Add --readonly for read only container rootfs

Add a --readonly flag to allow the container's root filesystem to be
mounted as readonly.  This can be used in combination with volumes to
force a container's process to only write to locations that will be
persisted.  This is useful in many cases where the admin controls where
they would like developers to write files and error on any other
locations.

Closes #7923
Closes #8752

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: 409407091a7282d0c4086b71e86397e2d089ba13
Component: engine

components/engine/integration-cli/docker_cli_run_test.go

@@ -2987,3 +2987,25 @@ func TestRunRestartMaxRetries(t *testing.T) {
 	}
 	logDone("run - test max-retries for --restart")
 }
+
+func TestRunContainerWithWritableRootfs(t *testing.T) {
+	defer deleteAllContainers()
+	out, err := exec.Command(dockerBinary, "run", "--rm", "busybox", "touch", "/file").CombinedOutput()
+	if err != nil {
+		t.Fatal(string(out), err)
+	}
+	logDone("run - writable rootfs")
+}
+
+func TestRunContainerWithReadonlyRootfs(t *testing.T) {
+	defer deleteAllContainers()
+	out, err := exec.Command(dockerBinary, "run", "--read-only", "--rm", "busybox", "touch", "/file").CombinedOutput()
+	if err == nil {
+		t.Fatal("expected container to error on run with read only error")
+	}
+	expected := "Read-only file system"
+	if !strings.Contains(string(out), expected) {
+		t.Fatalf("expected output from failure to contain %s but contains %s", expected, out)
+	}
+	logDone("run - read only rootfs")
+}