Is it possible to change the read-only/read-write status of a docker mount at runtime?

Question

I have a dockerized application that uses the filesystem to store lots of state. The application code is contained in the docker image

I am considering a update strategy which involves sharing the volume between two containers, but making sure that at most one container at a time can write to that filesystem.

The workflow would be:

• start container A with /data mounted rw
• start container B with /data mounted ro, and a newer version of the application
• stop serving requests to container A
• for container A, make the /data mount read-only
• for container B, make the /data mount read-write
• start serving requests to container B

Answer 1

You can re-mount your volume from inside the container, in the rw mode, like that:

mount -o remount,rw /mnt/data

The catch is that mount syscall is not allowed inside the Docker containers by default so that you would have to run it in a privileged mode:

docker run --privileged ...

or enable the SYS_ADMIN capability

SYS_ADMIN Perform a range of system administration operations.

docker run --cap-add=SYS_ADMIN --security-opt apparmor:unconfined

(note that I have had to also add --security-opt apparmor:unconfined, to make this work on Ubuntu).

Also, remounting the rw volume back to ro might be tricky, as some process(es) might have already opened some files inside it for writing , in which case the remount will fail with is busy error message.

But my guess is that you can just restart the container instead (as it would be the one running an old version of the app).