fix(mount): remove the non-Docker rw option from --mount

[mayur-tolexo]

Fixes #4991

Docker's --mount has no rw option — only readonly/ro:

$ docker run --mount type=bind,source=/tmp/x,target=/mnt,rw=false ...
invalid argument ... unknown option 'rw' in 'rw=false'

In nerdctl, --mount accepted rw, but it was redundant (read-write is the default) and rw=false was silently ignored, leaving the mount writable instead of read-only.

Change

• Remove rw from the --mount option parser (ProcessFlagMount), so rw/rw=false now return an error, matching Docker.
• ro/readonly/rro are unchanged.
• The -v src:dst:rw syntax is unaffected — it's handled by a separate parser (parseVolumeOptions), and Docker supports :rw for -v.
• Docs: readonly/ro marked Docker-compatible (🐳); rro marked nerdctl-specific (🤓, recursive read-only).

Behavioral note

--mount ...,rw now errors instead of being a no-op. Since rw was the writable default (and rw=false was silently broken), this only affects users explicitly passing a non-standard option.

Tests

TestProcessFlagMountRW: rw/rw=true/rw=false are rejected (asserting the stable error fragments), and ro/rro still parse to their read-only options.

Verified in a Linux + containerd sandbox: gofmt, go vet, and the mountutil tests pass; manually, --mount ...,rw and rw=false error, while --mount ...,ro and ...,rro still enforce read-only.

[mayur-tolexo]

Verified the rw behavior matches Docker, and confirmed rro (nerdctl-specific recursive read-only) still works.

Docker (29.4.0) — --mount rejects rw, -v :rw works

$ docker run --rm --mount type=bind,source=/tmp/bindsrc,target=/mnt,rw alpine true
invalid argument "type=bind,source=/tmp/bindsrc,target=/mnt,rw" for "--mount" flag: invalid field 'rw' must be a key=value pair

$ docker run --rm --mount type=bind,source=/tmp/bindsrc,target=/mnt,rw=false alpine true
invalid argument "type=bind,source=/tmp/bindsrc,target=/mnt,rw=false" for "--mount" flag: unknown option 'rw' in 'rw=false'

$ docker run --rm -v /tmp/bindsrc:/mnt:rw alpine sh -c 'touch /mnt/ok && echo writable-ok'
writable-ok

nerdctl (this PR) — same behavior for rw

$ nerdctl run --rm --mount type=bind,source=/tmp/b,target=/mnt,rw alpine true
FATA[0000] invalid field 'rw' must be a key=value pair

$ nerdctl run --rm --mount type=bind,source=/tmp/b,target=/mnt,rw=false alpine true
FATA[0000] unexpected key 'rw' in 'rw=false'

$ nerdctl run --rm -v /tmp/b:/mnt:rw alpine sh -c 'touch /mnt/ok && echo writable-ok'
writable-ok

The --mount ...,rw errors line up with Docker's (the bare-rw message is identical); -v ...:rw keeps working on both.

rro works as expected (nerdctl-specific, recursive read-only)

$ nerdctl run --rm --mount type=bind,source=/tmp/b,target=/mnt,rro alpine touch /mnt/x
touch: /mnt/x: Read-only file system

Docker has no rro for --mount (it's a nerdctl/runc feature), so Docker rejects it — expected divergence:

$ docker run --rm --mount type=bind,source=/tmp/bindsrc,target=/mnt,rro alpine true
invalid argument "...,rro" for "--mount" flag: invalid field 'rro' must be a key=value pair

[AkihiroSuda]

Docker has no rro for --mount (it's a nerdctl/runc feature)

The feature exists in Docker too, but the option name is different. (Out of the scope of this PR)
https://github.com/docker/cli/blob/v29.6.0/opts/mount.go#L90-L104

• recursive read-only (RRO) mount: support the Docker v25 form #2651

[AkihiroSuda]

Thanks