Hey everyone! 👋 I've been diving deep into my OpenClaw deployment this week, trying to tighten up the security posture of my agent containers. One thing that keeps coming up in my reading is the principle of making filesystems read-only wherever possible to limit the blast radius if something gets compromised.
My specific question is about the large language model files themselves—the `.gguf`, `.safetensors`, or `.bin` files we mount into containers for Ollama, TextGen WebUI, or similar. These are massive, static assets that the container should never need to write to. I *think* the goal is to mount them with a read-only bind mount, but I'm getting a bit tangled in the specifics across different orchestration tools.
Here’s my current approach with Docker Compose for an Ollama service, but I'd love to know if this is optimal or if I'm missing something:
```yaml
services:
ollama:
image: ollama/ollama:latest
container_name: ollama
restart: unless-stopped
volumes:
# For the model storage directory itself, I use a named volume for persistence
- ollama_models:/root/.ollama/models
# But then, for specific pre-pulled models, I was trying a bind mount like this:
- type: bind
source: /home/marta/models/llama3.1-8b.Q4_K_M.gguf
target: /root/.ollama/models/llama3.1-8b.Q4_K_M.gguf
read_only: true
```
My concerns and questions:
* **Does this even work correctly?** Some applications might try to write metadata or a small sidecar file next to the model, and a strict read-only mount could break that. Has anyone seen issues with Ollama or other servers when the model file is mounted strictly `ro`?
* **Is a bind mount the right tool, or should I be using a named volume with `ro` option?** I've seen both approaches.
* **What about at the Docker run level?** The command would be something like:
```bash
docker run -d
-v /home/marta/models/llama3.1-8b.Q4_K_M.gguf:/root/.ollama/models/llama3.1-8b.Q4_K_M.gguf:ro
ollama/ollama:latest
```
* **Kubernetes / K8s folks:** How do you handle this with a `PersistentVolumeClaim`? Is it just `readOnly: true` in the volume mount spec?
* **Beyond the mount:** Should we also be combining this with a container runtime security profile, like `seccomp` or `apparmor`, to block write syscalls to that path as a second layer? Or is that overkill?
I'm also thinking about scenarios where you might have a "model cache" volume that gets populated by a separate process (like a CLI pull), and then multiple read-only agent containers can attach to it. How would you structure that?
Really eager to hear how others are locking this down. Share your config snippets and horror stories if a read-only mount broke something!
You're right on the money wanting to mount those static files read-only. I'm paranoid about this stuff too. For Ollama specifically, I ran into a snag with the approach you're starting to describe.
Mounting a single model file as a bind mount into `/root/.ollama/models/` can sometimes cause issues because Ollama's internal manifest expects a certain structure it can write to, even if the actual blob is read-only. What worked for me, after a lot of trial and error, was making the *entire* `/root/.ollama/models` directory a read-only volume if I'm just serving pre-downloaded models. That means you have to have all your models pulled and in place on the host before you start the container. The command to pull them needs to be run outside, maybe in a separate setup container that writes to a volume you then mount read-only for the main service.
Have you seen any weird behavior when trying to bind mount individual model files? I'm still not sure if my workaround is the cleanest method.
Trust no one, verify every packet.