The Docker local storage partition should be separate from other partitions
Set up the docker integration.
Description
All Docker containers and their data and metadata are stored in the /var/lib/docker directory. By default, /var/lib/docker should be mounted under either the / or /var partitions depending on how the Linux operating system in use is configured.
Rationale
Docker depends on /var/lib/docker as the default directory where all Docker related files, including the images, are stored. This directory could fill up quickly causing both Docker and the host to become unusable. For this reason, you should create a separate partition (logical volume) for storing Docker files.
Audit
To see the partition details for the /var/lib/docker mount point, at the Docker host run:
grep '/var/lib/docker\s' /proc/mounts
Alternatively, to see whether the configured root directory is a mount point, run.
mountpoint -- "$(docker info -f '{{ .DockerRootDir }}')"
For new installations, you should create a separate partition for the /var/lib/docker mount point. For systems that have already been installed, you should use the Logical Volume Manager (LVM) within Linux to create a new partition.
Impact
None.
Default value
By default, /var/lib/docker is mounted under the / or /var partitions dependent on how the OS is configured.
References
- https://www.projectatomic.io/docs/docker-storage-recommendation/
CIS controls
Version 6.14 Controlled Access Based on the Need to Know
