From 3f4978b77bcd9baffcfdd861f2fea12d701fe5e9 Mon Sep 17 00:00:00 2001
From: Lantao Liu
Date: Wed, 30 Aug 2017 01:39:53 +0000
Subject: [PATCH] Use rbind and rprivate in bind mount.
Signed-off-by: Lantao Liu
---
 hack/test-e2e-node.sh | 10 +++++-----
 pkg/server/container_create.go | 6 ++++--
 pkg/server/container_create_test.go | 4 ++--
 3 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/hack/test-e2e-node.sh b/hack/test-e2e-node.sh
index d36c1dd96..d6a815b80 100755
--- a/hack/test-e2e-node.sh
+++ b/hack/test-e2e-node.sh
@@ -19,13 +19,9 @@ set -o pipefail
 source $(dirname "${BASH_SOURCE[0]}")/test-utils.sh
 DEFAULT_SKIP="\[Flaky\]|\[Slow\]|\[Serial\]"
-DEFAULT_SKIP+="|scheduling\sa\sGuaranteed\sPod"
-DEFAULT_SKIP+="|scheduling\sa\sBurstable\sPod"
-DEFAULT_SKIP+="|scheduling\sa\sBestEffort\sPod"
 DEFAULT_SKIP+="|querying\s\/stats\/summary"
 DEFAULT_SKIP+="|set\sto\sthe\smanifest\sdigest"
 DEFAULT_SKIP+="|AppArmor"
-DEFAULT_SKIP+="|Top\slevel\sQoS\scontainers"
 DEFAULT_SKIP+="|pull\sfrom\sprivate\sregistry\swith\ssecret"
 # FOCUS focuses the test to run.
@@ -54,6 +50,10 @@ git checkout ${KUBERNETES_VERSION}
 mkdir -p ${REPORT_DIR}
 start_cri_containerd ${REPORT_DIR}
-make test-e2e-node RUNTIME=remote CONTAINER_RUNTIME_ENDPOINT=unix:///var/run/cri-containerd.sock ARTIFACTS=${REPORT_DIR}
+make test-e2e-node \
+ RUNTIME=remote \
+ CONTAINER_RUNTIME_ENDPOINT=unix:///var/run/cri-containerd.sock \
+ ARTIFACTS=${REPORT_DIR} \
+ TEST_ARGS='--kubelet-flags=--cgroups-per-qos=true --kubelet-flags=--cgroup-root=/' # Enable the QOS tree.
 kill_cri_containerd
diff --git a/pkg/server/container_create.go b/pkg/server/container_create.go
index e98e8cdd9..f3a99bf93 100644
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@@ -438,9 +438,11 @@ func addOCIBindMounts(g *generate.Generator, mounts []*runtime.Mount) {
 for _, mount := range mounts {
 dst := mount.GetContainerPath()
 src := mount.GetHostPath()
- options := []string{"rw"}
+ options := []string{"rbind", "rprivate"}
 if mount.GetReadonly() {
- options = []string{"ro"}
+ options = append(options, "ro")
+ } else {
+ options = append(options, "rw")
 }
 // TODO(random-liu): [P1] Apply selinux label
 g.AddBindMount(src, dst, options)
diff --git a/pkg/server/container_create_test.go b/pkg/server/container_create_test.go
index 66c98d89e..67935a0ec 100644
--- a/pkg/server/container_create_test.go
+++ b/pkg/server/container_create_test.go
@@ -121,8 +121,8 @@ func getCreateContainerTestData() (*runtime.ContainerConfig, *runtime.PodSandbox
 checkMount(t, spec.Mounts, "cgroup", "/sys/fs/cgroup", "cgroup", []string{"ro"}, nil)
 t.Logf("Check bind mount")
- checkMount(t, spec.Mounts, "host-path-1", "container-path-1", "bind", []string{"rw"}, nil)
- checkMount(t, spec.Mounts, "host-path-2", "container-path-2", "bind", []string{"ro"}, nil)
+ checkMount(t, spec.Mounts, "host-path-1", "container-path-1", "bind", []string{"rbind", "rprivate", "rw"}, nil)
+ checkMount(t, spec.Mounts, "host-path-2", "container-path-2", "bind", []string{"rbind", "rprivate", "ro"}, nil)
 t.Logf("Check resource limits")
 assert.EqualValues(t, *spec.Linux.Resources.CPU.Period, 100)
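Review bot: In `addOCIBindMounts` (pkg/server/container_create.go), combining `rbind` with `ro` for `mount.GetReadonly()` deserves a comment, because a read-only flag on a recursive bind is, as far as I know, applied only to the top-level mount, so filesystems mounted beneath `src` on the host may stay writable inside the container. I would add above the options line `// rbind pulls in every submount under src; "ro" may cover only the top-level mount, so nested host mounts can remain writable.` and confirm the behaviour against the runtime in use. The hard-coded `rprivate` keeps mount events from crossing between host and container, and a short comment such as `// rprivate: no mount propagation in either direction (deliberate)` would keep a later change from loosening it unnoticed. The loop body is visible in the hunk, but the function's end lies outside it.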