
Allow setting of Docker volume label mode independent of read/write mode

Stan Hu requested to merge sh-fix-linux-label-option into main

What does this MR do?

Previously attempting to mount a volume with ro,z or rw,z would fail because the Linux mount parser only allowed one option. It is sometimes necessary to use both the ro and z flags at once when mounting a volume in a container, such as when the host has SELinux policies.

Why was this MR needed?

SELinux users attempting to set ro,z for volumes would see "invalid volume specification".

What's the best way to test this MR?

Using CentOS with SELinux enabled, add a read-only volume for SSL certs:

  [runners.docker]
    volumes = ["/cache", "/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/gitlab-runner/certs/ca.crt:ro,z"]

Then launch a new job. This time the job launched successfully, but I saw some warnings due to ca-bundle.trust.crt containing more than one cert.

I also added a sleep 300 to the CI job so I could docker inspect the container:

        "HostConfig": {
            "Binds": [
                "runner-5voej9gz-project-14-concurrent-0-cache-3c3f060a0374fc8bc39395164f415a70:/cache",
                "/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/gitlab-runner/certs/ca.crt:ro,z",
                "runner-5voej9gz-project-14-concurrent-0-cache-c33bcaa1fd2c77edfc3893b41966cea8:/builds"
            ],

What are the relevant issue numbers?

Relates to #29247 (closed)

Edited by Stan Hu
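As an added example, not gitlab-runner's own parser or Docker's, here is the option handling this MR describes, in Go: a legacy parser that accepts only a single option (so "ro,z" fails with "invalid volume specification"), beside one that splits the option field on commas and validates the ro/rw access mode and the z/Z SELinux label independently. The type and function names (VolumeSpec, ParseVolume) and the restriction to those four options are assumptions of this example; Docker accepts other mount options that are not modelled here.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// VolumeSpec is the parsed form of one [runners.docker] "volumes" entry
// such as "/host/file:/container/file:ro,z". Illustrative type, not a
// gitlab-runner or Docker API.
type VolumeSpec struct {
	Source      string // host path or named volume; empty for an anonymous volume
	Destination string // mount point inside the container
	ReadOnly    bool   // "ro" sets this; "rw" (the default) leaves it false
	Label       string // "", "z" (shared SELinux relabel) or "Z" (private relabel)
}

var ErrInvalidVolumeSpec = errors.New("invalid volume specification")

// parseOptionsLegacy models the behaviour the MR fixes: the whole option
// field must be exactly one known keyword, so "ro,z" is rejected outright.
func parseOptionsLegacy(opts string, v *VolumeSpec) error {
	switch opts {
	case "ro":
		v.ReadOnly = true
	case "rw":
		v.ReadOnly = false
	case "z", "Z":
		v.Label = opts
	default:
		return fmt.Errorf("%w: unknown option %q", ErrInvalidVolumeSpec, opts)
	}
	return nil
}

// parseOptions splits the option field on commas and validates the access
// mode and the SELinux label as independent categories, so "ro,z" and
// "rw,Z" both parse. A second option from the same category ("ro,rw",
// "z,Z") is a conflict and is rejected, as is any unknown keyword.
func parseOptions(opts string, v *VolumeSpec) error {
	modeSet, labelSet := false, false
	for _, o := range strings.Split(opts, ",") {
		switch o {
		case "ro", "rw":
			if modeSet {
				return fmt.Errorf("%w: mode given more than once in %q", ErrInvalidVolumeSpec, opts)
			}
			modeSet = true
			v.ReadOnly = o == "ro"
		case "z", "Z":
			if labelSet {
				return fmt.Errorf("%w: label given more than once in %q", ErrInvalidVolumeSpec, opts)
			}
			labelSet = true
			v.Label = o
		default:
			return fmt.Errorf("%w: unknown option %q", ErrInvalidVolumeSpec, o)
		}
	}
	return nil
}

// ParseVolume parses "dest", "src:dest" or "src:dest:opts". With legacy set
// the single-option parser is used; otherwise the comma-aware one.
func ParseVolume(spec string, legacy bool) (VolumeSpec, error) {
	var v VolumeSpec
	parts := strings.Split(spec, ":")
	switch len(parts) {
	case 1:
		v.Destination = parts[0]
	case 2:
		v.Source, v.Destination = parts[0], parts[1]
	case 3:
		v.Source, v.Destination = parts[0], parts[1]
		parse := parseOptions
		if legacy {
			parse = parseOptionsLegacy
		}
		if err := parse(parts[2], &v); err != nil {
			return VolumeSpec{}, err
		}
	default:
		return VolumeSpec{}, fmt.Errorf("%w: %q", ErrInvalidVolumeSpec, spec)
	}
	if !strings.HasPrefix(v.Destination, "/") {
		return VolumeSpec{}, fmt.Errorf("%w: destination must be an absolute path in %q", ErrInvalidVolumeSpec, spec)
	}
	return v, nil
}

func main() {
	// Constructed input: the volume string from the MR's test section.
	const spec = "/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/gitlab-runner/certs/ca.crt:ro,z"
	if _, err := ParseVolume(spec, true); err != nil {
		fmt.Println("legacy parser:", err)
	}
	v, err := ParseVolume(spec, false)
	fmt.Printf("new parser: %+v err=%v\n", v, err)
}
```

One caveat worth keeping in mind when adopting the ro,z form from the test section: the z and Z options make Docker relabel the host path itself, so applying them to files under system directories such as /etc changes the SELinux context of the host's copy, not just the container's view of it. Using a dedicated directory for files mounted into jobs avoids relabelling shared system files.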
