docker / docker-py

A Python library for the Docker Engine API
https://docker-py.readthedocs.io/
Apache License 2.0

Best Practice: Read Only Mounts in Swarm #2813

Open shinybrar opened 3 years ago

shinybrar commented 3 years ago

Current Setup

Right now, my current setup looks something like this,

from docker.types import (
    ContainerSpec, DriverConfig, EndpointSpec, Mount, RestartPolicy, TaskTemplate,
)

# NFS volume options; "ro" at the end of "o" makes the NFS mount read-only
driver = DriverConfig(
    name=None,
    options={
        "o": "nfsvers=4.0,noatime,nodiratime,soft,addr=x.x.x.x,ro",  # read-only
        "device": ":/path/to/data",
        "type": "nfs",
    },
)
# Anonymous volume (source=None) mounted at /data
mount = Mount(
    type="volume",
    source=None,
    target="/data",
    driver_config=driver,
)
container = ContainerSpec(
    image=image_name,
    command=command,
    args=arguments,
    env=environment,
    mounts=[mount],
    # ...
)
task = TaskTemplate(
    container_spec=container,
    restart_policy=RestartPolicy("none"),
    placement=placement,
    resources=resources,
    # ...
)
service = client.create_service(
    task,
    name=name,
    networks=["swarm-attachable-network"],
    endpoint_spec=EndpointSpec(mode="vip"),
)

Question

Alternatively, there is also an option to specify a mount to be read-only via,

mount = Mount(
    type="volume",
    source=None,
    target="/data",
    driver_config=driver,
    read_only=True,  # read-only
    # ...
)

This fails however with the following error,

"invalid mount config for type "volume": must not set readonly mode when using anonymous volumes"

In this scenario what is the best practice to deploy NFS mounts?
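
The error quoted above concerns anonymous volumes, that is, a volume mount with no source. As an added example (not part of the original posts and not docker-py code), this check classifies mount specs in Engine API dict form before `create_service` is called and builds the named-volume variant; the driver name `local` and the volume name `nfs-data-ro` are assumptions.

```python
# Added example: lint Swarm mount specs before calling create_service.
# Mounts are plain dicts in the Engine API shape (docker.types.Mount is a dict
# subclass with these keys). Driver name, volume name and samples are constructed.
import copy

def nfs_options(mount):
    """Return the comma-separated "o" driver options of a volume mount as a set."""
    driver = (mount.get("VolumeOptions") or {}).get("DriverConfig") or {}
    raw = (driver.get("Options") or {}).get("o") or ""
    return {o.strip() for o in raw.split(",") if o.strip()}

def check_mount(mount):
    """Classify how (and whether) a volume mount is protected against writes."""
    if mount.get("Type") != "volume":
        return "not-a-volume"
    anonymous = not mount.get("Source")
    read_only = bool(mount.get("ReadOnly"))
    if anonymous and read_only:
        # The combination rejected with the error quoted in the issue.
        return "rejected-anonymous-readonly"
    if read_only:
        return "read-only-mount"          # stated in the mount spec itself
    if "ro" in nfs_options(mount):
        return "read-only-driver-option"  # relies only on the NFS "ro" option
    return "writable"

def with_named_volume(mount, name):
    """Copy a mount spec, give the volume a name and mark it read-only."""
    fixed = copy.deepcopy(mount)
    fixed["Source"] = name
    fixed["ReadOnly"] = True
    return fixed

# Constructed samples mirroring the setup in the issue.
DRIVER = {"Name": "local", "Options": {
    "type": "nfs", "device": ":/path/to/data",
    "o": "nfsvers=4.0,noatime,nodiratime,soft,addr=x.x.x.x,ro"}}
CURRENT = {"Type": "volume", "Source": None, "Target": "/data",
           "ReadOnly": False, "VolumeOptions": {"DriverConfig": DRIVER}}
FAILING = dict(CURRENT, ReadOnly=True)

if __name__ == "__main__":
    samples = [("current", CURRENT), ("failing", FAILING),
               ("named", with_named_volume(CURRENT, "nfs-data-ro"))]
    for label, spec in samples:
        print(label, "->", check_mount(spec))
```

With a named volume, a node that already has a volume of that name reuses it as it is, so the driver options in the spec only apply where the volume is first created.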

tknerr commented 5 months ago

See also related issue https://github.com/moby/moby/issues/45297