I am in the process of migrating my Nextcloud instance from one server to another. I copied the Borg archive to one mountpoint, /mnt/ncbackup and intend to keep my data in /mnt/ncdata.

I couldn’t really find out what to mount the backup directory to, so I just fired it up as documented in the documentation, and I was able to retrieve my backups from the non-mounted directory.

So this reveals a fundamental flaw in my understanding of how Docker works - I had assumed the container only had access to whatever was explicitly mounted. But I guess I am wrong?

This is the command I run:

sudo docker run \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 8080:8080 \
--env APACHE_PORT=11000 \
--env APACHE_IP_BINDING=0.0.0.0 \
--env APACHE_ADDITIONAL_NETWORK="" \
--env SKIP_DOMAIN_VALIDATION=false \
--env NEXTCLOUD_DATADIR="/mnt/ncdata" \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
ghcr.io/nextcloud-releases/all-in-one:latest
  • Xanza@lemm.ee · 6 months ago

    When giving docker access to a socket, the docker process will have access to any folder/file the running user has access to. That doesn’t mean that your containers do, generally, but they can. This is how the Kinsing docker virus is so prevalent.
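To make the mechanism in the reply concrete: the mastercontainer does not read /mnt/ncbackup through its own mounts. Holding /var/run/docker.sock lets it ask the Docker daemon to create a new container with any host path bind-mounted, and that new container then reads the directory. The example below is added here and is not code from the thread or from Nextcloud AIO. It builds the Docker Engine API request body (POST /containers/create with HostConfig.Binds) that such a request takes, without sending it, and then audits a constructed sample of `docker inspect` output for containers that have the socket mounted. Container names and mount data are made up for the example.

```python
"""Added example: what a Docker socket mount actually grants, and how to find
such mounts. Does not contact a daemon; all input is constructed inline."""
import json

DOCKER_SOCK = "/var/run/docker.sock"


def create_request_for_bind_mount(image, host_path, container_path, read_only=False):
    """Body of POST /containers/create that a process holding docker.sock can
    send to start a container with an arbitrary host directory bind-mounted.
    Mounting the socket itself ':ro' does not prevent this: the read-only
    flag applies to the socket file, and the daemon still accepts the request."""
    mode = "ro" if read_only else "rw"
    return {
        "Image": image,
        "Cmd": ["ls", "-la", container_path],
        "HostConfig": {"Binds": [f"{host_path}:{container_path}:{mode}"]},
    }


def socket_mounts(inspect_output):
    """Given the list that `docker inspect <names...>` prints, return
    (container, mode) for every container with the Docker socket bind-mounted.
    'ro' is reported for completeness but is not a mitigation (see above)."""
    findings = []
    for container in inspect_output:
        for m in container.get("Mounts", []):
            if m.get("Type") == "bind" and m.get("Source") == DOCKER_SOCK:
                mode = "rw" if m.get("RW", True) else "ro"
                findings.append((container["Name"].lstrip("/"), mode))
    return findings


# Constructed sample: a trimmed `docker inspect` result for two containers.
# Only the fields the audit looks at are included.
SAMPLE_INSPECT = [
    {
        "Name": "/nextcloud-aio-mastercontainer",
        "Mounts": [
            {"Type": "volume", "Name": "nextcloud_aio_mastercontainer",
             "Destination": "/mnt/docker-aio-config", "RW": True},
            {"Type": "bind", "Source": DOCKER_SOCK, "Destination": DOCKER_SOCK,
             "Mode": "ro", "RW": False},
        ],
    },
    {
        "Name": "/nextcloud-aio-nextcloud",
        "Mounts": [
            {"Type": "bind", "Source": "/mnt/ncdata",
             "Destination": "/mnt/ncdata", "Mode": "rw", "RW": True},
        ],
    },
]


if __name__ == "__main__":
    # What a socket holder could send to read a directory it never mounted.
    body = create_request_for_bind_mount("alpine", "/mnt/ncbackup", "/backup", read_only=True)
    print("POST /containers/create")
    print(json.dumps(body, indent=2))
    # Which containers on this host hold that capability.
    for name, mode in socket_mounts(SAMPLE_INSPECT):
        print(f"{name}: docker.sock mounted {mode} -> can bind-mount any host path")
```

To run the audit against a real host, feed it `docker inspect $(docker ps -q)` parsed with `json.loads`. The practical takeaway for the migration is that the only path control available to the mastercontainer is the daemon's own view of the host filesystem, so the backup location must be one the host itself should be allowed to expose.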