Learn Docker With My Newest Course

Dive into Docker takes you from "What is Docker?" to confidently applying Docker to your own projects. It's packed with best practices and examples. Start Learning Docker →

Docker Tip #55: Creating Read Only Containers


You may want to enable read-only on your containers to enhance its security, or perhaps you have other app specific needs.

Personally I’ve never had a reason to use read-only containers but someone from my Dive Into Docker course recently asked how to do it, so here we are.

Lucky for us, it’s really easy!

Testing out a read-only container:
docker container run --rm --read-only alpine:3.7 touch hello.txt
> touch: hello.txt: Read-only file system

You’ll notice that the file won’t be created. If you removed the --read-only flag then you’ll be able to write the file.

One thing to note is, not all images fully support this by default. Certain images will expect to be able to write to specific areas of the file system, such as to /var.

This will really come down to the image. For example Redis works fine with --read-only all by itself but Postgres does not.

Dealing with situational writes in a read-only container:

If you come across an image that doesn’t work with --read-only automatically you may need to use the --tmpfs flag too.

This will allow you to create writeable directories for whatever you need.

For example if you wanted to make /run writeable you could do --tmpfs /run. You can also use --tmpfs multiple times in the same docker run command if you need more than 1 writeable directory.

Using --tmpfs is nice because it doesn’t write a volume back to your Docker host.

Free Intro to Docker Email Course

Over 5 days you'll get 1 email per day that includes video and text from the premium Dive Into Docker course. By the end of the 5 days you'll have hands on experience using Docker to serve a website.