Docker containers - user data

If you've set up your application stack with Docker (either in a single container or as a series of linked containers), sooner or later you will need to persist user data - for example, a database. From what I've seen so far, this can be done in two ways.

  • Mount host volumes into a Docker container with the -v switch.
  • Create a dedicated data container that is saved and restored as needed.

There is no problem with either of these approaches - they are easy to implement and work very well. However, there are a few things I don't understand:

  • When a data container is actually alive, where is the data actually written? For example, are the files written to the /var/lib/mysql folder inside this container located somewhere on the host's filesystem?
  • What are the risks of mapping a subfolder of the host system as a volume in a Docker container, given that the container user can now write directly to the host's filesystem?
  • Finally, is there an easy way to limit the size of the mapped volume?

I would really appreciate any help on this.

1 answer


When a data container is actually alive, where is the data actually written? For example, are the files written to the /var/lib/mysql folder inside this container located somewhere on the host's filesystem?

Volumes that are not mounted from the host are stored here: /var/lib/docker/volumes/

What are the risks of mapping a subfolder of the host system as a volume in a Docker container, given that the container user can now write directly to the host filesystem?

Unless your container is started as privileged, that is, with the --privileged=true flag, your container cannot access devices and is blocked from several sensitive parts of the host fs. Second, by default, all processes inside Docker run as root, which gives them a lot of privileges inside the container, and since Docker doesn't guarantee a safe sandbox, someone could potentially hack the process inside your container. Therefore, you should use the USER instruction in your Dockerfile, or -u, to start your processes as an alternate user.

Finally, is there an easy way to limit the size of the mapped volume?

You should do this outside of Docker, perhaps by creating a separate logical volume and sizing it according to your needs.
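As an added example, not part of the original answer: a small POSIX shell audit that reports the effective user a Dockerfile's processes will run as (the last USER instruction wins; none means root) and flags a privileged `docker run` line, followed by the host-side, size-limited volume the answer recommends. The two Dockerfile texts and the image name `mysql` are constructed samples; `make_limited_volume` needs root on the host and is shown, not run.

```shell
#!/bin/sh
# Added example (not from the original post). Sample Dockerfile text is constructed.

# Print the effective user of an image built from the Dockerfile read on stdin.
# Docker uses the last USER instruction; with none, processes run as root.
effective_user() {
    awk 'toupper($1) == "USER" { u = $2 } END { print (u == "" ? "root" : u) }'
}

# Return 0 if a "docker run ..." command line starts the container privileged,
# which removes the device and host-fs restrictions the answer describes.
is_privileged_run() {
    case " $1 " in
        *" --privileged "*|*" --privileged=true "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: a Dockerfile with no USER instruction (mysqld runs as root) ...
DOCKERFILE_ROOT='FROM mysql
COPY my.cnf /etc/mysql/conf.d/
CMD ["mysqld"]'

# ... and the same Dockerfile hardened with a USER instruction.
DOCKERFILE_USER='FROM mysql
COPY my.cnf /etc/mysql/conf.d/
USER mysql
CMD ["mysqld"]'

# Human-readable verdict for one Dockerfile text.
check_dockerfile() {
    u=$(printf '%s\n' "$1" | effective_user)
    if [ "$u" = "root" ]; then
        echo "WARN: processes run as root; add USER to the Dockerfile or pass -u to docker run"
    else
        echo "OK: processes run as $u"
    fi
}

# Size-limited volume created outside Docker (answer's third point): a file-backed
# ext4 filesystem of the requested size, loop-mounted on the host and then passed
# with -v. The container cannot write past the image size. Requires root; not run here.
make_limited_volume() {
    img=$1; mnt=$2; size=${3:-1G}
    fallocate -l "$size" "$img" && mkfs.ext4 -q "$img" && mkdir -p "$mnt" && mount -o loop "$img" "$mnt"
}
# Usage on the host (hypothetical paths):
#   make_limited_volume /srv/mysql-data.img /srv/mysql-data 1G
#   docker run -u mysql -v /srv/mysql-data:/var/lib/mysql mysql
```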
