Docker Community Forums


Restricting where to mount on with -v

Tags: docker, security

(Erik-jan Riemers) #1

Like the subject says, it would be nice if you could restrict people from mounting anything except from a certain location. I could say that a certain user has access to /data and only that folder can be mounted (assuming the user has local docker rights on a server); everything else I don’t want can be done with apparmor/selinux/sudo etc. AFAIK.

Or is there already a similar way to restrict what volumes a person can bind towards (on the server, so not another docker volume)?

Would give some apps more freedom which I don’t want to give that type of rights.

Regards,
Erik

P.S. I assume something like that could be possible by writing a volume plugin, but that’s too far away for my cheesecake head.


(Ktwalrus) #2

I’d like something like this too. Actually, I’d like to just have the local volume plugin support associating a volume name with a host directory/path. I have used a 3rd party volume plugin called local-persist to associate hostdir with a docker volume. It somewhat works, but I encountered some issues that make me reluctant to deploy this in production. Much better if the local built-in volume driver supported this directly (at least I would feel like it will be maintained for future docker releases and I could use it in production). For now, I am just using ENVs in my -v options to associate a name with a hostdir.

Does the local volume driver in Docker 1.12 support creating a volume for a hostdir? The docs seem to have some indication that you can mount NFS or BTRFS filesystems using the local volume driver, but the documentation is very scarce on this and not very clear to me.
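An added example, not code from either post or from Docker itself: the policy check that a daemon authorization plugin (the authz hook, which lets a plugin allow or deny each Engine API request) could apply to a container create request so that only host paths under /data (an assumed policy) may be bind-mounted. The body fields used, HostConfig.Binds and HostConfig.Mounts, are the Engine API's; the HTTP plugin wiring is left out, and the sample request bodies are constructed.

```python
import json
import posixpath

# Assumed policy for this example: the only host tree users may bind-mount.
ALLOWED_BIND_ROOTS = ("/data",)


def _under_allowed_root(host_path, roots=ALLOWED_BIND_ROOTS):
    """True if host_path, after lexical normalisation of '..' and '//', lies
    inside one of roots. A plugin running on the daemon host should also
    resolve symlinks (os.path.realpath) so /data/link -> /etc is caught."""
    clean = posixpath.normpath(host_path)
    for root in roots:
        root = posixpath.normpath(root)
        if clean == root or clean.startswith(root.rstrip("/") + "/"):
            return True
    return False


def bind_mount_sources(host_config):
    """Yield every host path a /containers/create body asks to bind-mount."""
    # Legacy -v form "src:dst[:opts]": a source starting with '/' is a host
    # path; anything else names a volume and is not a bind mount.
    for spec in host_config.get("Binds") or []:
        src = spec.split(":", 1)[0]
        if src.startswith("/"):
            yield src
    # --mount form: only Type=bind carries a host path in Source.
    for m in host_config.get("Mounts") or []:
        if m.get("Type") == "bind" and m.get("Source"):
            yield m["Source"]


def check_create_request(body_json):
    """Return (allow, reason), the pair an authz reply carries as Allow/Msg."""
    body = json.loads(body_json)
    for src in bind_mount_sources(body.get("HostConfig") or {}):
        if not _under_allowed_root(src):
            return False, "bind mount source not permitted: %s" % src
    return True, ""


# Constructed request bodies, as the daemon would hand them to the plugin
# (after decoding the base64 RequestBody of the AuthZReq call).
SAMPLE_ALLOWED = '{"Image":"nginx","HostConfig":{"Binds":["/data/web:/srv:ro"]}}'
SAMPLE_DENIED = '{"Image":"nginx","HostConfig":{"Binds":["/data/../etc:/host-etc"]}}'

if __name__ == "__main__":
    for body in (SAMPLE_ALLOWED, SAMPLE_DENIED):
        print(check_create_request(body))
```

Named volumes pass this check untouched, so a volume driver that itself maps a volume onto an arbitrary host directory would need its own check on volume create requests.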