Security on Docker volumes

We are dockerizing Bitbucket Server. We have used a RHEL host to install Docker Engine and are using Alpine as the container image (as Atlassian themselves provided in the official Docker image).

Now for Bitbucket_home, we have chosen an NFS folder instead of a local folder. The NFS is exported at /nas/data in the host machine.

Now we plan to create Docker volumes from this NFS folder and use them in the container.

My docker-compose.yml looks like:

version: '2'
services:
  bitbucket:  # placeholder: the service name is not shown in the original post
    image: privaterepo/bitbucket-ssl:5.15.1
    cap_add:
      - SYS_ADMIN
    environment:
      NAS_PATH: ${nas_path}
      NAS_DOMAIN: ${nas_domain}
      NAS_LOGIN: ${nas_login}
      NAS_CREDENTIALS: ${nas_credentials}
      JDBC_DRIVER: ${jdbc_driver}
      JDBC_URL: ${jdbc_url}
      JDBC_USER: ${jdbc_user}
      JDBC_PASSWORD: ${jdbc_password}
    ports:
      - "8443:8443/tcp"
      - "7999:7999/tcp"
    volumes:
      - type: volume
        source: /nas/data
        target: /opt/bitbucket
        volume:
          nocopy: true
    labels:
      io.rancher.scheduler.affinity:host_label: bitbucket_host=true
      io.rancher.container.pull_image: always
    stdin_open: true
    tty: true

My question is: if we run multiple containers on the same host, nothing is preventing other containers from actually creating a volume from the /nas/data folder.

How can we run multiple containers on the same host while securing the NFS folder?

Thanks in advance.


I don’t know the answer to your question, but I did just want to share something, since we are doing similar things. We are also running Docker on RHEL (one of which is also Bitbucket). We, though, built the Bitbucket server on a RHEL container. Why? Because, in speaking with Red Hat, they will also support the OS within the container, if it is their RHEL image.

Just some food for thought. We basically took Atlassian’s Dockerfile, and made the necessary modifications so it worked in a RHEL image.

As for your actual question, if you are going to map the data on a volume like that, you should separate that data into a proper sub-directory, specific to each container. So, have a /nas/data/bitbucket folder for the Bitbucket data. This is much the same way Atlassian recommends setting their data directories when running multiples of their products on the same system. They must be under different paths so the data doesn’t mix and cause issues.

Hope this helps.
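
The per-container sub-directory layout suggested in the reply can be checked on a host. The following is an added example, not part of the original thread: it takes data in the shape of `docker inspect` output and flags containers that bind-mount the whole /nas/data export or a path that overlaps another container's. The sample data, the container names other than bitbucket, and the function names are constructed for illustration, and it assumes host-path bind mounts as in the question.

```python
import json
from pathlib import PurePosixPath

NFS_ROOT = PurePosixPath("/nas/data")  # export path from the question

# Constructed sample in the shape of `docker inspect` output, trimmed to the
# fields used here. Container names and paths other than /nas/data are hypothetical.
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/bitbucket", "Mounts": [
   {"Type": "bind", "Source": "/nas/data/bitbucket", "Destination": "/opt/bitbucket", "RW": true}]},
 {"Name": "/jira", "Mounts": [
   {"Type": "bind", "Source": "/nas/data", "Destination": "/var/jira", "RW": true}]},
 {"Name": "/backup", "Mounts": [
   {"Type": "bind", "Source": "/nas/data/bitbucket/shared", "Destination": "/src", "RW": false}]},
 {"Name": "/web", "Mounts": [
   {"Type": "bind", "Source": "/srv/www", "Destination": "/www", "RW": true}]}
]
""")

def _within(path, parent):
    """True if path is parent itself or lies below it."""
    return path == parent or parent in path.parents

def audit_nfs_mounts(containers, nfs_root=NFS_ROOT):
    """Return sorted findings for mounts that touch the NFS export."""
    mounts = []
    for c in containers:
        for m in c.get("Mounts", []):
            src = PurePosixPath(m.get("Source", ""))
            # Keep mounts below the export, and mounts of the export or an ancestor.
            if _within(src, nfs_root) or _within(nfs_root, src):
                mounts.append((c["Name"].lstrip("/"), src, m.get("RW", True)))
    findings = []
    for name, src, _rw in mounts:
        if _within(nfs_root, src):
            findings.append(f"{name}: mounts {src}, which exposes the whole export")
    # Two containers share data when one source contains the other; report the
    # pair unless both sides are read-only.
    for i, (a, sa, rwa) in enumerate(mounts):
        for b, sb, rwb in mounts[i + 1:]:
            if a != b and (_within(sa, sb) or _within(sb, sa)) and (rwa or rwb):
                findings.append(f"{a} and {b}: overlapping paths {sa} and {sb}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit_nfs_mounts(SAMPLE_INSPECT)) or "no findings")
```

On a live host the same function can be fed `json.loads` of the output of `docker inspect $(docker ps -q)`.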