[Question] Why does a Docker container have access to a directory on my system not explicitly mounted as volume? (lemmy.ml)

submitted 1 month ago by cyberwolfie@lemmy.ml to c/selfhost@lemmy.ml

6 comments fedilink hide all child comments

I am in the process of migrating my Nextcloud instance from one server to another. I copied the Borg archive to one mountpoint, /mnt/ncbackup and intend to keep my data in /mnt/ncdata.

I couldn't really find out what to mount the backup directory to, so I just fired it up as documented in the documentation, and I was able to retrieve my backups from the non-mounted directory.

So this reveals a fundamental flaw in my understanding of how Docker works - I had assumed the container only had access to whatever was explicitly mounted. But I guess I am wrong?

This is the command I run:

sudo docker run \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 8080:8080 \
--env APACHE_PORT=11000 \
--env APACHE_IP_BINDING=0.0.0.0 \
--env APACHE_ADDITIONAL_NETWORK="" \
--env SKIP_DOMAIN_VALIDATION=false \
--env NEXTCLOUD_DATADIR="/mnt/ncdata" \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
ghcr.io/nextcloud-releases/all-in-one:latest

you are viewing a single comment's thread
view the rest of the comments

[-] kaki@sh.itjust.works 12 points 1 month ago

The Nextcloud AIO container itself doesn't have access to the backup directory, but it has access to the docker socket (/var/run/docker.sock). Having access to the docker socket means it can perform any docker operation on the host system, in this case starting a separate backup container with the backup directory mounted.

[-] cyberwolfie@lemmy.ml 5 points 1 month ago

Ah, got it! That sounds like an unhealthy amount of trust to give to a container, but I understand the need to give that access to the mastercontainer.

this post was submitted on 01 May 2025

14 points (100.0% liked)

Self Hosted - Self-hosting your services.

12522 readers

1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules

No harassment
crossposts from c/Open Source & c/docker & related may be allowed, depending on context
Video Promoting is allowed if is within the topic.
No spamming.
Stay friendly.
Follow the lemmy.ml instance rules.
Tag your post. (Read under)

Important

Beginning of January 1st 2024 this rule WILL be enforced. Posts that are not tagged will be warned and if not fixed within 24h then removed!

Lemmy doesn't have tags yet, so mark it with [Question], [Help], [Project], [Other], [Promoting] or other you may think is appropriate.

Cross-posting

!everything_git@lemmy.ml is allowed!
!docker@lemmy.ml is allowed!
!portainer@lemmy.ml is allowed!
!fediverse@lemmy.ml is allowed if topic has to do with selfhosting.
!selfhosted@lemmy.ml is allowed!

If you see a rule-breaker please DM the mods!

founded 4 years ago

MODERATORS

dogmuffins@lemmy.ml

Zoe8338@lemmy.ml

testman@lemmy.ml