Docker Tip #55: Creating Read Only Containers
You may want to enable read-only on your containers to enhance their security, or perhaps you have other app specific needs.
Personally I’ve never had a reason to use read-only containers but someone from my Dive Into Docker course recently asked how to do it, so here we are.
Lucky for us, it’s really easy!
Testing out a read-only container:
docker container run --rm --read-only alpine:3.7 touch hello.txt
> touch: hello.txt: Read-only file system
You’ll notice that the file won’t be created. If you removed the --read-only
flag then you’ll be able to write the file.
One thing to note is, not all images fully support this by default. Certain images will expect to be able to write to specific areas of the file system, such as to /var.
This will really come down to the image. For example Redis works fine with --read-only all by itself but Postgres does not.
Dealing with situational writes in a read-only container:
If you come across an image that doesn't work with --read-only automatically, you may need to use the --tmpfs flag too. This will allow you to create writeable directories for whatever you need. For example, if you wanted to make /run writeable you could do --tmpfs /run.
You can also use --tmpfs multiple times in the same docker run command if you need more than 1 writeable directory.
Using --tmpfs is nice because the data lives in memory inside the container and is not written back to your Docker host's disk the way a volume would be.
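To check which of your running containers actually have the settings discussed above, here is an added example that is not part of the original post: it audits the JSON that `docker inspect` returns (the `HostConfig.ReadonlyRootfs` and `HostConfig.Tmpfs` fields plus the `Mounts` list), using a constructed sample in that shape. It goes a little beyond the post by also flagging tmpfs mounts that lack a `noexec` option or a `size=` limit, which is how you keep a writeable scratch directory from becoming an execution or memory-exhaustion path.

```python
import json

# Constructed sample shaped like `docker inspect <container> ...` output;
# only the fields this audit reads are included.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/redis-ro",
     "HostConfig": {"ReadonlyRootfs": True,
                    "Tmpfs": {"/run": "rw,noexec,nosuid,size=64m"}},
     "Mounts": []},
    {"Name": "/postgres-rw",
     "HostConfig": {"ReadonlyRootfs": False, "Tmpfs": {}},
     "Mounts": [{"Type": "volume",
                 "Destination": "/var/lib/postgresql/data", "RW": True}]},
    {"Name": "/web-tmpfs-exec",
     "HostConfig": {"ReadonlyRootfs": True,
                    "Tmpfs": {"/tmp": "", "/run": "rw,noexec"}},
     "Mounts": [{"Type": "bind", "Destination": "/etc/app", "RW": False}]},
])


def audit(inspect_json):
    """Return {container_name: [finding, ...]} for docker inspect output."""
    findings = {}
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        host = c.get("HostConfig", {})
        issues = []
        # Root filesystem: the --read-only flag sets ReadonlyRootfs to true.
        if not host.get("ReadonlyRootfs"):
            issues.append("root filesystem is writable (no --read-only)")
        # Each --tmpfs mount shows up as path -> mount-option string.
        for path, opts in (host.get("Tmpfs") or {}).items():
            flags = set(opts.split(",")) if opts else set()
            if "noexec" not in flags:
                issues.append(f"tmpfs {path} allows execution (add noexec)")
            if not any(f.startswith("size=") for f in flags):
                issues.append(f"tmpfs {path} has no size limit")
        # Volumes and bind mounts bypass --read-only when mounted RW.
        for m in c.get("Mounts", []):
            if m.get("RW"):
                issues.append(f"writable {m['Type']} mount at {m['Destination']}")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INSPECT).items():
        print(name, "->", issues or "ok")
```

Against live containers, feed it the output of `docker inspect $(docker ps -q)` instead of the sample.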