5th chunk of `content/manuals/engine/storage/bind-mounts.md`
also included in the bind mount by default. This behavior is configurable,
using the `bind-recursive` option for `--mount`. This option is only supported
with the `--mount` flag, not with `-v` or `--volume`.

If the bind mount is read-only, the Docker Engine makes a best-effort attempt
at making the submounts read-only as well. This is referred to as recursive
read-only mounts. Recursive read-only mounts require Linux kernel version 5.12
or later. If you're running an older kernel version, submounts are
automatically mounted as read-write by default. Attempting to set submounts to
be read-only on a kernel version earlier than 5.12, using the
`bind-recursive=readonly` option, results in an error.

Supported values for the `bind-recursive` option are:

| Value               | Description                                                                                                       |
| :------------------ | :---------------------------------------------------------------------------------------------------------------- |
| `enabled` (default) | Read-only mounts are made recursively read-only if kernel is v5.12 or later. Otherwise, submounts are read-write. |
| `disabled`          | Submounts are ignored (not included in the bind mount).                                                           |
| `writable`          | Submounts are read-write.                                                                                         |
| `readonly`          | Submounts are read-only. Requires kernel v5.12 or later.                                                          |

## Configure bind propagation

Bind propagation defaults to `rprivate` for both bind mounts and volumes. It is
only configurable for bind mounts, and only on Linux host machines. Bind
propagation is an advanced topic and many users never need to configure it.

Bind propagation refers to whether or not mounts created within a given
bind-mount can be propagated to replicas of that mount. Consider
a mount point `/mnt`, which is also mounted on `/tmp`. The propagation settings
control whether a mount on `/tmp/a` would also be available on `/mnt/a`. Each
propagation setting has a recursive counterpart. In the case of recursion,
consider that `/tmp/a` is also mounted as `/foo`. The propagation settings
control whether `/mnt/a` and/or `/tmp/a` would exist.

> [!NOTE]
> Mount propagation doesn't work with Docker Desktop.

| Propagation setting | Description                                                                                                                                                                                                         |
| :------------------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `shared`            | Sub-mounts of the original mount are exposed to replica mounts, and sub-mounts of replica mounts are also propagated to the original mount.                                                                         |
| `slave`             | Similar to a shared mount, but only in one direction. If the original mount exposes a sub-mount, the replica mount can see it. However, if the replica mount exposes a sub-mount, the original mount cannot see it. |
| `private`           | The mount is private. Sub-mounts within it are not exposed to replica mounts, and sub-mounts of replica mounts are not exposed to the original mount.                                                               |
| `rshared`           | The same as shared, but the propagation also extends to and from mount points nested within any of the original or replica mount points.                                                                            |
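
Added example (not from the Docker documentation): a Python check that reads a `/proc/self/mountinfo` table and lists submounts that stayed read-write under a read-only bind mount, which is the fallback described above for kernels earlier than 5.12, together with each mount's propagation type. The sample mount table, the paths and the function names are constructed for illustration.

```python
import re

# Constructed /proc/self/mountinfo sample (not from the page). /data is a
# read-only bind mount; its submount /data/cache stayed read-write.
SAMPLE_MOUNTINFO = """\
100 90 8:1 /srv/data /data ro,relatime - ext4 /dev/sda1 rw
101 100 8:17 / /data/cache rw,relatime shared:7 - ext4 /dev/sdb1 rw
102 100 0:45 / /data/my\\040logs ro,nosuid master:7 - tmpfs tmpfs rw
103 90 8:1 /srv/other /database rw,relatime - ext4 /dev/sda1 rw
"""


def _unescape(path):
    # The kernel writes space, tab, newline and backslash as octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def parse_mountinfo(text):
    """Map each mount point to its per-mount options and propagation type."""
    mounts = {}
    for line in text.splitlines():
        left, sep, _ = line.partition(" - ")
        fields = left.split()
        if not sep or len(fields) < 6:
            continue  # blank or malformed line
        # Optional fields: shared:N -> shared, master:N -> slave, none -> private.
        # A mount carrying both tags is reported as shared here.
        tags = {f.split(":")[0] for f in fields[6:]}
        prop = "shared" if "shared" in tags else "slave" if "master" in tags else "private"
        mounts[_unescape(fields[4])] = {"opts": set(fields[5].split(",")), "prop": prop}
    return mounts


def writable_submounts(mounts, root):
    """Return submounts of the read-only mount at `root` that are still read-write."""
    if "ro" not in mounts[root]["opts"]:
        raise ValueError(f"{root} is not mounted read-only")
    prefix = root.rstrip("/") + "/"  # so /database is not treated as under /data
    return sorted(p for p, m in mounts.items()
                  if p.startswith(prefix) and "rw" in m["opts"])


if __name__ == "__main__":
    # On a real host or container, pass open("/proc/self/mountinfo").read() instead.
    table = parse_mountinfo(SAMPLE_MOUNTINFO)
    for path in writable_submounts(table, "/data"):
        print(f"writable submount under read-only mount: {path} ({table[path]['prop']})")
```

Run inside the container against the bind mount's target path, a non-empty result means the read-only flag did not reach every submount.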

Title: Recursive Mount Options and Bind Propagation Configuration
Summary
This section details the `bind-recursive` option for `--mount`, which controls whether submounts are included in a bind mount, and the behavior of read-only submounts based on the Linux kernel version. It presents a table of supported values for the `bind-recursive` option. The section also explains bind propagation, which determines if mounts created within a bind mount are propagated to replicas, and provides a table describing different propagation settings like `shared`, `slave`, `private`, and their recursive counterparts.