Demi Marie Obenour writes:

> On 12/11/25 07:41, Alyssa Ross wrote:
>> Demi Marie Obenour writes:
>>
>>> On 12/10/25 07:47, Alyssa Ross wrote:
>>>> The document portal has to be root to mount its fuse filesystem. This
>>>> needs to be a shared namespace because virtiofsd needs to be in the
>>>> same mount namespace as the document portal so that it sees the fuse
>>>> filesystem, so we create a per-VM persistent user namespace.
>>>>
>>>> Signed-off-by: Alyssa Ross
>>>
>>> (snip)
>>>
>>>> diff --git a/host/rootfs/image/usr/bin/run-appimage b/host/rootfs/image/usr/bin/run-appimage
>>>> index 47cab4c5..5e8e29fa 100755
>>>> --- a/host/rootfs/image/usr/bin/run-appimage
>>>> +++ b/host/rootfs/image/usr/bin/run-appimage
>>>> @@ -44,4 +44,6 @@ if { s6-instance-delete /run/service/vm-services $id }
>>>>
>>>> if { umount ${dir}/mount } # mount namespace
>>>> if { umount ${dir}/mount } # private bind mount
>>>> +if { umount ${dir}/user } # user namespace
>>>> +if { umount ${dir}/user } # private bind mount
>>>> rm -r $dir /run/configs/${id}
>>>> diff --git a/host/rootfs/image/usr/bin/run-flatpak b/host/rootfs/image/usr/bin/run-flatpak
>>>> index bb366735..86ccc12a 100755
>>>> --- a/host/rootfs/image/usr/bin/run-flatpak
>>>> +++ b/host/rootfs/image/usr/bin/run-flatpak
>>>> @@ -46,4 +46,6 @@ if { s6-instance-delete -- /run/service/vm-services $id }
>>>>
>>>> if { umount ${dir}/mount } # mount namespace
>>>> if { umount ${dir}/mount } # private bind mount
>>>> +if { umount ${dir}/user } # user namespace
>>>> +if { umount ${dir}/user } # private bind mount
>>>> rm -r $dir /run/configs/${id}
>>>
>>> Why is it necessary to unmount twice here?
>>
>> Because we mount twice, just like the comments say. It is a bit
>> counterintuitive though. Namespaces can only be mounted onto a
>> mountpoint that itself has private propagation. This is why we create a
>> private bind mount at the start of create-vm-dependencies before unshare
>> bind mounts the namespaces. You can also see this in an example in
>> unshare(1).
>>
>> Perhaps it would be better and clearer to have /run/vm/by-id/${VM}/ns as
>> a private mountpoint, with the nsfs files inside? That way, each of
>> them only needs to be unmounted once, and then the ns directory also has
>> to be unmounted once.
>
> I think it would be easier to understand.

Then you will like v2! https://spectrum-os.org/lists/archives/spectrum-devel/20251211162145.124509-10-hi@alyssa.is/
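Review bot: in the run-appimage hunk, the two added lines `+if { umount ${dir}/user } # user namespace` and `+if { umount ${dir}/user } # private bind mount` look like an accidental copy-paste duplicate; only the trailing comments say that the first removes the nsfs bind of the user namespace and the second removes the private bind mount underneath it, and a reader has to already know that a namespace can only be bound onto a mountpoint with private propagation to make sense of that. Add a short comment above the block stating that each namespace file is mounted twice (private bind mount first, then the namespace bound on top) and so must be unmounted twice, or adopt the single private `ns` mountpoint layout discussed in this thread so that each namespace file is unmounted once.

Review bot: the run-flatpak hunk is the same two `umount ${dir}/user` lines with the same comments as in run-appimage, so the two scripts now carry four identical teardown lines (two for `${dir}/mount`, two for `${dir}/user`) that have to be kept in step with whatever create-vm-dependencies mounts; the next namespace that is added will need the same pair copied into both files again. Consider moving the unmount sequence into a shared helper alongside create-vm-dependencies so that the mount and unmount order live in one place and the "mounted twice" explanation has a single home.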