Profile Applicability:

  • Level 1

Description:

Docker stores container data by default under /var/lib/docker. To prevent issues such as disk space exhaustion, it is recommended to create a separate partition for Docker data. This ensures Docker containers are isolated from the main system and do not affect system performance.

Rationale:

Storing Docker data on a separate partition ensures that Docker containers do not fill up the root file system, preventing potential downtime or system issues due to lack of disk space. A dedicated partition improves resource management and security by isolating Docker-related files from other system files.

Impact:

Pros:

  • Ensures better resource management by separating Docker data from the host file system.

  • Prevents Docker data from consuming all available space on the root filesystem.

Cons:

  • Requires partitioning or resizing disk space, which could cause downtime if not planned properly.

  • Some configurations may require additional setup for mounting the partition and ensuring the mount persists across reboots.

Default Value:

By default, Docker uses /var/lib/docker which is typically stored on the same partition as the root file system.

Pre-requisites:

  • Disk partitioning tools available (e.g., LVM, fdisk).

  • Administrative privileges to modify disk partitions and mount points.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance running Docker.
  2. Use df -h to check the current disk usage and confirm that /var/lib/docker is on a separate partition.
  3. Ensure the partition is not shared with other files or directories by reviewing the mount or lsblk output.

Using AWS CLI:

  1. Connect to the EC2 instance running Docker.
  2. Run df -h to verify the disk partitions and ensure that Docker is using a dedicated partition.

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Create a new partition using LVM or a tool like fdisk and mount it at /var/lib/docker.
  3. Modify /etc/fstab to ensure the new partition is mounted on reboot.
  4. Restart Docker to ensure the changes take effect:
    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to remotely create a new partition and mount it for Docker storage.
  2. Execute the following command to partition and mount the disk:
    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo lvcreate -L 10G -n docker_data docker_vg && sudo mkfs.ext4 /dev/docker_vg/docker_data && sudo mount /dev/docker_vg/docker_data /var/lib/docker && sudo systemctl restart docker"]'
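The test plan above relies on reading df, mount or lsblk output by eye, and the implementation step that mounts the logical volume does not by itself add the /etc/fstab entry. The following audit script is an added example, not part of this benchmark page; it parses a /proc/self/mounts-style table and an fstab file (both passed as file paths, so it can be pointed at a live host or at the constructed sample data embedded below) and exits non-zero when /var/lib/docker is not its own mount point or has no persistent fstab entry.

```shell
#!/bin/sh
# Added audit helper (not from the benchmark). Checks that a directory is a
# dedicated mount point and that the mount is persisted in fstab.

# Usage: is_dedicated_mount <dir> <mounts_file>
# Exit 0 if <dir> appears as a mount target in a /proc/self/mounts-style table
# (fields: source target fstype options dump pass), 1 otherwise. The match is
# exact on the target field, so a mount at /var/lib does not satisfy /var/lib/docker.
is_dedicated_mount() {
    dir="$1"; table="$2"
    awk -v d="$dir" '$2 == d { found = 1 } END { exit !found }' "$table"
}

# Usage: fstab_has_entry <dir> <fstab_file>
# Exit 0 if a non-comment fstab line has <dir> as its mount point, so the
# dedicated partition comes back after a reboot; 1 otherwise.
fstab_has_entry() {
    dir="$1"; fstab="$2"
    awk -v d="$dir" '$1 !~ /^#/ && $2 == d { found = 1 } END { exit !found }' "$fstab"
}

# Constructed sample tables for demonstration (not captured from a real host).
SAMPLE_MOUNTS_OK=$(mktemp)
cat > "$SAMPLE_MOUNTS_OK" <<'EOF'
/dev/nvme0n1p1 / ext4 rw,relatime 0 0
/dev/mapper/docker_vg-docker_data /var/lib/docker ext4 rw,relatime 0 0
EOF

SAMPLE_MOUNTS_BAD=$(mktemp)
cat > "$SAMPLE_MOUNTS_BAD" <<'EOF'
/dev/nvme0n1p1 / ext4 rw,relatime 0 0
/dev/nvme0n1p2 /var/lib ext4 rw,relatime 0 0
EOF

SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# /etc/fstab (constructed sample)
UUID=ROOT-UUID-PLACEHOLDER / ext4 defaults 0 1
/dev/docker_vg/docker_data /var/lib/docker ext4 defaults 0 2
EOF

# Live audit of the current host when the kernel mount table is readable.
if [ -r /proc/self/mounts ] && [ -r /etc/fstab ]; then
    is_dedicated_mount /var/lib/docker /proc/self/mounts && echo "PASS: /var/lib/docker is a dedicated mount" || echo "FAIL: /var/lib/docker is not a dedicated mount"
    fstab_has_entry /var/lib/docker /etc/fstab && echo "PASS: fstab entry present" || echo "FAIL: no fstab entry for /var/lib/docker"
fi
```

Run it on an EC2 instance as root or via SSM; a FAIL line means the finding in the test plan applies.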

Backout Plan:

Using AWS Console:

  1. Connect to the EC2 instance.
  2. Unmount the partition using sudo umount /var/lib/docker.
  3. Optionally, remove the partition or restore the default Docker storage configuration by editing /etc/fstab and rebooting.
  4. Restart Docker:
    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to remove the partition and revert Docker storage to the default location.
  2. Execute the following command:
    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo umount /var/lib/docker && sudo rm -rf /var/lib/docker/* && sudo systemctl restart docker"]'

References: