5.2.4 Mounting a Host's root File System in Read-Only Mode

You can mount the host's root file system in read-only mode from a container by specifying the --read-only=true option to docker create or docker run. You can use this mode to restrict write access by a containerized application.