unshare lxc-start into a slave mount namespace

The rationale here is simply that if the host can see all
the mounts, then any program on the host entering a new
mount namespace can keep the mountpoints active.
This can potentially lead to hard-to-track problems with
multiple mount protection or NFS storages not syncing to the
end when stop-migrating a container to another node.

diff --git a/src/PVE/API2/LXC/Status.pm b/src/PVE/API2/LXC/Status.pm
index 5e5e11678177ebe73ba8d436cebba9e476d47620..dc05445a18098b593531bfbea72680148ae672c6 100644 (file)
--- a/src/PVE/API2/LXC/Status.pm
+++ b/src/PVE/API2/LXC/Status.pm
@@ -163,7 +163,8 @@ __PACKAGE__->register_method({
 
                PVE::LXC::update_lxc_config($storage_cfg, $vmid, $conf);
 
-               my $cmd = ['lxc-start', '-n', $vmid];
+               my $cmd = ['unshare', '-m', '--',
+                          'sh', '-c', "mount --make-rslave / && exec lxc-start -n $vmid"];
 
                run_command($cmd);