Description

Docker/Moby does not accept rprivate propagation when the mount source contains the daemon root (/var/lib/docker) :

• Use rslave propagation for mounts from daemon root #36055

$ docker run -it --rm -v /:/mnt:rprivate alpine
docker: Error response from daemon: invalid mount config: must use either propagation mode "rslave" or "rshared" when mount source is within the daemon root, daemon root: "/var/lib/docker", bind mount source: "/", propagation: "rprivate".
See 'docker run --help'.

This can be an issue when Docker/Moby supports "recursively read-only" (RRO) mounts:

• Support recursively read-only (RRO) bind mounts (kernel >= 5.12) #44978

So I'd suggest introducing an mount option for forcibly enabling rprivate propagation

e.g.,

• docker run -v /:/mnt:rro,rprivate-force

Or

• docker run --mount type=bind,src=/,dst=/mnt,rro,bind-propagation=rprivate,bind-propagation-force=true