The container’s root filesystem should be treated as a 'golden image' by using Docker run’s --read-only option. This prevents any writes to the container’s root filesystem at container runtime and enforces the principle of immutable infrastructure.


Enabling this option forces containers at runtime to explicitly define their data writing strategy to persist or not persist their data. This also reduces security attack vectors since the container instance’s filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories. [1]

You should add a --read-only flag at a container’s runtime to enforce the container’s root filesystem being mounted as read only.

docker run <Run arguments> --read-only <Container Image Name or ID> <Command>

Enabling the --read-only option at a container’s runtime should be used by administrators to force a container’s executable processes to only write container data to explicit storage locations during its lifetime.