Docker Read-Only File Systems

For a little bit of added security you can make the file system of your container read-only, excluding any volumes you may have created. If anyone hacks into your container, they will be unable to change any files.

Docker Run

When using the docker run command using the CLI, you can simply use the following command:

Docker Compose/Swarm

To set a read-only file system, you simply need to set the read_only flag to true, like so:

So above, I have a Docker stack file for use with Docker Swarm showing how to start Redis with a read-only file system.

What is Supported?

Not all images support having them started with a read-only file system. Some require access to write temp files and the like. You can usually get away with using a volume in this case because volumes are still writable even if you enable the read-only file system. In my research, I found it hard to determine if an image supported the feature, so I simply tried it out and found that most failed.

I discovered that Redis was the only image that I was running that had full support, several Elastic Stack containers failed to start and even my ASP.NET Core images failed to start. I since raised a GitHub issue here, trying to find out why the container fails to start and seeing if there is any workaround.