Support recursively read-only (RRO) mounts

[AkihiroSuda]

• Fixes Support recursively read-only (RRO) bind mounts (kernel >= 5.12) #44978
• Fixes Subfolders of read-only volume are writeable docker/for-linux#788
• Fixes Subdirectories of read-only bind mount are writeable (when they are rw mountpoints on the host system) #23499

- What I did

Added the support for recursively read-only (RRO) mounts.

docker run -v /foo:/foo:ro is now recursively read-only on kernel >= 5.12.
Automatically falls back to the legacy non-recursively read-only mount mode on kernel < 5.12.

Use ro-non-recursive to disable RRO.
Use ro-force-recursive or rro to explicitly enable RRO. (Fails on kernel < 5.12)
(EDIT: the CLI options are being changed in #46037 and docker/cli#4316 )

It is highly recommended to use RRO in conjunction with rprivate propagation.

- How I did it

By using OCI mount option "rro", which is implemented by calling mount_setattr(2) with AT_RECURSIVE and MOUNT_ATTR_RDONLY.

- How to verify it

Run docker run -v /mnt:/mnt:ro,rprivate on kernel >= 5.12, and make sure /mnt/recursive-mount-dir is read-only.

- Description for the changelog

Support recursively read-only (RRO) mounts

- A picture of a cute animal (not mandatory but encouraged)
🐧

[thaJeztah]

Is this something that should be provided by github.com/moby/sys/mount ? (either through a mount.MakeRecursiveReadOnly() or mount.Mount() accepting this as option?

[AkihiroSuda]

Not necessary IMHO, as the function just wraps a single MountSetattr call with the EINTR loop.

[thaJeztah]

Hm.. bit on the fence here how granular we want to be here (assuming users either know what their system supports, or to get an error that it's not supported).

We could still decide to fall back (and warn) on unsupported platforms, or be explicit and error. (pros/cons to both, I can imagine "error" could mean "works on my machine") OTOH; if you're targeting a specific environment, then perhaps that's the way to go.

[AkihiroSuda]

FYI: this tri-state granularity was proposed in kubernetes/enhancements#3858 (comment)

[thaJeztah]

I wish we could fully freeze (if we didn't not already) the shorthand syntax. To some extend, I can see rro being "reasonable", but (also see my other comment) a bit on the fence on also having rro-if-possible

[AkihiroSuda]

The --mount CSV form is too long for CLI users, and a huge portion of users still have to stick to older kernels, so I'd prefer to retain rro-if-possible as the "best effort" mode, but I can move it to a separate follow-up PR if you prefer.

[thaJeztah]

This is a tricky one; is this hit both when using the shorthand (-v <foo>:<bar>:<options>) and long-form (--mount type=....,opt=...,opt=....) formats?

Because at a glance this may actually result in the "reverse" of the current behaviour. Current APIs will return an error for this case;

docker run -it --rm -v (pwd):/docker:rro alpine
docker: Error response from daemon: invalid mode: rro.
See 'docker run --help'.

I guess this is different than other options, because "options" itself are supported, but not this specific one.

I also think we should either

• fully error (unsupported)
• or fallback to ro

Because we should not silently ignore to not mounting read-only if the user expects it to be read-only.

[AkihiroSuda]

Updated to return an error

[cpuguy83]

We discussed this on the maintainers call today (@thaJeztah @tianon @corhere @neersighted)
There was much debate on how to approach this.

I believe we landed on this (feel free to correct me if I got it wrong):

• Change ro to opportunistically try to do a recursive read-only mount (this would be the if-possible variant describe in the PR body). We expect that most, if not all, people are surprised by the current behavior.
• We could add warnings when recursive is not possible on docker info and/or on the container create/start endpoints (if ro was requested), but this may be needlessly noisy for cases that don't actually have nested mounts.
• Have rro require recursive and error out if not possible.
• We may need a daemon option to disable the opportunistic upgrade for ro.

This means users will automatically get the enhanced security where they can and those same specs will continue to work on older daemons or machines that don't support it.

[AkihiroSuda]

Change ro to opportunistically try to do a recursive read-only mount (this would be the if-possible variant describe in the PR body). We expect that most, if not all, people are surprised by the current behavior.

We can't do this. Kubernetes needs ro to retain the historical behavior: kubernetes/enhancements#3858 (comment)

[AkihiroSuda]

Other usecases of the historical ro:

• Mount /src as RO, while leaving /src/_output writable
• Mount /lecture_materials as RO, while leaving /lecture_materials/student_assignment_submission writable

[thaJeztah]

Wouldn't that case still be supported if the nested mounts are defined as separate mounts?

[AkihiroSuda]

Wouldn't that case still be supported if the nested mounts are defined as separate mounts?

Yes, but it's a breaking change.

[thaJeztah]

separate mount as in;

- v /src:ro -v /src/_output:rw

[thaJeztah]

I expect 99% of those situations to be unintentional (and unexpected; the user asked for the mount to be read only, but another mount ended up in there, and now it's not).

We could consider an advanced (for the --mount extended format) option that explicitly opts-out of recursive.

[AkihiroSuda]

I expect 99% of those situations to be unintentional

Yes, but Kubernetes will retain the classic behavior to follow their compatibility policy.

Can we just deprecate ro, and recommend people to switch to rro?

A blocker is that AT_RECURSIVE needs kernel >= 5.12, but I think we can fallback to compose classic read-only mounts to emulate AT_RECURSIVE on an older kernel.
(cc @kolyshkin @cyphar ; Is this safe?)

[corhere]

Opportunistic upgrade could be disabled per bind rather than as a daemon option. Then cri-dockerd would be able to map the Kubernetes flags to their semantic equivalents in the engine API.

K8s	Engine
ro	ro,ro-nonrecursive
rro	rro
rro-if-possible	ro

[tianon]

When we have ro or readonly in our CSV-style usage, it's technically shorthand for readonly=true -- could we abuse that in a similar way to what util-linux ended up doing to implement something like readonly=nonrecursive? Does our CSV-style flag parsing support that already? (true/false flags that don't require a value but can have an optional string value?)

One thing we discussed about emulating recursive read-only is that mount propagation makes it complex to do safely (for example, if you have a shared mount it'd have to be converted to private and then monitored and sync'd unless we do something clever with fuse which has its own drawbacks).

[AkihiroSuda]

Updated PR.
RO mounts are now RRO by default on kernel >= 5.12.

[AkihiroSuda]

rebased

[thaJeztah]

"LGTM" - discussed with @corhere and others during the maintainers call, and all concerns should be addressed, so let's get this in.

[thaJeztah]

Looks like github sees a conflict, but doesn't show "what" 🤔

If someone can do a quick rebase, then we can get this one in ❤️

[AkihiroSuda]

Rebased

[thaJeztah]

Thanks!

[AkihiroSuda]

SwarmKit PR:

• api: sync BindOptions with moby/moby@8d67d0c1a8d2 (v25.0.0-dev) swarmkit#3134

CLI (and docs) PR:

• mount: add bind-recursive=<bool|string> and deprecate bind-nonrecursive=<bool> docker/cli#4316

[thaJeztah]

• For future reference; we reverted the new options for the short-hand form, and only keep the advanced options for the advanced (--mount) syntax; see volume: remove the short RRO forms in favor of the long forms #46037