Named Volumes vs Bind Mounts
Two Kinds of Mounts
| Named volume | Bind mount | |
|---|---|---|
| Syntax | -v notes-data:/data | -v /home/me/html:/usr/share/nginx/html |
| Managed by | Docker (docker volume …) | you - it's just a host directory |
| Best for | databases, app state, anything production | live-editing code in dev, injecting config |
| Portable | yes (no host paths in the command) | no (depends on host layout) |
# dev: edit HTML on the host, nginx serves it live, read-only
$ docker run -d -p 8080:80 \
-v ./html:/usr/share/nginx/html:ro \
nginx:alpine
Tip: Append :ro to any mount the container only needs to read. A compromised web server that can't rewrite its own docroot is a much smaller incident.
There's a third kind - tmpfs - RAM-backed, never touches disk, gone at stop. Good for scratch space and secrets that must not persist:
$ docker run --tmpfs /tmp:rw,noexec,nosuid,size=64m myapp
Goal: The Data That Survives lab walks the full incident: data in the writable layer → named volume → prove it survives docker rm -f.