I have access to a CentOS 7.9 machine with Docker installed. For this example I will be playing with the nginx image and the directories /usr/share/xml/fontconfig and /usr/share/nginx/html. You can see that these directories contain some important files for nginx:
root@f7990388c7d0:/# ls /usr/share/nginx/html/
50x.html index.html
root@f7990388c7d0:/# ls /usr/share/xml/fontconfig/
fonts.dtd
Let's create a volume, attach it to an nginx container at /usr/share/nginx/html and make sure we can see the files both on the server and on the container:
[cloud_user@eb993010811c ~]$ docker volume create my_volume
my_volume
[cloud_user@eb993010811c ~]$ docker container run -d --name container1 -v my_volume:/usr/share/nginx/html nginx
f7990388c7d0302db7f1135549bf0bb1a024256d9a89ebead306a6d775449514
[cloud_user@eb993010811c ~]$ docker volume inspect my_volume
[
{
"CreatedAt": "2022-11-09T14:46:38Z",
"Driver": "local",
"Labels": {},
"Mountpoint": "/var/lib/docker/volumes/my_volume/_data",
"Name": "my_volume",
"Options": {},
"Scope": "local"
}
]
[cloud_user@eb993010811c ~]$ sudo ls /var/lib/docker/volumes/my_volume/_data
50x.html index.html
[cloud_user@eb993010811c ~]$ docker container exec -it container1 ls /usr/share/nginx/html
50x.html index.html
[cloud_user@eb993010811c ~]$ docker container exec -it container1 ls /usr/share/xml/fontconfig
fonts.dtd
All good so far. Now, let's suppose that we mount the same volume on a different container, and on a different filesystem path:
[cloud_user@eb993010811c ~]$ docker container run -d --name container2 -v my_volume:/usr/share/xml/fontconfig nginx
7ceec36b8c4d7d0eb172c1926d273d4e2e18b2cf509c8c5a18bf1302e98aedfc
[cloud_user@eb993010811c ~]$ sudo ls /var/lib/docker/volumes/my_volume/_data
50x.html index.html
[cloud_user@eb993010811c ~]$ docker container exec -it container2 ls /usr/share/xml/fontconfig
50x.html index.html
[cloud_user@eb993010811c ~]$ docker container exec -it container1 ls /usr/share/xml/fontconfig
fonts.dtd
[cloud_user@eb993010811c ~]$ docker container exec -it container1 /bin/bash
root@f7990388c7d0:/# ls /usr/share/nginx/html/
50x.html index.html
root@f7990388c7d0:/# ls /usr/share/xml/fontconfig/
fonts.dtd
We can see that the Docker server does NOT see the fonts.dtd file, and container2's directory contents have been effectively usurped by those contained in the /usr/share/nginx/html directory of container1. Additionally, container1's directory contents are UNaffected by this process.
From a security / stability standpoint, I can understand that it would probably make little sense to have a volume with files corresponding to different filesystem paths. But is it possible to do this through some different means? There will have to be use-cases for this, there's a use-case for everything.
CodePudding user response:
Answered in comments of question.
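The situation shown in the question, one named volume mounted at different paths in two containers so that its contents hide what the image ships at the second path, can be spotted from docker inspect output. The following is an added example, not part of the original post or answer; the inspect JSON is a constructed sample trimmed to the fields used, and container3 is a hypothetical extra container.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `docker inspect container1 container2 container3`
# output, trimmed to the fields used here. container3 is hypothetical.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/container1", "Mounts": [
        {"Type": "volume", "Name": "my_volume",
         "Destination": "/usr/share/nginx/html", "RW": True}]},
    {"Name": "/container2", "Mounts": [
        {"Type": "volume", "Name": "my_volume",
         "Destination": "/usr/share/xml/fontconfig", "RW": True}]},
    {"Name": "/container3", "Mounts": [
        {"Type": "bind", "Source": "/srv/conf",
         "Destination": "/etc/nginx/conf.d", "RW": False}]},
])


def volume_usage(inspect_json):
    """Map each named volume to [(container, destination, writable), ...]."""
    usage = defaultdict(list)
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        for mount in container.get("Mounts") or []:
            if mount.get("Type") != "volume":
                continue  # bind mounts and tmpfs are not named volumes
            usage[mount["Name"]].append(
                (name, mount["Destination"], bool(mount.get("RW", True))))
    return dict(usage)


def mismatched_mounts(inspect_json):
    """Return volumes that are mounted at more than one destination path."""
    findings = {}
    for volume, mounts in volume_usage(inspect_json).items():
        destinations = {dest for _, dest, _ in mounts}
        if len(destinations) > 1:
            findings[volume] = sorted(mounts)
    return findings


if __name__ == "__main__":
    for volume, mounts in mismatched_mounts(SAMPLE_INSPECT).items():
        print(f"{volume}: mounted at differing paths")
        for container, dest, rw in mounts:
            print(f"  {container}: {dest} ({'rw' if rw else 'ro'})")
```

On a live host the same functions can be fed the JSON printed by docker inspect for the running containers instead of the sample.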