kata-containers/patches/0005-mount-Reduce-the-mount-points-with-namespace-isolati.patch

From 0fb8c1bd205397ee2efd070dc525a17e9a787857 Mon Sep 17 00:00:00 2001
From: Zhigang Wang <wangzhigang17@huawei.com>
Date: Mon, 1 Jan 2024 21:51:25 +0800
Subject: [PATCH 5/5] mount: Reduce the mount points with namespace isolation

This patch can reduce load on systemd process, and
increase the k8s deployment density when using go runtime.

Signed-off-by: Zhigang Wang <wangzhigang17@huawei.com>
Signed-off-by: Liu Wenyuan <liuwenyuan9@huawei.com>
---
 src/runtime/pkg/containerd-shim-v2/service.go | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/src/runtime/pkg/containerd-shim-v2/service.go b/src/runtime/pkg/containerd-shim-v2/service.go
index 26d4c21..7b06429 100644
--- a/src/runtime/pkg/containerd-shim-v2/service.go
+++ b/src/runtime/pkg/containerd-shim-v2/service.go
@@ -191,6 +191,27 @@ func newCommand(ctx context.Context, id, containerdBinary, containerdAddress str
 	return cmd, nil
 }
 
+func setupMntNs() error {
+	err := unix.Unshare(unix.CLONE_NEWNS)
+	if err != nil {
+		return err
+	}
+
+	err = unix.Mount("", "/", "", unix.MS_REC|unix.MS_SLAVE, "")
+	if err != nil {
+		err = fmt.Errorf("failed to mount with slave: %v", err)
+		return err
+	}
+
+	err = unix.Mount("", "/", "", unix.MS_REC|unix.MS_SHARED, "")
+	if err != nil {
+		err = fmt.Errorf("failed to mount with shared: %v", err)
+		return err
+	}
+
+	return nil
+}
+
 // StartShim is a binary call that starts a kata shimv2 service which will
 // implement the ShimV2 APIs such as create/start/update etc containers.
 func (s *service) StartShim(ctx context.Context, opts cdshim.StartOpts) (_ string, retErr error) {
@@ -255,6 +276,10 @@ func (s *service) StartShim(ctx context.Context, opts cdshim.StartOpts) (_ strin
 		}
 	}
 
+	if err := setupMntNs(); err != nil {
+		return "", err
+	}
+
 	if err := cmd.Start(); err != nil {
 		return "", err
 	}
-- 
2.34.1