Support recursively read-only (RRO) bind mounts (kernel >= 5.12)

### Description

e.g., `docker run -v /mnt:/mnt:rro,rprivate` to make its submounts such as `/mnt/usbstorage` to be read-only.
The existing `ro` mounts should remain non-recursive, for compatibility sake.

The "rro" mount type has been supported by runc >= 1.1, on kernel >= 5.12.
- https://github.com/opencontainers/runc/pull/3272

The "rro" mount type has to be used in conjunction with `rprivate` propagation, in order to avoid accidentally having writable submounts. 

So, we should also have:
- https://github.com/moby/moby/issues/44977
(Not a hard dependency, as `-v /foo:/bar:rprivate` does not automatically fall back to `rslave` when the propagation is explicitly specified)

Related:
- https://github.com/containerd/nerdctl/pull/511
- https://github.com/kubernetes/enhancements/pull/3858

Fixes:
- https://github.com/docker/for-linux/issues/788

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support recursively read-only (RRO) bind mounts (kernel >= 5.12) #44978

Description

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Support recursively read-only (RRO) bind mounts (kernel >= 5.12) #44978

Description

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions