Use of the VOLUME instruction in the Dockerfile without further qualification would stick the sensitive information in /var/lib/docker/volumes/ somewhere (or wherever storage is configured) - which may be insecure behaviour out of the box. The resulting directory would not be guaranteed secure from user access in any way - I'd probably read into the Docker documentation. I also note that Kubernetes and podman may have impacts to this. I'm thinking it better to NOT to declare volumes in the Dockerfile and to enforce a safe location by use of Docker-Compose or requiring more explicit --volume arguments at run time.
harleylang
commented
2 years ago
Use of the
VOLUMEinstruction in theDockerfilewithout further qualification would stick the sensitive information in/var/lib/docker/volumes/somewhere (or wherever storage is configured) - which may be insecure behaviour out of the box. The resulting directory would not be guaranteed secure from user access in any way - I'd probably read into the Docker documentation. I also note that Kubernetes andpodmanmay have impacts to this. I'm thinking it better to NOT to declare volumes in theDockerfileand to enforce a safe location by use ofDocker-Composeor requiring more explicit--volumearguments at run time.