Description
nerdctl run --mount accepts boolean values for the rw/ro/readonly/rro options (e.g. readonly=true). But rw=false (and rro=false) is silently ignored — the mount remains writable instead of being treated as read-only.
Steps to reproduce
$ mkdir -p /tmp/bindsrc
$ nerdctl run --rm --mount type=bind,source=/tmp/bindsrc,target=/mnt,rw=false alpine touch /mnt/x
$ ls /tmp/bindsrc
x # the write succeeded -> rw=false had no effect
Control (works as expected):
$ nerdctl run --rm --mount type=bind,source=/tmp/bindsrc,target=/mnt,readonly alpine touch /mnt/x
touch: /mnt/x: Read-only file system
Expected
rw=false means "not read-write", so the mount should be read-only and the write should fail (same as readonly/ro).
Actual
The write succeeds; rw=false is a no-op.
Root cause
In pkg/mountutil/mountutil_linux.go, ProcessFlagMount only records the option when the parsed value is true:
    case "readonly", "ro", "rw", "rro":
        trueValue, _ := strconv.ParseBool(value)
        if trueValue {
            rwOption = key
        }
So rw=false leaves rwOption empty (the writable default). It should map rw=false / rro=false to read-only (e.g. ro). Note that the snippet also discards the strconv.ParseBool error, so a non-boolean value such as ro=maybe parses as false and is dropped the same way, leaving the mount writable.
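The following is an added example, not nerdctl's code: a hypothetical resolveRWOption that models the switch above for one --mount spec string, with the reported behaviour (fixed=false) next to the proposed mapping (fixed=true). The helper names, the readonly/ro normalisation, the rejection of conflicting keys and the treatment of rro=false as ro (the mapping the issue proposes) are all assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// resolveRWOption reduces the rw/ro/readonly/rro keys of one --mount spec
// (the comma-separated key=value string passed to `nerdctl run --mount`) to
// the effective option: "" for the writable default, "ro" for read-only and
// "rro" for recursive read-only. Hypothetical stand-in for the switch in
// ProcessFlagMount, not nerdctl's own code. fixed=false reproduces the
// reported behaviour (only true values are recorded); fixed=true maps a
// false value to its opposite, so rw=false and rro=false yield "ro" as the
// issue proposes, and ro=false / readonly=false yield the writable default.
func resolveRWOption(spec string, fixed bool) (string, error) {
	rwOption := ""
	seen := false
	for _, field := range strings.Split(spec, ",") {
		if field == "" {
			continue
		}
		key, value, hasValue := strings.Cut(field, "=")
		if !hasValue {
			value = "true" // a bare "readonly" means readonly=true
		}
		switch key {
		case "readonly", "ro", "rw", "rro":
		default:
			continue // type=, source=, target=, ... are not our concern here
		}
		if key == "readonly" {
			key = "ro" // synonym
		}
		trueValue, err := strconv.ParseBool(value)
		if err != nil {
			// Unlike the snippet above, a non-boolean value is rejected
			// instead of being silently treated as false.
			return "", fmt.Errorf("invalid boolean %q for option %s", value, key)
		}
		var resolved string
		switch {
		case !fixed && !trueValue:
			continue // reported bug: rw=false / rro=false / ro=false are dropped
		case !fixed:
			resolved = key
		case key == "rw":
			resolved = map[bool]string{true: "", false: "ro"}[trueValue]
		case key == "rro":
			resolved = map[bool]string{true: "rro", false: "ro"}[trueValue]
		default: // ro / readonly
			resolved = map[bool]string{true: "ro", false: ""}[trueValue]
		}
		// Assumption: two rw-class keys that disagree are rejected rather
		// than letting the last one silently win.
		if seen && resolved != rwOption {
			return "", fmt.Errorf("conflicting read-only/read-write options in %q", spec)
		}
		rwOption, seen = resolved, true
	}
	return rwOption, nil
}

// isReadOnly reports whether the resolved option makes the mount read-only.
func isReadOnly(rwOption string) bool {
	return rwOption == "ro" || rwOption == "rro"
}

func main() {
	// Constructed specs, including the one from the reproduction above.
	specs := []string{
		"type=bind,source=/tmp/bindsrc,target=/mnt,rw=false",
		"type=bind,source=/tmp/bindsrc,target=/mnt,readonly",
		"type=volume,source=data,target=/data,rro=false",
		"type=bind,source=/tmp/bindsrc,target=/mnt,ro=false",
	}
	for _, spec := range specs {
		buggy, _ := resolveRWOption(spec, false)
		fixed, err := resolveRWOption(spec, true)
		fmt.Printf("%-55s buggy=%-4q readonly=%-5t fixed=%-4q readonly=%t err=%v\n",
			spec, buggy, isReadOnly(buggy), fixed, isReadOnly(fixed), err)
	}
}
```

Run as-is to see the reproduction spec resolve to "" (writable) on the buggy path and to "ro" on the fixed path; the other rows show the bare readonly control and the ro=false / rro=false edge cases.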
Affected
--mount type=bind and type=volume.
(Spotted during review of #4990; type=image is unaffected — it validates the read-only/writable intent separately.)
Environment
nerdctl: main; containerd 1.7; Linux.