Support changed semantics of recursive mounts in Docker Engine v25

Description

The semantics of read-only bind mounts has changed in Docker Engine v25 and therefore volumens = ["/dev:/dev:ro"] no longer works as expected.

Proposal

To restore the old behavior the volume needs to be mounted with the --mount flag and some additional options

docker run --mount type=bind,src=/dev,dst=/dev,readonly,bind-recursive=writable

instead of the short form docker run -v /dev:/dev:ro. However, the long form --mount is not accessible in the GitLab Runner configuration and therefore I'm asking to please add support for this.

Links to related issues and merge requests / references

https://github.com/moby/moby/issues/47158
https://docs.docker.com/engine/release-notes/25.0/#2500
https://docs.docker.com/storage/bind-mounts/#recursive-mounts

Edited Mar 06, 2024 by Henri Menke