api/pre-1.44: Default ReadOnlyNonRecursive to true

[vvoland]

• closes: Disable upgrading RO mounts to RRO when a client speaks API older than v1.44 (Docker v25) #47355

Don't change the behavior for older clients and keep the same behavior.

- How to verify it
TestContainerBindMountReadOnlyDefault

- Description for the changelog

- To preserve backwards compatibility, read-only mounts are not recursive by default when using older clients (API version < v1.44).

- A picture of a cute animal (not mandatory but encouraged)

[vvoland]

Note: This is needed, because m.BindOptions = ... would only overwrite the BindOptions in the m variable which is a local copy of the original mount and not a reference to the Mount in hostConfig.Mounts.

[vvoland]

Failure related, test needs adjustment:

=== Failed
=== FAIL: amd64.integration-cli TestDockerCLIRunSuite/TestRunMount (0.08s)
    docker_cli_run_test.go:4396: assertion failed: err is not nil: got error while creating a container with [--mount type=bind,src=/tmp/mount1181042325/mnt1,dst=/foo --mount type=bind,src=/tmp/mount1181042325/mnt2,dst=/bar] (mount-0-0)
    --- FAIL: TestDockerCLIRunSuite/TestRunMount (0.08s)

EDIT: Oh, actually it's not the test, ReadOnlyNonRecursive was set true also for non-readonly mounts which made it error out. Changed the default to only apply for m.ReadOnly mounts.

[AkihiroSuda]

Thanks

[vvoland]

Looks like some failures are related:

      Command:  /usr/local/cli-integration/docker run -d -v /vol1 -v /tmp/test-put-container-archive-err-symlink-in-volume-to-read-only-rootfs-1579682919:/vol2 -v /tmp/test-put-container-archive-err-symlink-in-volume-to-read-only-rootfs-1579682919/vol3:/vol3 -v /tmp/test-put-container-archive-err-symlink-in-volume-to-read-only-rootfs-1579682919/vol_ro:/vol_ro:ro --read-only busybox /bin/sh -c #(nop)
        ExitCode: 125
        Error:    exit status 125
        Stdout:   
        Stderr:   /usr/local/cli-integration/docker: Error response from daemon: invalid mount config for type "bind": bind source path does not exist: /tmp/test-put-container-archive-err-symlink-in-volume-to-read-only-rootfs-1579682919/vol_ro.
        See '/usr/local/cli-integration/docker run --help'.

Parsing added by this PR doesn't return-early in case of error, so not sure yet why that happens..

[thaJeztah]

Shouldn't this clear the Binds field after they've been migrated?

Also wondering if this migration should always happen, so also on current API versions 🤔

[vvoland]

This doesn't migrate all Binds (yet), only the read-only ones to reduce potential blast area.

Was planning to make a separate PR that would also deprecate the Binds field and transform all of them to Mounts.

[vvoland]

This looks green now, failures are unrelated and are caused by Docker Hub search API being down.

[cpuguy83]

I think we need a to check if rro is supported on the kernel for the test to function properly.

Alternatively, we could just check the registered mountpoints in the API to see if the option is set as expected.

[cpuguy83]

Also sorry, one more check, test should be skipped if api version is < 1.44.

[vvoland]

Why? It also tests that the behavior doesn't change when <1.44 API is requested.

[cpuguy83]

So yes technically the 1.43 test should pass on an older daemon.
But the 1.44 test would fail since it is not a supported version.

[vvoland]

1.44 test will be skipped: 0f8270b#diff-0ac47068153ec59b77b2044bd459fb6395f028e6e112dc03645f7ba72f324bf2R456

But yeah the version: "" would fail, updated it to also be skipped.

Also, added the test for api.MinSupportedAPIVersion client version.

[thaJeztah]

LGTM, thanks!