test.sh
PrivateTmp=true

[Install]
WantedBy=multi-user.target
------------------

/root/bin/test.sh
------------------
#!/bin/sh
mkdir -p /root/bind
mount --bind /tmp /root/bind
sleep 120
umount /root/bind
------------------

If PrivateTmp=false,
------------------
# systemctl start test.service
# ls /root/bind       ## /root/bind is bound to /tmp outside the daemon.
yum_save_tx.2013-09-22.04-53.Cu432Q.yumtx
------------------

If PrivateTmp=true,
------------------
# systemctl start test.service
# ls /root/bind       ## /root/bind is _not_ bound to /tmp outside the daemon.
------------------

Version-Release number of selected component (if applicable):

# rpm -q systemd
systemd-204-15.fc19.x86_64

Comment 2 Trevor Cordes 2014-01-20 13:40:32 UTC
Would this also cause a service (say httpd) that was started with PrivateTmp=true to keep using a private tmp even when changed to PrivateTmp=false and daemon-reload and httpd stop / start?  I'm seeing such behavior and can't explain it.  Thanks

Comment 4 Lennart Poettering 2014-06-18 09:36:41 UTC
If you use PrivateTmp= then mount propagation from the service to the host is disabled. Sandboxes set up like that must have MS_SLAVE, and the host must have MS_SHARED for PrivateTmp= to work (PrivateDevices= and the others, the same).
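The state the report and Comment 4 describe (host root shared, service root a slave of it, the service's bind mount absent from the host) can be verified from outside the service by reading /proc/1/mountinfo and /proc/<service pid>/mountinfo and classifying the optional propagation tags (shared:N, master:N, propagate_from:N, unbindable). The following is an added example, not code from the bug report or from systemd; the two mountinfo texts, the peer-group numbers and the path /systemd-private-EXAMPLE/tmp are constructed to mirror the reporter's test.service setup.

```python
"""Classify mount propagation from /proc/<pid>/mountinfo and check that a
PrivateTmp=true service is set up the way Comment 4 describes: the host's /
is shared, the service's / is a slave of that peer group, the service's /tmp
is a different subtree than the host's, and a bind mount made inside the
service does not show up on the host.

Added example; the sample data below is constructed, not captured.
"""
from typing import Dict, List, Optional

# Constructed sample of /proc/1/mountinfo on the host: peer groups 1..3 are shared.
HOST_MOUNTINFO = """\
20 1 253:0 / / rw,relatime shared:1 - ext4 /dev/mapper/fedora-root rw,data=ordered
21 20 0:18 / /tmp rw,nosuid,nodev shared:2 - tmpfs tmpfs rw
22 20 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:3 - proc proc rw
"""

# Constructed sample for the PrivateTmp=true service after test.sh has run:
# every mount is a slave of the host's peer group, /tmp is a bind of a private
# subdirectory (path is a placeholder), and the script's own bind mount at
# /root/bind carries no propagation tag, so it never reaches the host.
SERVICE_MOUNTINFO = """\
40 39 253:0 / / rw,relatime master:1 - ext4 /dev/mapper/fedora-root rw,data=ordered
41 40 0:18 /systemd-private-EXAMPLE/tmp /tmp rw,nosuid,nodev master:2 - tmpfs tmpfs rw
42 40 0:4 / /proc rw,nosuid,nodev,noexec,relatime master:3 - proc proc rw
43 40 0:18 /systemd-private-EXAMPLE/tmp /root/bind rw,nosuid,nodev - tmpfs tmpfs rw
"""


def parse_mountinfo(text: str) -> List[Dict[str, object]]:
    """Parse mountinfo lines. Fixed fields and optional tags precede ' - ';
    fstype, source and super options follow it. The kernel escapes spaces in
    paths as \\040, so splitting on whitespace is safe."""
    mounts: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, sep, right = line.partition(" - ")
        if not sep:
            raise ValueError("malformed mountinfo line: %r" % line)
        lf = left.split()
        rf = right.split(None, 2)
        mounts.append({
            "id": int(lf[0]),
            "parent": int(lf[1]),
            "dev": lf[2],        # major:minor of the backing filesystem
            "root": lf[3],       # subtree of that filesystem mounted here
            "mountpoint": lf[4],
            "options": lf[5],
            "optional": lf[6:],  # propagation tags; empty means private
            "fstype": rf[0],
            "source": rf[1] if len(rf) > 1 else "",
        })
    return mounts


def propagation(optional: List[str]) -> str:
    """Map the optional fields to private / shared / slave / slave+shared / unbindable."""
    tags = {f.split(":", 1)[0] for f in optional}
    if "unbindable" in tags:
        return "unbindable"
    if "master" in tags:
        # A slave that is also shared forwards events to its own peers but never upstream.
        return "slave+shared" if "shared" in tags else "slave"
    if "shared" in tags:
        return "shared"
    return "private"


def peer_group(optional: List[str], tag: str) -> Optional[int]:
    """Return the peer-group id carried by 'shared:N' or 'master:N', if present."""
    for field in optional:
        name, _, value = field.partition(":")
        if name == tag and value.isdigit():
            return int(value)
    return None


def find_mount(mounts: List[Dict[str, object]], path: str) -> Optional[Dict[str, object]]:
    hits = [m for m in mounts if m["mountpoint"] == path]
    return hits[-1] if hits else None  # a later line overmounts an earlier one


def check_private_tmp(host_info: str, service_info: str) -> Dict[str, bool]:
    """Evaluate the propagation layout expected for a PrivateTmp service."""
    host, svc = parse_mountinfo(host_info), parse_mountinfo(service_info)
    host_root, svc_root = find_mount(host, "/"), find_mount(svc, "/")
    host_tmp, svc_tmp = find_mount(host, "/tmp"), find_mount(svc, "/tmp")
    if None in (host_root, svc_root, host_tmp, svc_tmp):
        raise ValueError("/ and /tmp must be present in both mount tables")
    return {
        "host_root_shared": propagation(host_root["optional"]) == "shared",
        "service_root_slave": propagation(svc_root["optional"]) == "slave",
        "service_root_follows_host": peer_group(svc_root["optional"], "master")
                                     == peer_group(host_root["optional"], "shared"),
        "service_tmp_isolated": (svc_tmp["dev"], svc_tmp["root"])
                                != (host_tmp["dev"], host_tmp["root"]),
        "bind_visible_on_host": find_mount(host, "/root/bind") is not None,
    }


if __name__ == "__main__":
    for name, ok in check_private_tmp(HOST_MOUNTINFO, SERVICE_MOUNTINFO).items():
        print(f"{name:28s} {ok}")
```

On a live system, pass `open("/proc/1/mountinfo").read()` and `open(f"/proc/{pid}/mountinfo").read()` for the service's main PID; a `service_root_slave` of False together with a shared service root would mean mounts made by the service do propagate to the host, which is exactly what PrivateTmp= is meant to prevent.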

Comment 5 Lennart Poettering 2014-06-19 18:45:47 UTC
I don't think there's anything to fix here. Closing. Feel free to reopen if there's actually something to fix.