The Docker local storage partition should be separate from other partitions
Set up the docker integration.
Description
All Docker containers and their data and metadata are stored in the /var/lib/docker directory. By default, /var/lib/docker is mounted under either the / or /var partition, depending on how the Linux operating system in use is configured.
Rationale
Docker depends on /var/lib/docker as the default directory where all Docker-related files, including the images, are stored. This directory could fill up quickly, causing both Docker and the host to become unusable. For this reason, you should create a separate partition (logical volume) for storing Docker files.
Audit
To see the partition details for the /var/lib/docker mount point, run the following on the Docker host:
grep '/var/lib/docker\s' /proc/mounts
Alternatively, to see whether the configured root directory is a mount point, run:
mountpoint -- "$(docker info -f '{{ .DockerRootDir }}')"
For new installations, you should create a separate partition for the /var/lib/docker mount point. For systems that have already been installed, you should use the Logical Volume Manager (LVM) within Linux to create a new partition.
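The following POSIX shell script is an added example, not part of the benchmark text or of any tool's own code. It performs the audit above in a reusable form: it resolves the Docker root directory (falling back to /var/lib/docker when the daemon cannot be queried), checks whether that directory appears as its own mount point in a /proc/mounts-style file, and reports PASS or FAIL. The function names (docker_root_dir, is_mounted, audit_docker_partition) and the sample mounts content are assumptions constructed for the example; passing no second argument makes the check read the live /proc/mounts.

```shell
#!/bin/sh
# Added example: audit whether the Docker root directory is a separate mount.
# Function names are invented for this example; they are not part of any tool.

# docker_root_dir: print the configured Docker root directory, or the
# default /var/lib/docker when the daemon is unreachable or docker is absent.
docker_root_dir() {
    dir=$(docker info -f '{{ .DockerRootDir }}' 2>/dev/null)
    if [ -n "$dir" ]; then
        printf '%s\n' "$dir"
    else
        printf '%s\n' /var/lib/docker
    fi
}

# is_mounted DIR [MOUNTS_FILE]: succeed if DIR is listed as a mount point.
# Field 2 of each /proc/mounts line is the mount point; exact match only,
# so a directory that merely lives on a parent filesystem does not count.
is_mounted() {
    dir=$1
    mounts=${2:-/proc/mounts}
    awk -v d="$dir" '$2 == d { found = 1 } END { exit !found }' "$mounts"
}

# audit_docker_partition [DIR] [MOUNTS_FILE]: print PASS with the matching
# mount entry, or FAIL when DIR is not its own mount point (return 1).
audit_docker_partition() {
    dir=${1:-$(docker_root_dir)}
    mounts=${2:-/proc/mounts}
    if is_mounted "$dir" "$mounts"; then
        printf 'PASS: %s is a separate mount: %s\n' "$dir" \
            "$(awk -v d="$dir" '$2 == d' "$mounts")"
        return 0
    fi
    printf 'FAIL: %s is not a mount point; it shares the parent filesystem\n' "$dir"
    return 1
}

# Constructed sample in /proc/mounts format (not from a real host):
# root and /var on their own logical volumes, plus a dedicated docker LV.
SAMPLE_MOUNTS=$(mktemp)
cat >"$SAMPLE_MOUNTS" <<'EOF'
/dev/mapper/vg0-root / ext4 rw,relatime 0 0
/dev/mapper/vg0-var /var ext4 rw,relatime 0 0
/dev/mapper/vg0-docker /var/lib/docker ext4 rw,relatime 0 0
EOF

# Run the audit against the constructed sample; the live host check is
# simply: audit_docker_partition "$(docker_root_dir)"
audit_docker_partition /var/lib/docker "$SAMPLE_MOUNTS"
```

The exact-match comparison on the second field matters: a grep for the prefix alone would also match a bind mount or overlay mounted beneath /var/lib/docker, which does not satisfy the control.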
Impact
None.
Default value
By default, /var/lib/docker is mounted under the / or /var partition, depending on how the OS is configured.
References
- https://www.projectatomic.io/docs/docker-storage-recommendation/
CIS controls
Version 6, Control 14: Controlled Access Based on the Need to Know