There are many cases where it is useful to mount an immutable data volume into a container, with configuration or static data (or code, it could be an apt repo or whatever).

I am proposing we add a new mount type so you can do (or whatever --mount is renamed to) - it would also be supported in compose files/bundles.

docker service create --mount type=image,src=alpine:3.5,dest=/alpine ...

These would fetch the image from the repository if necessary, allowing tags or hashes to be specified, and mount it at the specified mountpoint. This would always be read only. Docker would unpack the image and mount it, presumably using layers but this would be an implementation detail, as being read only this would not be visible.

Use cases include configuration data (not secrets, but miscellaneous scripts and config), actual data, apt repos, npm repos etc. If a hash was used it would be guaranteed to be consistent across multiple tasks in a service.

cc @AkihiroSuda @tonistiigi @stevvooe