Security on Docker volumes

vishnuvpotti · November 30, 2018, 4:59am

We are dockerizing bitbucket server. We have used RHEL host to install docker engine and using alpine as container image ( as atlassian themselves provided in official docker image)

Now for Bitbucket_home, we have chosen NFS folder instead of local folder. The NFS is exported at /nas/data in the host machine.

Now we plan to create docker volumes from these NFS folder and use them in the container.

My docker-compose.yml looks like

```
version: '2'

services:

  bitbucket-test:
    image: privaterepo/bitbucket-ssl:5.15.1
    cap_add:
      - SYS_ADMIN
      - DAC_READ_SEARCH
    environment:
      NAS_PATH: ${nas_path}
      NAS_DOMAIN: ${nas_domain}
      NAS_LOGIN: ${nas_login}
      NAS_CREDENTIALS: ${nas_credentials}
      JDBC_DRIVER: ${jdbc_driver} 
      JDBC_URL: ${jdbc_url} 
      JDBC_USER: ${jdbc_user}
      JDBC_PASSWORD: ${jdbc_password}
    ports:
      - "8443:8443/tcp"
      - "7999:7999/tcp"
    volumes:
      - type: volume
        source: /nas/data
        target: /opt/bitbucket
        volume:
          nocopy: true
    labels:
      io.rancher.scheduler.affinity:host_label: bitbucket_host=true
      io.rancher.container.pull_image: always
    stdin_open: true
    tty: true
```

My questions is if we run multiple containers on the same host, nothing is preventing other containers from actually creating a volume from /nas/data folder.

How can we make multi containers run on same host while securing NFS folder?

Thanks in advance.

meemicaudi · December 5, 2018, 8:50pm

Hi,

I don’t know the answer to your question, but did want to just wanted to share something, since we are doing similar things. We are also running Docker on RHEL (one of which is also Bitbucket). We though, built the Bitbucket server on a RHEL container. Why? Because, in speaking with Red Hat, they will also support the OS within the container, if it is their RHEL image.

Just some food for thought. We basically took Atlassian’s Dockerfile, and made the necessary modifications so it worked in a RHEL image.

As for you actual question, if you are going to map the data, on a volume like that, you should separate that data into a proper sub-directory, specific to each container. So, have a /nas/data/bitbucket folder, for the Bitbucket data. This is much the same way Atlassian recommends setting their data directories when running multiples of their products on the same system. They must be under different paths so the data doesn’t mix and cause issues.

Hope this helps.

Thanks,
Curtis

Topic		Replies	Views
Folder in NAS as docker volume : Security aspect General docker	0	614	December 4, 2018
How are you guys solving the same network storage mount in multiple containers? General docker	1	933	September 15, 2016
Shared volume between muliple docker-compose Docker Desktop macos	0	2863	June 14, 2018
Docker Volume Data Security Query General	0	379	February 14, 2020
Mounting one host directory/file to multiple containers General	1	3481	February 8, 2016

Security on Docker volumes

Related topics