"Ensure a separate partition for containers has been created" is logged although a separate partition is created. #332
Comments
Hi @RahulMetangale, you're correct.
Signed-off-by: Thomas Sjögren <[email protected]>
I believe this has been fixed, could you test #333?
@konstruktoid Thank you for your quick response. I checked out pull request 333; still seeing the same issue.
@RahulMetangale, could you post the output of
@konstruktoid here is the output
use mountpoint and DockerRootDir #332
If I run the following command, but now I understand what the issue is. I have created a directory on the mountpoint with the name 'docker' which is being used as the docker root directory (`mkdir datadrive`). Hence datadrive is the mountpoint but /datadrive/docker is not. Thanks for the pointer. I will work on this.
In my case, I made a new partition, mounted it, copied /var/lib/docker to it, unmounted it, removed /var/lib/docker and mounted the new partition.
Hi @soulawaker, could you post the output of
Ah, yes. I'll post them.

```
$ mountpoint -- "$(sudo docker info -f '{{ .DockerRootDir }}')"
/var/lib/docker/231072.231072 is not a mountpoint
$ grep "$(sudo docker info -f '{{ .DockerRootDir }}')" /proc/mounts
...nothing...
```
@soulawaker as you can see
@konstruktoid I thought isolating /var/lib/docker to another partition should be satisfied with security check 1.1. Am I missing any points?
@soulawaker partially, but this is just as a spamming app will fill
Hello @konstruktoid,

```
ubuntu@ip-10-10-1-244:~$ mountpoint -- /docker-data/
ubuntu@ip-10-10-1-244:~$ docker info -f '{{ .DockerRootDir }}'
ubuntu@ip-10-10-1-244:~$ grep /docker-data /proc/mounts
```

But the security bench tests do not seem to recognize this:

```
[INFO] 1 - Host Configuration
```

Any suggestions?
Thanks @nithinka, I'll have a look.
I have the same issue. I'm working with an AWS EC2 instance with an EBS volume mounted for the docker files. Originally I created a symlink in /var/lib/docker for /mnt/docker but I still got the warning for the 1.1 test. So then I copied the contents of /var/lib/docker into /mnt/docker, removed /var/lib/docker and added -g '/mnt/docker' to the docker startup options. Unfortunately still failing the 1.1 test. I know the actual aim has been achieved, but it's the perfectionist in me wanting the visual clean-sweep of security tests.

```
df -h
mountpoint -- '/mnt/docker'
docker info -f'{{.DockerRootDir }}'
```
Hi @wlawton, I might be misunderstanding but does 1.1 fail even with the below results?
Hi @konstruktoid. Yes, unfortunately it still outputs a warning. Here is the output of the two mount checks and the test execution run in sequence:

```
[root@ip-10-18-44-139 artifactory]# mountpoint -- '/mnt/docker'
Docker, Inc. (c) 2015-
Checks for dozens of common best-practices around deploying Docker containers in production.
Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
#------------------------------------------------------------------------------
Initializing Thu Jan 9 12:39:53 UTC 2020
[INFO] 1 - Host Configuration
```
Could you try running the bash script? The Docker image hasn't been updated yet (#405).
Happy days! Warning is absent when using the bash script. Thanks a lot for your support.

```
Initializing Thu Jan 9 14:40:11 UTC 2020
[INFO] 1 - Host Configuration
[INFO] 1.1 - General Configuration
```
Glad I could help :)
Closing due to inactivity. |
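An added example, not docker-bench-security's own check and not code from anyone in this thread: it re-creates offline what 1.1 is testing, using the mount-point and /proc/mounts logic discussed above, and tells apart a root dir that is itself a mount point, one that only sits inside a mount (the /datadrive vs /datadrive/docker case), and one still on the root filesystem, resolving a symlinked root dir first. The mounts sample and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example, not docker-bench-security's own code: an offline re-creation
# of the intent of check 1.1 (the Docker root dir must be its own mount point).
# It distinguishes the three situations seen in this thread: the dir is a
# mount point; the dir only sits inside a mount (/datadrive vs
# /datadrive/docker); the dir is still on the root filesystem.
# Assumed invocation on a live host:
#   check_root_dir "$(docker info -f '{{ .DockerRootDir }}')" /proc/mounts

# Does some mount entry in file $2 have exactly $1 as its mount target?
is_mountpoint() {
    awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' "$2"
}

# Print the mount point that contains $1 (longest matching prefix, else /).
containing_mount() {
    awk -v d="$1" '
        $2 != "/" && index(d "/", $2 "/") == 1 && length($2) > length(best) { best = $2 }
        END { print (best == "" ? "/" : best) }' "$2"
}

# Verdict for a Docker root dir: prints pass/warn, returns 0 on pass, 1 on warn.
check_root_dir() {
    dir=${1%/}                 # treat /mnt/docker/ and /mnt/docker alike
    mounts=${2:-/proc/mounts}
    # A symlinked root dir (/var/lib/docker -> /mnt/docker above) is compared
    # by its resolved target, which is what /proc/mounts lists.
    if [ -e "$dir" ]; then dir=$(readlink -f "$dir"); fi
    if is_mountpoint "$dir" "$mounts"; then
        echo "pass"
        return 0
    fi
    parent=$(containing_mount "$dir" "$mounts")
    if [ "$parent" != "/" ]; then
        echo "warn: $dir is inside mount $parent but is not itself a mount point"
    else
        echo "warn: $dir is on the root filesystem"
    fi
    return 1
}

# Constructed /proc/mounts sample mirroring this thread's setups (not real output).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /datadrive ext4 rw,relatime 0 0
/dev/sdc1 /mnt/docker ext4 rw,relatime 0 0
EOF
}
```

Paths in /proc/mounts are written with octal escapes (a space becomes `\040`), which this comparison does not decode.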
I am using Ubuntu 16.04 with docker version
Docker version 18.06.1-ce, build e68fc7a
I have created a separate partition for docker but the security check still warns about 1.1.
Here is the output of the docker info command:
```
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 0
Server Version: 18.06.1-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 468a545b9edcd5932818eb9de8e72413e616e86e
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.15.0-1025-azure
Operating System: Ubuntu 16.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 27.48GiB
Name: AZLXSPTAPTDEVAP01
ID: IM4B:T3UU:O5S3:AAPG:A7UX:5VKM:434G:SKQO:M4AE:MERS:MMTJ:JBLU
Docker Root Dir: /datadrive/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
WARNING: No swap limit support
```