--mount ...,rw=false is silently ignored (mount stays writable) #4991

@mayur-tolexo

Description

nerdctl run --mount accepts boolean values for the rw/ro/readonly/rro options (e.g. readonly=true). But rw=false (and rro=false) is silently ignored — the mount remains writable instead of being treated as read-only.

Steps to reproduce

$ mkdir -p /tmp/bindsrc
$ nerdctl run --rm --mount type=bind,source=/tmp/bindsrc,target=/mnt,rw=false alpine touch /mnt/x
$ ls /tmp/bindsrc
x      # the write succeeded -> rw=false had no effect

Control (works as expected):

$ nerdctl run --rm --mount type=bind,source=/tmp/bindsrc,target=/mnt,readonly alpine touch /mnt/x
touch: /mnt/x: Read-only file system

Expected

rw=false means "not read-write", so the mount should be read-only and the write should fail (same as readonly/ro).

Actual

The write succeeds; rw=false is a no-op.

Root cause

In pkg/mountutil/mountutil_linux.go, ProcessFlagMount only records the option when the parsed value is true:

case "readonly", "ro", "rw", "rro":
    trueValue, _ := strconv.ParseBool(value)
    if trueValue {
        rwOption = key
    }

So rw=false leaves rwOption empty (the writable default). It should map rw=false / rro=false to read-only (e.g. ro).

Affected

--mount type=bind and type=volume.

(Spotted during review of #4990; type=image is unaffected — it validates the read-only/writable intent separately.)

Environment

nerdctl: main; containerd 1.7; Linux.
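
The check quoted under "Root cause" next to the mapping the issue proposes, as an added example: it is not nerdctl's code and not written by the issue author. `resolveRW` and its `fixed` switch are hypothetical names, and treating a bare key as true, rejecting unparsable values, and mapping `readonly=false`/`ro=false` to writable are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// resolveRW is a hypothetical helper, not nerdctl's API. It returns the access
// option a --mount spec resolves to; "" means the writable default.
// fixed=false mirrors the check quoted in the issue, fixed=true applies the
// mapping the issue proposes.
func resolveRW(spec string, fixed bool) (string, error) {
	rwOption := ""
	for _, field := range strings.Split(spec, ",") {
		key, value, hasValue := strings.Cut(field, "=")
		switch key {
		case "readonly", "ro", "rw", "rro":
			if !hasValue {
				value = "true" // assumption: a bare key such as "readonly" means true
			}
			isTrue, err := strconv.ParseBool(value)
			if !fixed {
				if isTrue { // false values and parse errors are dropped
					rwOption = key
				}
				continue
			}
			if err != nil {
				return "", fmt.Errorf("invalid boolean %q for %q: %w", value, key, err)
			}
			switch {
			case isTrue:
				rwOption = key
			case key == "rw" || key == "rro":
				rwOption = "ro" // rw=false / rro=false: read-only, per the issue
			default:
				rwOption = "rw" // readonly=false / ro=false: writable (assumption)
			}
		}
	}
	return rwOption, nil
}

func main() {
	spec := "type=bind,source=/tmp/bindsrc,target=/mnt,rw=false" // from the issue
	before, _ := resolveRW(spec, false)
	after, err := resolveRW(spec, true)
	fmt.Printf("quoted logic: %q, proposed mapping: %q (err=%v)\n", before, after, err)
}
```
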

Labels: bug, documentation
