8.3.1.4 Bind Read Only Mode

A focused guide to Bind Read Only Mode, connecting core concepts with practical Docker and container operations.

Bind read-only mode restricts a bind mount so the container can read the mounted host content but cannot modify it in any way, providing a safer option for situations where a container needs access to host data without any risk of altering it.

Specifying Read-Only Mode

Appending :ro to a bind mount's specification restricts it to read-only access.

docker run -d --name myapp -v /home/user/config:/app/config:ro myapp:1.0

The application inside this container can read configuration files from this mount, but any attempt to write to this path fails.

Confirming Write Attempts Actually Fail

Testing that a write attempt against a read-only mount is genuinely rejected confirms the restriction is correctly in effect.

docker exec myapp sh -c "echo 'test' > /app/config/test.txt"
sh: can't create /app/config/test.txt: Read-only file system

Why Read-Only Mounts Are a Good Default for Configuration and Reference Data

Configuration files, reference data, or any other host content a container genuinely only needs to read benefits from this restriction, eliminating any possibility of the container inadvertently or maliciously modifying that content.

docker run -d -v /etc/ssl/certs:/app/certs:ro myapp:1.0

Mounting certificate files this way ensures the application can use them without any risk of accidentally corrupting or modifying these sensitive files.

Why This Matters Particularly for Untrusted or Less-Trusted Containers

For a container running code of uncertain trustworthiness, restricting any bind-mounted host content to read-only access provides a meaningful safeguard against that content being tampered with, even if the container itself were somehow compromised.

docker run -d -v /home/user/shared-input:/data:ro untrusted-processor:1.0

Why Bind Read-Only Mode Matters

Defaulting to read-only access whenever a container genuinely only needs to read host-mounted content, rather than defaulting to the more permissive read-write mode, is a simple, low-cost practice that meaningfully reduces the risk of accidental or malicious modification to important host data.
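One way to check that this default is actually being followed is to audit a running container's mounts with docker inspect and flag any bind mount that is still read-write. The script below is an added example, not part of the original guide; the docker inspect --format line and the Mounts fields (Type, Source, Destination, RW) are real, while the sample mount listing is constructed so the check runs offline.

```shell
#!/bin/sh
# Audit a container's bind mounts and report any that are writable.
# In real use, feed the function the output of:
#   docker inspect --format \
#     '{{range .Mounts}}{{.Type}} {{.Source}} {{.Destination}} {{.RW}}{{"\n"}}{{end}}' <container>
# Here a constructed sample of that output is embedded instead.

# audit_mounts reads "type source destination rw" lines on stdin, prints one
# line per bind mount that is read-write, and returns 1 if any were found.
audit_mounts() {
    found=0
    while read -r mtype src dst rw; do
        [ -z "$mtype" ] && continue
        if [ "$mtype" = "bind" ] && [ "$rw" = "true" ]; then
            echo "WRITABLE bind mount: $src -> $dst"
            found=1
        fi
    done
    return $found
}

# Constructed sample: three bind mounts (one missing the :ro suffix) and a
# named volume, which is expected to be writable and is not a bind mount.
SAMPLE_MOUNTS='bind /home/user/config /app/config false
bind /etc/ssl/certs /app/certs false
bind /home/user/shared-input /data true
volume appdata /var/lib/app true'

# count_writable_binds runs the audit over the sample and prints the number
# of findings, so a CI job or script can fail when it is not zero.
count_writable_binds() {
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
```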