From: Chen Linxuan On Ubuntu 24.04, I observed redundant mounts after adding a netns with the commands below: sudo ip netns add xxx cat /proc/self/mountinfo | grep /run Output: 29 31 0:26 / /run rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs ... ... 203 29 0:26 /netns /run/netns rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs ... 6443 203 0:4 net:[4026533578] /run/netns/xxx rw shared:917 - nsfs nsfs rw 6444 29 0:4 net:[4026533578] /run/netns/xxx rw shared:917 - nsfs nsfs rw There are two mounts (6443 and 6444) related to the "xxx" netns created above. This redundancy occurs because systemd changed the default system mount propagation to "shared" since commit b3ac5f8cb987 ("mount-setup: change system mount propagation to shared by default"). Consequently, mount propagation of `/run` is shared. Link: https://docs.kernel.org/filesystems/sharedsubtree.html Link: https://github.com/systemd/systemd/commit/b3ac5f8cb98757416d8660023d6564a7c411f0a0 When `ip netns` makes `/run/netns` a mount point, a new bind mount (203) is created and attached to the same peer group as mount 29. Since mount 29 and 203 are in the same peer group (shared:5), any mount under 203 propagates back to 29, resulting in the redundant mount 6444. To prevent this, `/run/netns` should be placed in a new peer group. This can be achieved by reconfiguring `/run/netns` to MS_PRIVATE first, and then to MS_SHARED again. With this patch applied, the redundant mount is no longer present, and `/run/netns` is in a new peer group (917): 29 31 0:26 / /run rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs ... ... 203 29 0:26 /netns /run/netns rw,nosuid,nodev,noexec,relatime shared:917 - tmpfs tmpfs ... 6443 203 0:4 net:[4026533578] /run/netns/xxx rw shared:918 - nsfs nsfs rw I also verified that mount propagation to containers remains functional. Signed-off-by: Chen Linxuan --- ip/ipnetns.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/ip/ipnetns.c b/ip/ipnetns.c index a20cd8bc7cb8..3a33a3adacee 100644 --- a/ip/ipnetns.c +++ b/ip/ipnetns.c @@ -846,6 +846,20 @@ static int netns_add(int argc, char **argv, bool create) } return -1; } + + /* Reconfigure NETNS_RUN_DIR to MS_PRIVATE recursively and later + * MS_SAHRED again to make sure it is placed in a new peer group + */ + if (mount(NETNS_RUN_DIR, NETNS_RUN_DIR, "none", MS_PRIVATE | MS_REC, NULL)) { + fprintf(stderr, "mount --make-private %s failed: %s\n", + NETNS_RUN_DIR, strerror(errno)); + if (lock != -1) { + flock(lock, LOCK_UN); + close(lock); + } + return -1; + } + made_netns_run_dir_mount = 1; } if (lock != -1) { --- base-commit: 72f679c0d07629fe9e462c2c52bbe48aaeaa7f83 change-id: 20260210-netns-redundant-mount-aa2db50eac7d Best regards, -- Chen Linxuan