Docker Community Forums


Security on Docker volumes

docker

(Vishnuvpotti) #1

We are dockerizing Bitbucket Server. We have used a RHEL host to install the Docker engine and are using Alpine as the container image (as Atlassian themselves provide in their official Docker image).

Now for Bitbucket_home, we have chosen an NFS folder instead of a local folder. The NFS export is at /nas/data on the host machine.

Now we plan to create Docker volumes from this NFS folder and use them in the container.

My docker-compose.yml looks like this:

```
# The long volume syntax used below needs file format 2.3 or later.
version: '2.3'

services:

  bitbucket-test:
    image: privaterepo/bitbucket-ssl:5.15.1
    cap_add:
      - SYS_ADMIN
      - DAC_READ_SEARCH
    environment:
      NAS_PATH: ${nas_path}
      NAS_DOMAIN: ${nas_domain}
      NAS_LOGIN: ${nas_login}
      NAS_CREDENTIALS: ${nas_credentials}
      JDBC_DRIVER: ${jdbc_driver}
      JDBC_URL: ${jdbc_url}
      JDBC_USER: ${jdbc_user}
      JDBC_PASSWORD: ${jdbc_password}
    ports:
      - "8443:8443/tcp"
      - "7999:7999/tcp"
    volumes:
      # /nas/data is a host path, so this is a bind mount: "type: volume"
      # expects a named volume, and "nocopy" only applies to named volumes.
      - type: bind
        source: /nas/data
        target: /opt/bitbucket
    labels:
      io.rancher.scheduler.affinity:host_label: bitbucket_host=true
      io.rancher.container.pull_image: always
    stdin_open: true
    tty: true
```

My question is: if we run multiple containers on the same host, nothing is preventing other containers from also creating a volume from the /nas/data folder.

How can we run multiple containers on the same host while securing the NFS folder?

Thanks in advance.


(Meemicaudi) #2

Hi,

I don’t know the answer to your question, but I just wanted to share something, since we are doing similar things. We are also running Docker on RHEL (one of which is also Bitbucket). We, though, built the Bitbucket server on a RHEL container. Why? Because, in speaking with Red Hat, they will also support the OS within the container if it is their RHEL image.

Just some food for thought. We basically took Atlassian’s Dockerfile, and made the necessary modifications so it worked in a RHEL image.

As for your actual question, if you are going to map the data on a volume like that, you should separate that data into a proper sub-directory, specific to each container. So, have a /nas/data/bitbucket folder for the Bitbucket data. This is much the same way Atlassian recommends setting their data directories when running multiples of their products on the same system. They must be under different paths so the data doesn’t mix and cause issues.

Hope this helps.

Thanks,
Curtis
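One way to check the per-container sub-directory rule Curtis describes, as an added example that is not from either post nor from Docker or Atlassian: a small Python audit over `docker inspect` output that flags containers bind-mounting the export root /nas/data itself, and sub-directories mounted by more than one container. The container names and the JSON sample are constructed; on a real host, feed it the output of `docker inspect $(docker ps -q)`.

```python
"""Audit which containers bind-mount a shared NFS export (added example).

Flags (a) containers that mount the export root itself instead of their own
sub-directory and (b) sub-directories mounted by more than one container.
Input is the JSON array that `docker inspect <ids...>` prints.
"""
import json
import os
from collections import defaultdict

NAS_ROOT = "/nas/data"  # host path of the NFS export, as in the thread


def audit_mounts(inspect_json: str, nas_root: str = NAS_ROOT) -> dict:
    """Return root mounts, sub-directories shared by >1 container, and clean ones."""
    root = os.path.normpath(nas_root)
    root_mounts = []
    by_subdir = defaultdict(list)
    for c in json.loads(inspect_json):
        name = c.get("Name", "").lstrip("/")
        for m in c.get("Mounts", []):
            if m.get("Type") != "bind":  # named volumes live under /var/lib/docker
                continue
            src = os.path.normpath(m.get("Source", ""))  # folds "/a/b/../b/" etc.
            if src == root:
                root_mounts.append(name)
            elif src.startswith(root + os.sep):
                by_subdir[src].append(name)
    return {
        "root_mounts": sorted(root_mounts),
        "shared": {d: sorted(n) for d, n in by_subdir.items() if len(n) > 1},
        "ok": {d: n[0] for d, n in by_subdir.items() if len(n) == 1},
    }


# Constructed sample in the shape of `docker inspect` output (hypothetical containers).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/bitbucket-test", "Mounts": [
        {"Type": "bind", "Source": "/nas/data", "Destination": "/opt/bitbucket"}]},
    {"Name": "/jira", "Mounts": [
        {"Type": "bind", "Source": "/nas/data/jira", "Destination": "/var/atlassian/jira"}]},
    {"Name": "/confluence", "Mounts": [
        {"Type": "bind", "Source": "/nas/data/confluence/", "Destination": "/var/atlassian/confluence"}]},
    {"Name": "/other", "Mounts": [
        {"Type": "bind", "Source": "/nas/data/jira/../jira", "Destination": "/mnt"},
        {"Type": "volume", "Name": "cache", "Source": "/var/lib/docker/volumes/cache/_data"}]},
])

if __name__ == "__main__":
    print(json.dumps(audit_mounts(SAMPLE_INSPECT), indent=2))
```

Run periodically on the host, this catches a container that mounts the whole export or reuses another product's directory, which the compose file of a single service cannot prevent by itself.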