5.19 Do not set mount propagation mode to shared

Information

Mount propagation mode determines whether a volume is mounted on a container in shared, slave or private mode. Do not use shared mount propagation mode unless it is needed.

Rationale:

A shared mount is replicated at all mount points, and changes made at any one of them are propagated to all of the others. Mounting a volume in shared mode does not restrict any other container from mounting that volume and making changes to it. This can be catastrophic if the mounted volume is sensitive to changes. Do not set mount propagation mode to shared unless it is needed.

Solution

Do not mount volumes in shared mode propagation.

For example, do not start container as below:

docker run <Run arguments> --volume=/hostPath:/containerPath:shared <Container Image Name or ID> <Command>
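A small audit helper, added here as an example and not part of the CIS or Tenable content: it reads one line per container in the form the `docker inspect --format` query in the comment produces (that format string is assumed from the CIS benchmark's audit step, not taken from this page) and prints the IDs of containers that have any mount with `shared` or `rshared` propagation.

```shell
#!/bin/sh
# Added example: flag containers whose mounts use shared/rshared propagation.
#
# Feed it the output of the audit query (assumed, not from this page):
#   docker ps --quiet --all | xargs docker inspect --format \
#     '{{ .Id }}: Propagation={{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}'
# Each line then looks like:  <container id>: Propagation= "rprivate" "shared"

# Print the ID of every container with at least one shared/rshared mount.
# Returns 0 when no violation was found, 1 otherwise.
find_shared_mounts() {
    found=0
    while IFS= read -r line; do
        id=${line%%:*}
        # Only look at the part after "Propagation=" so the ID itself is never matched.
        mounts=${line#*Propagation=}
        case "$mounts" in
            *'"shared"'*|*'"rshared"'*)
                printf '%s\n' "$id"
                found=1
                ;;
        esac
    done
    return $found
}

# Constructed sample audit output (not captured from a real host) for a dry run.
SAMPLE='aaa111: Propagation= "rprivate" "rprivate"
bbb222: Propagation= "rprivate" "shared"
ccc333: Propagation= ""
ddd444: Propagation= "rshared"'

# Usage: pipe real audit output into find_shared_mounts; here it runs on the sample.
if printf '%s\n' "$SAMPLE" | find_shared_mounts; then
    echo "no shared mount propagation found"
else
    echo "containers listed above use shared propagation; restart them without :shared"
fi
```

Named volumes have an empty Propagation value in `docker inspect`, so they never match; only bind mounts carry a propagation mode.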

Impact:

None.

Default Value:

By default, the container mounts are private.

See Also

https://workbench.cisecurity.org/files/1476

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Unix

Control ID: cce48b08540045a67977d27f9db67054574c62d6b9685ab682810129dc811f1d