Question
Are container layers immutable or can one be written to?
Answers
Maybe they can be written to. It depends how you define a layer.
Here are quotes and sources that say you cannot write to a layer:
The layers of a container image are all immutable. Immutable means that once generated, the layer cannot ever be changed.
https://medium.com/@goyalsaurabh66/docker-images-838383b367
One of the principles of Docker containers is that an image is immutable -- once built, it’s unchangeable, and if you want to make changes, you’ll get a new image as a result.
https://www.cloudbees.com/blog/container-image-immutability-power-metadata
Immutable containers are containers that have no state. … Immutability improves security by decreasing the damage that can be done by a local compromise. Immutable images themselves have no secrets and save no state that could get corrupted. Immutable containers are trivial to verify because they never change.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/container_security_guide/keeping_containers_fresh_and_updateable
Here are quotes and sources that say you can write to a layer:
When you start a container, Docker takes all the layers on your image, and adds a new one on top of it – That’s the read-write layer, and the one containing all the changes you do to your filesystem: File changes, file additions, file deletions.
https://blogs.cisco.com/developer/container-image-layers-1
Docker uses storage drivers to store image layers, and to store data in the writable layer of a container. The container’s writable layer does not persist after the container is deleted, but is suitable for storing ephemeral data that is generated at runtime.
https://docs.docker.com/storage/storagedriver/
As we have discussed, a container image is made of a stack of immutable or read-only layers. When the Docker engine creates a container from such an image, it adds a writable container layer on top of this stack of immutable layers.
https://www.oreilly.com/library/view/learn-docker/9781788997027/9459555d-45ab-4046-a403-c12407665717.xhtml
This Stackoverflow.com posting refers to writable layers of Docker.