What is the problem you're trying to solve
I am trying to run a containerized kubelet via ctr. The kubelet container needs to mount some host paths, say the kubelet root /var/lib/kubelet.
When using Secrets or ConfigMaps, the storage plugin mounts a tmpfs at some path in the kubelet container. Before the container starts, containerd needs to mount those tmpfs mountpoints into the container to be created, so the tmpfs mount needs to be propagated to the host namespace for containerd to see the contents of the mounted tmpfs. But even if I mount the host path with the propagation rshared, or change the rootfs propagation to rshared just after the container has started, I can only see the mounted contents in the container namespace.
After studying the code of runc, I found that if spec.Linux.RootfsPropagation is not given, the default propagation of the container rootfs is rslave. It somehow prevents the mount events from spreading to other namespaces.
Describe the solution you'd like
I've tested that if spec.Linux.RootfsPropagation is set to rshared, everything works. And I believe a rootfs propagation flag is necessary for ctr.
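The following is an added example, not code from the issue author or from containerd/runc. It works on the OCI `config.json` that a runtime bundle carries (the `linux.rootfsPropagation` key is the JSON form of `spec.Linux.RootfsPropagation`), using a constructed minimal spec for a container that bind-mounts `/var/lib/kubelet` with the `rshared` option but leaves the rootfs propagation unset. It shows how to set the rootfs propagation explicitly, and it includes a check that flags the situation described above: a host-path mount asking for (r)shared propagation while the rootfs still falls back to runc's `rslave` default, which is the combination where mount events stay inside the container namespace. The file-patching helper and the "unset means rslave" rule are modelled on what the issue reports, not on a runc API.

```python
import json
from copy import deepcopy

# Propagation modes accepted for linux.rootfsPropagation in the OCI runtime spec.
PROPAGATION_MODES = {
    "shared", "rshared", "slave", "rslave",
    "private", "rprivate", "unbindable", "runbindable",
}

# Constructed minimal OCI spec fragment (not generated by ctr): the kubelet root is
# bind-mounted with rshared, but linux.rootfsPropagation is absent, so the rootfs
# gets runc's rslave default as described in the issue.
CONSTRUCTED_SPEC = {
    "ociVersion": "1.0.2",
    "root": {"path": "rootfs"},
    "mounts": [
        {
            "destination": "/var/lib/kubelet",
            "type": "bind",
            "source": "/var/lib/kubelet",
            "options": ["rbind", "rshared"],
        },
    ],
    "linux": {"namespaces": [{"type": "mount"}]},
}


def effective_rootfs_propagation(spec):
    """Propagation the rootfs ends up with; unset means rslave (runc default per the issue)."""
    return spec.get("linux", {}).get("rootfsPropagation") or "rslave"


def set_rootfs_propagation(spec, mode):
    """Return a copy of the spec with linux.rootfsPropagation set to a validated mode."""
    if mode not in PROPAGATION_MODES:
        raise ValueError(f"unknown propagation mode: {mode!r}")
    out = deepcopy(spec)
    out.setdefault("linux", {})["rootfsPropagation"] = mode
    return out


def mounts_blocked_by_rootfs(spec):
    """Destinations of mounts that request (r)shared propagation while the rootfs
    is not (r)shared. These are the mounts whose mount events will not reach the
    host namespace, which is the symptom the issue describes."""
    if effective_rootfs_propagation(spec) in ("shared", "rshared"):
        return []
    shared_opts = {"shared", "rshared"}
    return [
        m["destination"]
        for m in spec.get("mounts", [])
        if shared_opts & set(m.get("options", []))
    ]


def patch_bundle_config(path, mode="rshared"):
    """Rewrite an OCI bundle's config.json in place with the given rootfs propagation.
    Hypothetical helper: useful when the spec is produced by a tool (like ctr)
    that exposes no flag for this field."""
    with open(path) as f:
        spec = json.load(f)
    spec = set_rootfs_propagation(spec, mode)
    with open(path, "w") as f:
        json.dump(spec, f, indent=2)
    return spec


if __name__ == "__main__":
    print("rootfs propagation:", effective_rootfs_propagation(CONSTRUCTED_SPEC))
    print("mounts that will not propagate to host:",
          mounts_blocked_by_rootfs(CONSTRUCTED_SPEC))
    fixed = set_rootfs_propagation(CONSTRUCTED_SPEC, "rshared")
    print("after fix:", mounts_blocked_by_rootfs(fixed))
```

`mounts_blocked_by_rootfs` is the check worth running before a container like this is started: an `rshared` bind mount on its own is not enough if the rootfs stays `rslave`. Note that `rshared` on the rootfs is deliberately weaker isolation than the default, so it is best applied only to containers that genuinely need their mounts to be visible on the host, as the kubelet case here does.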
Additional context