Make sharable mount point in rootless mount namespace for use by all containers in a pod

[adrecord]

I saw this very good thread about bind mount propagation between rootless containers. What @giuseppe posted works perfectly - if you first podman unshare mount --make-shared --bind /from /from to make a sharable bind mount in the user namespace, then new bind mounts under there can be propagated in rootless mode.

When running in rootless mode, it would be nice if podman would pre-create a sharable mount in the user namespace prior to launching the containers in a pod. Then the containers in the pod would be able to do mount propagation off of that mount point without having to do this manual podman unshare mount step prior. It would make "rootless" behave more like "rootful", which is nice.

Thoughts?

[giuseppe]

that would make rootless podman behave differently than root, where there are no mounts created on the host as a consequence of a bind mount

[adrecord]

What I meant is that "rootless" would behave more like "rootful" from an end user's perspective. As you point out, when running as root there are no mounts created. This makes sense as the containers will already have access to the mount namespace. To allow similar access from containers in a user namespace, mounts could be created in that user's mount namespace prior to launching the containers.

Here is an example. It works great as root. It seems like if emptyDir was mounted in the user namespace, prior to launching the pod/containers, this example would work with rootless also, completely unchanged. Is that not the case?

Thanks!

[giuseppe]

Even if you run as root, Podman should not create a mount on the source directory.

If you run something like podman run -v /foo:/foo:shared ... you don't get a mount on /foo unless it already existed.

Is /sharedvol already a mount point on the host?

[giuseppe]

and the risk of doing it automatically, even for rootless, is that we will start leaking mounts.

[adrecord]

Even if you run as root, Podman should not create a mount on the source directory.

I agree with you and this makes sense as the containers running as root will already have access to the mount namespace they're in.

Is /sharedvol already a mount point on the host?

It is not. It's an emptyDir volume in the pod which the containers have mounted. It winds up being a directory structure on the host which gets created as a result of me running podman kube play fuse-hello.yaml. Since podman is causing the creation of the underlying directory backing that volume, it seems like upon volume creation podman could also mount the created directory in the user's mount namespace.

and the risk of doing it automatically, even for rootless, is that we will start leaking mounts

Volume delete would conversely need to unmount the directory from the user's mount namespace. This should eliminate leaks.

My thought here was just to have rootless behave more like root, from a user's perspective. As a friend of mine summed it up nicely, "if I can achieve an effect with root, I should be able to get the same effect without, unless it's impossible". It seemed like it was possible here, so I wanted to discuss. If it's deemed something not worth doing, for whatever reason, I'm fine with that.