
I have access to a CentOS 7.9 machine with Docker installed. For this example I will be playing with the nginx image and the directories /usr/share/xml/fontconfig and /usr/share/nginx/html. You can see that these directories contain some important files for nginx:

root@f7990388c7d0:/# ls /usr/share/nginx/html/
50x.html  index.html
root@f7990388c7d0:/# ls /usr/share/xml/fontconfig/
fonts.dtd

Let's create a volume, attach it to an nginx container at /usr/share/nginx/html and make sure we can see the files both on the server and on the container:

[cloud_user@eb993010811c ~]$ docker volume create my_volume
my_volume
[cloud_user@eb993010811c ~]$ docker container run -d --name container1 -v my_volume:/usr/share/nginx/html nginx
f7990388c7d0302db7f1135549bf0bb1a024256d9a89ebead306a6d775449514
[cloud_user@eb993010811c ~]$ docker volume inspect my_volume
[
    {
        "CreatedAt": "2022-11-09T14:46:38Z",
        "Driver": "local",
        "Labels": {},
        "Mountpoint": "/var/lib/docker/volumes/my_volume/_data",
        "Name": "my_volume",
        "Options": {},
        "Scope": "local"
    }
]
[cloud_user@eb993010811c ~]$ sudo ls /var/lib/docker/volumes/my_volume/_data
50x.html  index.html
[cloud_user@eb993010811c ~]$ docker container exec -it container1 ls /usr/share/nginx/html
50x.html  index.html
[cloud_user@eb993010811c ~]$ docker container exec -it container1 ls /usr/share/xml/fontconfig
fonts.dtd

All good so far. Now, let's suppose that we mount the same volume on a different container, and on a different filesystem path:

[cloud_user@eb993010811c ~]$ docker container run -d --name container2 -v my_volume:/usr/share/xml/fontconfig nginx
7ceec36b8c4d7d0eb172c1926d273d4e2e18b2cf509c8c5a18bf1302e98aedfc
[cloud_user@eb993010811c ~]$ sudo ls /var/lib/docker/volumes/my_volume/_data
50x.html  index.html
[cloud_user@eb993010811c ~]$ docker container exec -it container2 ls /usr/share/xml/fontconfig
50x.html  index.html
[cloud_user@eb993010811c ~]$ docker container exec -it container1 ls /usr/share/xml/fontconfig
fonts.dtd
[cloud_user@eb993010811c ~]$ docker container exec -it container1 /bin/bash
root@f7990388c7d0:/# ls /usr/share/nginx/html/
50x.html  index.html
root@f7990388c7d0:/# ls /usr/share/xml/fontconfig/
fonts.dtd

We can see that the Docker server does NOT see the fonts.dtd file, and container2's directory contents have been effectively usurped by those contained in the /usr/share/nginx/html directory of container1. Additionally, container1's directory contents are UNaffected by this process.

From a security / stability standpoint, I can understand that it would probably make little sense to have a volume with files corresponding to different filesystem paths. But is it possible to do this through some different means? There will have to be use-cases for this, there's a use-case for everything.

Jason
  • 1
    Can you say a little more about what you're trying to do with the volumes? It's normal for mounts of any sort to hide what was in the original filesystem; Kubernetes volume mounts, Docker bind mounts, and plain Unix mount(8) all behave this way. Your first example apparently behaves differently only because plain volume copies content from the image into an empty volume, but only if it's the very first time you've ever used the volume, only if it's a named volume, and only if you're using Docker and not some higher-level orchestrator. – David Maze Nov 09 '22 at 16:35
  • 1
    This might be helpful https://stackoverflow.com/a/47673246/17600005 – Vab Nov 13 '22 at 13:02
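An added example, not part of the original post or its comments: a small audit over `docker inspect` output that lists every named volume mounted by more than one container, and at which paths, which is the situation container1 and container2 are in above. The sample JSON is constructed from the session in the question; container3 and its bind mount are hypothetical, included only to show that non-volume mounts are skipped.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `docker inspect container1 container2 ...`
# output, trimmed to the fields used here. container3 is hypothetical.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/container1", "Mounts": [
        {"Type": "volume", "Name": "my_volume",
         "Source": "/var/lib/docker/volumes/my_volume/_data",
         "Destination": "/usr/share/nginx/html", "RW": True}]},
    {"Name": "/container2", "Mounts": [
        {"Type": "volume", "Name": "my_volume",
         "Source": "/var/lib/docker/volumes/my_volume/_data",
         "Destination": "/usr/share/xml/fontconfig", "RW": True}]},
    {"Name": "/container3", "Mounts": [
        {"Type": "bind", "Source": "/srv/conf",
         "Destination": "/etc/nginx/conf.d", "RW": False}]},
])


def shared_volumes(inspect_json):
    """Map each named volume used by 2+ containers to its mount points."""
    users = defaultdict(list)
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        for mount in container.get("Mounts") or []:
            if mount.get("Type") != "volume":
                continue  # bind mounts and tmpfs are not named volumes
            users[mount["Name"]].append({
                "container": name,
                "destination": mount["Destination"],
                "writable": bool(mount.get("RW")),
            })
    return {vol: m for vol, m in users.items() if len(m) > 1}


def report(shared):
    """One header line per shared volume, then one line per mount."""
    lines = []
    for vol, mounts in sorted(shared.items()):
        paths = {m["destination"] for m in mounts}
        note = "different paths" if len(paths) > 1 else "same path"
        lines.append(f"{vol}: shared by {len(mounts)} containers ({note})")
        for m in mounts:
            mode = "rw" if m["writable"] else "ro"
            lines.append(f"  {m['container']}: {m['destination']} [{mode}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report(shared_volumes(SAMPLE_INSPECT))))
```

On a real host, the output of `docker inspect $(docker ps -aq)` can be passed to `shared_volumes` in place of the sample. Every container listed under one volume reads and writes the same `_data` directory, whatever its mount path.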

0 Answers