"root": { "readonly": true } not fully honoured

[olifre]

Running a rootless container and specifying a mounts section with a destination which does not yet exist in the rootfs, an mkdir of the missing bind mount point is performed.

Example for a read-only FS:

$ runc --root /tmp/runc run somefun
container_linux.go:262: starting container process caused "process_linux.go:339: container init caused \"rootfs_linux.go:57: mounting \\\"/var/tmp/olifre\\\" to rootfs \\\"/home/olifre/singularity/ubuntu_ro\\\" at \\\"/home/olifre/singularity/ubuntu_ro/beegfs\\\" caused \\\"mkdir /home/olifre/singularity/ubuntu_ro/beegfs: read-only file system\\\"\""

If the FS was not really read-only, a directory would be created (and never cleaned up).

[cyphar]

Note there would be an error in either case then (just the error would happen when runc noticed that the bind-mount is to a non-existent path). In addition, "readonly": true refers to the final setup of the container, not the context in which it was started.

But we have previously made changes to work better with containers started on a read-only root filesystem (such as #1125).