Can a Container Layer Be Written to?

Are container layers immutable or can one be written to?

Maybe they can be written to. It depends how you define a layer.

Here are quotes and sources that say you cannot write to a layer:

The layers of a container image are all immutable. Immutable means that once generated, the layer cannot ever be changed.

One of the principles of Docker containers is that an image is immutable -- once built, it’s unchangeable, and if you want to make changes, you’ll get a new image as a result.

Immutable containers are containers that have no state. … Immutability improves security by decreasing the damage that can be done by a local compromise. Immutable images themselves have no secrets and save no state that could get corrupted. Immutable containers are trivial to verify because they never change.

Here are quotes and sources that say you can write to a layer:

When you start a container, Docker takes all the layers on your image, and adds a new one on top of it – That’s the read-write layer, and the one containing all the changes you do to your filesystem: File changes, file additions, file deletions.

Docker uses storage drivers to store image layers, and to store data in the writable layer of a container. The container’s writable layer does not persist after the container is deleted, but is suitable for storing ephemeral data that is generated at runtime.

As we have discussed, a container image is made of a stack of immutable or read-only layers. When the Docker engine creates a container from such an image, it adds a writable container layer on top of this stack of immutable layers.

This posting refers to writable layers of Docker.

