11.2.3.1 Immutable Runtime Filesystem
A focused guide to Immutable Runtime Filesystem, connecting core concepts with practical Docker and container operations.
Immutable runtime filesystem refers to running a container so that its filesystem is fixed once started, with only specifically designated writable exceptions, so that the application's code and configuration remain exactly as they were at startup and cannot be modified at runtime without authorization.
Why Immutability Provides a Strong Security Guarantee
A container with an immutable filesystem cannot have the application code on that filesystem modified at runtime, even if the running process is compromised: there is no writable path through which such a modification could persist.
docker run --read-only --name myapp myapp:1.0
A compromised process inside this container cannot tamper with the application's own code or configuration files, since the filesystem containing them is read-only.
Why This Differs From Simply Not Modifying Files in Practice
Immutability provides an enforced guarantee, not merely an expectation: even a process that specifically tries to modify the filesystem is blocked outright, rather than the protection depending on the application simply not attempting such writes under normal operation.
docker exec myapp sh -c "echo malicious >> /app/server.js"
sh: can't create temporary file: Read-only file system
Designing an Application With Immutability in Mind
An application that never needs to write to its own code or configuration directory at runtime, and that keeps any genuinely necessary writable state in clearly designated, separate locations, can adopt this immutable filesystem configuration cleanly: a tmpfs for scratch files and a named volume for persistent data cover the usual cases.
docker run --read-only --name myapp --tmpfs /tmp -v app-data:/app/data myapp:1.0
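The flags above are easy to forget on one container among many, so a check that reads the container's actual configuration is useful. The following is an added example, not code from the original guide or from Docker: it parses the JSON that docker inspect prints for one or more containers, reports whether the root filesystem is read-only, lists the remaining writable paths (tmpfs entries and read-write mounts), and flags any writable mount that covers the code directory. The container names, the /app code directory and the sample inspect output embedded in it are constructed for illustration.

```python
"""Audit containers for an immutable root filesystem.

Added example, not code from the original guide. It reads the JSON that
`docker inspect <container> ...` prints (a list with one object per
container) and reports, for each container, whether the root filesystem is
read-only and which paths remain writable. The container names, the /app
code directory and the sample inspect output are constructed.
"""
import json

# Directory holding the application's code and configuration. A writable
# mount that covers this directory defeats the guarantee. Assumed value.
CODE_DIR = "/app"

# Constructed stand-in for `docker inspect` output: one container started
# with --read-only plus designated writable exceptions, and one without.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/myapp",
        "HostConfig": {
            "ReadonlyRootfs": True,
            "Tmpfs": {"/tmp": "rw,noexec,nosuid"},
        },
        "Mounts": [
            {"Type": "volume", "Name": "app-data",
             "Destination": "/app/data", "RW": True},
        ],
    },
    {
        "Name": "/legacy",
        "HostConfig": {"ReadonlyRootfs": False, "Tmpfs": {}},
        "Mounts": [
            {"Type": "bind", "Source": "/srv/legacy",
             "Destination": "/app", "RW": True},
        ],
    },
])


def path_under(path, root):
    """True when `path` equals `root` or lies anywhere below it."""
    root = root.rstrip("/") or "/"
    if root == "/":
        return path.startswith("/")
    return path == root or path.startswith(root + "/")


def audit_container(info, code_dir=CODE_DIR):
    """Summarise one container's writable surface and list findings."""
    host = info.get("HostConfig") or {}
    # tmpfs mounts are always writable; other mounts are writable unless RW is false.
    writable = [("tmpfs", dest) for dest in (host.get("Tmpfs") or {})]
    for mount in info.get("Mounts") or []:
        if mount.get("RW", True):
            writable.append((mount.get("Type", "unknown"), mount["Destination"]))

    findings = []
    read_only = bool(host.get("ReadonlyRootfs", False))
    if not read_only:
        findings.append("root filesystem is writable; start the container with --read-only")
    for kind, dest in writable:
        # A writable mount at the code directory or one of its ancestors lets a
        # compromised process rewrite code. A mount below it (e.g. /app/data) is
        # a designated exception: it is listed but not flagged.
        if path_under(code_dir, dest):
            findings.append(f"{kind} mount at {dest} makes code directory {code_dir} writable")

    return {
        "name": (info.get("Name") or "").lstrip("/"),
        "read_only_rootfs": read_only,
        "writable_paths": writable,
        "findings": findings,
    }


def audit_inspect_output(raw_json, code_dir=CODE_DIR):
    """Parse `docker inspect` JSON and audit every container in it."""
    return [audit_container(info, code_dir) for info in json.loads(raw_json)]


if __name__ == "__main__":
    import sys
    # Real use: docker inspect $(docker ps -q) | python3 audit.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for report in audit_inspect_output(raw):
        status = "OK" if not report["findings"] else "FINDINGS"
        print(f"{report['name']}: read-only rootfs={report['read_only_rootfs']} [{status}]")
        for kind, dest in report["writable_paths"]:
            print(f"  writable {kind:<7} {dest}")
        for finding in report["findings"]:
            print(f"  ! {finding}")
```

The field names used (HostConfig.ReadonlyRootfs, HostConfig.Tmpfs, Mounts with Type, Destination and RW) are what docker inspect emits; the two sample containers are invented. Run with no input to see the sample, or pipe real inspect output into it.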
Why This Matters for Detecting Unexpected Tampering
An immutable filesystem also simplifies detecting unexpected tampering, since any attempt to modify the filesystem fails immediately and visibly, rather than silently succeeding and potentially going unnoticed.
docker logs myapp | grep "Read-only file system"
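A grep shows that something was blocked; a small parser can also say what was targeted and whether it was the code directory. The following is an added example, not code from the original guide: it scans log lines for "Read-only file system" failures (errno EROFS), extracts the path each blocked write aimed at, and separates writes against the code directory from other noise. The log lines are constructed and the /app code directory is an assumed value. Note that docker logs only carries what the application writes to stdout and stderr, so this sees the failures the application itself reports.

```python
"""Detect writes that the read-only root filesystem blocked.

Added example, not code from the original guide. Each line of `docker logs`
output is checked for an EROFS failure ("Read-only file system"), the
targeted path is extracted, and writes aimed at the code directory are
separated from other noise. The log lines are constructed; the /app code
directory is an assumed value.
"""
import re

CODE_DIR = "/app"
EROFS_TEXT = "Read-only file system"

# Path named before the error, e.g.
#   sh: can't create /app/server.js: Read-only file system
_PATH_BEFORE = re.compile(
    r"(?:create|open|write to|rename|unlink|mkdir)\s+'?(/[^'\s:]+)'?:?\s*" + EROFS_TEXT,
    re.I)
# Path named after the error, e.g.
#   OSError: [Errno 30] Read-only file system: '/app/config.json'
_PATH_AFTER = re.compile(EROFS_TEXT + r":?\s*'?(/[^'\s]+)", re.I)

# Constructed log lines as `docker logs myapp` might show them.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z INFO server listening on :8080",
    "2024-05-01T10:00:07Z sh: can't create /app/server.js: Read-only file system",
    "2024-05-01T10:00:09Z OSError: [Errno 30] Read-only file system: '/app/config.json'",
    "2024-05-01T10:00:12Z WARN cache write failed: Read-only file system: '/var/cache/app/index'",
    "2024-05-01T10:00:15Z INFO request GET /healthz 200",
    "2024-05-01T10:00:20Z ERROR failed to save state: Read-only file system",
]


def extract_blocked_write(line):
    """Return the path of a blocked write, or None if the line is not an EROFS failure.

    Lines that report EROFS without naming a path still count as a blocked
    write and are returned with a placeholder path.
    """
    if EROFS_TEXT.lower() not in line.lower():
        return None
    match = _PATH_BEFORE.search(line) or _PATH_AFTER.search(line)
    return match.group(1) if match else "<path not reported>"


def classify_blocked_writes(lines, code_dir=CODE_DIR):
    """Group blocked writes by whether they targeted the code directory."""
    root = code_dir.rstrip("/")
    result = {"code_dir": [], "other": []}
    for line in lines:
        path = extract_blocked_write(line)
        if path is None:
            continue
        in_code = path == root or path.startswith(root + "/")
        result["code_dir" if in_code else "other"].append(path)
    return result


if __name__ == "__main__":
    import sys
    # Real use: docker logs myapp 2>&1 | python3 erofs_watch.py
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOGS
    groups = classify_blocked_writes(lines)
    for path in groups["code_dir"]:
        print(f"ALERT blocked write to code directory: {path}")
    for path in groups["other"]:
        print(f"note  blocked write elsewhere: {path}")
```

A blocked write under the code directory is the signal worth alerting on; blocked writes elsewhere usually mean the application needs a designated writable location it was not given, which is a configuration fix rather than a security event.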
Why Immutable Runtime Filesystem Matters
Treating a container's filesystem as immutable by default, with only deliberately chosen writable exceptions, provides a strong, enforced guarantee against unauthorized runtime modification, a guarantee that relying on the application's own well-behaved runtime conventions alone cannot provide.