From a4956e65d018fe095ad1936cf82f20f5e6dc947a Mon Sep 17 00:00:00 2001 From: Evan Lezar Date: Mon, 10 Mar 2025 10:27:24 +0200 Subject: [PATCH] Add rprivate to CDI mount options This ensures that mount propagation is set to rprivate for mounts from the host into the container. This aligns with the default in docker. Signed-off-by: Evan Lezar
---
 .../container/toolkit/toolkit_test.go | 3 ++- cmd/nvidia-ctk/cdi/generate/generate_test.go | 3 ++- internal/discover/ipc_test.go | 3 ++- internal/discover/mounts-to-container-path.go | 3 ++- internal/discover/mounts-to-container-path_test.go | 3 ++- internal/discover/mounts.go | 3 ++- internal/discover/mounts_test.go | 3 ++- internal/platform-support/tegra/csv_test.go | 10 +++++----- 8 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/cmd/nvidia-ctk-installer/container/toolkit/toolkit_test.go b/cmd/nvidia-ctk-installer/container/toolkit/toolkit_test.go
index 4aad36c5..f71224ae 100644
--- a/cmd/nvidia-ctk-installer/container/toolkit/toolkit_test.go
+++ b/cmd/nvidia-ctk-installer/container/toolkit/toolkit_test.go
@@ -109,7 +109,8 @@ containerEdits:
 - ro
 - nosuid
 - nodev
- - bind
+ - rbind
+ - rprivate
 `,
 },
 }
diff --git a/cmd/nvidia-ctk/cdi/generate/generate_test.go b/cmd/nvidia-ctk/cdi/generate/generate_test.go
index c74cff23..b927bf0d 100644
--- a/cmd/nvidia-ctk/cdi/generate/generate_test.go
+++ b/cmd/nvidia-ctk/cdi/generate/generate_test.go
@@ -111,7 +111,8 @@ containerEdits:
 - ro
 - nosuid
 - nodev
- - bind
+ - rbind
+ - rprivate
 `,
 },
 }
diff --git a/internal/discover/ipc_test.go b/internal/discover/ipc_test.go
index f214f522..de3bc152 100644
--- a/internal/discover/ipc_test.go
+++ b/internal/discover/ipc_test.go
@@ -52,7 +52,8 @@ func TestIPCMounts(t *testing.T) {
 "ro",
 "nosuid",
 "nodev",
- "bind",
+ "rbind",
+ "rprivate",
 "noexec",
 },
 },
diff --git a/internal/discover/mounts-to-container-path.go b/internal/discover/mounts-to-container-path.go
index 602f153d..d92bc91c 100644
--- a/internal/discover/mounts-to-container-path.go
+++ b/internal/discover/mounts-to-container-path.go
@@ -71,7 +71,8 @@ func (d *mountsToContainerPath) Mounts() ([]Mount, error) {
 "ro",
 "nosuid",
 "nodev",
- "bind",
+ "rbind",
+ "rprivate",
 },
 }
 mounts = append(mounts, mount)
diff --git a/internal/discover/mounts-to-container-path_test.go b/internal/discover/mounts-to-container-path_test.go
index e0a88801..dd4a17d1 100644
--- a/internal/discover/mounts-to-container-path_test.go
+++ b/internal/discover/mounts-to-container-path_test.go
@@ -32,7 +32,8 @@ func TestMountsToContainerPath(t *testing.T) {
 "ro",
 "nosuid",
 "nodev",
- "bind",
+ "rbind",
+ "rprivate",
 }
 testCases := []struct {
diff --git a/internal/discover/mounts.go b/internal/discover/mounts.go
index 9232dae3..90b94266 100644
--- a/internal/discover/mounts.go
+++ b/internal/discover/mounts.go
@@ -102,7 +102,8 @@ func (d *mounts) Mounts() ([]Mount, error) {
 "ro",
 "nosuid",
 "nodev",
- "bind",
+ "rbind",
+ "rprivate",
 },
 }
 }
diff --git a/internal/discover/mounts_test.go b/internal/discover/mounts_test.go
index 40c46568..21648bcd 100644
--- a/internal/discover/mounts_test.go
+++ b/internal/discover/mounts_test.go
@@ -41,7 +41,8 @@ func TestMounts(t *testing.T) {
 "ro",
 "nosuid",
 "nodev",
- "bind",
+ "rbind",
+ "rprivate",
 }
 logger, logHook := testlog.NewNullLogger()
diff --git a/internal/platform-support/tegra/csv_test.go b/internal/platform-support/tegra/csv_test.go
index 2e8e42fe..dca09bb5 100644
--- a/internal/platform-support/tegra/csv_test.go
+++ b/internal/platform-support/tegra/csv_test.go
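Review bot: The switch from `bind` to `rbind` in the option list of `mountsToContainerPath.Mounts()` is not covered by the commit message, which only describes `rprivate`, and it changes what reaches the container: with a recursive bind, any submounts below a host directory are carried in as well. As far as I know, runc applies `ro`, `nosuid` and `nodev` only to the top-level mount of a recursive bind unless the recursive forms from the OCI runtime spec (such as `rro`) are used, so a submount could arrive without those restrictions; this should be confirmed against the runtimes the toolkit targets. I would record the intent next to the list, e.g. `// rbind: include submounts of the host path; rprivate: no mount propagation between host and container`, and state in the commit message why `rbind` is needed. The same applies to the identical list in `internal/discover/mounts.go`; both `Mounts()` bodies start and end outside their hunks.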
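Review bot: The option list in `mounts.Mounts()` is a second hand-maintained copy of the one in `mounts-to-container-path.go`, and this commit had to edit both in lockstep; a shared helper would keep the two discoverers from drifting apart on a security-relevant default. Something like `func defaultMountOptions() []string { return []string{"ro", "nosuid", "nodev", "rbind", "rprivate"} }` would do, returning a fresh slice on every call so that a caller appending to it (the IPC test expects `noexec` after `rprivate`, presumably appended by that discoverer) cannot alias another mount's options. The enclosing `Mounts()` method starts and ends outside the hunk.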
@@ -79,12 +79,12 @@ func TestDiscovererFromCSVFiles(t *testing.T) {
 {
 Path: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
 HostPath: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
- Options: []string{"ro", "nosuid", "nodev", "bind"},
+ Options: []string{"ro", "nosuid", "nodev", "rbind", "rprivate"},
 },
 {
 Path: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
 HostPath: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
- Options: []string{"ro", "nosuid", "nodev", "bind"},
+ Options: []string{"ro", "nosuid", "nodev", "rbind", "rprivate"},
 },
 },
 expectedHooks: []discover.Hook{
@@ -135,12 +135,12 @@ func TestDiscovererFromCSVFiles(t *testing.T) {
 {
 Path: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
 HostPath: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
- Options: []string{"ro", "nosuid", "nodev", "bind"},
+ Options: []string{"ro", "nosuid", "nodev", "rbind", "rprivate"},
 },
 {
 Path: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
 HostPath: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
- Options: []string{"ro", "nosuid", "nodev", "bind"},
+ Options: []string{"ro", "nosuid", "nodev", "rbind", "rprivate"},
 },
 },
 expectedHooks: []discover.Hook{
@@ -175,7 +175,7 @@ func TestDiscovererFromCSVFiles(t *testing.T) {
 {
 Path: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
 HostPath: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
- Options: []string{"ro", "nosuid", "nodev", "bind"},
+ Options: []string{"ro", "nosuid", "nodev", "rbind", "rprivate"},
 },
 },
 },