fix(libcontainer): preserve rootfs slave propagation for rslave containers

[xujihui1985]

When rootfsPropagation is set to rslave, prepareRoot() was forcing the rootfs parent mount to MS_PRIVATE before bind-mounting and pivoting into the rootfs. That breaks the slave relationship needed for HostToContainer propagation, so later unmount/remount events on host mountpoints under the rootfs are not reflected inside the running container.

Fix this by keeping the rootfs parent mount as MS_SLAVE for slave-like rootfs propagation settings, while leaving the final root propagation remount in place.

Fixes: #5192

[xujihui1985]

@lifubang Please take look at this PR that fix issue #5192

[lifubang]

Thanks, I'll take a look next week. One small request: please use git rebase main instead of git merge main.

[lifubang]

Thanks!
The patch looks correct, though I've left a few comments. Also, could you move the integration test to a separate commit? It would make it easier for maintainers to review the changes step-by-step.

[lifubang]

Nice, thanks for the detailed test cases.

[kolyshkin]

OTOH I don't think this test makes sense. The code which it tests is:

func rootfsParentMountPropagationFlags(rootPropagation int) uintptr {
	if rootPropagation&unix.MS_SLAVE != 0 {
		return unix.MS_SLAVE
	}
	return unix.MS_PRIVATE
}

and I don't think this code is that complicated to deserve a test case. You can "test" it by just reading it.

More to say, if we ever want to change it for whatever reason, it's more work now (as the test cases will fail).

So I'd rather remove the unit test. @lifubang WDYT?

[lifubang]

In fact, I originally wanted to keep this unit test to ensure we wouldn’t forget MS_SLAVE during future refactoring. However, now that we have an integration test covering this behavior -- and although the logic is simple yet critical -- I think we can safely remove the unit test.
@xujihui1985

[xujihui1985]

ok, unittest for this function has been removed

[kolyshkin]

@xujihui1985 you also need to run make shfmt to fix bats formatting

[kolyshkin]

The test in this PR (which modifies / propagation) should benefit from the feature from #5212, so if that one is approved and merged, the test here needs to add require unsafe.

[lifubang]

LGTM with one nit.
Thanks!

[kolyshkin]

LGTM, thank you

[xujihui1985]

@kolyshkin @lifubang Thanks for reviewing the MR. This was a great learning opportunity, and I learned a lot from this process.

[kolyshkin]

@lifubang you set 1.3.6 milestone for the issue this PR fixes (#5192); does that mean you want 1.3, 1.4 and 1.5 backports? When answering this, please consider whether it can bring some other regressions.

If the answer is yes, please add appropriate labels (feel free to open the backports, too).

[lifubang]

you set 1.3.6 milestone for the issue this PR fixes (#5192); does that mean you want 1.3, 1.4 and 1.5 backports? When answering this, please consider whether it can bring some other regressions.

If the answer is yes, please add appropriate labels (feel free to open the backports, too).

I set the 1.3.6 milestone because this bug affects all releases from 1.3.x through 1.5.x, and the impact is broader than it appears:

1. Silent semantic regression: Users configuring rootfsPropagation: rslave get no error -- the container starts fine, but mount propagation silently falls back to rprivate. This is extremely hard to debug in production.

2. K8s 1.35 uses runc 1.3.x: Per containerd's release docs, K8s 1.35 recommends containerd 2.2.x/2.1.x/1.7.x, all of which bundle runc 1.3.4/1.3.5. Without a backport, this bug persists in current and upcoming Kubernetes deployments.

3. Docker 29.4.0 uses runc 1.3.5: The latest Docker release also carries this bug. Affecting both major container ecosystems justifies the backport effort.

4. Low regression risk: The fix is minimal and conservative -- only changes behavior when rootPropagation & MS_SLAVE != 0. All other paths remain identical.

@xujihui1985 WDYT?

[lifubang]

Oh, looking at the actual OCI spec generated by Kubernetes/docker, there's no linux.rootfsPropagation field set. So this bug only affects users who directly configure rootfsPropagation: rslave in runc. Given the limited impact, let's only backport to release-1.5.

[xujihui1985]

Oh, looking at the actual OCI spec generated by Kubernetes/docker, there's no linux.rootfsPropagation field set. So this bug only affects users who directly configure rootfsPropagation: rslave in runc. Given the limited impact, let's only backport to release-1.5.

https://github.com/containerd/containerd/blob/f006ee06cabf52ee4a32429487b93d334c009589/internal/cri/opts/spec_linux_opts.go#L173 @lifubang I didn't test on the latest kubernetes and containerd, but from our internal version, the rootfsPropagation actually set on the bundle json, I'm not sure right now if this is a internal feature, I will check it later

[lifubang]

I'm not sure right now if this is a internal feature, I will check it later

Have you had a chance to look into it yet?

[xujihui1985]

I'm not sure right now if this is a internal feature, I will check it later

Have you had a chance to look into it yet?

Hi, I check the current upstream version from internal codebase, it's from 1.5.4, and it's not an internal logic, https://github.com/containerd/containerd/blob/v1.5.4/pkg/cri/opts/spec_linux.go#L180-L197

[lifubang]

Thanks, this appears to be a long-standing bug. Do you think we should backport this to release-1.3? Since many of us are still running runc 1.3.x in production, it seems worth fixing.
Feel free to open the backport PRs.