Best practice - Anonymous volume vs bind mount

In a container, an anonymous volume can be created with the syntax VOLUME /build in the Dockerfile, or with the syntax below, where the volumes list has a /build entry:

cache:
  build: ../../
  dockerfile: docker/dev/Dockerfile
  volumes:
    - /tmp/cache:/cache
    - /build
  entrypoint: "true"

My understanding is that both approaches (above) make the volume /build available even after the container goes into the Exited state.

The volume is anonymous because /build points to some random new location (in the /var/lib/docker/volumes directory) on the Docker host.

I see that anonymous volumes are safer than named volumes (like /tmp/cache:/cache), because the /tmp/cache location is vulnerable: there is a greater chance that this location is used by more than one Docker container.


1) Why is anonymous volume usage discouraged?

2) Is

VOLUME /build in the Dockerfile

not the same as

volumes:
  - /build

in the docker-compose.yml file? Is there a scenario where we need to mention both?

overexchange Avatar asked Oct 19 '19 11:10



2 Answers

You're missing a key third option, named volumes. If you declare:

version: '3'
volumes:
  build: {}
services:
  cache:
    image: ...
    volumes:
      - build:/build

Docker Compose will create a named volume for you; you can see it with docker volume ls, for example. You can explicitly manage named volumes' lifetime, and set several additional options on them which are occasionally useful. The Docker documentation has a page describing named volumes in some detail.

I'd suggest that named volumes are strictly superior to anonymous volumes, for being able to explicitly see when they are created and destroyed, and for being able to set additional options on them. You can also mount the same named volume into several containers. (In this sequence of questions you've been asking, I'd generally encourage you to use a named volume and mount it into several containers and replace volumes_from:.)

Named volumes vs. bind mounts have advantages and disadvantages in both directions. Bind mounts are easy to back up and manage, and for content like log files that you need to examine directly it's much easier; on MacOS systems they are extremely slow. Named volumes can run independently of any host-system directory layout and translate well to clustered environments like Kubernetes, but it's much harder to examine them or back them up.

You almost never need a VOLUME directive. You can mount a volume or host directory into a container regardless of whether it's declared as a volume. Its technical effect is to mount a new anonymous volume at that location if nothing else is mounted there; its practical effect is that it prevents future Dockerfile steps from modifying that directory. If you have a VOLUME line you can almost always delete it without affecting anything.

David Maze Avatar answered Nov 08 '22 20:11

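The answer above separates three forms a compose volumes entry can take: a bind mount (host path:container path), a named volume (name:container path) and an anonymous volume (container path only). The following script, added here as an illustration and not taken from the question, the answers or the Docker project, classifies short-syntax entries by that rule and flags the case the question worries about: a bind mount from a host directory such as /tmp that many processes share. It assumes the short syntax [SOURCE:]TARGET[:MODE] with Linux-style paths, and the sample entries are constructed from the question's compose file.

```python
"""Classify Docker Compose short-syntax volume entries and flag risky bind mounts.

Added example for this page; it is not code from the question, the answers or
the Docker project. It assumes the short volume syntax [SOURCE:]TARGET[:MODE]
with Linux-style paths; SAMPLE_ENTRIES is constructed from the question.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the entries from the question's compose file plus a
# named volume (as in the first answer) and a read-only bind mount for contrast.
SAMPLE_ENTRIES = [
    "/tmp/cache:/cache",   # bind mount of a shared host directory
    "/build",              # anonymous volume
    "build:/build",        # named volume
    "./src:/app:ro",       # read-only bind mount of a project directory
]

# Host directories that many processes and containers commonly share; a bind
# mount from one of these is the case the question calls "vulnerable".
SHARED_HOST_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


@dataclass
class VolumeSpec:
    kind: str               # "bind", "named" or "anonymous"
    source: Optional[str]   # host path or volume name; None for anonymous
    target: str             # mount point inside the container
    read_only: bool


def _is_host_path(source: str) -> bool:
    """Compose treats a source starting with /, ./, ../ or ~ as a host path;
    any other source is the name of a (named) volume."""
    return source.startswith(("/", "./", "../", "~"))


def classify_volume(entry: str) -> VolumeSpec:
    """Parse one short-syntax entry such as '/tmp/cache:/cache' or '/build'."""
    parts = entry.split(":")
    if len(parts) == 1:
        # TARGET only: Docker creates an anonymous volume at that path.
        return VolumeSpec("anonymous", None, parts[0], False)
    if len(parts) == 2:
        source, target = parts
        mode = ""
    elif len(parts) == 3:
        source, target, mode = parts
    else:
        raise ValueError(f"unrecognised volume entry: {entry!r}")
    read_only = "ro" in mode.split(",")   # mode may be e.g. 'ro' or 'ro,z'
    kind = "bind" if _is_host_path(source) else "named"
    return VolumeSpec(kind, source, target, read_only)


def audit_volumes(entries: List[str]) -> List[str]:
    """Return one finding per bind mount that shares a host directory with
    other processes, or that grants the container write access to the host."""
    findings = []
    for entry in entries:
        spec = classify_volume(entry)
        if spec.kind != "bind":
            continue   # named and anonymous volumes live under Docker's control
        shared = any(spec.source == d or spec.source.startswith(d + "/")
                     for d in SHARED_HOST_DIRS)
        if shared:
            findings.append(f"{entry}: bind mount from shared host directory {spec.source}")
        elif not spec.read_only:
            findings.append(f"{entry}: writable bind mount of host path {spec.source}")
    return findings


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(f"{entry:20} -> {classify_volume(entry)}")
    for finding in audit_volumes(SAMPLE_ENTRIES):
        print("finding:", finding)
```

Run against the constructed entries, only /tmp/cache:/cache produces a finding: /build and build:/build are Docker-managed volumes, and ./src:/app:ro is read-only, so the container cannot write to the host through it.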


Actually, the use of anonymous volumes (/build) is encouraged over the use of bind mounts (/tmp/cache:/cache):

Volumes have several advantages over bind mounts:

  • Volumes are easier to back up or migrate than bind mounts.
  • You can manage volumes using Docker CLI commands or the Docker API.
  • Volumes work on both Linux and Windows containers.
  • Volumes can be more safely shared among multiple containers.
  • Volume drivers let you store volumes on remote hosts or cloud providers, to encrypt the contents of volumes, or to add other functionality.
  • New volumes can have their content pre-populated by a container.

Regarding your second question, yes. You can create anonymous volumes in the docker-compose file or in the Dockerfile. There is no need to specify them in both places.

rok Avatar answered Nov 08 '22 21:11
