
11.2.3 Read Only Filesystems

A focused guide to Read Only Filesystems, connecting core concepts with practical Docker and container operations.

A read-only root filesystem restricts a container so that nothing can write to its root filesystem, limiting what a compromised process could actually modify, while specific, deliberately chosen paths stay writable for the application's genuine needs.

Enabling a Read-Only Root Filesystem

The --read-only flag makes a container's entire root filesystem read-only.

docker run --read-only myapp:1.0

Any attempt by the application to write to its own root filesystem now fails, since that filesystem is no longer writable at all.

Providing Specific Writable Locations Where Genuinely Needed

Since most applications need at least some writable location for temporary files, logs, or similar, specific paths can be made writable through a tmpfs mount or volume, even while the broader root filesystem remains read-only.

docker run --read-only --tmpfs /tmp -v app-logs:/app/logs myapp:1.0

This provides /tmp as a writable, memory-backed location and /app/logs as a writable, persistent volume, while everything else in the container's filesystem remains read-only. Because these mounts are the only places a process in the container can write, they should be kept to the minimum the application genuinely needs.

Why This Restriction Limits a Compromised Process's Options

A compromised process attempting to write a malicious script to disk, modify application files, or otherwise alter the container's filesystem state finds these actions blocked outright when the root filesystem is read-only.

docker exec myapp sh -c "echo malicious > /app/backdoor.sh"
sh: can't create /app/backdoor.sh: Read-only file system

Testing an Application Thoroughly Under This Restriction

Verifying an application actually functions correctly with a read-only root filesystem (and only the specific writable paths it genuinely needs) confirms this restriction hasn't broken legitimate functionality.

docker run --rm --read-only --tmpfs /tmp myapp:1.0 npm test
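The following is an added shell example, not part of the original page, that ties the two preceding steps together: it composes the hardened docker run invocation (read-only root plus only the writable exceptions you list) and audits a container's docker inspect output to confirm ReadonlyRootfs is actually set. The image name myapp:1.0, the paths /tmp and /app/logs, and the inspect JSON fragments are assumptions constructed for the example; the audit function would normally be fed the output of docker inspect on a real container.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed image and paths are
# hypothetical: myapp:1.0, /tmp, /app/logs.

# Compose the arguments for a hardened `docker run`: read-only root filesystem,
# a tmpfs for each scratch path, and a volume for each "name:path" pair.
# Everything not listed stays read-only. tmpfs scratch space is mounted
# noexec,nosuid so a writable directory cannot double as a place to run from.
build_run_args() {
  image="$1"
  tmpfs_paths="$2"   # space-separated container paths
  volumes="$3"       # space-separated "volume:path" pairs
  args="--read-only"
  for p in $tmpfs_paths; do
    args="$args --tmpfs $p:rw,noexec,nosuid,size=64m"
  done
  for v in $volumes; do
    args="$args -v $v"
  done
  printf '%s %s\n' "$args" "$image"
}

# Audit check: given the JSON text from `docker inspect <container>`, return 0
# when HostConfig.ReadonlyRootfs is true and 1 otherwise. Docker pretty-prints
# the key with a space after the colon; the regex tolerates either spacing.
readonly_rootfs_enabled() {
  printf '%s' "$1" | grep -q '"ReadonlyRootfs": *true'
}

# Constructed HostConfig fragments standing in for real `docker inspect` output.
SAMPLE_HARDENED='{"HostConfig": {"ReadonlyRootfs": true, "Tmpfs": {"/tmp": "rw,noexec,nosuid,size=64m"}}}'
SAMPLE_DEFAULT='{"HostConfig": {"ReadonlyRootfs": false, "Tmpfs": {}}}'

if readonly_rootfs_enabled "$SAMPLE_HARDENED"; then
  echo "hardened container: root filesystem is read-only"
fi
if ! readonly_rootfs_enabled "$SAMPLE_DEFAULT"; then
  echo "default container: root filesystem is still writable"
fi

# Print the command you would run; with a real daemon, append the app command.
echo "docker run $(build_run_args myapp:1.0 '/tmp' 'app-logs:/app/logs')"
```

To use the audit in practice, run `docker inspect <container>` and pass its output to readonly_rootfs_enabled for each container you care about; any container that returns non-zero is running with a writable root filesystem and is a candidate for the --read-only treatment described above.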

Why Read-Only Filesystems Matter

A read-only root filesystem, combined with deliberately chosen writable exceptions, meaningfully limits a compromised process's ability to persist changes or write malicious content to the container's filesystem, an effective and often underused container security practice.
