Shim unconditionally mounts rootfs as MS_SLAVE #1132

@ijc

linuxkit/linuxkit#2131 is an issue with LinuxKit's projects/kubernetes where the kubelet container expects to create mounts which will be visible in a docker container. Both of them have a /var:/var:rshared,rbind but the mounts made by kubelet are not appearing in the docker container.

I eventually tracked this down to the shim's setupRoot which unconditionally does unix.Mount("", "/", "", unix.MS_SLAVE|unix.MS_REC, ""), which was added in ab8586b ("Remove bundles from API").

Would it be possible to make this optional by some means? Or maybe it is even possible to remove it since it seems to be redundant with runc's prepareRoot which sets up the root mount in a similar way but is configurable via the rootPropagation field in config.json.

WRT linuxkit/linuxkit#2131 I have confirmed that either dropping the mount from shim or changing it to MS_SHARED unbreaks things. I also confirmed that removing rootfsPropagation: shared from the kubelet container re-breaks things, so it seems the code in runc is effective.

@justincormack pointed me at a document and in particular kubernetes/community#648 which seem somewhat relevant/related.

/cc @justincormack @crosbymichael
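
An added example, not code from the issue or from containerd: one way to check which propagation mode a mount ended up with (for instance whether /var is still shared after a recursive MS_SLAVE remount of /) is to read the optional fields of /proc/self/mountinfo. The sample lines and the names Propagation and ModeFor are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed mountinfo lines (not from the issue); "/" and "/var" are slave mounts.
const sample = `22 1 8:1 / / rw,relatime master:1 - ext4 /dev/sda1 rw
45 22 8:2 / /var rw,relatime master:2 - ext4 /dev/sda2 rw
46 22 0:40 / /run rw,nosuid shared:5 - tmpfs tmpfs rw
47 22 0:41 / /tmp rw,nosuid - tmpfs tmpfs rw`

// Propagation classifies one mountinfo line by its optional fields (field 7 up
// to the "-" separator). A line with no shared:/master: tag is reported private.
func Propagation(line string) (mountPoint, mode string, err error) {
	f := strings.Fields(line)
	var shared, slave bool
	i := 6
	for ; i < len(f) && f[i] != "-"; i++ {
		shared = shared || strings.HasPrefix(f[i], "shared:")
		slave = slave || strings.HasPrefix(f[i], "master:")
	}
	if i >= len(f) {
		return "", "", fmt.Errorf("malformed mountinfo line: %q", line)
	}
	switch {
	case shared && slave:
		return f[4], "shared+slave", nil
	case shared:
		return f[4], "shared", nil
	case slave:
		return f[4], "slave", nil
	}
	return f[4], "private", nil
}

// ModeFor returns the propagation mode of the mount whose mount point is path.
func ModeFor(mountinfo, path string) (string, error) {
	for _, line := range strings.Split(mountinfo, "\n") {
		if mp, mode, err := Propagation(line); err == nil && mp == path {
			return mode, nil
		}
	}
	return "", fmt.Errorf("%s is not a mount point in this mountinfo", path)
}

func main() {
	fmt.Println(ModeFor(sample, "/var")) // mounts made under a slave /var stay local
}
```

To inspect a live process, pass the contents of /proc/&lt;pid&gt;/mountinfo for the shim or container process instead of the constructed sample.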
