Add --readonly for read only container rootfs

Add a --readonly flag to allow the container's root filesystem to be mounted as readonly. This can be used in combination with volumes to force a container's process to only write to locations that will be persisted. This is useful in many cases where the admin controls where they would like developers to write files and error on any other locations. Closes #7923 Closes #8752 Signed-off-by: Michael Crosby <crosbymichael@gmail.com> Upstream-commit: 221cd67e25 Component: cli
2026-01-22 03:22:01 +03:00 · 2015-01-13 13:52:51 -08:00
parent 3af7c4551a
commit 909c972594
1 changed files with 9 additions and 0 deletions
--- a/components/cli/docs/sources/reference/commandline/cli.md
+++ b/components/cli/docs/sources/reference/commandline/cli.md
@@ -755,6 +755,7 @@ Creates a new container.
                                   When specifying ranges for both, the number of container ports in the range must match the number of host ports in the range. (e.g., `-p 1234-1236:1234-1236/tcp`)
                                   (use 'docker port' to see the actual mapping)
      --privileged=false         Give extended privileges to this container
+      --read-only=false           Mount the container's root filesystem as read only
      --restart=""               Restart policy to apply when a container exits (no, on-failure[:max-retry], always)
      --security-opt=[]          Security Options
      -t, --tty=false            Allocate a pseudo-TTY
@@ -1608,6 +1609,7 @@ removed before the image is removed.
                                   (use 'docker port' to see the actual mapping)
      --pid=host		 'host': use the host PID namespace inside the container.  Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.
      --privileged=false         Give extended privileges to this container
+      --read-only=false           Mount the container's root filesystem as read only
      --restart=""               Restart policy to apply when a container exits (no, on-failure[:max-retry], always)
      --rm=false                 Automatically remove the container when it exits (incompatible with -d)
      --security-opt=[]          Security Options
@@ -1683,6 +1685,13 @@ will automatically create this directory on the host for you. In the
 example above, Docker will create the `/doesnt/exist`
 folder before starting your container.

+    $ sudo docker run --read-only -v /icanwrite busybox touch /icanwrite here
+
+Volumes can be used in combination with `--read-only` to control where 
+a container writes files.  The `--read only` flag mounts the container's root
+filesystem as read only prohibiting writes to locations other than the
+specified volumes for the container.
+
    $ sudo docker run -t -i -v /var/run/docker.sock:/var/run/docker.sock -v ./static-docker:/usr/bin/docker busybox sh

 By bind-mounting the docker unix socket and statically linked docker