Add --read-only for read only container rootfs

[crosbymichael]

Add a --read-only flag to allow the container's root filesystem to be
mounted as read only. This can be used in combination with volumes to
force a container's process to only write to locations that will be
persisted. This is useful in many cases where the admin controls where
they would like developers to write files and error on any other
locations.

Closes #7923
Closes #8752

Signed-off-by: Michael Crosby crosbymichael@gmail.com

[LK4D4]

@crosbymichael Tests not compiling :)

[crosbymichael]

@LK4D4 i don't know what you are talking about....

[tianon]

+1 for this even without --tmpfs 👍

[mrunalp]

typo: it's --> its

[mrunalp]

👍

[jessfraz]

cooooollll the diff is so smalll! LGTM

[tiborvass]

Minor nit, but docker run --readonly -v /icanwrite ... could be better, as "icanwrite readonly" sounds weird.

[SvenDowideit]

i agree - putting the flag you're talking about first also gives it emphasis.

[tiborvass]

Should we add a small warning somewhere explaining that tmpfs mountpoints are still writeable?

[crosbymichael]

Any mounts are still writable, if they are mounted as rw

[tiborvass]

Oh right, it's only the rootfs that's readonly, my bad. Code LGTM

[LK4D4]

weird formatting

[LK4D4]

I have no idea where, but should be in "what's new"

[SvenDowideit]

I'd flip the first sentence to be more like

To control where a container can write files, you can combine the--readonlyflag with volumes of volume containers

Starting a discussion about readonly with Volumes made me wonder if it was out of place.

no matter tho, easy for us to discuss post-merge.

[crosbymichael]

@fredlf ! ! ! ^^^ I'm trying to apply what you told us but @SvenDowideit is saying you are wrong or I did it wrong.

[fredlf]

Heh, this is one of those cases where we can see the fact that writing is not code. There's no right or wrong, here, it's a question of what we most want to emphasize. @crosbymichael 's original sentence emphasizes the idea of "control over where a container writes". @SvenDowideit 's rewrite places reader emphasis on the idea of "combining the --readonly flag with volumes." Only the writer knows what he actually wanted to emphasize. But @SvenDowideit's response as a reader (another term for RET is reader-response criticism), gives an important clue: he did not have any context for mentally processing the concept of "volumes" when it was introduced. So, let's give the reader the context they need and expect: "The --readonly flag can be used in combination with volumes to control where a container writes files."

[SvenDowideit]

This is a very cool featurette! Docs LGTM @fredlf @jamtur01

Need to create a working example showing how its useful tho

[jamtur01]

I think readonly should probably be read-only both in option and text. It's definitely read-only when used in a sentence.

[jamtur01]

Otherwise LGTM

[crosbymichael]

@jamtur01 you mean --read-only?

[jamtur01]

Yes - though I'm open to be told I'm wrong as an option - but definitely the docs should say "read-only" - readonly is wrong.

[crosbymichael]

@tianon what do you think? --readonly or --read-only for a cli flag?

[tianon]

I think --read-only for consistency, even though I like --readonly.

from man mount:

       -r, --read-only
              Mount the filesystem read-only. A synonym is -o ro.

              Note  that,  depending  on the filesystem type, state and kernel
              behavior, the system may still write to the device. For example,
              ext3 or ext4 will replay its journal if the filesystem is dirty.
              To prevent this kind of write access, you may want to mount ext3
              or  ext4  filesystem  with  "ro,noload" mount options or set the
              block device to read-only mode, see command blockdev(8).

[crosbymichael]

@tianon thanks, consistency wins, i'll make the change in docs and code.

[crosbymichael]

@jamtur01 made the changes and changed the flag name to be consistent with other tools.

[jamtur01]

LGTM

[LK4D4]

Okay, I was ignored again :(
I found What's new section for you @crosbymichael : docs/sources/reference/api/docker_remote_api.md.

[crosbymichael]

@LK4D4 I saw your comment, I just don't know what to say about adding a new field to an api object, it looks to be more about endpoints.

[LK4D4]

@crosbymichael Now it is possible to mount container rootfs as read-only!!!!!! or something like this. This is new feature in api, this should be there.
ping @SvenDowideit maybe you know how to write it better.

[crosbymichael]

@LK4D4 added

[LK4D4]

LGTM

[noisy]

👍