Add an option to forcibly enable `rprivate` propagation

[AkihiroSuda]

Description

Docker/Moby does not accept rprivate propagation when the mount source contains the daemon root (/var/lib/docker) :

• Use rslave propagation for mounts from daemon root #36055

$ docker run -it --rm -v /:/mnt:rprivate alpine
docker: Error response from daemon: invalid mount config: must use either propagation mode "rslave" or "rshared" when mount source is within the daemon root, daemon root: "/var/lib/docker", bind mount source: "/", propagation: "rprivate".
See 'docker run --help'.

This can be an issue when Docker/Moby supports "recursively read-only" (RRO) mounts:

• Support recursively read-only (RRO) bind mounts (kernel >= 5.12) #44978

So I'd suggest introducing an mount option for forcibly enabling rprivate propagation

e.g.,

• docker run -v /:/mnt:rro,rprivate-force

Or

• docker run --mount type=bind,src=/,dst=/mnt,rro,bind-propagation=rprivate,bind-propagation-force=true

[danishprakash]

If I understand this, the idea is to ensure the mounts, especially in the case of rro are forced rprivate so that no mount propagation occurs? From https://github.com/moby/moby/pull/36055/files; wouldn't it be a problem at clean up now that sub-mounts are all private?

[AkihiroSuda]

sub-mounts are all private

I don't think this is true, especially for mounts created by non-Docker

[danishprakash]

This can be an issue when Docker/Moby supports "recursively read-only" (RRO) mounts

Do we want to have support for rro with rprivate in order to have read-only mount isolation, especially when the mount source contains the daemon root?

In either case, if we do end up forcing rprivate propagation on mounts within the daemon path, are we not running into the issue of having the container have references to the mount?

[AkihiroSuda]

In either case, if we do end up forcing rprivate propagation on mounts within the daemon path, are we not running into the issue of having the container have references to the mount?

We still have that issue, so enforcing should not be recommended

[danishprakash]

Ok, then I clearly didn't understand this issue, sorry about that. But we do want to allow users to specify rprivate-force with ro, not sure how that is helping the issue mentioned previously.