For docker executor, add isolation for shared build and cache directories

Description

Currently, if host-mounted directories are used for the build dir, each job can directly read (even write) the content/cache of other projects, bypassing all permissions and visibility.

Proposal

Provide tokens in the docker volume list. These tokens, such as %p, will be replaced by the runner with the project short name before starting the build containers. Then the runner admin can share the build dir via

/build/%r/%i/%p:/build:rw

Then the real volume is

/build/runner-short-id/concurrent-id/group-name/project-name/:/build:rw

This will isolate the build dir for each project, and reuse the previously pulled source.

Edited by James Z.M. Gao
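A sketch of the token expansion proposed above, added here as an example and not taken from the runner's code base. The function names are hypothetical, and the meanings of %r, %i and %p (runner short id, concurrent id, group/project path) are assumed from the expanded volume shown in the issue. Each substituted value is validated so that a project path cannot move the mount outside its own directory.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// safeSegment matches one path segment that is safe to place in a host path.
// It must start with a letter or digit, so "", "." and ".." never match.
var safeSegment = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_.-]*$`)

// checkPath rejects empty, absolute, traversing or otherwise unsafe values.
func checkPath(value string) error {
	for _, seg := range strings.Split(value, "/") {
		if !safeSegment.MatchString(seg) {
			return fmt.Errorf("unsafe path segment %q in %q", seg, value)
		}
	}
	return nil
}

// ExpandVolume substitutes %r, %i and %p in the host side of a volume spec.
// Token meanings are an assumption based on the example in the issue.
func ExpandVolume(spec, runnerShortID, concurrentID, projectPath string) (string, error) {
	host, rest, found := strings.Cut(spec, ":")
	if !found {
		return "", fmt.Errorf("volume spec %q has no container path", spec)
	}
	tokens := []struct{ name, value string }{
		{"%r", runnerShortID}, {"%i", concurrentID}, {"%p", projectPath},
	}
	for _, t := range tokens {
		if !strings.Contains(host, t.name) {
			continue
		}
		if err := checkPath(t.value); err != nil {
			return "", err
		}
		host = strings.ReplaceAll(host, t.name, t.value)
	}
	return host + ":" + rest, nil
}

func main() {
	// Constructed sample values, not taken from a real runner.
	out, err := ExpandVolume("/build/%r/%i/%p:/build:rw", "a1b2c3d4", "0", "group-name/project-name")
	fmt.Println(out, err)
}
```

Only the host side of the spec is expanded; the container path and mode after the first colon are passed through unchanged.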