Docker 容器 - 用户数据
Docker Containers - User Data
如果您使用 Docker 设置应用程序堆栈(在一个容器中或作为一系列链接的容器),迟早需要序列化用户数据 - 例如数据库。据我目前所见,这可以通过两种方式完成
- 使用 -v 开关将主机上的卷映射到 Docker 容器。
- 创建专用数据容器,在需要时存储和恢复
这两种方法都没有问题 - 它们易于实施并且工作得很好。但是,有几件事我不太清楚:
- 当数据容器在实际写入数据的地方实际存在时。例如,写入该容器内 /var/lib/mysql 文件夹的文件是否最终位于主机文件系统的某个位置?
- 将主机系统子文件夹作为卷映射到 Docker 容器的风险是什么,请记住现在容器的用户可以直接写入主机的文件系统
- 最后,有没有简单的方法来限制映射卷的大小?
我将不胜感激任何帮助。
When a data container is actually alive where the data actually being written. For example do the files written to the /var/lib/mysql folder inside that container end up somewhere on the host's file system?
不是从主机挂载的卷存储在这里:
/var/lib/docker/volumes/
What are the risks of mapping a host system sub folder as a volume on to the Docker container bearing in mind that now the container's user is able to write directly to the host's file system
只要您的容器不是 运行 作为 privileged i.e. with the --privileged=true flag your container is not able to access devices and is locked out from several sensitive parts of the host fs. Secondly by default all processes inside docker run as root, this given them a lot of privileges inside container and since docker does not guarantee secure sand boxing yet potentially someone who hacks a process inside your container can break out. Therefore you should use the docker USER command in your docker file or the -u 标记 运行 您作为备用用户的进程。
Finally, is there a simple way to limit the size of that mapped volume?
您必须在 docker 之外执行此操作,也许可以创建一个单独的逻辑驱动器并根据需要调整大小。
如果您使用 Docker 设置应用程序堆栈(在一个容器中或作为一系列链接的容器),迟早需要序列化用户数据 - 例如数据库。据我目前所见,这可以通过两种方式完成
- 使用 -v 开关将主机上的卷映射到 Docker 容器。
- 创建专用数据容器,在需要时存储和恢复
这两种方法都没有问题 - 它们易于实施并且工作得很好。但是,有几件事我不太清楚:
- 当数据容器在实际写入数据的地方实际存在时。例如,写入该容器内 /var/lib/mysql 文件夹的文件是否最终位于主机文件系统的某个位置?
- 将主机系统子文件夹作为卷映射到 Docker 容器的风险是什么,请记住现在容器的用户可以直接写入主机的文件系统
- 最后,有没有简单的方法来限制映射卷的大小?
我将不胜感激任何帮助。
When a data container is actually alive where the data actually being written. For example do the files written to the /var/lib/mysql folder inside that container end up somewhere on the host's file system?
不是从主机挂载的卷存储在这里: /var/lib/docker/volumes/
What are the risks of mapping a host system sub folder as a volume on to the Docker container bearing in mind that now the container's user is able to write directly to the host's file system
只要您的容器不是 运行 作为 privileged i.e. with the --privileged=true flag your container is not able to access devices and is locked out from several sensitive parts of the host fs. Secondly by default all processes inside docker run as root, this given them a lot of privileges inside container and since docker does not guarantee secure sand boxing yet potentially someone who hacks a process inside your container can break out. Therefore you should use the docker USER command in your docker file or the -u 标记 运行 您作为备用用户的进程。
Finally, is there a simple way to limit the size of that mapped volume?
您必须在 docker 之外执行此操作,也许可以创建一个单独的逻辑驱动器并根据需要调整大小。