Non-editable containers?

Hello, I have a question.
I want to make a container and it must run one or more programs.
The question now is: can I access the container in some way and stop programs (that were started by the CMD command in the image) and start doing other stuff (ex: get files from the container or put other programs in and run them)? (pausing or stopping the container doesn’t matter)
Is there a way to make the container “static”, not editable?

Does this: https://blog.tutum.co/2015/02/03/hardening-containers-disable-suid-programs/
help me?

Thanks!

You could start multiple programs with a program like supervisord. CMD should in that case just start your supervisord.

You can copy files from/to your container with docker cp.

“static”: you can set the container to read-only.

But remember it is best practice to start just a single process within a container.

Yes, I want the container to be read-only. How can I do that???
(you saved my life)

docker run --read-only -ti ubuntu bash

Try a touch foo inside it, and it will fail because of the read-only file system.

No, I don’t want a read-only filesystem… I don’t want the docker to be able to run other commands except the ones written in the image with CMD…

Why do you deploy more applications in your image than you are going to allow to start?
Make a read-only filesystem with your single app, nothing more. Then people could start it and nothing else.

Read-only file systems are a good pattern. Your container basically should not store anything on the filesystem.
If your container needs temporary files, add a --tmpfs /tmp/foo.
If your container wants to store something permanent, add a --volume /tmp/bar.
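The read-only pattern from the replies above (read-only root filesystem, a tmpfs for scratch files, a named volume for persistent state, one process per container), written as a docker-compose service. This is an added example, not code from the thread; the service name, image name, and the /tmp and /data paths are assumptions.

```yaml
# docker-compose.yml (added example). Assumptions: the image "example/app:1.0"
# contains only the single application started by its CMD, writes scratch
# files only under /tmp, and keeps state only under /data.
services:
  app:
    image: example/app:1.0        # assumed image; ship nothing in it you do not want started
    read_only: true               # equivalent of: docker run --read-only
    tmpfs:
      - /tmp                      # equivalent of: docker run --tmpfs /tmp (lost when the container stops)
    volumes:
      - appdata:/data             # equivalent of: docker run --volume ... (persists across restarts)
    # Everything outside /tmp and /data is read-only, so a "touch /foo"
    # inside the running container fails with a read-only file system error.

volumes:
  appdata:                        # named volume managed by Docker, created on first "up"
```

Check it after `docker compose up -d` with `docker compose exec app touch /foo`, which should fail, and `docker compose exec app touch /tmp/foo`, which should succeed.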