this post was submitted on 01 May 2025
14 points (100.0% liked)

Self Hosted - Self-hosting your services.

13656 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules

Important

Beginning of January 1st 2024 this rule WILL be enforced. Posts that are not tagged will be warned and if not fixed within 24h then removed!

Cross-posting

If you see a rule-breaker please DM the mods!

founded 4 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
14
[Question] Why does a Docker container have access to a directory on my system not explicitly mounted as volume? (lemmy.ml)
submitted 1 month ago by [email protected] to c/[email protected]
6 comments fedilink hide all child comments
 

I am in the process of migrating my Nextcloud instance from one server to another. I copied the Borg archive to one mountpoint, /mnt/ncbackup and intend to keep my data in /mnt/ncdata.

I couldn't really find out what to mount the backup directory to, so I just fired it up as documented in the documentation, and I was able to retrieve my backups from the non-mounted directory.

So this reveals a fundamental flaw in my understanding of how Docker works - I had assumed the container only had access to whatever was explicitly mounted. But I guess I am wrong?

This is the command I run:

sudo docker run \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 8080:8080 \
--env APACHE_PORT=11000 \
--env APACHE_IP_BINDING=0.0.0.0 \
--env APACHE_ADDITIONAL_NETWORK="" \
--env SKIP_DOMAIN_VALIDATION=false \
--env NEXTCLOUD_DATADIR="/mnt/ncdata" \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
ghcr.io/nextcloud-releases/all-in-one:latest
top 6 comments
sorted by: hot top controversial new old
[–] [email protected] 5 points 1 month ago

When giving docker access to a socket, the docker process will have access to any folder/file the running user has access to. That doesn't mean that your containers do, generally, but they can. This is how the Kinsing docker virus is so prevalent.

[–] [email protected] 12 points 1 month ago (1 children)

The Nextcloud AIO container itself doesn't have access to the backup directory, but it has access to the docker socket (/var/run/docker.sock). Having access to the docker socket means it can perform any docker operation on the host system, in this case starting a separate backup container with the backup directory mounted.

[–] [email protected] 5 points 1 month ago

Ah, got it! That sounds like an unhealthy amount of trust to give to a container, but I understand the need to give that access to the mastercontainer.

[–] [email protected] 8 points 1 month ago* (last edited 1 month ago)

You are giving access to the docker socket (/var/run/docker.sock), so this container can create/edit/remove any container from your system, even add,edit, remove volumes or host path.

I have no idea if you can send modification API commands to a ReadOnly socket. I think you could, in the same way that you can do something with just HTTP-GET. Example: curl --unix-socket /var/run/docker.sock http:/images/json

Doc: https://docs.docker.com/reference/api/engine/version/v1.41/#tag/Container/operation/ContainerInspect

[–] [email protected] 2 points 1 month ago (1 children)

How did you retrieve your backups exactly?

[–] [email protected] 2 points 1 month ago

rsync from one server to the other.

When actually loading in the backup from the Nextcloud AIO interface, I specified the path on my local system (not the container).