docker run -v /:/host:ro (docker run --mount type=bind,src=/,dst=/host,ro) is not really read-only, because there is no way in the kernel to bind-mount a filesystem tree recursively as read-only.
So I suggest emulating "recursive read-only bind-mount" using FUSE.
CLI would be like docker run --mount type=bind,src=/,dst=/host,ro,bind-driver=fuse.
If we don't want to use FUSE, an alternative way is to bind the tree as rprivate and then bind each of the submounts explicitly.
However, rprivate does not work for /, /var/lib, and /var/lib/docker/*: 589a0af
Also, it doesn't work for those who want to use the shared propagation.
@justincormack @cpuguy83 @dmcgowan
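As an added illustration of the problem described above (not code from the issue or from Moby), the following checks, from inside a container, which submounts under a "read-only" bind mount such as `/host` still carry a writable per-mount flag. It parses `/proc/self/mountinfo` (format documented in proc(5)); the sample lines, the function names and the mount points are constructed for this example.

```python
"""Find submounts under a bind-mounted tree that are still writable.

With `docker run -v /:/host:ro` only the top-level bind mount at /host gets
the per-mount `ro` flag; every submount beneath it (proc, sysfs, other
partitions) keeps its own per-mount options, which are usually `rw`.
"""
from typing import List, Set, Tuple

# Constructed /proc/self/mountinfo excerpt as seen inside such a container.
SAMPLE_MOUNTINFO = """\
200 199 0:50 / / rw,relatime - overlay overlay rw
201 200 8:1 / /host ro,relatime - ext4 /dev/sda1 rw
202 201 0:5 / /host/proc rw,nosuid,nodev,noexec,relatime - proc proc rw
203 201 0:6 / /host/sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
204 201 8:2 / /host/home rw,relatime - ext4 /dev/sda2 rw
205 201 8:3 / /host/boot ro,relatime - ext4 /dev/sda3 rw
206 200 8:4 / /hostdata rw,relatime - ext4 /dev/sda4 rw
"""


def parse_mountinfo(text: str) -> List[Tuple[str, Set[str]]]:
    """Return (mount_point, per-mount options) for each mountinfo line."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        # id parent maj:min root mount_point opts [optional...] - fstype src superopts
        # The per-mount ro/rw flag lives in field 6, not in the superblock options.
        mount_point = fields[4].replace("\\040", " ")  # spaces are escaped as \040
        entries.append((mount_point, set(fields[5].split(","))))
    return entries


def writable_submounts(text: str, root: str) -> List[str]:
    """Mount points strictly below `root` whose per-mount options lack `ro`."""
    root = root.rstrip("/") or "/"
    prefix = root if root == "/" else root + "/"  # avoid matching /hostdata for /host
    return sorted(
        mp for mp, opts in parse_mountinfo(text)
        if mp != root and mp.startswith(prefix) and "ro" not in opts
    )


def writable_submounts_live(root: str = "/host") -> List[str]:
    """Same check against the running container's own mount table."""
    with open("/proc/self/mountinfo", encoding="utf-8") as f:
        return writable_submounts(f.read(), root)
```

On the constructed sample the check reports `/host/home`, `/host/proc` and `/host/sys` as writable even though `/host` itself is `ro`, which is exactly the gap the FUSE or per-submount approaches above are meant to close.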