Remove usage of the `VOLUME` instruction

[polarathene]

The VOLUME instruction should be removed from the image build.

• Containers already persist state internally until the container is destroyed (for example, an image upgraded to a new tag).
• Proper persistence externally should be explicit.

prometheus/Dockerfile

Lines 16 to 21 in e04913a

	WORKDIR /prometheus
	RUN chown -R nobody:nobody /etc/prometheus /prometheus
	USER nobody
	EXPOSE 9090
	VOLUME [ "/prometheus" ]

---

Anonymous volumes are created when an image has a VOLUME instruction. They will initialize by copying any of the existing content at the mount point (unlike a bind mount volume which typically replaces content at the mount point):

• With docker run --rm ..., each container instance started will create a new anonymous volume. Without the --rm, these will accumulate pointlessly while the user may not be aware of this implicit waste on their system.
• Docker Compose behaves differently, with additional logic to preserve the same anonymous volume across instances of the container for a given compose project.

---

The VOLUME instruction provides no value to an image. It only causes problems.

For detailed justification, please see below context for my previous write-up on this subject:

• fix: Dockerfile - VOLUME directive is an anti-pattern kanidm/kanidm#2948
• Dockerfile: Remove VOLUME instruction ory/hydra#3683
• Remove VOLUME instructions caddyserver/caddy-docker#118 (comment)
• Example of implicit 2GB disk usage per container instance (not applicable to images with empty VOLUME published, but clearly documents a VOLUME concern)

---

For reference, this image previously has already previously removed another VOLUME instruction (but it lacks any context as to why)

[dgl]

Docker Compose behaves differently, with additional logic to preserve the same anonymous volume across instances of the container for a given compose project.

It feels like this does have the potential to break someone who runs a Prometheus alongside their project stack through a docker compose configuration; we have a strong compatibility promise: https://prometheus.io/docs/prometheus/latest/stability/.

While I agree this should be explicit, all changing this would do is potentially break people. This is possibly something to consider for a major release (quite a way off given 3.0 only just came out).

Update: https://github.com/search?q=path%3Acompose.yml+prom%2Fprometheus&type=code is a lot of results, I've barely looked at them (many do define /prometheus as a volume), but that's a lot of users even in a sample of public GitHub code.

[polarathene]

TL;DR: The anonymous volume will remain even if your image drops it; unless the user invokes/automates removal of detached anonymous volumes before they add an explicit anonymous volume to their compose.yaml.

---

It feels like this does have the potential to break someone who runs a Prometheus alongside their project stack through a docker compose configuration; we have a strong compatibility promise

Sorry? I don't see anything about guaranteeing stability with an implicit feature of software outside the control of Prometheus. What happens if the software itself were to drop such support? Same outcome, except you have less time to communicate it.

I've raised a request upstream for deprecating the instruction behaviour to implicitly create a volume, it'll probably get rejected but you may want to subscribe in the event it doesn't.

---

While I agree this should be explicit, all changing this would do is potentially break people. This is possibly something to consider for a major release (quite a way off given 3.0 only just came out).

That's fine, I maintain projects with Docker myself and am likewise cautious, this is more of a PSA to discourage the use in your image.

In the linked issue I demonstrate how two images with the same VOLUME path declared will share that anonymous volume (if using the same service name, despite changing the image, such as mongo => valkey).

While in the issue I reported here, you'll see this reference where the expectation of a clean slate for a container without the anonymous volume differs with Docker Compose than Docker CLI. It was only until recently in Sep 2024 that a Docker Compose V2 release restored their --renew-anon-volumes functionality.

As a user if I am trying a new image out like yours and want to wipe the state to produce a bug report or any other valid reason, that's not going to happen with Docker Compose from docker compose down or docker compose up --force-recreate alone, which is what most users would do and expect starts a fresh container with no persisted state (unless it was configured to explicitly).

---

Update: https://github.com/search?q=path%3Acompose.yml+prom%2Fprometheus&type=code is a lot of results, I've barely looked at them (many do define /prometheus as a volume), but that's a lot of users even in a sample of public GitHub code.

It's your project to maintain, but I find it bizarre to delay such a change for a considerable time when anyone that cares seriously about their data should make an explicit volume for it. They should have done so from the start, and if they're new to docker may unfortunately learn the hardway when their data doesn't persist.

Thus the audience you're catering to by not removing VOLUME is inexperienced users (which is fair), that presumably have never had to think about persisting data in containers yet. FWIW, they won't lose the data (this proves they won't), but it will be difficult to locate unless they revert the image tag to what they had before (for inexperienced users relying upon :latest, it'd be more annoying), however as the linked proof shows, the user can explicitly add an anonymous volume in their config with the same path as VOLUME specified and it'll bring it back and be bound to the same Docker Compose behaviour.

They will be prone to data loss if they have automated image upgrades and pruning that removes the detached anonymous volume... you can at best mention it in changelog or other means of communication, and the users that don't read those but get affected are likely to be affected by semver major release too 😅

I respect the decision to hold off, but as you can see the impact risk should be lower than anticipated.

[beorn7]

Hello from the bug scrub,

Thanks for your explanations. We need to consider this more carefully.

@dgl any thoughts about this? Any other Docker experts want to chime in? Maybe @SuperQ ?

[roidelapluie]

We have to keep VOLUME for the current release. It is a huge breaking change for many small users. Even if it is a minority of users, that is still a pretty big/scary change for them (you upgrade => all your data is gone; if you do not see it immediately, you will have to merge 2 TSDB's).

Meanwhile, in 3.x we can:

• Announce the deprecation loud and clear in the docs / release notes.
• Add -v prometheus-data:/prometheus to the getting started

And prepare the removal in 4.x.

[roidelapluie]

Another option is to keep VOLUME forever, which indicates to users who look at the Dockerfile which data should be persisted, and add a note in the Dockerfile and the docs that proper volumes should be preferred.

That way we do not break anyone.

[polarathene]

TL;DR:

• VOLUME is legacy instruction and anti-pattern for a Dockerfile. It serves no real value beyond providing a minor convenience (with caveats) specifically for Docker Compose users.

• I repeat again, it's highly unlikely anyone that values persistence will lose their data. Only Docker Compose users will be impacted AFAIK, and recovery for them is simple:

  services:
    example:
      image: prom/prometheus
      # Add an explicit anonymous volume for `/prometheus` to restore:
      volumes:
        - /prometheus

  A small subset of users may accidentally prune the volume after the upgrade and fail to recover the implicit persisted storage. Such users were bound to encounter a mishap one way or another if not from this change somewhere else, that is not your responsibility (changelog and docs are sufficient).

This is mostly a nitpick I bring to the attention of maintainers when I encounter it. For this project there doesn't seem to be any other users chiming in since I opened the issue, and no member of the project has expressed troubleshooting an issue thus far that was related to the use of VOLUME 😅 I'd still encourage dropping it for your 4.x release.

---

Verbose reply

FWIW the Valkey project removed VOLUME in early Dec 2025. So far no issues raised about data loss complaints there, other projects I've referenced that have done the same also haven't resulted in any issues AFAIK.

The earlier GH search for compose files as reference has images that are pinned to 2.x releases or rely on latest tag. Neither are really valid (2.x pins won't be affected, while latest pins are poor practice for breaking change concerns, often these aren't real configs but reference examples so persistence isn't necessarily considered regardless).

---

Even if it is a minority of users, that is still a pretty big/scary change for them (you upgrade => all your data is gone; if you do not see it immediately, you will have to merge 2 TSDB's).

It's not gone though (unless you have some automated pruning without backup?). Technically the risk depends on what the user does after that upgrade. The concern with merging TSDB's is valid, so I totally understand wanting to delay the change until a major version release where breaking changes risks expects users to read the changelog before blindly upgrading.

As noted, VOLUME doesn't really serve much purpose outside of Docker Compose for persistence as opposed to the containers own internal state. For Docker Compose the data is associated to the service itself by the VOLUME path, not the image itself with the VOLUME instruction.

You can swap the image to an entirely different project with the same path in a VOLUME instruction and unexpectedly that container will now have the anonymous volume from your previous prometheus container vs whatever image you switched to. In this scenario upgrading the prometheus image just removes the implicit VOLUME so it's not mounted when the container is started, however, reverting the image to a prior release will restore that.

I previously provided this link that proved no data loss.

It is a huge breaking change for many small users.

As per the referenced link I just gave, you don't need the VOLUME instruction in the image, for Docker Compose you can add an explicit anonymous volume of the same path and it'll restore that data just the same, with the added bonus that you're not relying on implicit config for persisting data you value?

Users that care about their data being persisted should be using explicit volumes (named data volumes or bind mounts tbh), not implicit anonymous volumes.

To clarify, without Docker Compose these VOLUME instructions do not persist volumes across image upgrades, thus it is irrelevant to anyone else (unless there's another project out there that breaks this expectation for how VOLUME should only be associated to a container of the same image digest).

---

Another option is to keep VOLUME forever

Your reasoning assumes users interested in this would be reading the Dockerfile or other inspection vs following documentation for how to use the image? (where all other relevant config info is covered and is fairly standard expectation)

Once again VOLUME is only meaningful for long-lived services in the sense of Docker Compose, but this is an anti-pattern IMO as implicit persistence the way Docker Compose does this can lead to confusion and inconsistency from other container managed environments. That's not good for users or maintainers to deal with.

I understand the minor convenience of avoiding 1-2 lines to add an explicit volume mapping for persistence, but I honestly see nothing wrong with that given containers are expected to be ephemeral. Persistence should be explicit.

---

That way we do not break anyone.

I've been bit several times due to VOLUME usage.

How many users are actually relying on this that care about their data (the vast majority of which should be able to recover it without issue, and if not that's really on them for not following your docs on persistence, while performing a volume prune (automated or manual) so soon after an upgrade without reading release notes).

I've also seen projects that restructure their persistence paths, that's not that friendly to migrate an implicit anonymous volume to support, but notably easier with named and bind mount volumes. A change like that may be unlikely for this project, but surely you can understand that there's far more positives to drop VOLUME, with the only real con being a very niche set of users (majority relying on an anonymous volume can check release notes or some common issue raised after release with the advice to add an explicit volume to restore their data).

[roidelapluie]

See #17876