Alyssa Ross writes:

> Demi Marie Obenour writes:
>
>> On 12/10/25 07:47, Alyssa Ross wrote:
>>> This will enable running D-Bus as a user that does not have access to
>>> VM directories.
>>>
>>> Signed-off-by: Alyssa Ross
>>> ---
>>>  host/rootfs/image/usr/bin/create-vm-dependencies          | 6 ++++--
>>>  .../services/org.freedesktop.portal.Documents.service     | 2 +-
>>>  2 files changed, 5 insertions(+), 3 deletions(-)
>>>
>>
>> (snip)
>>
>>> @@ -27,7 +27,9 @@ if {
>>>  # can be writable block-based bind mounted subdirectories.
>>>  if { mount --rbind -o nofail /run/vm/by-id/${1}/config/fs /run/vm/by-id/${1}/fs/config }
>>>  if { mount --rbind -o ro /run/vm/by-id/${1}/fs /run/vm/by-id/${1}/fs }
>>> - mount --rbind /run/vm/by-id/${1}/doc-run/doc /run/vm/by-id/${1}/fs/doc
>>> +
>>> + if { mount --make-shared --rbind /run/doc/${1} /run/doc/${1} }
>>> + mount --rbind /run/doc/${1}/doc /run/vm/by-id/${1}/fs/doc
>>>  }
>>
>> This could definitely use a lot more comments. For instance, why is
>> --make-shared needed? What about --rbind?
>>
>> I trust that you tested this code and it works, but it isn't obvious
>> *why* it works or why it must be written this way.
>>
>> It would be best to have a document explaining what all of the mount
>> points and namespaces are, why they are as they are, and what mount
>> propagation is involved.
>
> I think a separate document would quickly go out of date, but I'm happy
> to add some comments inline.

--rbind is perhaps worth discussing. I consider it best practice to
always use --rbind over --bind, because generally the idea with a bind
mount is to copy a whole hierarchy from one place to another. With
--bind you have to know the internal structure of that hierarchy and be
sure you only want the top-level mount; with --rbind you just think in
terms of the hierarchy.

There are also some situations where it's mandatory to use --rbind:
where a --bind would reveal hierarchies in the mountpoint that have been
hidden by extra bind mounts being placed over the top.

(I won't put this in a comment here because we use --rbind all over the
place, but it's something that would make sense to put into developer
guidelines once we have a documentation structure that accommodates such
a thing.)
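Review bot: The new `if { mount --make-shared --rbind /run/doc/${1} /run/doc/${1} }` line needs an inline comment stating what the self-bind plus shared propagation is for, since nothing in the hunk says why /run/doc/${1} must be shared before it is rbind-mounted into /run/vm/by-id/${1}/fs/doc; the obvious reading is that mounts made later under /run/doc/${1} are meant to propagate into the copy at fs/doc, and if that is the intent the comment should say so. Also check the scope of `--make-shared`: it changes the propagation type of the top mount only, whereas `--make-rshared` applies it to every mount in the rbind-copied tree, so if submounts under /run/doc/${1} are expected to propagate too, the flag should be `--make-rshared`; if only the top mount matters, a comment saying that would pre-empt the question. Finally, the removed line mounted from /run/vm/by-id/${1}/doc-run/doc and the new one mounts from /run/doc/${1}/doc; a one-line note on where /run/doc/${1} is now created would make the hunk self-explanatory.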
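The point made above about --bind revealing hierarchies that a later bind mount has hidden can be shown directly. The script below is an added illustration, not code from this thread or from the create-vm-dependencies script: it builds a small tree on a private tmpfs inside an unprivileged user and mount namespace (`unshare -Urm`, so nothing on the host changes and no root is needed), hides a subdirectory behind a bind mount, and then copies the tree once with --bind and once with --rbind. All directory and file names are constructed for the demonstration. On kernels where unprivileged user namespaces are disabled the function prints a SKIP line instead of a result.

```shell
#!/bin/sh
# Added example: contrast "mount --bind" with "mount --rbind" when the
# source tree already contains a bind mount that hides a subdirectory.
# Everything happens inside a throwaway user+mount namespace.

# Prints one line: "bind:<what --bind sees> rbind:<what --rbind sees>"
# or "SKIP: ..." when unprivileged user namespaces are not available.
demo_bind_vs_rbind() {
    unshare -Urm sh -s <<'EOF' || echo "SKIP: unprivileged user namespaces unavailable"
set -e
base=$(mktemp -d)                       # constructed scratch tree
mount -t tmpfs none "$base"             # private tmpfs, visible only here
mkdir "$base/src" "$base/src/sub" "$base/overlay" "$base/via-bind" "$base/via-rbind"

echo hidden  > "$base/src/sub/marker"   # underlying content of src/sub
echo visible > "$base/overlay/marker"   # content of the mount placed on top

# Hide src/sub behind a bind mount, the way an extra mount over a
# directory in a VM tree would hide whatever was there before.
mount --bind "$base/overlay" "$base/src/sub"

# Copy the hierarchy two ways.
mount --bind  "$base/src" "$base/via-bind"    # top-level mount only
mount --rbind "$base/src" "$base/via-rbind"   # mount plus all submounts

# --bind exposes the hidden underlying directory; --rbind keeps it hidden.
echo "bind:$(cat "$base/via-bind/sub/marker") rbind:$(cat "$base/via-rbind/sub/marker")"
EOF
}

demo_bind_vs_rbind
```

The --bind copy shows `hidden`, the contents that the overlaying mount was supposed to conceal, while the --rbind copy shows `visible`. In the script under review the hierarchy under /run/vm/by-id/${1}/fs is built from exactly such stacked bind mounts, which is why a plain --bind there would be a correctness problem and not just a style choice.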