MikeF

Reputation: 1068

How do I make a container's root filesystem r/o but allow writing to WORKDIR

I want to make the root filesystem as read-only as per this answer:

docker run --read-only ... myapp

But, I also need to allow the application running in the container access to its folder /app. The application needs some temporary storage, but I need to limit its access to everything for security.

Upvotes: 2

Views: 2958

Answers (1)

David Maze

Reputation: 160051

Anything you mount into the container with a docker run -v option isn't "part of the root filesystem" and can have its own access mode. If you just need some scratch space within the container, you can use the docker run --tmpfs option to mount an empty in-memory filesystem somewhere.

$ docker run --rm --read-only busybox \
> sh -c 'touch /tmp/foo && ls /tmp'
touch: /tmp/foo: Read-only file system

$ docker run --rm --read-only --tmpfs /tmp busybox \
> sh -c 'touch /tmp/foo && ls /tmp'
foo

You can do the same thing with named volumes:

$ docker volume create vol
vol
$ docker run --rm --read-only -v vol:/tmp busybox touch /tmp/foo
$ docker run --rm --read-only -v vol:/tmp busybox ls /tmp
foo

You don't want to do this with the directory containing your application's source code. For security reasons, if you're concerned enough to make the root filesystem read-only, you don't want to risk the application's code being overwritten. If your application code does wind up in a volume, Docker will treat it as valuable user data and refuse to ever update it. So pick some directory other than /app for this (a subdirectory /app/data would work fine just so long as it's okay to start empty).

Upvotes: 3
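A verification script for the layout described in this answer, added here as an example and not part of the answer itself: it starts the container with the read-only root plus a size-capped, nosuid,noexec tmpfs at the scratch path, then reads the container's own /proc/mounts to confirm that / really is read-only and that the scratch directory is a tmpfs with those options. The image name myapp and the scratch path /app/data are assumptions.

```shell
#!/bin/sh
# Added example (not from the answer): run with a read-only root and a
# capped, nosuid,noexec tmpfs scratch directory, then verify the layout
# from the container's own /proc/mounts. IMAGE and SCRATCH are assumptions.
set -eu

IMAGE="${IMAGE:-myapp}"          # hypothetical image name
SCRATCH="${SCRATCH:-/app/data}"  # scratch path; starts empty on every run

# check_mounts SCRATCH: reads /proc/mounts lines from stdin and succeeds only
# when "/" is mounted read-only and SCRATCH is a tmpfs carrying both nosuid
# and noexec (so the writable area cannot hold runnable or setuid files).
check_mounts() {
  scratch="$1"
  root_ro=0
  scratch_ok=0
  while read -r _dev mnt fstype opts _rest; do
    if [ "$mnt" = / ]; then
      case ",$opts," in *,ro,*) root_ro=1 ;; esac
    elif [ "$mnt" = "$scratch" ] && [ "$fstype" = tmpfs ]; then
      case ",$opts," in
        *,nosuid,*) case ",$opts," in *,noexec,*) scratch_ok=1 ;; esac ;;
      esac
    fi
  done
  [ "$root_ro" = 1 ] && [ "$scratch_ok" = 1 ]
}

# run_and_verify: the docker run command with the hardened flags. The size
# caps stop a runaway writer from consuming host memory; /tmp gets the same
# treatment because many runtimes expect it to be writable.
run_and_verify() {
  docker run --rm \
    --read-only \
    --tmpfs "$SCRATCH:rw,nosuid,noexec,size=64m" \
    --tmpfs /tmp:rw,nosuid,noexec,size=16m \
    "$IMAGE" cat /proc/mounts | check_mounts "$SCRATCH"
}

# Only touch docker when invoked with --run; without the flag the script
# just defines the functions so check_mounts can be used on a saved table.
if [ "${1:-}" = "--run" ]; then
  run_and_verify && echo "ok: / is read-only, $SCRATCH is tmpfs nosuid,noexec"
fi
```

Invoke it as `sh readonly_check.sh --run` against your image; check_mounts can also be fed a saved copy of /proc/mounts, which is useful in CI where docker is not available.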
