mirror of https://github.com/docker/docs.git
Merge pull request #15926 from moxiegirl/carry-15210
add: best practice for security when sharing host directories.
This commit is contained in:
commit
c844effeda
|
@ -141,11 +141,18 @@ $ docker run -d -P --name web -v /src/webapp:/opt/webapp:ro training/webapp pyth
|
||||||
Here we've mounted the same `/src/webapp` directory but we've added the `ro`
|
Here we've mounted the same `/src/webapp` directory but we've added the `ro`
|
||||||
option to specify that the mount should be read-only.
|
option to specify that the mount should be read-only.
|
||||||
|
|
||||||
|
Because of [limitations in the `mount`
|
||||||
|
function](http://lists.linuxfoundation.org/pipermail/containers/2015-April/
|
||||||
|
035788.html), moving subdirectories within the host's source directory can give
|
||||||
|
access from the container to the host's file system. This requires a malicious
|
||||||
|
user with access to host and its mounted directory.
|
||||||
|
|
||||||
>**Note**: The host directory is, by its nature, host-dependent. For this
|
>**Note**: The host directory is, by its nature, host-dependent. For this
|
||||||
>reason, you can't mount a host directory from `Dockerfile` because built images
|
>reason, you can't mount a host directory from `Dockerfile` because built images
|
||||||
>should be portable. A host directory wouldn't be available on all potential
|
>should be portable. A host directory wouldn't be available on all potential
|
||||||
>hosts.
|
>hosts.
|
||||||
|
|
||||||
|
|
||||||
### Mount a host file as a data volume
|
### Mount a host file as a data volume
|
||||||
|
|
||||||
The `-v` flag can also be used to mount a single file - instead of *just*
|
The `-v` flag can also be used to mount a single file - instead of *just*
|
||||||
|
|
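Review bot: the link destination in the new paragraph is wrapped across two source lines (the line ending in `2015-April/` and the next starting with `035788.html)`); a Markdown link URL cannot contain a line break, so this will render as literal text with a dangling `)` instead of a link. Keep `(http://lists.linuxfoundation.org/pipermail/containers/2015-April/035788.html)` on one line even if it exceeds the wrap width. Two smaller points in the same paragraph: "access to host and its mounted directory" should read "access to the host and its mounted directory", and since the commit is titled as a security best practice, the paragraph should close with the recommendation rather than only the risk, for example that a host directory should only be shared with users you trust, and mounted with the `ro` option shown just above when the container does not need to write to it.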