The Docker local storage partition should be separate from other partitions

docker

Classification:

compliance

Framework:

cis-docker

Control:

1.2.1

Set up the docker integration.

Description

All Docker containers and their data and metadata are stored in the /var/lib/docker directory. By default, /var/lib/docker is located under either the / or /var partition, depending on how the Linux operating system in use is configured.

Rationale

Docker depends on /var/lib/docker as the default directory where all Docker-related files, including the images, are stored. This directory could fill up quickly, causing both Docker and the host to become unusable. For this reason, you should create a separate partition (logical volume) for storing Docker files.

Audit

To see the partition details for the /var/lib/docker mount point, at the Docker host run:

grep '/var/lib/docker\s' /proc/mounts

Alternatively, to see whether the configured root directory is a mount point, run:

mountpoint -- "$(docker info -f '{{ .DockerRootDir }}')"
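An added example, not from the CIS benchmark or this page, that turns the two audit commands above into a check that can be exercised offline: it parses /proc/mounts-format text, finds the filesystem the Docker root directory actually lives on, and also flags a mount point that merely shares the device of / (a bind mount or subvolume, which does not protect the host from a full Docker directory). The function names and the sample mount tables are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or the page): audit CIS Docker 1.2.1
# from /proc/mounts-style text so it can be exercised offline on samples.
# /proc/mounts fields: device mountpoint fstype options dump pass (paths with
# spaces appear escaped as \040; not handled here).

# containing_mount MOUNTS DIR -> "mountpoint device fstype" of the filesystem
# that DIR lives on: the longest mount point equal to DIR or an ancestor of it.
containing_mount() {
    printf '%s\n' "$1" | awk -v d="$2" '
        $2 == d || $2 == "/" || index(d, $2 "/") == 1 {
            if (length($2) > length(best)) { best = $2; dev = $1; fs = $3 }
        }
        END { if (best == "") exit 1; print best, dev, fs }'
}

# audit_docker_root MOUNTS DIR -> prints PASS/WARN/FAIL, returns 0 only on PASS.
audit_docker_root() {
    mounts="$1"; dir="$2"
    out=$(containing_mount "$mounts" "$dir") || return 2
    set -- $out
    mp="$1"; dev="$2"; fs="$3"
    rootdev=$(printf '%s\n' "$mounts" | awk '$2 == "/" { print $1; exit }')
    if [ "$mp" != "$dir" ]; then
        echo "FAIL: $dir is not a mount point; it lives on $mp ($dev, $fs)"
        return 1
    elif [ "$dev" = "$rootdev" ]; then
        # Same device as /: likely a bind mount or subvolume rather than its own
        # volume, so a full / still starves Docker (the grep audit alone passes it).
        echo "WARN: $dir is a mount point but shares device $dev with /"
        return 1
    fi
    echo "PASS: $dir is a separate mount ($dev, $fs)"
}

# Live check on a Docker host (not run by default; needs the docker CLI):
audit_live_host() {
    dir=$(docker info -f '{{ .DockerRootDir }}' 2>/dev/null) || dir=/var/lib/docker
    audit_docker_root "$(cat /proc/mounts)" "$dir"
}

# Constructed samples (not captured from a real host).
MOUNTS_SEPARATE='/dev/sda1 / ext4 rw,relatime 0 0
/dev/mapper/vg0-docker /var/lib/docker xfs rw,relatime,prjquota 0 0
overlay /var/lib/docker/overlay2/abc/merged overlay rw,relatime 0 0'
MOUNTS_SHARED='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
/dev/sda2 /var/lib/docker2 ext4 rw,relatime 0 0'
audit_docker_root "$MOUNTS_SEPARATE" /var/lib/docker
audit_docker_root "$MOUNTS_SHARED" /var/lib/docker || :  # non-zero status is the finding
```

Note that the overlay2 and /var/lib/docker2 entries in the samples are deliberately present: a prefix match on /var/lib/docker would wrongly accept either, which is why the mount point is compared whole.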

Remediation

For new installations, you should create a separate partition for the /var/lib/docker mount point. For systems that have already been installed, you should use the Logical Volume Manager (LVM) within Linux to create a new partition.

Impact

None.

Default value

By default, /var/lib/docker is mounted under the / or /var partitions depending on how the OS is configured.

CIS controls

Version 6, control 14: Controlled Access Based on the Need to Know