File binding lost if DEST deleted and recreated

[garywill]

I want the app in container always see DEST same as my SRC

bwrap --dev-bind / /  --ro-bind   SRC DEST  in-container-app

Some programs outside container delete DEST and create a new one. Then the file binding loses effect. Also happends to --bind-data.

Is there a solution?

[smcv]

This is how Unix directories work. bwrap binds SRC into the container, but rm -fr SRC will delete all the files from SRC; the bind-mount points to the same directory object in the kernel, so this has the effect of deleting all those files from DEST inside the container. (SRC will disappear from its parent directory, but will not actually be removed from disk until the programs that can see DEST have all exited.) bwrap cannot avoid this.

There is no solution other than either copying SRC recursively and binding the copy, or implementing cooperative locking so that programs outside the container will not delete a SRC that is in use. Flatpak uses a lock file ${directory}/.ref for its apps and runtimes.

[charmander]

Some programs outside container delete DEST and create a new one.

If you can make them delete DEST’s contents and not DEST itself, that’s usually a good fix.