[Request]: support running containers --read-only and mounting volumes/bind mounts readonly

[Domini]

Feature or enhancement request details

Allowing running containers and mounts read-only provides vast security improvements by severely limiting which paths are available for writing.

https://docs.docker.com/reference/cli/docker/container/run/#read-only | https://docs.podman.io/en/latest/markdown/podman-run.1.html#read-only
https://docs.docker.com/engine/storage/volumes/#use-a-read-only-volume + https://docs.docker.com/engine/storage/bind-mounts/#use-a-read-only-bind-mount | https://docs.podman.io/en/latest/markdown/podman-run.1.html#mount-type-type-type-specific-option

When implementing, support ro shortcut for readonly mounts for compatibility, please.

Code of Conduct

• I agree to follow this project's Code of Conduct

[dcantah]

This is one piece of the puzzle apple/containerization#461

[dcantah]

@Domini we do support read only for mounts already, it's only the rootfs that has an issue it seems:

➜  container git:(ctr-readonly) ✗ ./bin/container run --rm --mount type=bind,source="$(pwd)",target=/app,readonly ubuntu:latest touch app/hi
Warning! Running debug build. Performance may be degraded.
touch: cannot touch 'app/hi': Read-only file system

➜  container git:(ctr-readonly) ✗ ./bin/container run --rm --mount type=bind,source="$(pwd)",target=/app,ro ubuntu:latest touch app/hi
Warning! Running debug build. Performance may be degraded.
touch: cannot touch 'app/hi': Read-only file system

➜  container git:(ctr-readonly) ✗ ./bin/container run --rm --mount type=bind,source="$(pwd)",target=/app ubuntu:latest touch app/hi
Warning! Running debug build. Performance may be degraded.

[Domini]

@dcantah, indeed, sorry about that.

Read-only volumes (type=volume,source=test,target=/test,readonly) are also supported.

Only read-only rootfs left.