|
|
@@ -141,11 +141,21 @@ $ docker run -d -P --name web -v /src/webapp:/opt/webapp:ro training/webapp pyth
|
|
|
Here we've mounted the same `/src/webapp` directory but we've added the `ro`
|
|
|
option to specify that the mount should be read-only.
|
|
|
|
|
|
+Because of [limitations in the `mount`
|
|
|
+function](http://lists.linuxfoundation.org/pipermail/containers/2015-April/
|
|
|
+035788.html), moving subdirectories within the host's source directory can give
|
|
|
+access from the container to the host's file system. This requires a malicious
|
|
|
+user on the host with root access or with access to the Docker socket. Access to
|
|
|
+the Docker socket is equivalent to being privileged/root on the host. If your
|
|
|
+systems defines a `docker` group, be aware all its members have the necessary
|
|
|
+privileges to exploit this.
|
|
|
+
|
|
|
>**Note**: The host directory is, by its nature, host-dependent. For this
|
|
|
>reason, you can't mount a host directory from `Dockerfile` because built images
|
|
|
>should be portable. A host directory wouldn't be available on all potential
|
|
|
>hosts.
|
|
|
|
|
|
+
|
|
|
### Mount a host file as a data volume
|
|
|
|
|
|
The `-v` flag can also be used to mount a single file - instead of *just*
|
LIZAO LI