@@ -338,6 +338,7 @@ type MountPoint struct {

 	Driver      string `json:",omitempty"`

 	Mode        string

 	RW          bool

+	Propagation string

 }

 // Volume represents the configuration of a volume for the remote API

@@ -403,7 +403,7 @@ func (container *Container) NetworkMounts() []execdriver.Mount {

 				Source:      container.ResolvConfPath,

 				Destination: "/etc/resolv.conf",

 				Writable:    writable,

-				Private:     true,

+				Propagation: volume.DefaultPropagationMode,

 			})

 		}

 	}

@@ -420,7 +420,7 @@ func (container *Container) NetworkMounts() []execdriver.Mount {

 				Source:      container.HostnamePath,

 				Destination: "/etc/hostname",

 				Writable:    writable,

-				Private:     true,

+				Propagation: volume.DefaultPropagationMode,

 			})

 		}

 	}

@@ -437,7 +437,7 @@ func (container *Container) NetworkMounts() []execdriver.Mount {

 				Source:      container.HostsPath,

 				Destination: "/etc/hosts",

 				Writable:    writable,

-				Private:     true,

+				Propagation: volume.DefaultPropagationMode,

 			})

 		}

 	}

@@ -534,7 +534,7 @@ func (container *Container) IpcMounts() []execdriver.Mount {

 			Source:      container.ShmPath,

 			Destination: "/dev/shm",

 			Writable:    true,

-			Private:     true,

+			Propagation: volume.DefaultPropagationMode,

 		})

 	}

@@ -544,7 +544,7 @@ func (container *Container) IpcMounts() []execdriver.Mount {

 			Source:      container.MqueuePath,

 			Destination: "/dev/mqueue",

 			Writable:    true,

-			Private:     true,

+			Propagation: volume.DefaultPropagationMode,

 		})

 	}

 	return mounts

@@ -26,9 +26,8 @@ type Mount struct {

 	Source      string `json:"source"`

 	Destination string `json:"destination"`

 	Writable    bool   `json:"writable"`

-	Private     bool   `json:"private"`

-	Slave       bool   `json:"slave"`

 	Data        string `json:"data"`

+	Propagation string `json:"mountpropagation"`

 }

 // Resources contains all resource configs for a driver.

@@ -125,6 +124,11 @@ type Command struct {

 	UTS                *UTS              `json:"uts"`

 }

+// SetRootPropagation sets the root mount propagation mode.

+func SetRootPropagation(config *configs.Config, propagation int) {

+	config.RootPropagation = propagation

+}

+

 // InitContainer is the initialization of a container config.

 // It returns the initial configs for a container. It's mostly

 // defined by the default template.

@@ -137,7 +141,9 @@ func InitContainer(c *Command) *configs.Config {

 	container.Devices = c.AutoCreatedDevices

 	container.Rootfs = c.Rootfs

 	container.Readonlyfs = c.ReadonlyRootfs

-	container.RootPropagation = mount.RPRIVATE

+	// This can be overridden later by driver during mount setup based

+	// on volume options

+	SetRootPropagation(container, mount.RPRIVATE)

 	// check to see if we are running in ramdisk to disable pivot root

 	container.NoPivotRoot = os.Getenv("DOCKER_RAMDISK") != ""

@@ -12,6 +12,7 @@ import (

 	derr "github.com/docker/docker/errors"

 	"github.com/docker/docker/pkg/mount"

+	"github.com/docker/docker/volume"

 	"github.com/opencontainers/runc/libcontainer/apparmor"

 	"github.com/opencontainers/runc/libcontainer/configs"

 	"github.com/opencontainers/runc/libcontainer/devices"

@@ -278,6 +279,20 @@ func (d *Driver) setupRlimits(container *configs.Config, c *execdriver.Command)

 	}

 }

+// If rootfs mount propagation is RPRIVATE, that means all the volumes are

+// going to be private anyway. There is no need to apply per volume

+// propagation on top. This is just an optimzation so that cost of per volume

+// propagation is paid only if user decides to make some volume non-private

+// which will force rootfs mount propagation to be non RPRIVATE.

+func checkResetVolumePropagation(container *configs.Config) {

+	if container.RootPropagation != mount.RPRIVATE {

+		return

+	}

+	for _, m := range container.Mounts {

+		m.PropagationFlags = nil

+	}

+}

+

 func (d *Driver) setupMounts(container *configs.Config, c *execdriver.Command) error {

 	userMounts := make(map[string]struct{})

 	for _, m := range c.Mounts {

@@ -298,6 +313,15 @@ func (d *Driver) setupMounts(container *configs.Config, c *execdriver.Command) e

 	}

 	container.Mounts = defaultMounts

+	mountPropagationMap := map[string]int{

+		"private":  mount.PRIVATE,

+		"rprivate": mount.RPRIVATE,

+		"shared":   mount.SHARED,

+		"rshared":  mount.RSHARED,

+		"slave":    mount.SLAVE,

+		"rslave":   mount.RSLAVE,

+	}

+

 	for _, m := range c.Mounts {

 		for _, cm := range container.Mounts {

 			if cm.Destination == m.Destination {

@@ -319,31 +343,59 @@ func (d *Driver) setupMounts(container *configs.Config, c *execdriver.Command) e

 				}

 			}

 			container.Mounts = append(container.Mounts, &configs.Mount{

-				Source:        m.Source,

-				Destination:   m.Destination,

-				Data:          data,

-				Device:        "tmpfs",

-				Flags:         flags,

-				PremountCmds:  genTmpfsPremountCmd(c.TmpDir, fulldest, m.Destination),

-				PostmountCmds: genTmpfsPostmountCmd(c.TmpDir, fulldest, m.Destination),

+				Source:           m.Source,

+				Destination:      m.Destination,

+				Data:             data,

+				Device:           "tmpfs",

+				Flags:            flags,

+				PremountCmds:     genTmpfsPremountCmd(c.TmpDir, fulldest, m.Destination),

+				PostmountCmds:    genTmpfsPostmountCmd(c.TmpDir, fulldest, m.Destination),

+				PropagationFlags: []int{mountPropagationMap[volume.DefaultPropagationMode]},

 			})

 			continue

 		}

 		flags := syscall.MS_BIND | syscall.MS_REC

+		var pFlag int

 		if !m.Writable {

 			flags |= syscall.MS_RDONLY

 		}

-		if m.Slave {

-			flags |= syscall.MS_SLAVE

+

+		// Determine property of RootPropagation based on volume

+		// properties. If a volume is shared, then keep root propagtion

+		// shared. This should work for slave and private volumes too.

+		//

+		// For slave volumes, it can be either [r]shared/[r]slave.

+		//

+		// For private volumes any root propagation value should work.

+

+		pFlag = mountPropagationMap[m.Propagation]

+		if pFlag == mount.SHARED || pFlag == mount.RSHARED {

+			rootpg := container.RootPropagation

+			if rootpg != mount.SHARED && rootpg != mount.RSHARED {

+				execdriver.SetRootPropagation(container, mount.SHARED)

+			}

+		} else if pFlag == mount.SLAVE || pFlag == mount.RSLAVE {

+			rootpg := container.RootPropagation

+			if rootpg != mount.SHARED && rootpg != mount.RSHARED && rootpg != mount.SLAVE && rootpg != mount.RSLAVE {

+				execdriver.SetRootPropagation(container, mount.RSLAVE)

+			}

 		}

-		container.Mounts = append(container.Mounts, &configs.Mount{

+		mount := &configs.Mount{

 			Source:      m.Source,

 			Destination: m.Destination,

 			Device:      "bind",

 			Flags:       flags,

-		})

+		}

+

+		if pFlag != 0 {

+			mount.PropagationFlags = []int{pFlag}

+		}

+

+		container.Mounts = append(container.Mounts, mount)

 	}

+

+	checkResetVolumePropagation(container)

 	return nil

 }

@@ -72,6 +72,7 @@ func addMountPoints(container *container.Container) []types.MountPoint {

 			Driver:      m.Driver,

 			Mode:        m.Mode,

 			RW:          m.RW,

+			Propagation: m.Propagation,

 		})

 	}

 	return mountPoints

@@ -99,6 +99,7 @@ func (daemon *Daemon) registerMountPoints(container *container.Container, hostCo

 				RW:          m.RW && volume.ReadWrite(mode),

 				Driver:      m.Driver,

 				Destination: m.Destination,

+				Propagation: m.Propagation,

 			}

 			if len(cp.Source) == 0 {

@@ -24,11 +24,13 @@ func (daemon *Daemon) setupMounts(container *container.Container) ([]execdriver.

 			return nil, err

 		}

 		if !container.TrySetNetworkMount(m.Destination, path) {

-			mounts = append(mounts, execdriver.Mount{

+			mnt := execdriver.Mount{

 				Source:      path,

 				Destination: m.Destination,

 				Writable:    m.RW,

-			})

+				Propagation: m.Propagation,

+			}

+			mounts = append(mounts, mnt)

 		}

 	}

@@ -79,12 +79,12 @@ Creates a new container.

       -u, --user=""                 Username or UID

       --ulimit=[]                   Ulimit options

       --uts=""                      UTS namespace to use

-      -v, --volume=[]               Bind mount a volume with: [host-src:]container-dest[:<options>], where

-                                    options are comma delimited and selected from [rw|ro] and [z|Z].

-                                    The 'host-src' can either be an absolute path or a name value.

-                                    If 'host-src' is missing, then docker creates a new volume.

-                                    If neither 'rw' or 'ro' is specified then the volume is mounted

-                                    in read-write mode.

+      -v, --volume=[host-src:]container-dest[:<options>]

+                                    Bind mount a volume. The comma-delimited

+                                    `options` are [rw|ro], [z|Z], or

+                                    [[r]shared|[r]slave|[r]private]. The

+                                    'host-src' is an absolute path or a name

+                                    value.

       --volume-driver=""            Container's volume driver

       --volumes-from=[]             Mount volumes from the specified container(s)

       -w, --workdir=""              Working directory inside the container

@@ -80,12 +80,12 @@ parent = "smn_cli"

       -u, --user=""                 Username or UID (format: <name|uid>[:<group|gid>])

       --ulimit=[]                   Ulimit options

       --uts=""                      UTS namespace to use

-      -v, --volume=[]               Bind mount a volume with: [host-src:]container-dest[:<options>], where

-                                    options are comma delimited and selected from [rw|ro] and [z|Z].

-                                    The 'host-src' can either be an absolute path or a name value.

-                                    If 'host-src' is missing, then docker creates a new volume.

-                                    If neither 'rw' or 'ro' is specified then the volume is mounted

-                                    in read-write mode.

+      -v, --volume=[host-src:]container-dest[:<options>]

+                                    Bind mount a volume. The comma-delimited

+                                    `options` are [rw|ro], [z|Z], or

+                                    [[r]shared|[r]slave|[r]private]. The

+                                    'host-src' is an absolute path or a name

+                                    value.

       --volume-driver=""            Container's volume driver

       --volumes-from=[]             Mount volumes from the specified container(s)

       -w, --workdir=""              Working directory inside the container

@@ -1330,11 +1330,14 @@ Similarly the operator can set the **hostname** with `-h`.

 ### VOLUME (shared filesystems)

-    -v=[]: Create a bind mount with: [host-src:]container-dest[:<options>], where

-    options are comma delimited and selected from [rw|ro] and [z|Z].

-           If 'host-src' is missing, then docker creates a new volume.

-		   If neither 'rw' or 'ro' is specified then the volume is mounted

-		   in read-write mode.

+    -v, --volume=[host-src:]container-dest[:<options>]: Bind mount a volume.

+    The comma-delimited `options` are [rw|ro], [z|Z], or

+    [[r]shared|[r]slave|[r]private]. The 'host-src' is an absolute path or a

+    name value.

+

+    If neither 'rw' or 'ro' is specified then the volume is mounted in

+    read-write mode.

+

     --volumes-from="": Mount all volumes from the given container(s)

 > **Note**:

@@ -64,7 +64,7 @@ docker-create - Create a new container

 [**-u**|**--user**[=*USER*]]

 [**--ulimit**[=*[]*]]

 [**--uts**[=*[]*]]

-[**-v**|**--volume**[=*[]*]]

+[**-v**|**--volume**[=*[[HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*]]

 [**--volume-driver**[=*DRIVER*]]

 [**--volumes-from**[=*[]*]]

 [**-w**|**--workdir**[=*WORKDIR*]]

@@ -311,8 +311,78 @@ any options, the systems uses the following options:

      **host**: use the host's UTS namespace inside the container.

      Note: the host mode gives the container access to changing the host's hostname and is therefore considered insecure.

-**-v**, **--volume**=[]

-   Bind mount a volume (e.g., from the host: -v /host:/container, from Docker: -v /container)

+**-v**|**--volume**[=*[[HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*]

+   Create a bind mount. If you specify, ` -v /HOST-DIR:/CONTAINER-DIR`, Docker

+   bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the Docker

+   container. If 'HOST-DIR' is omitted,  Docker automatically creates the new

+   volume on the host.  The `OPTIONS` are a comma delimited list and can be:

+

+   * [rw|ro]

+   * [z|Z]

+   * [`[r]shared`|`[r]slave`|`[r]private`]

+

+The `CONTAINER-DIR` must be an absolute path such as `/src/docs`. The `HOST-DIR`

+can be an absolute path or a `name` value. A `name` value must start with an

+alphanumeric character, followed by `a-z0-9`, `_` (underscore), `.` (period) or

+`-` (hyphen). An absolute path starts with a `/` (forward slash).

+

+If you supply a `HOST-DIR` that is an absolute path,  Docker bind-mounts to the

+path you specify. If you supply a `name`, Docker creates a named volume by that

+`name`. For example, you can specify either `/foo` or `foo` for a `HOST-DIR`

+value. If you supply the `/foo` value, Docker creates a bind-mount. If you

+supply the `foo` specification, Docker creates a named volume.

+

+You can specify multiple  **-v** options to mount one or more mounts to a

+container. To use these same mounts in other containers, specify the

+**--volumes-from** option also.

+

+You can add `:ro` or `:rw` suffix to a volume to mount it  read-only or

+read-write mode, respectively. By default, the volumes are mounted read-write.

+See examples.

+

+Labeling systems like SELinux require that proper labels are placed on volume

+content mounted into a container. Without a label, the security system might

+prevent the processes running inside the container from using the content. By

+default, Docker does not change the labels set by the OS.

+

+To change a label in the container context, you can add either of two suffixes

+`:z` or `:Z` to the volume mount. These suffixes tell Docker to relabel file

+objects on the shared volumes. The `z` option tells Docker that two containers

+share the volume content. As a result, Docker labels the content with a shared

+content label. Shared volume labels allow all containers to read/write content.

+The `Z` option tells Docker to label the content with a private unshared label.

+Only the current container can use a private volume.

+

+By default bind mounted volumes are `private`. That means any mounts done

+inside container will not be visible on host and vice-a-versa. One can change

+this behavior by specifying a volume mount propagation property. Making a

+volume `shared` mounts done under that volume inside container will be

+visible on host and vice-a-versa. Making a volume `slave` enables only one

+way mount propagation and that is mounts done on host under that volume

+will be visible inside container but not the other way around.

+

+To control mount propagation property of volume one can use `:[r]shared`,

+`:[r]slave` or `:[r]private` propagation flag. Propagation property can

+be specified only for bind mounted volumes and not for internal volumes or

+named volumes. For mount propagation to work source mount point (mount point

+where source dir is mounted on) has to have right propagation properties. For

+shared volumes, source mount point has to be shared. And for slave volumes,

+source mount has to be either shared or slave.

+

+Use `df <source-dir>` to figure out the source mount and then use

+`findmnt -o TARGET,PROPAGATION <source-mount-dir>` to figure out propagation

+properties of source mount. If `findmnt` utility is not available, then one

+can look at mount entry for source mount point in `/proc/self/mountinfo`. Look

+at `optional fields` and see if any propagaion properties are specified.

+`shared:X` means mount is `shared`, `master:X` means mount is `slave` and if

+nothing is there that means mount is `private`.

+

+To change propagation properties of a mount point use `mount` command. For

+example, if one wants to bind mount source directory `/foo` one can do

+`mount --bind /foo /foo` and `mount --make-private --make-shared /foo`. This

+will convert /foo into a `shared` mount point. Alternatively one can directly

+change propagation properties of source mount. Say `/` is source mount for

+`/foo`, then use `mount --make-shared /` to convert `/` into a `shared` mount.

 **--volume-driver**=""

    Container's volume driver. This driver creates volumes specified either from

@@ -104,6 +104,7 @@ To get information on a container use its ID or instance name:

         "Destination": "/data",

         "Mode": "ro,Z",

         "RW": false

+	"Propagation": ""

       }

     ],

     "AppArmorProfile": "",

@@ -67,7 +67,7 @@ docker-run - Run a command in a new container

 [**-u**|**--user**[=*USER*]]

 [**--ulimit**[=*[]*]]

 [**--uts**[=*[]*]]

-[**-v**|**--volume**[=*[]*]]

+[**-v**|**--volume**[=*[[HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*]]

 [**--volume-driver**[=*DRIVER*]]

 [**--volumes-from**[=*[]*]]

 [**-w**|**--workdir**[=*WORKDIR*]]

@@ -476,24 +476,34 @@ any options, the systems uses the following options:

 **--ulimit**=[]

     Ulimit options

-**-v**, **--volume**=[] Create a bind mount

-   (format: `[host-dir:]container-dir[:<suffix options>]`, where suffix options

-are comma delimited and selected from [rw|ro] and [z|Z].)

+**-v**|**--volume**[=*[[HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*]

+   Create a bind mount. If you specify, ` -v /HOST-DIR:/CONTAINER-DIR`, Docker

+   bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the Docker

+   container. If 'HOST-DIR' is omitted,  Docker automatically creates the new

+   volume on the host.  The `OPTIONS` are a comma delimited list and can be:

-   (e.g., using -v /host-dir:/container-dir, bind mounts /host-dir in the

-host to /container-dir in the Docker container)

+   * [rw|ro]

+   * [z|Z]

+   * [`[r]shared`|`[r]slave`|`[r]private`]

-   If 'host-dir' is missing, then docker automatically creates the new volume

-on the host. **This auto-creation of the host path has been deprecated in

-Release: v1.9.**

+The `CONTAINER-DIR` must be an absolute path such as `/src/docs`. The `HOST-DIR`

+can be an absolute path or a `name` value. A `name` value must start with an

+alphanumeric character, followed by `a-z0-9`, `_` (underscore), `.` (period) or

+`-` (hyphen). An absolute path starts with a `/` (forward slash).

-   The **-v** option can be used one or

-more times to add one or more mounts to a container. These mounts can then be

-used in other containers using the **--volumes-from** option.

+If you supply a `HOST-DIR` that is an absolute path,  Docker bind-mounts to the

+path you specify. If you supply a `name`, Docker creates a named volume by that

+`name`. For example, you can specify either `/foo` or `foo` for a `HOST-DIR`

+value. If you supply the `/foo` value, Docker creates a bind-mount. If you

+supply the `foo` specification, Docker creates a named volume.

-   The volume may be optionally suffixed with :ro or :rw to mount the volumes in

-read-only or read-write mode, respectively. By default, the volumes are mounted

-read-write. See examples.

+You can specify multiple  **-v** options to mount one or more mounts to a

+container. To use these same mounts in other containers, specify the

+**--volumes-from** option also.

+

+You can add `:ro` or `:rw` suffix to a volume to mount it  read-only or

+read-write mode, respectively. By default, the volumes are mounted read-write.

+See examples.

 Labeling systems like SELinux require that proper labels are placed on volume

 content mounted into a container. Without a label, the security system might

@@ -508,18 +518,36 @@ content label. Shared volume labels allow all containers to read/write content.

 The `Z` option tells Docker to label the content with a private unshared label.

 Only the current container can use a private volume.

-The `container-dir` must always be an absolute path such as `/src/docs`.

-The `host-dir` can either be an absolute path or a `name` value. If you

-supply an absolute path for the `host-dir`, Docker bind-mounts to the path

-you specify. If you supply a `name`, Docker creates a named volume by that `name`.

-

-A `name` value must start with start with an alphanumeric character,

-followed by `a-z0-9`, `_` (underscore), `.` (period) or `-` (hyphen).

-An absolute path starts with a `/` (forward slash).

-

-For example, you can specify either `/foo` or `foo` for a `host-dir` value.

-If you supply the `/foo` value, Docker creates a bind-mount. If you supply

-the `foo` specification, Docker creates a named volume.

+By default bind mounted volumes are `private`. That means any mounts done

+inside container will not be visible on host and vice-a-versa. One can change

+this behavior by specifying a volume mount propagation property. Making a

+volume `shared` mounts done under that volume inside container will be

+visible on host and vice-a-versa. Making a volume `slave` enables only one

+way mount propagation and that is mounts done on host under that volume

+will be visible inside container but not the other way around.

+

+To control mount propagation property of volume one can use `:[r]shared`,

+`:[r]slave` or `:[r]private` propagation flag. Propagation property can

+be specified only for bind mounted volumes and not for internal volumes or

+named volumes. For mount propagation to work source mount point (mount point

+where source dir is mounted on) has to have right propagation properties. For

+shared volumes, source mount point has to be shared. And for slave volumes,

+source mount has to be either shared or slave.

+

+Use `df <source-dir>` to figure out the source mount and then use

+`findmnt -o TARGET,PROPAGATION <source-mount-dir>` to figure out propagation

+properties of source mount. If `findmnt` utility is not available, then one

+can look at mount entry for source mount point in `/proc/self/mountinfo`. Look

+at `optional fields` and see if any propagaion properties are specified.

+`shared:X` means mount is `shared`, `master:X` means mount is `slave` and if

+nothing is there that means mount is `private`.

+

+To change propagation properties of a mount point use `mount` command. For

+example, if one wants to bind mount source directory `/foo` one can do

+`mount --bind /foo /foo` and `mount --make-private --make-shared /foo`. This

+will convert /foo into a `shared` mount point. Alternatively one can directly

+change propagation properties of source mount. Say `/` is source mount for

+`/foo`, then use `mount --make-shared /` to convert `/` into a `shared` mount.

 **--volume-driver**=""

    Container's volume driver. This driver creates volumes specified either from

@@ -52,6 +52,9 @@ type MountPoint struct {

 	// Note Mode is not used on Windows

 	Mode string `json:"Relabel"` // Originally field was `Relabel`"

+

+	// Note Propagation is not used on Windows

+	Propagation string // Mount propagation string

 }

 // Setup sets up a mount point by either mounting the volume if it is

@@ -85,17 +88,6 @@ func (m *MountPoint) Path() string {

 	return m.Source

 }

-// ValidMountMode will make sure the mount mode is valid.

-// returns if it's a valid mount mode or not.

-func ValidMountMode(mode string) bool {

-	return roModes[strings.ToLower(mode)] || rwModes[strings.ToLower(mode)]

-}

-

-// ReadWrite tells you if a mode string is a valid read-write mode or not.

-func ReadWrite(mode string) bool {

-	return rwModes[strings.ToLower(mode)]

-}

-

 // ParseVolumesFrom ensure that the supplied volumes-from is valid.

 func ParseVolumesFrom(spec string) (string, string, error) {

 	if len(spec) == 0 {

@@ -111,6 +103,13 @@ func ParseVolumesFrom(spec string) (string, string, error) {

 		if !ValidMountMode(mode) {

 			return "", "", derr.ErrorCodeVolumeInvalidMode.WithArgs(mode)

 		}

+		// For now don't allow propagation properties while importing

+		// volumes from data container. These volumes will inherit

+		// the same propagation property as of the original volume

+		// in data container. This probably can be relaxed in future.

+		if HasPropagation(mode) {

+			return "", "", derr.ErrorCodeVolumeInvalidMode.WithArgs(mode)

+		}

 	}

 	return id, mode, nil

 }

new file mode 100644

@@ -0,0 +1,44 @@

+// +build linux

+

+package volume

+

+import (

+	"strings"

+)

+

+// DefaultPropagationMode defines what propagation mode should be used by

+// default if user has not specified one explicitly.

+const DefaultPropagationMode string = "rprivate"

+

+// propagation modes

+var propagationModes = map[string]bool{

+	"private":  true,

+	"rprivate": true,

+	"slave":    true,

+	"rslave":   true,

+	"shared":   true,

+	"rshared":  true,

+}

+

+// GetPropagation extracts and returns the mount propagation mode. If there

+// are no specifications, then by default it is "private".

+func GetPropagation(mode string) string {

+	for _, o := range strings.Split(mode, ",") {

+		if propagationModes[o] {

+			return o

+		}

+	}

+	return DefaultPropagationMode

+}

+

+// HasPropagation checks if there is a valid propagation mode present in

+// passed string. Returns true if a valid propagatio mode specifier is

+// present, false otherwise.

+func HasPropagation(mode string) bool {

+	for _, o := range strings.Split(mode, ",") {

+		if propagationModes[o] {

+			return true

+		}

+	}

+	return false

+}

new file mode 100644

@@ -0,0 +1,22 @@

+// +build !linux

+

+package volume

+

+// DefaultPropagationMode is used only in linux. In other cases it returns

+// empty string.

+const DefaultPropagationMode string = ""

+

+// propagation modes not supported on this platform.

+var propagationModes = map[string]bool{}

+

+// GetPropagation is not supported. Return empty string.

+func GetPropagation(mode string) string {

+	return DefaultPropagationMode

+}

+

+// HasPropagation checks if there is a valid propagation mode present in

+// passed string. Returns true if a valid propagatio mode specifier is

+// present, false otherwise.

+func HasPropagation(mode string) bool {

+	return false

+}

@@ -12,22 +12,14 @@ import (

 // read-write modes

 var rwModes = map[string]bool{

-	"rw":   true,

-	"rw,Z": true,

-	"rw,z": true,

-	"z,rw": true,

-	"Z,rw": true,

-	"Z":    true,

-	"z":    true,

+	"rw": true,

+	"ro": true,

 }

-// read-only modes

-var roModes = map[string]bool{

-	"ro":   true,

-	"ro,Z": true,

-	"ro,z": true,

-	"z,ro": true,

-	"Z,ro": true,

+// label modes

+var labelModes = map[string]bool{

+	"Z": true,

+	"z": true,

 }

 // BackwardsCompatible decides whether this mount point can be

@@ -51,7 +43,8 @@ func ParseMountSpec(spec, volumeDriver string) (*MountPoint, error) {

 	spec = filepath.ToSlash(spec)

 	mp := &MountPoint{

-		RW: true,

+		RW:          true,

+		Propagation: DefaultPropagationMode,

 	}

 	if strings.Count(spec, ":") > 2 {

 		return nil, derr.ErrorCodeVolumeInvalid.WithArgs(spec)

@@ -84,6 +77,7 @@ func ParseMountSpec(spec, volumeDriver string) (*MountPoint, error) {

 			return nil, derr.ErrorCodeVolumeInvalidMode.WithArgs(mp.Mode)

 		}

 		mp.RW = ReadWrite(mp.Mode)

+		mp.Propagation = GetPropagation(mp.Mode)

 	default:

 		return nil, derr.ErrorCodeVolumeInvalid.WithArgs(spec)

 	}

@@ -106,6 +100,17 @@ func ParseMountSpec(spec, volumeDriver string) (*MountPoint, error) {

 		if len(mp.Driver) == 0 {

 			mp.Driver = DefaultDriverName

 		}

+		// Named volumes can't have propagation properties specified.

+		// Their defaults will be decided by docker. This is just a

+		// safeguard. Don't want to get into situations where named

+		// volumes were mounted as '[r]shared' inside container and

+		// container does further mounts under that volume and these

+		// mounts become visible on  host and later original volume

+		// cleanup becomes an issue if container does not unmount

+		// submounts explicitly.

+		if HasPropagation(mp.Mode) {

+			return nil, derr.ErrorCodeVolumeInvalid.WithArgs(spec)

+		}

 	} else {

 		mp.Source = filepath.Clean(source)

 	}

@@ -130,3 +135,48 @@ func ParseVolumeSource(spec string) (string, string) {

 func IsVolumeNameValid(name string) (bool, error) {

 	return true, nil

 }

+

+// ValidMountMode will make sure the mount mode is valid.

+// returns if it's a valid mount mode or not.

+func ValidMountMode(mode string) bool {

+	rwModeCount := 0

+	labelModeCount := 0

+	propagationModeCount := 0

+

+	for _, o := range strings.Split(mode, ",") {

+		if rwModes[o] {

+			rwModeCount++

+			continue

+		} else if labelModes[o] {

+			labelModeCount++

+			continue

+		} else if propagationModes[o] {

+			propagationModeCount++

+			continue

+		}

+		return false

+	}

+

+	// Only one string for each mode is allowed.

+	if rwModeCount > 1 || labelModeCount > 1 || propagationModeCount > 1 {

+		return false

+	}

+	return true

+}

+

+// ReadWrite tells you if a mode string is a valid read-write mode or not.

+// If there are no specifications w.r.t read write mode, then by default

+// it returs true.

+func ReadWrite(mode string) bool {

+	if !ValidMountMode(mode) {

+		return false

+	}

+

+	for _, o := range strings.Split(mode, ",") {

+		if o == "ro" {

+			return false

+		}

+	}

+

+	return true

+}

@@ -186,3 +186,14 @@ func IsVolumeNameValid(name string) (bool, error) {

 	}

 	return true, nil

 }

+

+// ValidMountMode will make sure the mount mode is valid.

+// returns if it's a valid mount mode or not.

+func ValidMountMode(mode string) bool {

+	return roModes[strings.ToLower(mode)] || rwModes[strings.ToLower(mode)]

+}

+

+// ReadWrite tells you if a mode string is a valid read-write mode or not.

+func ReadWrite(mode string) bool {

+	return rwModes[strings.ToLower(mode)]

+}