Add an option to prevent putting the shim in a new mount namespace

This is needed for users on kernel older than 3.18 so they can avoid EBUSY
errors when trying to unlink, rename or remove a mountpoint that is present in
a shim namespace.

Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>

linux/runtime.go

@@ -77,6 +77,17 @@ type Config struct {
 	NoShim bool `toml:"no_shim"`
 	// Debug enable debug on the shim
 	ShimDebug bool `toml:"shim_debug"`
+	// ShimNoMountNS prevents the runtime from putting shims into their own mount namespace.
+	//
+	// Putting the shim in its own mount namespace ensure that any mounts made
+	// by it in order to get the task rootfs ready will be undone regardless
+	// on how the shim dies.
+	//
+	// NOTE: This should only be used in kernel older than 3.18 to avoid shims
+	// from causing a DoS in their parent namespace due to having a copy of
+	// mounts previously there which would prevent unlink, rename and remove
+	// operations on those mountpoints.
+	ShimNoMountNS bool `toml:"shim_no_newns"`
 }
 
 // New returns a configured runtime
@@ -180,7 +191,8 @@ func (r *Runtime) Create(ctx context.Context, id string, opts runtime.CreateOpts
 			}
 			cgroup = v.(*runcopts.CreateOptions).ShimCgroup
 		}
-		shimopt = ShimRemote(r.config.Shim, r.address, cgroup, r.config.ShimDebug, func() {
+		exitHandler := func() {
+			log.G(ctx).WithField("id", id).Info("shim reaped")
 			t, err := r.tasks.Get(ctx, id)
 			if err != nil {
 				// Task was never started or was already sucessfully deleted
@@ -209,7 +221,9 @@ func (r *Runtime) Create(ctx context.Context, id string, opts runtime.CreateOpts
 					"namespace": namespace,
 				}).Warn("failed to clen up after killed shim")
 			}
-		})
+		}
+		shimopt = ShimRemote(r.config.Shim, r.address, cgroup,
+			r.config.ShimNoMountNS, r.config.ShimDebug, exitHandler)
 	}
 
 	s, err := bundle.NewShimClient(ctx, namespace, shimopt, ropts)