feat: add bind mount option support to docker and podman runtimes

[chipselden]

Support bind mount options (propagation, readonly) in Docker and Podman runtimes

Problem

The Mount struct has an Opts field, but neither the Docker nor Podman runtimes pass these options through when creating containers. This means bind mount propagation is always the runtime default (rprivate), which prevents containers from seeing mounts that appear on the host after container creation (e.g. when using autofs). Containers are also unable to bind mounts as read-only, which can be a useful security control.

Changes

Both runtimes now read two options from Mount.Opts for bind mounts:

• propagation: mount propagation mode (e.g. rslave, rshared, rprivate)
• readonly: when set to "true", mounts the volume read-only

Podman (runtime/podman/podman.go): Extracted a formatVolumeSpec helper that appends options to the -v spec string (e.g. /src:/dst:ro,rslave).
Docker (runtime/docker/tcontainer.go): Sets BindOptions.Propagation and ReadOnly on the SDK mount.Mount struct when the corresponding opts are present.

No changes to the Mount struct or task input schema.

Usage

  mounts:
    - type: bind
      source: /mnt
      target: /mnt
      opts:
        propagation: rslave
        readonly: true

Tasks without mount opts are unaffected.

Tests

• TestFormatVolumeSpec: unit tests for the podman volume spec builder
• TestPodmanRunTaskWithBindAndPropagation: integration test with podman
• TestRunTaskWithBindAndPropagation: integration test with Docker