Suppose I have a NodeJS application inside a Docker container. NodeJS can interact with the host's filesystem using the fs module. What I want is to give it access only to one folder (for example, /home/user1/thisfolder) and deny reading or writing any other folder or file on my host. Is there a way to restrict this kind of access in Docker?

UPD, GOT ANSWER: Using AppArmor I could give the node process access only to the given directories, and when it tries to access any other it gets permission denied.

Scadge
  • Just to be sure I understood your question well. You want to give your docker container access to a specific directory on your host? – Regan Aug 13 '14 at 09:39
  • If it means that my NodeJS code inside this container will also have access to a specific directory on my host - then yes, this is what I want. – Scadge Aug 13 '14 at 09:42

2 Answers

The solution you want to use is to mount a volume on the container using the -v option.

docker run -v /path/to/directory/on/your/host:/path/to/directory/on/your/container image CMD

It will let you access your volume.

More info: https://docs.docker.com/userguide/dockervolumes/

If you want to restrict access to other parts of your container, you should use AppArmor from outside the container.

Regan
  • Thanks for the clue, it helped me a bit. But I need to restrict access to other folders except this one. For instance, in nodejs code I can do `data = fs.readFileSync('./file1.txt','utf-8')` and receive file content into my variable `data` - that's OK. But something like `data = fs.readFileSync('/var/lib/anyfilehere.txt','utf-8')` should be restricted (throw exception or something). – Scadge Aug 13 '14 at 14:00
  • I think the best way would be to use Apparmor. But it's not my specialty. – Regan Aug 13 '14 at 14:28
  • AppArmor was a perfect solution to my problem. Thank you! – Scadge Aug 19 '14 at 19:23
  • I suggest you edit your question to add how you managed to do it. – Regan Aug 19 '14 at 19:42
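An added example of the AppArmor approach the question's update and this answer point to; it is not code from the original post. The profile name, the node image, the container paths (/app for code, /data for the mounted folder) and the node binary location are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): confine a containerised node
# process with AppArmor so it can read and write only the one bind-mounted
# folder. Profile name, image name and container paths are assumptions.
PROFILE_NAME="docker-node-onefolder"
HOST_DIR="/home/user1/thisfolder"   # the folder from the question
CONTAINER_DIR="/data"               # where it is mounted inside the container

# Print the profile. Inside the container AppArmor sees container paths, and
# every path not listed below is denied and logged (the "permission denied"
# the question reports). Explicit deny rules would quiet that logging, so
# the profile relies on the default deny instead.
write_profile() {
    cat <<EOF
#include <tunables/global>

profile $PROFILE_NAME flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  network inet stream,
  signal (receive) peer=unconfined,

  # node binary, its modules and the application code: read/execute only
  /usr/local/bin/node rix,
  /usr/local/lib/node_modules/** r,
  /app/ r,
  /app/** r,

  # the single folder the process may read, write and lock files in
  $CONTAINER_DIR/ rw,
  $CONTAINER_DIR/** rwk,
}
EOF
}

# Load the profile into the kernel (needs root on the Docker host).
install_profile() {
    mkdir -p /etc/apparmor.d/containers
    write_profile > "/etc/apparmor.d/containers/$PROFILE_NAME"
    apparmor_parser -r -W "/etc/apparmor.d/containers/$PROFILE_NAME"
}

# Start the container under the profile; only HOST_DIR is mounted in.
run_container() {
    docker run --security-opt "apparmor=$PROFILE_NAME" \
        -v "$HOST_DIR:$CONTAINER_DIR" node:lts node /app/server.js
}
```

With the profile loaded, `fs.readFileSync('/var/lib/anyfilehere.txt')` from the comment above fails with EACCES and the denial shows up in the kernel log, while reads and writes under /data succeed.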
Docker does not have access to the host filesystem unless you:

  • map some path to a volume (as @Regan above suggested)
  • run it in privileged mode

So, by default, docker is doing what you want.

Abel Muiño