Rule ID
SV-235810r960963_rule
Version
V2R2
CCIs
Mount propagation mode allows mounting volumes in shared, slave or private mode on a container. Do not use shared mount propagation mode until needed. A shared mount is replicated at all mounts and the changes made at any mount point are propagated to all mounts. Mounting a volume in shared mode does not restrict any other container to mount and make changes to that volume. This unintended volume changes could potentially impact data hosted on the mounted volume. Do not set mount propagation mode to shared until needed. By default, the container mounts are private.
Ensure mount propagation mode is not set to shared or rshared.
This check should be executed on all nodes in a Docker Enterprise cluster.
via CLI:
Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:
docker ps --all | grep -iv "ucp\|kube\|dtr" | awk '{print $1}' | xargs docker inspect --format '{{ .Id }}: Propagation={{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}'
If Propagation=shared or Propagation-rshared, then this is a finding.Do not mount volumes in shared mode propagation. For example, do not start container as below: docker run <Run arguments> --volume=/hostPath:/containerPath:shared <Container Image Name or ID> <Command>