If you set up an app stack with Docker (either in one container or as a sequence of linked containers), sooner or later there will be a need to serialize user data - e.g. the database. From what I have seen thus far this can be done in two ways:
No issues with either of these approaches - they are easy to implement and work just fine. However, there are a few things that are not clear to me:
I'd much appreciate any help with this.
When a data container is actually alive, where is the data actually being written? For example, do the files written to the /var/lib/mysql folder inside that container end up somewhere on the host's file system?
The volumes which are not mounted from the host are stored here: /var/lib/docker/volumes/
What are the risks of mapping a host system subfolder as a volume onto the Docker container, bearing in mind that now the container's user is able to write directly to the host's file system?
As long as your container is not run as privileged, i.e. with the --privileged=true flag, your container is not able to access devices and is locked out of several sensitive parts of the host fs. Secondly, by default all processes inside Docker run as root; this gives them a lot of privileges inside the container and, since Docker does not guarantee secure sandboxing yet, someone who hacks a process inside your container can potentially break out. Therefore you should use the USER instruction in your Dockerfile or the -u flag to run your processes as an alternate user.
Finally, is there a simple way to limit the size of that mapped volume?
You have to do it outside docker, maybe by creating a separate logical drive and sizing it to your needs.
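As an added example (not part of the original answer), the following script puts the answer's advice into checkable form: an audit that flags a Dockerfile whose final stage still runs as root, the `docker run` invocation with a bind-mounted data directory and `-u`, and one way to create the "separate logical drive" with a fixed size (a loop-mounted image file; the path `/srv/mysql-data`, the uid `1001`, the `mysqlapp` user and the image tag `mysql:5.7` are assumptions). Only the audit and the command builder run without root and without Docker.

```shell
#!/usr/bin/env sh
# Added example; assumes POSIX sh plus awk. make_limited_volume additionally
# needs root and the truncate/mkfs.ext4/mount tools, and is not run here.

# Return 0 if the last build stage ends with a non-root USER, 1 if the image
# would run as root (no USER line, or USER root / USER 0).
dockerfile_runs_as_nonroot() {
    awk '
        toupper($1) == "FROM" { user = "root" }     # every stage starts as root
        toupper($1) == "USER" { user = $2 }         # last USER in the stage wins
        END {
            split(user, parts, ":")                 # drop an optional :group part
            if (parts[1] == "root" || parts[1] == "0" || parts[1] == "") exit 1
            exit 0
        }' "$1"
}

# Build the run command the answer recommends: host directory bind-mounted on
# /var/lib/mysql and -u so the server does not run as root in the container.
# The host directory must be writable by that uid. Printed, not executed.
mysql_run_cmd() {
    host_dir=$1; uid=$2
    printf 'docker run -d -u %s:%s -v %s:/var/lib/mysql mysql:5.7\n' \
        "$uid" "$uid" "$host_dir"
}

# Fixed-size backing store for the mapped directory: an image file with its own
# filesystem, loop-mounted at the bind-mount source. Writes inside the
# container stop with ENOSPC once the image is full. Requires root.
make_limited_volume() {
    img=$1; mnt=$2; size_mb=$3
    truncate -s "${size_mb}M" "$img"
    mkfs.ext4 -q "$img"
    mkdir -p "$mnt"
    mount -o loop "$img" "$mnt"
}

# Demo on a constructed Dockerfile (audit only; no Docker needed).
demo_file=${TMPDIR:-/tmp}/Dockerfile.example.$$
printf 'FROM mysql:5.7\nRUN useradd -r mysqlapp\nUSER mysqlapp\n' > "$demo_file"
if dockerfile_runs_as_nonroot "$demo_file"; then
    echo "OK: final stage runs as non-root"
else
    echo "WARN: final stage runs as root"
fi
mysql_run_cmd /srv/mysql-data 1001
rm -f "$demo_file"
```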