fix(libcontainer) no_pivot args is not used

fix the problem that no_pivot args is not used when create container
when we prepare rootfs with chroot, we should move_mount the rootfs before chroot,
otherwise we will not able to use the new rootfs when exec into the container

crates/libcontainer/src/container/builder_impl.rs

@@ -49,6 +49,8 @@ pub(super) struct ContainerBuilderImpl {
     pub detached: bool,
     /// Default executes the specified execution of a generic command
     pub executor: Box<dyn Executor>,
+    /// If the container is to be run with no pivot
+    pub no_pivot: bool,
 }
 
 impl ContainerBuilderImpl {
@@ -154,6 +156,7 @@ impl ContainerBuilderImpl {
             cgroup_config,
             detached: self.detached,
             executor: self.executor.clone(),
+            no_pivot: self.no_pivot,
         };
 
         let (init_pid, need_to_clean_up_intel_rdt_dir) =

crates/libcontainer/src/container/init_builder.rs

@@ -20,6 +20,7 @@ pub struct InitContainerBuilder {
     bundle: PathBuf,
     use_systemd: bool,
     detached: bool,
+    no_pivot: bool,
 }
 
 impl InitContainerBuilder {
@@ -31,6 +32,7 @@ impl InitContainerBuilder {
             bundle,
             use_systemd: true,
             detached: true,
+            no_pivot: false,
         }
     }
 
@@ -45,6 +47,11 @@ impl InitContainerBuilder {
         self
     }
 
+    pub fn with_no_pivot(mut self, no_pivot: bool) -> Self {
+        self.no_pivot = no_pivot;
+        self
+    }
+
     /// Creates a new container
     pub fn build(self) -> Result<Container, LibcontainerError> {
         let spec = self.load_spec()?;
@@ -95,6 +102,7 @@ impl InitContainerBuilder {
             preserve_fds: self.base.preserve_fds,
             detached: self.detached,
             executor: self.base.executor,
+            no_pivot: self.no_pivot,
         };
 
         builder_impl.create()?;

crates/libcontainer/src/container/tenant_builder.rs

@@ -142,6 +142,7 @@ impl TenantContainerBuilder {
             preserve_fds: self.base.preserve_fds,
             detached: self.detached,
             executor: self.base.executor,
+            no_pivot: false,
         };
 
         let pid = builder_impl.create()?;

crates/libcontainer/src/process/args.rs

@@ -42,4 +42,6 @@ pub struct ContainerArgs {
     pub detached: bool,
     /// Manage the functions that actually run on the container
     pub executor: Box<dyn Executor>,
+    /// If the container is to be run with no pivot
+    pub no_pivot: bool,
 }

crates/libcontainer/src/process/container_init_process.rs

@@ -343,13 +343,21 @@ pub fn container_init_process(
         // we use pivot_root, but if we are on the host mount namespace, we will
         // use simple chroot. Scary things will happen if you try to pivot_root
         // in the host mount namespace...
-        if namespaces.get(LinuxNamespaceType::Mount)?.is_some() {
+        if namespaces.get(LinuxNamespaceType::Mount)?.is_some() && !args.no_pivot {
             // change the root of filesystem of the process to the rootfs
             syscall.pivot_rootfs(rootfs_path).map_err(|err| {
                 tracing::error!(?err, ?rootfs_path, "failed to pivot root");
                 InitProcessError::SyscallOther(err)
             })?;
         } else {
+            // Move the rootfs to the root of the host filesystem before chrooting
+            // This is equivalent to pivot_root
+            syscall
+                .mount(Some(rootfs_path), Path::new("/"), None, MsFlags::MS_MOVE, None)
+                .map_err(|err| {
+                    tracing::error!(?err, ?rootfs_path, "failed to move rootfs");
+                    InitProcessError::SyscallOther(err)
+                })?;
             syscall.chroot(rootfs_path).map_err(|err| {
                 tracing::error!(?err, ?rootfs_path, "failed to chroot");
                 InitProcessError::SyscallOther(err)

crates/youki/src/commands/run.rs

@@ -22,6 +22,7 @@ pub fn run(args: Run, root_path: PathBuf, systemd_cgroup: bool) -> Result<i32> {
         .as_init(&args.bundle)
         .with_systemd(systemd_cgroup)
         .with_detach(args.detach)
+        .with_no_pivot(args.no_pivot)
         .build()?;
 
     container