Support recursively read-only (RRO) bind mounts (kernel >= 5.12)

[AkihiroSuda]

Description

e.g., docker run -v /mnt:/mnt:rro,rprivate to make its submounts such as /mnt/usbstorage to be read-only.
The existing ro mounts should remain non-recursive, for compatibility sake.

The "rro" mount type has been supported by runc >= 1.1, on kernel >= 5.12.

• Support recursive mount attrs ("rro", "rnosuid", "rnodev", ...) opencontainers/runc#3272

The "rro" mount type has to be used in conjunction with rprivate propagation, in order to avoid accidentally having writable submounts.

So, we should also have:

• Add an option to forcibly enable rprivate propagation #44977
  (Not a hard dependency, as -v /foo:/bar:rprivate does not automatically fall back to rslave when the propagation is explicitly specified)

Related:

• Support recursive read-only (RRO) mounts: nerdctl run -v /foo:/bar:rro,rprivate containerd/nerdctl#511
• KEP-3857: Recursive Read-only (RRO) mounts kubernetes/enhancements#3858

Fixes:

• Subfolders of read-only volume are writeable docker/for-linux#788

[AkihiroSuda]

kubernetes/enhancements#3858 (comment)

Probably we should have if-possible form like:

• -v /mnt:/mnt:rro-if-possible,rprivate
• --mount type=bind,src=/mnt,dest=/mnt,ro,bind-recursivelyreadonly=if-possible,bind-propagation=rslave

[AkihiroSuda]

@thaJeztah PTAL 🙏

[AkihiroSuda]

PR:

• Support recursively read-only (RRO) mounts #45278