The current text for idmapped mounts doesn't specify whether the attributes should be applied recursively or not (`AT_RECURSIVE`). At the moment, runc never passes `AT_RECURSIVE`. The two options I can see are:

- Make `rbind` imply that the attribute should be recursive, since that's the only case where `AT_RECURSIVE` is necessary. (This would imply that it's always recursive.) The main downside is that a user wouldn't be able to opt-out of it, and runc's current behaviour would be spec in-compliant. But I suspect this is what most users would expect.
- Make it configurable with a new mount option (`ridmap`, maybe) which can only be set if you have the `uidMappings` and `gidMappings` options enabled. The main downside is that the current `rbind` (which is counter-intuitive imho) would remain, but that would avoid any possible backwards-compatibility issues with runtime-spec 1.1.0.
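To make the two proposals concrete, here is an added example (not runc's code and not part of the issue) that derives the `mount_setattr(2)` arguments for an idmapped mount under each policy. The `Mount` struct is a trimmed-down stand-in for the runtime-spec mount entry, `ridmap` is the option name floated in the comment, and the `AT_RECURSIVE` / `MOUNT_ATTR_IDMAP` values are copied from the Linux UAPI headers so the example builds without `golang.org/x/sys/unix`.

```go
package main

import (
	"errors"
	"fmt"
)

// Constants from <linux/fcntl.h> and <linux/mount.h>, hardcoded so this
// example has no external dependency (assumption: values as of Linux 5.12+).
const (
	atRecursive    = 0x8000     // AT_RECURSIVE: apply the attribute change to the whole subtree
	mountAttrIdmap = 0x00100000 // MOUNT_ATTR_IDMAP: mark the mount as idmapped
)

// Mount is a simplified stand-in for the runtime-spec mount entry (assumption).
type Mount struct {
	Options     []string
	UIDMappings []string // non-empty means the mount is idmapped
	GIDMappings []string
}

// Result holds the derived mount_setattr arguments: attr_set and the flags word.
type Result struct {
	AttrSet uint64
	Flags   int
}

func (m Mount) hasOpt(opt string) bool {
	for _, o := range m.Options {
		if o == opt {
			return true
		}
	}
	return false
}

func (m Mount) idmapped() bool {
	return len(m.UIDMappings) > 0 || len(m.GIDMappings) > 0
}

// Proposal 1: "rbind" implies AT_RECURSIVE for the idmap attribute.
// The user cannot opt out; a recursive bind is always recursively idmapped.
func ProposalRbindImpliesRecursive(m Mount) (Result, error) {
	if !m.idmapped() {
		return Result{}, nil // nothing to set; plain bind mount
	}
	if len(m.UIDMappings) == 0 || len(m.GIDMappings) == 0 {
		return Result{}, errors.New("uidMappings and gidMappings must both be set")
	}
	r := Result{AttrSet: mountAttrIdmap}
	if m.hasOpt("rbind") {
		r.Flags |= atRecursive
	}
	return r, nil
}

// Proposal 2: an explicit "ridmap" option requests AT_RECURSIVE, and is only
// valid when the mount carries uidMappings and gidMappings. "rbind" on its own
// keeps today's (non-recursive) behaviour.
func ProposalRidmapOption(m Mount) (Result, error) {
	if m.hasOpt("ridmap") && !(len(m.UIDMappings) > 0 && len(m.GIDMappings) > 0) {
		return Result{}, errors.New("ridmap requires uidMappings and gidMappings")
	}
	if !m.idmapped() {
		return Result{}, nil
	}
	if len(m.UIDMappings) == 0 || len(m.GIDMappings) == 0 {
		return Result{}, errors.New("uidMappings and gidMappings must both be set")
	}
	r := Result{AttrSet: mountAttrIdmap}
	if m.hasOpt("ridmap") {
		r.Flags |= atRecursive
	}
	return r, nil
}

func main() {
	// Constructed sample: a recursive bind mount with a single 1:1 mapping range.
	m := Mount{
		Options:     []string{"rbind"},
		UIDMappings: []string{"0:1000:1"},
		GIDMappings: []string{"0:1000:1"},
	}
	r1, _ := ProposalRbindImpliesRecursive(m)
	r2, _ := ProposalRidmapOption(m)
	fmt.Printf("rbind-implies-recursive: attr=%#x flags=%#x\n", r1.AttrSet, r1.Flags)
	fmt.Printf("explicit-ridmap:         attr=%#x flags=%#x\n", r2.AttrSet, r2.Flags)
}
```

The difference that matters operationally is visible in the flags word: for the same `rbind` mount, proposal 1 yields `AT_RECURSIVE` and proposal 2 yields `0` unless the config also says `ridmap`, which is exactly the backwards-compatibility trade-off the comment describes.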