always remount / rslave before running creation template (if root)

If we're not root, our mounts in private userns won't get pushed
back anyway.  If we are root, we need to make sure that anything
the template does gets cleaned up.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 8b81a6346cd40533a7a6678b3007ad94189ee932..946133d874221f1084c605643a4ed56ac080838f 100644 (file)
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -24,6 +24,7 @@
 #include <unistd.h>
 #include <sys/types.h>
 #include <sys/wait.h>
+#include <sys/mount.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <sched.h>
@@ -833,11 +834,23 @@ static bool create_run_template(struct lxc_container *c, char *tpath, bool quiet
                        exit(1);
                }
 
-               if (strcmp(bdev->type, "dir") != 0) {
+               if (geteuid() == 0) {
                        if (unshare(CLONE_NEWNS) < 0) {
                                ERROR("error unsharing mounts");
                                exit(1);
                        }
+                       if (detect_shared_rootfs()) {
+                               if (mount("", "", NULL, MS_SLAVE|MS_REC, 0)) {
+                                       SYSERROR("Failed to make / rslave to run template");
+                                       ERROR("Continuing...");
+                               }
+                       }
+               }
+               if (strcmp(bdev->type, "dir") != 0) {
+                       if (geteuid() != 0) {
+                               ERROR("non-root users can only create directory-backed containers");
+                               exit(1);
+                       }
                        if (bdev->ops->mount(bdev) < 0) {
                                ERROR("Error mounting rootfs");
                                exit(1);