c8d: Use reference counting while mounting a snapshot

[rumpl]

• fixes c8d: implement --read-only with containerd-integration enabled #46074

- What I did

Some snapshotters (like overlayfs or zfs) can't mount the same directories twice. For example if the same directroy is used as an upper directory in two mounts the kernel will output this warning:

overlayfs: upperdir is in-use as upperdir/workdir of another mount, accessing files from both mounts will result in undefined behavior.

And indeed accessing the files from both mounts will result in an "No such file or directory" error.

This change introduces reference counts for the mounts, if a directory is already mounted the mount interface will only increment the mount counter and return the mount target effectively making sure that the filesystem doesn't end up in an undefined behavior.

This PR replaces #45383

- How I did it

Created a refCountMounter that makes sure things aren't mounted twice.

- How to verify it

You can use this script:

set -ex

pp () {
  read -s -k '?Press any key to continue.'
}

ID=$(docker run --name cp-test -d nginx)

docker exec $ID mount | wc -l

cat > test <<EOF
Hello cpa
EOF

docker cp test $ID:/test

docker exec $ID touch /etc/default/test-file

docker exec $ID touch /etc/default/test-file1

docker exec $ID mount | wc -l

docker stop $ID

# pp

docker cp test $ID:/test2
docker cp test $ID:/test2
docker cp test $ID:/test2
docker cp test $ID:/test2
docker cp test $ID:/test2
docker cp test $ID:/test2

docker rm cp-test

Note: Using this script you will see the kernel warning you that upperdir or workdir is already in-use by another mount. This is because unmounting happens async (MNT_DETACH is used, more info here), this happens during the last block of docker cp commands. This happens because cp does two calls:

• First call: HEAD /v1.43/containers/<containerID>/archive?path=<patHh
• Second call: PUT /v1.43/containers/<containerID>/archive?noOverwriteDirNonDir=true&path=<path>

The daemon calls Mount/Unmount for both of these calls, between the first Unmount and the second Mount the kernel didn't have the time to finish unmounting.

In this case this warning can be safely ignored. The same warning can be seen with graph drivers when running the script above.

- Description for the changelog

Fixed `docker cp` with the containerd integration

- A picture of a cute animal (not mandatory but encouraged)

[cpuguy83]

https://pkg.go.dev/golang.org/x/exp/slices#Contains

[rumpl]

We do have 5 implementations of this same function in the code, I could switch all of them with slices.Contains if we don't mind a new dependency

[tianon]

The benefit of this particular dep is that it's core stdlib in 1.20+ 👀

https://pkg.go.dev/slices#Contains

[vvoland]

Feels a bit weird to make daemon/snapshotter depend on the daemon/graphdriver.
How cumbersome would it be to extract the common bits out of the daemon/graphdriver?

[rumpl]

Yeah I wanted to keep this PR small-ish, I can add a commit to move it or in a followup