using a "ro" AccessMode suffix in DockerTemplateBase "volumes from" value results in BadRequestException "invalid mode: ro:rw"

[dchsueh]

Jenkins and plugins versions report

Environment

Jenkins: 2.289.3
OS: Linux - 3.10.0-1062.1.1.el7.x86_64
---
Parameterized-Remote-Trigger:3.1.5.1
ace-editor:1.1
active-directory:2.25
ansible:1.1
ansicolor:1.0.0
ant:1.12
antisamy-markup-formatter:2.3
apache-httpcomponents-client-4-api:4.5.13-1.0
artifactory:3.13.2
audit-trail:3.10
authentication-tokens:1.4
aws-credentials:1.32
aws-java-sdk:1.12.89-292.v2712528e879c
aws-java-sdk-cloudformation:1.12.89-292.v2712528e879c
aws-java-sdk-codebuild:1.12.89-292.v2712528e879c
aws-java-sdk-ec2:1.12.89-292.v2712528e879c
aws-java-sdk-ecr:1.12.89-292.v2712528e879c
aws-java-sdk-ecs:1.12.89-292.v2712528e879c
aws-java-sdk-elasticbeanstalk:1.12.89-292.v2712528e879c
aws-java-sdk-iam:1.12.89-292.v2712528e879c
aws-java-sdk-logs:1.12.89-292.v2712528e879c
aws-java-sdk-minimal:1.12.89-292.v2712528e879c
aws-java-sdk-ssm:1.12.89-292.v2712528e879c
badge:1.9.1
basic-branch-build-strategies:1.3.2
bitbucket:1.1.29
blackduck-detect:7.0.0
blueocean-commons:1.25.0
blueocean-core-js:1.25.0
blueocean-dashboard:1.25.0
blueocean-display-url:2.4.1
blueocean-executor-info:1.25.0
blueocean-git-pipeline:1.24.0
blueocean-github-pipeline:1.24.0
blueocean-jwt:1.25.0
blueocean-pipeline-api-impl:1.24.0
blueocean-pipeline-scm-api:1.25.0
blueocean-rest:1.25.0
blueocean-rest-impl:1.25.0
blueocean-web:1.25.0
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.1-1
bouncycastle-api:2.25
branch-api:2.7.0
build-name-setter:2.2.0
build-pipeline-plugin:1.5.8
build-timeout:1.20
build-user-vars-plugin:1.8
caffeine-api:2.9.2-29.v717aac953ff3
checks-api:1.7.2
cloudbees-folder:6.16
codebeamer-xunit-importer:1.9
command-launcher:1.6
conditional-buildstep:1.4.1
config-file-provider:3.8.1
console-tail:1.1
copyartifact:1.46.2
credentials:2.6.1
credentials-binding:1.27
cvs:2.19
display-url-api:2.3.5
docker-build-publish:1.3.3
docker-build-step:2.8
docker-commons:1.17
docker-java-api:3.1.5.2
docker-plugin:1.2.3
docker-workflow:1.26
dtkit-api:3.0.0
durable-task:1.39
echarts-api:5.2.1-2
email-ext:2.84
email-ext-recipients-column:1.0
envinject:2.4.0
envinject-api:1.7
extended-choice-parameter:0.82
external-monitor-job:1.7
favorite:2.3.3
folder-auth:1.3
folder-properties:1.2.1
font-awesome-api:5.15.4-1
generic-webhook-trigger:1.77
ghprb:1.42.2
git:4.9.0
git-client:3.10.0
git-parameter:0.9.13
git-server:1.10
github:1.34.1
github-api:1.133
github-branch-source:2.10.0
github-coverage-reporter:1.10
github-label-filter:1.0.0
github-oauth:0.34
github-organization-folder:1.6
github-pr-comment-build:61.v49f749d31d98
github-pr-coverage-status:2.1.1
github-pullrequest:0.3.0
github-scm-filter-aged-refs:0.2.0
github-scm-trait-commit-skip:0.4.0
github-scm-trait-notification-context:1.1
global-build-stats:1.5
google-chat-notification:1.4
google-metadata-plugin:0.3.1
google-oauth-plugin:1.0.6
google-source-plugin:0.4
google-storage-plugin:1.5.4
gradle:1.37.1
handlebars:3.0.8
htmlpublisher:1.27
hudson-wsclean-plugin:1.0.8
icon-shim:3.0.0
image-tag-parameter:1.10
inline-pipeline:1.0.1
ivy:2.1
jackson2-api:2.13.0-230.v59243c64b0a5
javadoc:1.6
jaxb:2.3.0.1
jdk-tool:1.5
jenkins-design-language:1.25.0
jjwt-api:0.11.2-9.c8b45b8bb173
job-dsl:1.77
job-import-plugin:3.4
jobConfigHistory:2.28.1
jobrevision:0.6
join:1.21
jquery:1.12.4-1
jquery-detached:1.2.1
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.53
ldap:2.7
list-git-branches-parameter:0.0.9
lockable-resources:2.11
log-parser:2.1
mailer:1.34
mapdb-api:1.0.9.0
mask-passwords:3.0
matrix-auth:2.6.8
matrix-project:1.19
maven-plugin:3.15
mercurial:2.15
momentjs:1.1.1
monitoring:1.88.0
multi-branch-project-plugin:0.7
multibranch-action-triggers:1.8.6
multibranch-build-strategy-extension:1.0.10
next-build-number:1.7
oauth-credentials:0.4
okhttp-api:3.14.9
p4:1.11.6
pam-auth:1.6
parameterized-scheduler:1.0
parameterized-trigger:2.41
permissive-script-security:0.7
pipeline-aggregator-view:1.11
pipeline-as-yaml:0.12-rc
pipeline-build-step:2.15
pipeline-config-history:1.6
pipeline-dependency-walker:1.0.0
pipeline-github:2.8-138.d766e30bb08b
pipeline-github-lib:1.0
pipeline-githubnotify-step:1.0.5
pipeline-gitstatuswrapper:1.2.0
pipeline-global-lib-nexus:0.2.3
pipeline-graph-analysis:1.11
pipeline-input-step:2.12
pipeline-milestone-step:1.3.2
pipeline-model-api:1.9.2
pipeline-model-declarative-agent:1.1.1
pipeline-model-definition:1.9.2
pipeline-model-extensions:1.9.2
pipeline-multibranch-defaults:2.1
pipeline-rest-api:2.19
pipeline-restful-api:0.11
pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.9.2
pipeline-stage-view:2.19
pipeline-timeline:1.0.3
pipeline-utility-steps:2.10.0
plain-credentials:1.7
plugin-util-api:2.5.0
popper-api:1.16.1-2
popper2-api:2.10.2-1
pretested-integration:3.1.1
promoted-builds:873.v6149db_d64130
pubsub-light:1.16
purge-job-history:1.6
qtest:1.4.8
qualys-cs:1.6.2.5
resource-disposer:0.16
role-strategy:3.2.0
run-condition:1.5
scm-api:2.6.5
scm-filter-branch-pr:0.5.1
script-security:1.78
snakeyaml-api:1.29.1
sonar:2.13.1
sse-gateway:1.24
ssh-agent:1.23
ssh-credentials:1.19
ssh-slaves:1.33.0
sshd:3.1.0
structs:1.23
subversion:2.15.0
synopsys-coverity:3.0.1
testcomplete-xunit:1.1
testcomplete11-xunit:1.1
timestamper:1.13
token-macro:266.v44a80cf277fd
trilead-api:1.0.13
uno-choice:2.5.6
validating-email-parameter:1.10
validating-string-parameter:2.8
variant:1.4
windows-slaves:1.8
workflow-aggregator:2.6
workflow-api:2.47
workflow-basic-steps:2.21
workflow-cps:2.94
workflow-cps-global-lib:2.21
workflow-cps-global-lib-http:1.13.0
workflow-durable-task-step:2.35
workflow-job:2.42
workflow-multibranch:2.26
workflow-scm-step:2.13
workflow-step-api:2.24
workflow-support:3.8
ws-cleanup:0.39
xunit:2.3.9

What Operating System are you using (both controller, and any agents involved in the problem)?

docker cloud is pointing to a google container-optimized OS instance

Reproduction steps

configure a docker cloud
configure a docker agent template which has a "Volumes From" entry "container:ro" (read-only, as indicated in on-page documentation)
run a job which uses that agent template label

Expected Results

job execution proceeds

Actual Results

container instantiation fails
log shows:

Mar 22, 2022 10:36:22 PM WARNING hudson.slaves.NodeProvisioner lambda$update$6
Unexpected exception encountered while provisioning agent Image of <redacted>
com.github.dockerjava.api.exception.BadRequestException: {"message":"invalid mode: ro:rw"}

	at com.github.dockerjava.netty.handler.HttpResponseHandler.channelRead0(HttpResponseHandler.java:99)
	at com.github.dockerjava.netty.handler.HttpResponseHandler.channelRead0(HttpResponseHandler.java:33)
...
...

Anything else?

(I don't have direct access to either Jenkins master or docker host, but I think the reasoning below is sound)

I believe this is the result of

docker-plugin/src/main/java/com/nirima/jenkins/plugins/docker/DockerTemplateBase.java

Line 817 in 3f99ec2

volFrom.add(new VolumesFrom(volFromStr));

using the single-String VolumesFrom constructor defaulting to AccessMode.DEFAULT so parsing of AccessMode never happens like it would with public static VolumesFrom parse(String serialized)

on sending out on the wire it gets reconstituted as "container:ro:rw"