Readonly and rootless are my two requirements for Docker containers. Most images can't run readonly because they try to create a user in some startup script. Since I want my UIDs unique to isolate mounted directories, this is meaningless. I end up having to wrap or copy Dockerfiles to make them behave reasonably.

Having such a nice layered buildsystem with mountpoints, I'm amazed Docker made readonly an afterthought.

▲

subscribed 4 days ago | parent [-]

I like steering docker runs with docker-compose, especially with .env files - easy to store in repositories, easy to customise and have sane defaults.

	▲	flowerthoughts 4 days ago \| parent [-]
		Yeah agreed. I use docker-compose. But it doesn't help if the Docker images try to update /etc/passwd, or force a hardcoded UID, or run some install.sh at runtime instead of buildtime.