Implementing a Read Only volume option in the docker-compose.yaml file #341

Closed

petertjmills
Contributor

Description

This change allows users to set a read-only flag on volumes in their service containers using the optional read_only: true option in the docker-compose.yaml file as defined by the compose spec:

  volumes:
      - type: bind
        source: ./readonly
        target: /var/lib/readonlyfile
        read_only: true

In specifying this flag it mounts the volume onto the container as read-only, meaning the container cannot write or change the folder.

Motivation and Context

This change allows for containers to mount read-only volumes. This is useful to run a number of different containers as service containers that specify using :ro in their documentation.

The reason this is often used is primarily a security and system integrity concern. Allowing containers to write where they don't need to can be considered bad practice in certain environments.

How Has This Been Tested?

  • I created a grafana container as an example, with the volume listed above.
  • Started a shell inside the container and navigated to the read-only mounted folder
  • Attempted to write to the file, unsuccessful. Produces the Read-only file system error
root@faasd1:/var/lib/faasd# ctr -n openfaas tasks exec -t --exec-id bash grafana /bin/bash
grafana:/usr/share/grafana$ cd /var/lib/readonlyfile/                                                                             
grafana:/var/lib/readonlyfile$ ls
a-great-file
grafana:/var/lib/readonlyfile$ cat a-great-file 
this is a great file
grafana:/var/lib/readonlyfile$ touch a-greater-file
touch: a-greater-file: Read-only file system
grafana:/var/lib/readonlyfile$ 

Further, all volumes that are mounted without this option still successfully are able to mount and use their volumes without needing to specify the read_only flag, meaning its addition is optional.

All make operations ran successfully.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

Commits:

  • I've read the CONTRIBUTION guide
  • My commit message has a body and describes how this was tested and why it is required.
  • I have signed-off my commits with git commit -s for the Developer Certificate of Origin (DCO)

Code:

  • My code follows the code style of this project.
  • I have added tests to cover my changes.

Docs:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
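
Added example, not part of this pull request or the faasd code base: a Go check that confirms from mount data, rather than by attempting a write, that a target such as /var/lib/readonlyfile carries the ro option. The /proc/mounts-style sample lines are constructed, and the names sampleMounts, unescape and mountIsReadOnly are hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample in /proc/mounts format: device, mount point, fstype, options, dump, pass.
const sampleMounts = `overlay / overlay rw,relatime 0 0
/dev/sda1 /var/lib/readonlyfile ext4 ro,relatime 0 0
/dev/sda1 /var/lib/grafana ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda1 /opt/my\040data ext4 ro,nosuid 0 0
`

// The kernel octal-escapes space, tab, newline and backslash in mount points.
var unescape = strings.NewReplacer(`\040`, " ", `\011`, "\t", `\012`, "\n", `\134`, `\`)

// mountIsReadOnly reports whether the mount at target carries the "ro" option.
// When several lines name the same target, the last one wins because it shadows the rest.
func mountIsReadOnly(mounts, target string) (bool, error) {
	found, ro := false, false
	sc := bufio.NewScanner(strings.NewReader(mounts))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 4 || unescape.Replace(f[1]) != target {
			continue
		}
		found = true
		// Match the exact option, so "errors=remount-ro" is not mistaken for "ro".
		ro = strings.Contains(","+f[3]+",", ",ro,")
	}
	if !found {
		return false, fmt.Errorf("no mount at %q", target)
	}
	return ro, nil
}

func main() {
	for _, t := range []string{"/var/lib/readonlyfile", "/var/lib/grafana", "/opt/my data"} {
		ro, err := mountIsReadOnly(sampleMounts, t)
		fmt.Printf("%-24s read-only=%v err=%v\n", t, ro, err)
	}
}
```

Inside a running container the same function can be fed the contents of /proc/mounts instead of the sample string.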

pkg/supervisor_test.go (Outdated)
Dest string
Src string
Dest string
readOnly bool
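
Review bot: the last field, readOnly bool, is unexported while its siblings Src and Dest are exported, so code outside the package cannot set or read it and reflection-based encoders will skip it. Rename it to ReadOnly, and since this is pkg/supervisor_test.go, have the test cases cover both a mount with the flag set and one that leaves it at the default false.
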
Contributor Author


Should this be ReadOnly?

Member


Yes, looks like it

@alexellis
Member

I applied the change to make readOnly ReadOnly, and pushed to your branch. GitHub closed the PR, I'm not sure why.

Anyway, your changes are now in: #342
