read_only parameterread_only_rootfs

4 files changed, 40 insertions, 3 deletions

diff --git a/docker/client.py b/docker/client.py
index 563fe00..9f593d2 100644
--- a/docker/client.py
+++ b/docker/client.py
@@ -936,7 +936,7 @@ class Client(requests.Session):
               publish_all_ports=False, links=None, privileged=False,
               dns=None, dns_search=None, volumes_from=None, network_mode=None,
               restart_policy=None, cap_add=None, cap_drop=None, devices=None,
-              extra_hosts=None):
+              extra_hosts=None, read_only=None):
 
         if utils.compare_version('1.10', self._version) < 0:
             if dns is not None:
@@ -948,13 +948,19 @@ class Client(requests.Session):
                     'volumes_from is only supported for API version >= 1.10'
                 )
 
+        if utils.compare_version('1.17', self._version) < 0 and \
+           read_only is not None:
+            raise errors.InvalidVersion(
+                'read_only is only supported for API version >= 1.17'
+            )
+
         start_config = utils.create_host_config(
             binds=binds, port_bindings=port_bindings, lxc_conf=lxc_conf,
             publish_all_ports=publish_all_ports, links=links, dns=dns,
             privileged=privileged, dns_search=dns_search, cap_add=cap_add,
             cap_drop=cap_drop, volumes_from=volumes_from, devices=devices,
             network_mode=network_mode, restart_policy=restart_policy,
-            extra_hosts=extra_hosts
+            extra_hosts=extra_hosts, read_only=read_only
         )
 
         if isinstance(container, dict):
diff --git a/docker/utils/utils.py b/docker/utils/utils.py
index fdaf667..de2ecf5 100644
--- a/docker/utils/utils.py
+++ b/docker/utils/utils.py
@@ -301,7 +301,7 @@ def create_host_config(
     publish_all_ports=False, links=None, privileged=False,
     dns=None, dns_search=None, volumes_from=None, network_mode=None,
     restart_policy=None, cap_add=None, cap_drop=None, devices=None,
-    extra_hosts=None
+    extra_hosts=None, read_only=None
 ):
     host_config = {}
 
@@ -311,6 +311,9 @@ def create_host_config(
     if publish_all_ports:
         host_config['PublishAllPorts'] = publish_all_ports
 
+    if read_only is not None:
+        host_config['ReadOnlyRootFs'] = read_only
+
     if dns_search:
         host_config['DnsSearch'] = dns_search
 
diff --git a/docs/hostconfig.md b/docs/hostconfig.md
index 2d7f10f..efd5c95 100644
--- a/docs/hostconfig.md
+++ b/docs/hostconfig.md
@@ -82,6 +82,7 @@ for example:
 * cap_add (list of str): Add kernel capabilities
 * cap_drop (list of str): Drop kernel capabilities
 * extra_hosts (dict): custom host-to-IP mappings (host:ip)
+* read_only (bool): mount the container's root filesystem as read only
 
 **Returns** (dict) HostConfig dictionary
 
diff --git a/tests/integration_test.py b/tests/integration_test.py
index 46b630e..edee039 100644
--- a/tests/integration_test.py
+++ b/tests/integration_test.py
@@ -312,6 +312,33 @@ class TestStartContainerWithRoBinds(BaseTestCase):
         self.assertFalse(inspect_data['VolumesRW'][mount_dest])
 
 
+class TestCreateContainerReadOnlyFs(BaseTestCase):
+    def runTest(self):
+        ctnr = self.client.create_container(
+            'busybox', ['mkdir', '/shrine'],
+            host_config=create_host_config(read_only=True)
+        )
+        self.assertIn('Id', ctnr)
+        self.tmp_containers.append(ctnr['Id'])
+        self.client.start(ctnr)
+        res = self.client.wait(ctnr)
+        self.assertNotEqual(res, 0)
+
+
+class TestStartContainerReadOnlyFs(BaseTestCase):
+    def runTest(self):
+        # Presumably a bug in 1.5.0
+        # https://github.com/docker/docker/issues/10695
+        ctnr = self.client.create_container(
+            'busybox', ['mkdir', '/shrine'],
+        )
+        self.assertIn('Id', ctnr)
+        self.tmp_containers.append(ctnr['Id'])
+        self.client.start(ctnr, read_only=True)
+        # res = self.client.wait(ctnr)
+        # self.assertNotEqual(res, 0)
+
+
 class TestCreateContainerWithName(BaseTestCase):
     def runTest(self):
         res = self.client.create_container('busybox', 'true', name='foobar')