Named Volumes vs Bind Mounts

Two Kinds of Mounts

Named volumeBind mount
Syntax-v notes-data:/data-v /home/me/html:/usr/share/nginx/html
Managed byDocker (docker volume …)you - it's just a host directory
Best fordatabases, app state, anything productionlive-editing code in dev, injecting config
Portableyes (no host paths in the command)no (depends on host layout)
# dev: edit HTML on the host, nginx serves it live, read-only
$ docker run -d -p 8080:80 \
    -v ./html:/usr/share/nginx/html:ro \
    nginx:alpine
Tip: Append :ro to any mount the container only needs to read. A compromised web server that can't rewrite its own docroot is a much smaller incident.

There's a third kind - tmpfs - RAM-backed, never touches disk, gone at stop. Good for scratch space and secrets that must not persist:

$ docker run --tmpfs /tmp:rw,noexec,nosuid,size=64m myapp
Goal: The Data That Survives lab walks the full incident: data in the writable layer → named volume → prove it survives docker rm -f.