Add rprivate to CDI mount options

This ensures that mount propagation is set to rprivate for mounts from the host into the container. This aligns with the default in docker. Signed-off-by: Evan Lezar <elezar@nvidia.com>
2025-04-02 12:00:18 +00:00 · 2025-03-10 10:27:24 +02:00 · 2025-03-10 10:27:24 +02:00 · a4956e65d0
commit a4956e65d0
parent 3df59b955a
8 changed files with 19 additions and 12 deletions
--- a/cmd/nvidia-ctk-installer/container/toolkit/toolkit_test.go
+++ b/cmd/nvidia-ctk-installer/container/toolkit/toolkit_test.go
@ -109,7 +109,8 @@ containerEdits:
    - ro
    - nosuid
    - nodev
-    - bind
+    - rbind
+    - rprivate
 `,
 		},
 	}
--- a/cmd/nvidia-ctk/cdi/generate/generate_test.go
+++ b/cmd/nvidia-ctk/cdi/generate/generate_test.go
@ -111,7 +111,8 @@ containerEdits:
    - ro
    - nosuid
    - nodev
-    - bind
+    - rbind
+    - rprivate
 `,
 		},
 	}
--- a/internal/discover/ipc_test.go
+++ b/internal/discover/ipc_test.go
@ -52,7 +52,8 @@ func TestIPCMounts(t *testing.T) {
 					"ro",
 					"nosuid",
 					"nodev",
-					"bind",
+					"rbind",
+					"rprivate",
 					"noexec",
 				},
 			},
--- a/internal/discover/mounts-to-container-path.go
+++ b/internal/discover/mounts-to-container-path.go
@ -71,7 +71,8 @@ func (d *mountsToContainerPath) Mounts() ([]Mount, error) {
 				"ro",
 				"nosuid",
 				"nodev",
-				"bind",
+				"rbind",
+				"rprivate",
 			},
 		}
 		mounts = append(mounts, mount)
--- a/internal/discover/mounts-to-container-path_test.go
+++ b/internal/discover/mounts-to-container-path_test.go
@ -32,7 +32,8 @@ func TestMountsToContainerPath(t *testing.T) {
 		"ro",
 		"nosuid",
 		"nodev",
-		"bind",
+		"rbind",
+		"rprivate",
 	}

 	testCases := []struct {
--- a/internal/discover/mounts.go
+++ b/internal/discover/mounts.go
@ -102,7 +102,8 @@ func (d *mounts) Mounts() ([]Mount, error) {
 					"ro",
 					"nosuid",
 					"nodev",
-					"bind",
+					"rbind",
+					"rprivate",
 				},
 			}
 		}
--- a/internal/discover/mounts_test.go
+++ b/internal/discover/mounts_test.go
@ -41,7 +41,8 @@ func TestMounts(t *testing.T) {
 		"ro",
 		"nosuid",
 		"nodev",
-		"bind",
+		"rbind",
+		"rprivate",
 	}

 	logger, logHook := testlog.NewNullLogger()
--- a/internal/platform-support/tegra/csv_test.go
+++ b/internal/platform-support/tegra/csv_test.go
@ -79,12 +79,12 @@ func TestDiscovererFromCSVFiles(t *testing.T) {
 				{
 					Path:     "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
 					HostPath: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
-					Options:  []string{"ro", "nosuid", "nodev", "bind"},
+					Options:  []string{"ro", "nosuid", "nodev", "rbind", "rprivate"},
 				},
 				{
 					Path:     "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
 					HostPath: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
-					Options:  []string{"ro", "nosuid", "nodev", "bind"},
+					Options:  []string{"ro", "nosuid", "nodev", "rbind", "rprivate"},
 				},
 			},
 			expectedHooks: []discover.Hook{
@ -135,12 +135,12 @@ func TestDiscovererFromCSVFiles(t *testing.T) {
 				{
 					Path:     "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
 					HostPath: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
-					Options:  []string{"ro", "nosuid", "nodev", "bind"},
+					Options:  []string{"ro", "nosuid", "nodev", "rbind", "rprivate"},
 				},
 				{
 					Path:     "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
 					HostPath: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
-					Options:  []string{"ro", "nosuid", "nodev", "bind"},
+					Options:  []string{"ro", "nosuid", "nodev", "rbind", "rprivate"},
 				},
 			},
 			expectedHooks: []discover.Hook{
@ -175,7 +175,7 @@ func TestDiscovererFromCSVFiles(t *testing.T) {
 				{
 					Path:     "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
 					HostPath: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
-					Options:  []string{"ro", "nosuid", "nodev", "bind"},
+					Options:  []string{"ro", "nosuid", "nodev", "rbind", "rprivate"},
 				},
 			},
 		},