Making Docker images read-only in production
Using the new --tmpfs option, you can run a container as read-only but still have writable directories for things like /etc, /tmp or /run; changes to those directories are discarded when the container is stopped.
Source: www.projectatomic.io
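
One way to check that running containers actually follow this pattern, as an added example that is not part of the original article: the script reads `docker inspect` JSON and reports, per container, whether the root filesystem is read-only and which directories are tmpfs mounts. The sample JSON is constructed, and the function name `audit` and the status labels are assumptions made for illustration; `HostConfig.ReadonlyRootfs` and `HostConfig.Tmpfs` are the fields `docker inspect` reports for `--read-only` and `--tmpfs`.

```python
import json

# Constructed sample of `docker inspect` output, trimmed to the fields used.
# "web" models: docker run --read-only --tmpfs /run --tmpfs /tmp IMAGE
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "HostConfig": {"ReadonlyRootfs": True,
                    "Tmpfs": {"/run": "", "/tmp": "rw,noexec,nosuid,size=64m"}}},
    {"Name": "/legacy",
     "HostConfig": {"ReadonlyRootfs": False, "Tmpfs": None}},
    {"Name": "/worker",
     "HostConfig": {"ReadonlyRootfs": True, "Tmpfs": {}}},
])

# Directories the text names as typical tmpfs candidates.
EXPECTED_SCRATCH = ("/etc", "/tmp", "/run")


def audit(inspect_json, expected=EXPECTED_SCRATCH):
    """Return one finding dict per container in `docker inspect` JSON."""
    findings = []
    for c in json.loads(inspect_json):
        host = c.get("HostConfig") or {}
        tmpfs = host.get("Tmpfs") or {}      # Docker emits null when unset
        paths = sorted(p.rstrip("/") or "/" for p in tmpfs)
        read_only = bool(host.get("ReadonlyRootfs"))
        if not read_only:
            status = "WRITABLE_ROOTFS"       # writes land in the container layer
        elif not paths:
            status = "READONLY_NO_TMPFS"     # no tmpfs scratch space (volumes aside)
        else:
            status = "READONLY_WITH_TMPFS"   # writable scratch, discarded on stop
        findings.append({
            "name": c.get("Name", "").lstrip("/"),
            "status": status,
            "tmpfs": paths,
            # Named directories that are not tmpfs-backed (informational only).
            "not_tmpfs": [d for d in expected if d not in paths] if read_only else [],
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INSPECT):
        print(f"{f['name']:8} {f['status']:20} tmpfs={f['tmpfs']} not_tmpfs={f['not_tmpfs']}")
```

Against a live host, the same function can be fed the output of `docker inspect $(docker ps -q)` in place of the constructed sample.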