libcontainer: reuse tmpfs for directory masks

[dims]

Wondering if a problem that showed up recently in k8s when we added more masked paths can be handled better in runc itself? please see details below:

Kubernetes may add one sysfs thermal_throttle entry per CPU to maskedPaths. On large Intel systems this can produce many directory masks for a single container. runc currently handles each directory mask with a separate read-only tmpfs mount, and therefore a separate tmpfs superblock.

On Linux 4.18/RHEL 8 kernels, creating and tearing down many tmpfs superblocks can contend on the global shrinker_rwsem when containers start or stop concurrently.

Use one read-only tmpfs for directory masks and bind-mount it over the remaining directory targets. The first non-procfs-fd directory mount is reopened through the container root fd before it is reused. File masks still bind /dev/null, and procfs fd targets keep the existing one-tmpfs-per-target behavior because they are fd aliases rather than stable rootfs paths.

The bind mounts do not create additional tmpfs superblocks. They also retain the read-only mount flag inherited from the source vfsmount, so the masking semantics remain unchanged.

xref: kubernetes/kubernetes#138512
xref: kubernetes/kubernetes#138388
xref: kubernetes/kubernetes#131018

(With some assistance from claude/codex)

[dims]

cc @kolyshkin @AkihiroSuda

( i think the fedora ci break is a flake )

[thaJeztah]

( i think the fedora ci break is a flake )

Kicked CI; its green now

[kolyshkin]

A similar fix was done to crun a while back, and it makes sense (especially with more masked paths and containers).

(I wish a kernel had a special mount flag for in-container /proc and /sys but until we have it...)

[dims]

thanks @thaJeztah @kolyshkin !