With all the furor around containers and orchestrators, it is easy to lose sight of some of their genuinely useful features. The portability and extensibility of containers are modern conveniences to be cherished, but from my professional perspective it is all too easy to get carried away with them and pay less attention to security.
There’s a lesser-known feature in the venerable Docker that I like using from a security perspective, which I’ll take a quick look at now.
Ye olde feature I have in mind has been around for a whopping 20 months at the time of writing. Believe me when I say that’s a millennium when it comes to containers, which have evolved their feature-sets at hyperspeed. Since Docker version 1.10, it has been possible to run a container with temporary storage, or, to be more precise, a temporary filesystem (tmpfs) mount: an in-memory filesystem that is writable from inside the container, never touches the host’s disk, and is discarded when the container stops. The release notes for Docker v1.10 announce the feature as follows:
“Temporary filesystems: It’s now really easy to create temporary filesystems by passing the --tmpfs flag to docker run. This is particularly useful for running a container with a read-only root filesystem when the piece of software inside the container expects to be able to write to certain locations on disk.”
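The combination the release notes describe, a read-only root filesystem plus a tmpfs for the one place the software insists on writing, looks like this in practice. This is an added example written for this post, not code from the release notes or the Docker project; it assumes an image with a POSIX shell (alpine:3.18 here) and the mount options chosen (noexec, nosuid and a 64 MB cap) are my own hardening choices, not defaults.

```shell
#!/usr/bin/env sh
# Added example: run a container with a read-only root filesystem and an
# in-memory tmpfs at /tmp, then show that writes land only on the tmpfs.
# Assumption: IMAGE has /bin/sh; alpine:3.18 is used here as a stand-in.
IMAGE="${IMAGE:-alpine:3.18}"

# The run-time flags, kept in a function so they can be inspected (and
# tested) without a Docker daemon.
#   --read-only      : the container's root filesystem is mounted read-only
#   --tmpfs /tmp:... : writable, memory-backed scratch space that is discarded
#                      with the container; noexec/nosuid stop it being used to
#                      stage and run binaries, size= caps how much host RAM a
#                      runaway writer can consume (hardening choices, not defaults)
hardened_run_flags() {
    printf '%s ' --rm --read-only --tmpfs /tmp:rw,noexec,nosuid,size=64m
}

# Only attempt the demonstration when a usable Docker daemon is present.
if command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1; then
    # shellcheck disable=SC2046  (word-splitting of the flag list is intended)
    docker run $(hardened_run_flags) "$IMAGE" sh -c '
        echo "write to tmpfs:";   echo hello > /tmp/scratch && echo "ok"
        echo "write to rootfs:";  echo hello > /etc/scratch 2>/dev/null \
                                  || echo "blocked (read-only root filesystem)"
        echo "tmpfs mount as seen inside the container:"
        grep " /tmp " /proc/mounts
    '
else
    echo "docker not available; the flags that would be used are:"
    hardened_run_flags; echo
fi
```

Expect the first write to succeed and the second to be refused with a read-only filesystem error; the `/proc/mounts` line shows `/tmp` as type `tmpfs` carrying the `noexec,nosuid` options and the size cap, and because the container runs with `--rm`, nothing written to `/tmp` outlives it.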
In Figure 1, we can see the key difference between temporary and standard volumes: a tmpfs mount lives in memory and disappears with the container, whereas a standard volume is backed by the host’s disk and persists after the container is gone. If you’re interested in the discussions around the naming of the temporary filesystem feature, there’s some chatter available on one of Moby’s GitHub repositories.