For a little added security you can make your container's file system read-only, excluding any volumes you have created. If anyone hacks into your container, they will be unable to change any files outside those volumes.
When starting a container with docker run from the CLI, you simply add the --read-only flag:
docker run --read-only redis
In a Compose file, you set the read_only flag to true, like so:

version: '3.3'
services:
  redis:
    image: redis:4.0.1-alpine
    networks:
      - myoverlay
    read_only: true
networks:
  myoverlay:
The stack file above, for use with Docker Swarm, shows how to start Redis with a read-only file system.
What is Supported?
Not all images support being started with a read-only file system. Some require access to write temp files and the like. You can usually get away with using a volume in this case, because volumes are still writable even if you enable the read-only file system. In my research, I found it hard to determine whether an image supported the feature, so I simply tried it out and found that most failed.
I discovered that Redis was the only image I was running that had full support; several Elastic Stack containers failed to start, and even my ASP.NET Core images failed to start. I have since raised a GitHub issue here, trying to find out why the container fails to start and seeing if there is any workaround.
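The trial-and-error approach described in the two paragraphs above can be scripted. The following is an added example, not code from the original post: it starts an image with --read-only, grants writable tmpfs mounts only for the paths you name (so the rest of the root file system stays immutable), waits a few seconds, and reports whether the container is still running, printing its last log lines if it is not. It assumes a working Docker CLI and daemon; PROBE_IMAGE, PROBE_PATHS and PROBE_WAIT are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Probes whether an image can
# run with a read-only root filesystem (--read-only), giving it writable tmpfs
# mounts only for the paths you list and keeping everything else immutable.
# Assumes a working Docker CLI and daemon; the image is supplied via
# PROBE_IMAGE (a placeholder variable name chosen for this example).

# Turn a list of paths into --tmpfs options, e.g. "/tmp /run" ->
# "--tmpfs /tmp --tmpfs /run". Prints nothing for an empty list.
tmpfs_opts() {
  out=""
  for p in "$@"; do
    out="${out:+$out }--tmpfs $p"
  done
  printf '%s' "$out"
}

# probe_image IMAGE [WRITABLE_PATH ...]
# Starts IMAGE detached with a read-only root filesystem, waits, and reports
# whether it is still running. Exit status: 0 supported, 1 exited early,
# 2 could not be started at all. The container is always removed afterwards.
probe_image() {
  image=$1; shift
  wait_secs=${PROBE_WAIT:-5}
  # Word splitting of tmpfs_opts output is intended here.
  cid=$(docker run -d --read-only $(tmpfs_opts "$@") "$image") || {
    echo "ERROR: $image: container could not be created"
    return 2
  }
  sleep "$wait_secs"
  state=$(docker inspect -f '{{.State.Running}} {{.State.ExitCode}}' "$cid")
  running=${state% *}
  exit_code=${state#* }
  if [ "$running" = "true" ]; then
    echo "OK: $image stays up read-only (writable tmpfs: ${*:-none})"
    rc=0
  else
    echo "FAIL: $image exited with code $exit_code after ${wait_secs}s; last log lines:"
    docker logs --tail 20 "$cid" 2>&1 | sed 's/^/    /'
    rc=1
  fi
  docker rm -f "$cid" >/dev/null
  return "$rc"
}

# Run only when an image is given, so the file can also be sourced for its
# functions. Example:
#   PROBE_IMAGE=redis:4.0.1-alpine PROBE_PATHS="/tmp" sh probe.sh
if [ -n "${PROBE_IMAGE:-}" ]; then
  # PROBE_PATHS is a space-separated list; splitting is intended.
  probe_image "$PROBE_IMAGE" ${PROBE_PATHS:-}
fi
```

Start with no writable paths; if the image fails, the log lines usually name the directory it tried to write to, and you can re-run with that path in PROBE_PATHS rather than giving up on read-only altogether. The docker run equivalent of a persistent, writable exception is a volume (for example -v redis-data:/data); the same pair of exceptions is expressed in a version 3.2+ stack file with read_only: true plus long-syntax volumes entries of type: volume and type: tmpfs.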