RFC: recursive read-only bind-mount emulation using FUSE

[AkihiroSuda]

docker run -v /:/host:ro (docker run --mount type=bind,src=/,dst=/host,ro) is not really read-only, because there is no way in the kernel to bind-mount a filesystem tree recursively as read-only.

So I suggest emulating "recursive read-only bind-mount" using FUSE.
CLI would be like docker run --mount type=bind,src=/,dst=/host,ro,bind-driver=fuse.

If we don't want to use FUSE, an alternative way is to bind the tree as rprivate and then bind each of submounts explicitly.
However, rprivate does not work for /, /var/lib, and /var/lib/docker/*: 589a0af
Also, it doesn't work for those who wants to use the shared propagation.

@justincormack @cpuguy83 @dmcgowan

[tianon]

This is something that could be implemented via a volume driver today, right?

[cpuguy83]

I would almost prefer to be able to disable recursive binds which would allow users to manually RO-bind each mountpoint.

[AkihiroSuda]

This is something that could be implemented via a volume driver today, right?

Yes: https://github.com/AkihiroSuda/securebind-docker
But I'm wondering it might makes sense to have this as a standard feature (in long-term)

I would almost prefer to be able to disable recursive binds which would allow users to manually RO-bind each mountpoint.

+1 to have bind-disable-recursive either way