186

I am working with Docker, and I want to mount a dynamic folder that changes a lot (so I would not have to make a Docker image for each execution, which would be too costly), but I want that folder to be read-only. Changing the folder owner to someone else works. However, chown requires root access, which I would prefer not to expose to an application.

When I use the -v flag to mount, it gives whatever username I give. I created a non-root user inside the Docker image; however, all the files in the volume, with the owner as the user that ran Docker, change into the user I give from the command line, so I cannot make read-only files and folders. How can I prevent this?

I also added `mustafa ALL=(docker) NOPASSWD: /usr/bin/docker`, so I could change to another user via the terminal, but still, the files have permissions for my user.

Denis Stafichuk
Mustafa
  • Just thought I'd leave a comment here saying that enabling a user to run docker containers is the same as giving him full root access. This is also documented in the security section of the docker documentation. – Blackclaws Mar 08 '18 at 12:33

2 Answers

261

You can specify that a volume should be read-only by appending :ro to the -v switch:

docker run -v volume-name:/path/in/container:ro my/image

Note that the folder is then read-only in the container and read-write on the host.

2018 Edit

According to the Use volumes documentation, there is now another way to mount volumes by using the --mount switch. Here is how to utilize that with read-only:

$ docker run --mount source=volume-name,destination=/path/in/container,readonly my/image

docker-compose

Here is an example of how to specify read-only containers in docker-compose:

version: "3"
services:
  redis:
    image: redis:alpine
    read_only: true
Pang
Alp
  • Is there a way to allow writes, but not write them back up to the host? That would be fantastic – Ray Foss Aug 16 '17 at 14:11
  • That sounds like you want to specify no volume at all. – Alp Aug 16 '17 at 19:02
  • Sort of... I just don't like having to build an image just to make use of Dockerfile COPY or use a separate `docker cp` command on a shut-off container. – Ray Foss Aug 16 '17 at 19:11
  • Maybe you could create a new question for that where you provide more details and link it here? – Alp Aug 17 '17 at 05:17
  • You can also use the short syntax with docker compose, i.e. `redis:alpine:ro` – mb14 May 17 '19 at 13:23
  • I'm using the `-v ...:ro` variant. I'd say it isn't the folder that becomes read-only, but the file system through which the container sees the folder. Permissions of the folder show it as writable, but write access fails with the message that the file system is read-only. – Roland Weber Aug 21 '19 at 12:58
101

docker-compose

Here is a proper way to specify read-only volume in docker-compose:

Long syntax

version: "3.2" # Use version 3.2 or above
services:
  my_service:
    image: my:image
    volumes:
      - type: volume
        source: volume-name
        target: /path/in/container
        read_only: true
volumes:
  volume-name:

https://docs.docker.com/compose/compose-file/compose-file-v3/#long-syntax-3

Short syntax

Add :ro to the volume mount definition:

version: "3.0" # Use version 3.0 or above
services:
  my_service:
    image: my:image
    volumes:
      - /path/on/host:/path/inside/container:ro

https://docs.docker.com/compose/compose-file/compose-file-v3/#short-syntax-3

Denis Stafichuk
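The two answers above show three spellings of a read-only mount in Compose (short syntax with `:ro`, long syntax with `read_only: true` on the volume entry, and the `-v`/`--mount` flags), while the `read_only: true` in the first answer's redis example is a service-level setting that makes the container's root filesystem read-only and says nothing about its volumes. Since a writable mount lets code in the container change host files no matter which uid it runs as, a practitioner usually wants to audit a compose file for exactly that. The following is an added example, not code from either answer or from Docker: it walks an already-parsed compose file (the dict `yaml.safe_load()` would return; the sample below is constructed inline for this example) and reports every mount the container can write to. The function names are the example's own.

```python
"""Audit parsed docker-compose services for mounts writable from the container.

Added example for the answers above; not code from Stack Overflow or Docker.
It operates on the dict form of a compose file (what yaml.safe_load() returns),
so it runs without PyYAML; the sample structure below is constructed here.
"""

# Constructed sample: the parsed form of a compose file mixing the read-only
# spellings from the answers with two mounts that are still writable.
SAMPLE_COMPOSE = {
    "version": "3.2",
    "services": {
        "redis": {
            "image": "redis:alpine",
            # Service-level read_only: root filesystem is read-only, but this
            # does not make any volume read-only.
            "read_only": True,
            "volumes": ["/srv/redis-data:/data"],  # writable bind mount
        },
        "app": {
            "image": "my:image",
            "volumes": [
                "/path/on/host:/path/inside/container:ro",  # short syntax
                {   # long syntax
                    "type": "volume",
                    "source": "volume-name",
                    "target": "/path/in/container",
                    "read_only": True,
                },
                "/tmp/scratch",  # anonymous volume: always writable
            ],
        },
    },
    "volumes": {"volume-name": {}},
}


def parse_short_mount(spec):
    """Return (source, target, read_only) for a short-syntax mount string.

    Accepted forms: TARGET | SOURCE:TARGET | SOURCE:TARGET:OPTS, where OPTS is
    a comma-separated list such as "ro" or "ro,z". Windows drive-letter
    sources (C:\\dir) are not handled by this simple split.
    """
    parts = spec.split(":")
    if len(parts) == 1:
        return None, parts[0], False
    source, target = parts[0], parts[1]
    opts = parts[2].split(",") if len(parts) >= 3 else []
    return source, target, "ro" in opts


def mount_is_read_only(entry):
    """True if a compose volume entry (short string or long dict) is read-only."""
    if isinstance(entry, str):
        return parse_short_mount(entry)[2]
    # Long syntax: read_only defaults to false when the key is absent.
    return bool(entry.get("read_only", False))


def mount_target(entry):
    """Container-side path of a compose volume entry."""
    if isinstance(entry, str):
        return parse_short_mount(entry)[1]
    return entry.get("target")


def audit_compose(compose):
    """Return a sorted list of (service, target) for every writable mount.

    A service-level read_only: true is deliberately ignored: it only affects
    the root filesystem, so the service's volumes are audited like any other.
    """
    findings = []
    for name, service in compose.get("services", {}).items():
        for entry in service.get("volumes", []):
            if not mount_is_read_only(entry):
                findings.append((name, mount_target(entry)))
    return sorted(findings)


if __name__ == "__main__":
    for service, target in audit_compose(SAMPLE_COMPOSE):
        print(f"{service}: {target} is writable from inside the container")
```

Run against the sample, the audit flags `redis:/data` (despite the service's `read_only: true`) and `app:/tmp/scratch`; the `:ro` and `read_only: true` volume entries pass. To use it on a real file, feed `yaml.safe_load(open("docker-compose.yml"))` to `audit_compose`.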