diff --git a/libpod/container.go b/libpod/container.go
index f68a3535e5..fc613f4063 100644
--- a/libpod/container.go
+++ b/libpod/container.go
@@ -970,3 +970,8 @@ func (c *Container) RootGID() int {
 func (c *Container) IsInfra() bool {
 return c.config.IsInfra
 }
+
+// IsReadOnly returns whether the container is running in read only mode
+func (c *Container) IsReadOnly() bool {
+ return c.config.Spec.Root.Readonly
+}
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index c0912dc0db..f9e161cb31 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -107,7 +107,10 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 Type: "bind",
 Source: srcPath,
 Destination: dstPath,
- Options: []string{"rw", "bind", "private"},
+ Options: []string{"bind", "private"},
+ }
+ if c.IsReadOnly() {
+ newMount.Options = append(newMount.Options, "ro")
 }
 if !MountExists(g.Mounts(), dstPath) {
 g.AddMount(newMount)
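Review bot: `IsReadOnly` dereferences `c.config.Spec.Root` without a nil check, and in the OCI runtime-spec Go types `Root` is a pointer, so a container whose spec carries no root section would panic here instead of reporting false. Whether that state is reachable is not visible in this hunk; if it is, guard it with `return c.config.Spec.Root != nil && c.config.Spec.Root.Readonly`. The doc comment would also be more accurate as `// IsReadOnly reports whether the container's root filesystem is configured read-only in its OCI spec.`, since the method reads configuration rather than runtime state.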
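Review bot: The new `if c.IsReadOnly()` block appends `ro` to every mount built at this site, with no exception per `dstPath`, so any runtime-managed destination the workload is expected to write to becomes read-only as well. The set of destinations is not visible in this hunk and should be checked against the code that populates it. Dropping `"rw"` also means a writable container now relies on the runtime's default for a mount that carries neither flag; appending `"rw"` in an `else` branch would leave the generated spec unchanged for the non-read-only case. A comment such as `// Read-only rootfs: keep runtime-managed bind mounts read-only too, so the container cannot modify them.` would record the intent. `generateSpec` and the block that opens the `newMount` literal begin and end outside the hunk.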