Docker Desktop 4.67.0 (Engine 29.x) breaks nested bind mounts on macOS — Rocky/boefje/normalizer crash #5089

@hasecon

Summary

After updating to Docker Desktop 4.67.0 (Docker Engine 29.3.1, Compose v5.1.1) on macOS Tahoe 26.4, nested bind mounts in docker-compose.yml no longer work correctly. This causes Rocky, boefje, and normalizer containers to crash on startup with ModuleNotFoundError.

Symptoms

rocky-1  | django.template.library.InvalidTemplateLibrary: Invalid template library specified.
           ImportError raised when trying to load 'tools.templatetags.ooi_extra': No module named 'octopoes.models'

boefje-1 | ModuleNotFoundError: No module named 'octopoes.connector'

Containers rocky, rocky_worker, boefje, and normalizer enter restart loops. All other containers (octopoes_api, bytes, scheduler, katalogus, etc.) run fine.

Root cause

The docker-compose.yml uses nested bind mounts to overlay the octopoes package into other containers:

rocky:
  volumes:
    - ./rocky:/app/rocky                          # first mount
    - ./octopoes/octopoes:/app/rocky/octopoes     # second mount overlays into first

Docker Engine 29.x no longer correctly handles this overlay. The first mount creates an empty rocky/octopoes/ directory locally, and the second mount fails to overlay it. Inside the container, /app/rocky/octopoes/ is empty.

Verified by exec-ing into a running container:

$ docker compose exec boefje ls -la /app/boefjes/octopoes/
total 0
drwxr-xr-x  2 root root  64 Feb  4 20:32 .
drwxr-xr-x 27 root root 864 Mar 30 19:07 ..

The same empty directories appear locally:

$ ls -la rocky/octopoes/
total 0
drwxr-xr-x@  2 edward  staff  64 Feb  4 21:28 .
drwxr-xr-x  48 edward  staff  1536 ...          ..

Reproduction

  • macOS Tahoe 26.4 (build 25E246)
  • Docker Desktop 4.67.0 (Engine 29.3.1, Compose v5.1.1)
  • make clean && make kat
  • Rocky, boefje, normalizer crash with import errors

Occurs on both main and feature branches — not code-related.

Suspected Docker changes

Docker Engine 29.x includes several mount-related changes:

  • 29.1.3: "Fixed shared mount detection for paths mounted multiple times" — directly relevant
  • 29.3.0: New bind-create-src option for automatic source directory creation
  • 29.0.0: Removed deprecated bind-nonrecursive option

The macOS Tahoe 26.4 update (March 24) may also affect VirtioFS, which handles bind mounts on macOS.

Workaround

Use OrbStack instead of Docker Desktop. OrbStack ships with Docker Engine 28.5.2 and Compose v2.40.3, which handle nested bind mounts correctly:

brew install orbstack
# Then: make clean && make kat — all 13 containers start successfully

Possible permanent fixes

  1. Add a check to the Makefile that removes stale empty mount-point directories before docker compose up
  2. Replace nested bind mounts with symlinks in the repo (e.g., rocky/octopoes -> ../octopoes/octopoes)
  3. Wait for Docker to fix the regression in a future Engine 29.x release
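
Possible fix 1 from the list above, sketched as an added example (not part of the issue or the project's Makefile): it derives the host-side directory under each nested bind mount from a service's volume specs and removes it only if it is an empty, non-symlink directory. The function names are hypothetical, and the issue does not confirm that clearing the directory is sufficient on Engine 29.x.

```shell
#!/bin/sh
# Added example, not project code. Arguments are the "host_src:container_dst[:opts]"
# bind-mount specs of ONE compose service; run from the docker-compose.yml directory.
# Assumes relative host paths without trailing slashes.

# Print each host directory that a nested mount lands on, one per line.
# ./rocky:/app/rocky + ./octopoes/octopoes:/app/rocky/octopoes -> ./rocky/octopoes
nested_mountpoints() {
    for outer in "$@"; do
        osrc=${outer%%:*}
        odst=${outer#*:}; odst=${odst%%:*}
        for inner in "$@"; do
            idst=${inner#*:}; idst=${idst%%:*}
            case "$idst" in
                "$odst"/*)
                    rel=${idst#"$odst"/}
                    printf '%s\n' "$osrc/$rel"
                    ;;
            esac
        done
    done
}

# Remove a mount point only when it is a real (non-symlink) empty directory.
# rmdir refuses non-empty directories, so a populated path is never touched.
clean_stale_mountpoints() {
    nested_mountpoints "$@" | while IFS= read -r dir; do
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue
        if rmdir "$dir" 2>/dev/null; then
            printf 'removed stale mount point: %s\n' "$dir"
        fi
    done
}
```

A Makefile target could call `clean_stale_mountpoints` with a service's volume entries before `docker compose up`.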
