From d0103aa6a3da51dee51a5a21971bb5c9e0d9025b Mon Sep 17 00:00:00 2001
From: Evan Lezar
Date: Mon, 10 Mar 2025 10:27:24 +0200
Subject: [PATCH] Add rprivate to CDI mount options

This ensures that mount propagation is set to rprivate for mounts from the host into the container. This aligns with the default in docker.

Signed-off-by: Evan Lezar
---
 cmd/nvidia-ctk-installer/toolkit/toolkit_test.go | 3 ++-
 cmd/nvidia-ctk/cdi/generate/generate_test.go | 3 ++-
 internal/discover/ipc_test.go | 3 ++-
 internal/discover/mounts-to-container-path.go | 3 ++-
 internal/discover/mounts-to-container-path_test.go | 3 ++-
 internal/discover/mounts.go | 3 ++-
 internal/discover/mounts_test.go | 3 ++-
 internal/platform-support/tegra/csv_test.go | 10 +++++-----
 8 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/cmd/nvidia-ctk-installer/toolkit/toolkit_test.go b/cmd/nvidia-ctk-installer/toolkit/toolkit_test.go
index ec9dc5bd..e91e29fc 100644
--- a/cmd/nvidia-ctk-installer/toolkit/toolkit_test.go
+++ b/cmd/nvidia-ctk-installer/toolkit/toolkit_test.go
@@ -109,7 +109,8 @@ containerEdits:
 - ro
 - nosuid
 - nodev
- - bind
+ - rbind
+ - rprivate
 `,
 },
 }
diff --git a/cmd/nvidia-ctk/cdi/generate/generate_test.go b/cmd/nvidia-ctk/cdi/generate/generate_test.go
index 9e9a6a4e..d6aae4d7 100644
--- a/cmd/nvidia-ctk/cdi/generate/generate_test.go
+++ b/cmd/nvidia-ctk/cdi/generate/generate_test.go
@@ -111,7 +111,8 @@ containerEdits:
 - ro
 - nosuid
 - nodev
- - bind
+ - rbind
+ - rprivate
 `,
 },
 }
diff --git a/internal/discover/ipc_test.go b/internal/discover/ipc_test.go
index f214f522..de3bc152 100644
--- a/internal/discover/ipc_test.go
+++ b/internal/discover/ipc_test.go
@@ -52,7 +52,8 @@ func TestIPCMounts(t *testing.T) {
 "ro",
 "nosuid",
 "nodev",
- "bind",
+ "rbind",
+ "rprivate",
 "noexec",
 },
 },
diff --git a/internal/discover/mounts-to-container-path.go b/internal/discover/mounts-to-container-path.go
index 602f153d..d92bc91c 100644
--- a/internal/discover/mounts-to-container-path.go
+++ b/internal/discover/mounts-to-container-path.go
@@ -71,7 +71,8 @@ func (d *mountsToContainerPath) Mounts() ([]Mount, error) {
 "ro",
 "nosuid",
 "nodev",
- "bind",
+ "rbind",
+ "rprivate",
 },
 }
 mounts = append(mounts, mount)
diff --git a/internal/discover/mounts-to-container-path_test.go b/internal/discover/mounts-to-container-path_test.go
index e0a88801..dd4a17d1 100644
--- a/internal/discover/mounts-to-container-path_test.go
+++ b/internal/discover/mounts-to-container-path_test.go
@@ -32,7 +32,8 @@ func TestMountsToContainerPath(t *testing.T) {
 "ro",
 "nosuid",
 "nodev",
- "bind",
+ "rbind",
+ "rprivate",
 }

 testCases := []struct {
diff --git a/internal/discover/mounts.go b/internal/discover/mounts.go
index 7241c5ad..1f11ea9e 100644
--- a/internal/discover/mounts.go
+++ b/internal/discover/mounts.go
@@ -90,7 +90,8 @@ func (d *mounts) Mounts() ([]Mount, error) {
 "ro",
 "nosuid",
 "nodev",
- "bind",
+ "rbind",
+ "rprivate",
 },
 }
 }
diff --git a/internal/discover/mounts_test.go b/internal/discover/mounts_test.go
index 40c46568..21648bcd 100644
--- a/internal/discover/mounts_test.go
+++ b/internal/discover/mounts_test.go
@@ -41,7 +41,8 @@ func TestMounts(t *testing.T) {
 "ro",
 "nosuid",
 "nodev",
- "bind",
+ "rbind",
+ "rprivate",
 }

 logger, logHook := testlog.NewNullLogger()
diff --git a/internal/platform-support/tegra/csv_test.go b/internal/platform-support/tegra/csv_test.go
index 2e8e42fe..dca09bb5 100644
--- a/internal/platform-support/tegra/csv_test.go
+++ b/internal/platform-support/tegra/csv_test.go
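Review bot: Replacing `bind` with `rbind` in the options literal of `mountsToContainerPath.Mounts()` goes beyond what the commit message describes, and it narrows what `ro` covers: on a recursive bind the read-only flag is generally applied to the top-level mount only, so a submount below a host directory keeps its own read/write state inside the container. If any discovered host path can be a directory carrying submounts, consider `rro` where the runtime supports recursive mount attributes, or state the assumption next to the literal, e.g. `// rbind: "ro" covers only the top-level mount; host paths here must not carry submounts`. The same literal is changed in `internal/discover/mounts.go`, and the body of `Mounts()` starts and ends outside this hunk.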
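Review bot: The list `"ro", "nosuid", "nodev", "rbind", "rprivate"` in `mounts.Mounts()` is a hand-maintained copy of the literal in `mounts-to-container-path.go`, and neither site records why propagation is pinned. A small package-level helper, for example `func defaultMountOptions() []string { return []string{"ro", "nosuid", "nodev", "rbind", "rprivate"} }`, would keep the two discoverers from drifting apart the next time the defaults change; returning a fresh slice avoids aliasing if a caller appends to it. A comment on it such as `// rprivate: mount events do not propagate between host and container (docker default)` would carry the rationale from the commit message into the code. The enclosing function begins and ends outside the hunk.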
@@ -79,12 +79,12 @@ func TestDiscovererFromCSVFiles(t *testing.T) {
 {
 Path: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
 HostPath: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
- Options: []string{"ro", "nosuid", "nodev", "bind"},
+ Options: []string{"ro", "nosuid", "nodev", "rbind", "rprivate"},
 },
 {
 Path: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
 HostPath: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
- Options: []string{"ro", "nosuid", "nodev", "bind"},
+ Options: []string{"ro", "nosuid", "nodev", "rbind", "rprivate"},
 },
 },
 expectedHooks: []discover.Hook{
@@ -135,12 +135,12 @@ func TestDiscovererFromCSVFiles(t *testing.T) {
 {
 Path: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
 HostPath: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
- Options: []string{"ro", "nosuid", "nodev", "bind"},
+ Options: []string{"ro", "nosuid", "nodev", "rbind", "rprivate"},
 },
 {
 Path: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
 HostPath: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
- Options: []string{"ro", "nosuid", "nodev", "bind"},
+ Options: []string{"ro", "nosuid", "nodev", "rbind", "rprivate"},
 },
 },
 expectedHooks: []discover.Hook{
@@ -175,7 +175,7 @@ func TestDiscovererFromCSVFiles(t *testing.T) {
 {
 Path: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
 HostPath: "/usr/lib/aarch64-linux-gnu/tegra/libv4l2_nvargus.so",
- Options: []string{"ro", "nosuid", "nodev", "bind"},
+ Options: []string{"ro", "nosuid", "nodev", "rbind", "rprivate"},
 },
 },
 },