Hey Folks, want to understand what is the best practice when it comes to persistent data.
I know I can either map a host directory to a container directory or I can create a Data Container Volume and store all persistent data in the Data Container…
I am just wondering… What is the best practice here? Are there any security concerns when mapping a host folder?
I find using data containers quite neat except when you bring down a docker container and the volumes become dangling… then you must be careful not to delete the volumes!
My take has generally been that a named volume is “better”, except that if you need to back up or archive or examine or edit the data, you can’t do it from the host directly, you have to launch that process from within a container. Now that Docker has named volumes, it’s easier to avoid leaking a volume, and I wouldn’t use a data-volume container any more; just docker volume create the named volume.
On native Linux, files the container reads and writes use some user ID in the container. This is a number, not a name, mapped by the /etc/passwd file in the container. If the container runs as uid 0 (root) then it will ignore host-directory permissions, but otherwise, you can hit issues where the container runs as uid 33 and your host doesn’t have a name in its /etc/passwd for that uid, so you wind up creating a world-writable host directory so your container works at all, and that’s kind of bad.
On other OS’s there are uid remapping schemes that can cause problems. (The last time I dealt with this head-on, in Docker Toolbox on Mac, container reads and writes as uid 0 got mapped to your Mac host uid and reads and writes as other users would just outright fail.)
I don’t think it’s possible for the container to “escape” a bind-mounted volume directory, though.