Find out which files a container normally modifies at runtime by running docker diff against a live container:
test@localhost: sudo docker container run --name wp -d wordpress:php8.0-apache
ca879747fbe643b3ebf138a93ddaf5a2e8938598434f093227b69cc18a632db8
test@localhost: sudo docker diff wp
C /run
C /run/apache2 #<--- Changed: this directory already existed in the image, a new entry appeared inside it
A /run/apache2/apache2.pid #<--- Added: new file created at runtime
Now I can create a read-only container, granting write access only to the specific directories found above. A read-only root filesystem is safer: a process in the container (or an attacker who compromises it) cannot modify the image's files, so a compromise is harder to persist and easier to detect.
test@localhost: sudo docker container run -d --name wp --read-only --volume /run/apache2 --tmpfs /tmp wordpress:php8.0-apache
The volumes are part of the Mounts configuration of the container (sd in the commands below is assumed to be a shell alias for sudo docker):
test@localhost: sd inspect wp | jq '.[].Mounts[]|{Destination,Source,Driver}'
{
"Destination": "/run/apache2",
"Source": "/var/lib/docker/volumes/96d17544b776275f28cc2e83c59f13c174f82b4c6339957816c4949158ab9a00/_data",
"Driver": "local"
}
{
"Destination": "/var/www/html",
"Source": "/var/lib/docker/volumes/95c1df6097627ef6fa2e5c5bab769d14963ab50ac05969a9a754062d1e106e76/_data",
"Driver": "local"
}
tmpfs mounts are only available on Linux. A tmpfs mount is an in-memory filesystem that exists only while the container is running and is discarded when it stops, so nothing written there persists or lands on the host disk.
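As an added example (not part of the original notes), the two steps above can be chained: parse the docker diff listing into the directories that must stay writable, then turn them into --tmpfs/--volume flags for a --read-only run. The sample diff lines are constructed to look like the output above; the tmpfs-versus-volume split is this example's own choice.

```sh
#!/bin/sh
# Turn `docker diff` output into the directories that need write access.
# Input lines are "A path" (added), "C path" (changed) or "D path" (deleted).
diff_to_mounts() {
    awk '
    NF == 2 && $1 ~ /^[ACD]$/ { kind[NR] = $1; path[NR] = $2 }
    END {
        for (i in path) {
            # A "C" entry that is an ancestor of another entry is a directory
            # listed only because something inside it changed: skip it.
            skip = 0
            if (kind[i] == "C")
                for (j in path)
                    if (i != j && index(path[j], path[i] "/") == 1) { skip = 1; break }
            if (skip) continue
            # Anything else is a file (or a new/deleted dir): its parent must be writable.
            n = split(path[i], parts, "/"); parent = ""
            for (k = 2; k < n; k++) parent = parent "/" parts[k]
            if (parent == "") parent = "/"
            need[parent] = 1
        }
        # Drop directories already covered by an ancestor in the set.
        for (p in need) {
            covered = 0
            for (q in need)
                if (p != q && (q == "/" || index(p, q "/") == 1)) { covered = 1; break }
            if (!covered) print p
        }
    }' | LC_ALL=C sort
}

# Scratch locations get an in-memory tmpfs (gone when the container stops),
# everything else a volume. One "flag path" pair per output line.
mount_flags() {
    diff_to_mounts | while IFS= read -r dir; do
        case "$dir" in
            /tmp|/tmp/*|/run|/run/*) printf -- '--tmpfs %s\n' "$dir" ;;
            *)                       printf -- '--volume %s\n' "$dir" ;;
        esac
    done
}

# Constructed sample, shaped like the `docker diff wp` output above.
SAMPLE_DIFF='C /run
C /run/apache2
A /run/apache2/apache2.pid
C /tmp
A /tmp/sess_0123456789
C /var/www
C /var/www/html
A /var/www/html/wp-config.php'
# printf '%s\n' "$SAMPLE_DIFF" | mount_flags
# -> --tmpfs /run/apache2 / --tmpfs /tmp / --volume /var/www/html (one per line)
```

The printed flags can be spliced into the run command, e.g. `docker container run --read-only $(printf '%s\n' "$SAMPLE_DIFF" | mount_flags) wordpress:php8.0-apache`, after reviewing them by hand.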
We can now launch a mysql container first, passing an environment variable to set the root password, and then start the WordPress container linked to it (note that --link is a legacy feature; user-defined networks are the current way to connect containers):
test@localhost: sudo docker run -d --name wpdb -e MYSQL_ROOT_PASSWORD=ch2demo mysql
test@localhost: sudo docker container run -d --name wp --link wpdb:mysql -p 8080:80 --read-only --volume /run/apache2 --tmpfs /tmp wordpress:php8.0-apache
List all the environment variables in a container with an exec command. Note that secrets passed with -e, such as the root password below, are readable this way (and via docker inspect) by anyone who can reach the Docker daemon:
test@localhost: sd container exec wpdb env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=eb2bd55ca0ee
MYSQL_ROOT_PASSWORD=ch2demo
GOSU_VERSION=1.12
MYSQL_MAJOR=8.0
MYSQL_VERSION=8.0.27-1debian10
HOME=/root