Volume bind mounts into LXC containers inherited private propagation
from the host source path, which prevented mounts made inside a
container (e.g. NAS mounts via postinit.sh) from propagating back to
the host. Dependent services bind-mounting the same volume from the
host side would never see these internal mounts.

Self-bind each host volume directory and mark it rshared so that
container-internal mounts propagate back to the host path. Mark
dependency mounts as rslave so they receive propagated mounts but
cannot propagate mounts back to the source service.

Because rshared propagation means mounts can survive container
teardown, add defense-in-depth to uninstall cleanup: unmount any
remaining mounts under the package volume path, then refuse to
delete if any persist, preventing remove_dir_all from traversing
into a live NFS/NAS mount and destroying data.
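The propagation setup and the guarded cleanup described above, as an added shell example that is not the project's own code. Function names (share_volume, mount_dependency, mounts_under, cleanup_volume) and the sample paths are assumptions; it relies on Linux mount(8) and the mount-point column (field 5) of /proc/self/mountinfo.

```sh
#!/bin/sh
# Hypothetical helpers; $vol is a host volume directory, $dep a dependent
# service's bind target. Mount operations need root.

# Self-bind the host volume and mark it rshared so mounts made inside the
# container under this path propagate back to the host.
share_volume() {
    vol="$1"
    mountpoint -q "$vol" || mount --bind "$vol" "$vol"
    mount --make-rshared "$vol"
}

# Bind the volume into a dependent service as rslave: it receives propagated
# mounts but cannot propagate mounts back to the source service.
mount_dependency() {
    mount --rbind "$1" "$2"
    mount --make-rslave "$2"
}

# Print mount points at or under $1 found in a mountinfo listing ($2),
# deepest first (a descendant path sorts after its ancestor, so sort -r
# yields unmount order). mountinfo escapes spaces as \040, so no splitting.
mounts_under() {
    dir="$1"; info="$2"
    awk -v d="$dir" '$5 == d || index($5, d "/") == 1 { print $5 }' "$info" \
        | sort -r
}

# Uninstall cleanup: unmount whatever is still under the volume, then refuse
# to delete if any mount persists so a recursive delete never walks into a
# live NFS/NAS mount. Returns 1 when deletion was refused.
cleanup_volume() {
    vol="$1"
    for m in $(mounts_under "$vol" /proc/self/mountinfo); do
        umount "$m" 2>/dev/null || true
    done
    if [ -n "$(mounts_under "$vol" /proc/self/mountinfo)" ]; then
        echo "refusing to delete $vol: live mounts remain" >&2
        return 1
    fi
    rm -rf "$vol"
}
```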