What is a safe way to add an immutable flag to a created docker container?

I have a docker image that can run in two modes, DEV and PROD. DEV is insecure (e.g. it does not validate credentials, CORS is allowed, etc.) while PROD is secure.

Is there a safe method (e.g. by leveraging environment variables, docker config, docker secrets…) to set the flag in the created container to PROD and be reasonably sure it cannot later be set to DEV by an adversary, resulting in a security breach?

(docker is running within a docker swarm)

bumping hoping to get noticed

Immutable like mounting the container’s root filesystem as read-only?
`docker service create --read-only …`

I am not sure if the declaration is available in docker-compose.yml v3 as well. You might want to give it a try, though:


Does docker config provide a similar adequate protection?

Obviously having a single file mounted read-only is not the same as having the whole rootfs mounted read-only. Though, you will want to combine both (and secrets for sensitive data as well) to still have the possibility to have individual configurations, don’t you?

It is a bad habit to create a new image per stage. You want to have a fixed image that you transport through your stages. Of course the image should have a useful default configuration in place, so that mounting configs or secrets is not required, but it should allow optionally replacing the default configuration with an environment-specific one.
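Pulling the suggestions in this thread together, here is an added example (not posted by anyone in the thread) of a compose v3 stack file that mounts the rootfs read-only, supplies the environment-specific settings via a docker config and the sensitive value via a docker secret, with one fixed image for every stage. The image name, the `MODE` variable, the config/secret names and all file paths are assumptions.

```yaml
# Added example, not from the thread. Image name, config/secret names,
# paths and the MODE variable are hypothetical placeholders.
version: "3.8"

services:
  app:
    image: registry.example.com/myapp:1.4.2   # same image in every stage
    read_only: true                            # root filesystem mounted read-only
    environment:
      - MODE=PROD                              # image default should already be PROD
    configs:
      - source: app_prod_config
        target: /etc/myapp/config.yml          # configs are mounted read-only
        mode: 0444
    secrets:
      - source: app_api_key
        target: api_key                        # appears as /run/secrets/api_key (tmpfs)
        mode: 0400
    volumes:
      # the only writable location the process needs, kept off the rootfs
      - type: tmpfs
        target: /tmp
    deploy:
      replicas: 2

configs:
  app_prod_config:
    file: ./config/prod.yml                    # read on the node running `docker stack deploy`

secrets:
  app_api_key:
    file: ./secrets/api_key                    # or `external: true` for a pre-created secret
```

Deploy with `docker stack deploy -c docker-compose.yml myapp`; afterwards `docker service inspect myapp_app --format '{{.Spec.TaskTemplate.ContainerSpec.ReadOnly}}'` should print `true`, which is the check to add to your deployment pipeline.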